The High Cost of Poor Privileged Account Management

In the past year, several major security breaches were traced back to basic failures in privileged account management. Weak controls on admin-level accounts – from not using multi-factor authentication (MFA) to poor password hygiene – have proven to be low-hanging fruit for attackers. Microsoft reports that over 99.9% of compromised accounts lacked MFA, making them easy targets for password attacks ( Security at your organization - Multifactor authentication (MFA) statistics - Partner Center | Microsoft Learn ). The incidents below show how such oversights led to serious consequences, and how stricter controls could have prevented the damage. This is a wake-up call for executives: reducing your attack surface by locking down admin access isn’t just IT best practice – it’s vital business protection.

An Orphaned Admin Account Leads to a State Government Breach

One recent breach at a U.S. state government agency started with an administrator account of a former employee that was never deactivated. Attackers obtained the ex-employee’s credentials (likely via a leak from a prior breach) and used them to log in through the agency’s VPN – no MFA was required, so a password alone let them in ( U.S. State Government Network Breached via Former Employee’s Account ). Once inside, the hackers discovered that this old admin account still had broad access, including to a SharePoint server where another set of admin credentials was stored in plaintext. Using those, they gained domain administrator privileges over on-premises and cloud systems ( U.S. State Government Network Breached via Former Employee’s Account ). In short, one forgotten account opened the door to the entire network.

The consequences were severe. The intruders accessed internal directories and documents containing host and user information, and ultimately posted sensitive data on a dark web marketplace ( Top Data Breaches in 2024 [Month-wise] - Strobes ). The breach forced an incident response involving state and federal cyber agencies. Fortunately, the attackers did not pivot into the most sensitive cloud systems in this case, but the reputational damage and potential exposure of citizen data were already done. This incident could have been prevented with basic hygiene: promptly disabling departed employees’ accounts, enforcing MFA on VPN and admin logins, and never storing admin passwords in insecure places. CISA’s advisory on this attack emphasized exactly these points, urging organizations to “remove and disable accounts…no longer needed,” “enable and enforce MFA,” and “store credentials in a secure manner” ( Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization | CISA ). In other words, had the agency practiced strict off-boarding and privileged credential management, this breach might never have happened.

Ransomware via Missing MFA at a Healthcare Provider

In February 2024, healthcare IT giant Change Healthcare (a subsidiary of UnitedHealth) suffered a massive ransomware attack that disrupted services across U.S. hospitals and insurers ( Change Healthcare hacked using stolen Citrix account with no MFA ). How did it happen? Attackers from the BlackCat (ALPHV) gang used stolen employee credentials to log into the company’s Citrix remote access portal, which did not have MFA enabled ( Change Healthcare hacked using stolen Citrix account with no MFA ). In other words, a critical admin gateway was protected only by a password – one the hackers had already obtained through earlier data-theft malware. With that single factor, the adversaries remotely authenticated as a valid user and immediately pushed deeper into the network.

What followed was nine days of unchecked roaming in the IT environment. Once inside, the attackers moved laterally through systems, quietly exfiltrating about 6 TB of data and ultimately deploying ransomware that brought operations to a standstill ( Change Healthcare hacked using stolen Citrix account with no MFA ). The impact was enormous: key healthcare services (payment processing, prescription systems, claims platforms) went down, affecting providers and patients nationwide, and the company estimates $872 million in financial damages ( Change Healthcare hacked using stolen Citrix account with no MFA ). UnitedHealth ultimately paid a ransom (reportedly $22 million) ( Change Healthcare hacked using stolen Citrix account with no MFA ) to regain control, and had to replace thousands of computers and rebuild its data center from scratch in the aftermath ( Change Healthcare hacked using stolen Citrix account with no MFA ). This nightmare scenario began from a single missing control – MFA – on an admin remote access point. Had a one-time code or push approval been required, the stolen password alone would have been useless to the attacker, likely thwarting the intrusion at the outset. This case underscores that any externally accessible admin tool must be gated with strong authentication; otherwise, it’s an open invitation to hackers.

Stolen Credentials Exploit Weak Cloud Account Controls

Even cutting-edge cloud platforms are not immune to old-school security lapses. In mid-2024, data warehousing firm Snowflake found itself at the center of a multi-organization breach campaign due to customers not enforcing MFA on their Snowflake user accounts ( Snowflake Data Breach Sparks MFA Enforcement Urgency ). Attackers (eventually linked to the ShinyHunters group) leveraged login credentials stolen via malware as far back as 2020 to access Snowflake accounts at 165 different companies ( Public breaches from identity attacks in 2024 ). Because many of those usernames and passwords had never been changed or secured with MFA, the hackers could simply log in to each target’s cloud data environment with valid credentials. Snowflake’s own systems weren’t breached per se – instead, the attackers piggybacked on weak customer account security.

The fallout was widespread. Major enterprises like Ticketmaster, Advance Auto Parts, and Santander Bank were reportedly among the victims ( Snowflake Data Breach Sparks MFA Enforcement Urgency ). In total, data on roughly 500 million customers was exposed ( Snowflake Data Breach Sparks MFA Enforcement Urgency ), ranging from personal information to possibly financial or ticketing records, depending on the company. Some of this stolen data appeared for sale on criminal forums for six-figure prices, and at least one telecom victim paid a ransom to prevent leaks ( Public breaches from identity attacks in 2024 ). Beyond the immediate privacy breach, affected companies faced regulatory scrutiny and loss of customer trust. All of this stemmed from a preventable weakness: allowing critical cloud accounts to operate without enforced MFA or routine password updates. Snowflake’s documentation at the time noted that users had to opt in to MFA on their own ( Snowflake Data Breach Sparks MFA Enforcement Urgency ) – a policy gap that has since been widely criticized. This incident has fueled an industry push to mandate MFA for cloud services and to implement checks so that long-dormant or non-compliant accounts can’t be the source of such a breach. Simply put, strong authentication and password management on third-party platforms are just as important as on your in-house systems.

Even Tech Giants Are Not Immune (Microsoft’s MFA Lesson)

If any company understands cybersecurity, it’s Microsoft – yet an oversight with a privileged account led to an embarrassing incident for them as well. In late 2023, a legacy “test” Azure AD account in Microsoft’s corporate network was left without MFA protection and got compromised via a basic password-spraying attack ( Microsoft: Legacy account hacked by Russian APT had no MFA | TechTarget ). The Kremlin-linked hacking group APT29 (aka “Midnight Blizzard”/Cozy Bear) simply guessed a weak password on this account, which was an admin tenant account that hadn’t been updated to modern security policies. With that foothold, the attackers elevated their access by exploiting OAuth permissions – essentially tricking the system into giving them a token with full access to Exchange Online mailboxes ( Microsoft: Legacy account hacked by Russian APT had no MFA | TechTarget ). Through this, they quietly read the emails of various Microsoft employees, including some senior executives ( Microsoft: Legacy account hacked by Russian APT had no MFA | TechTarget ). Even more alarming, Microsoft later revealed that the hackers used information gleaned from those emails to further infiltrate and access some internal source code repositories and systems ( Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets ).

For Microsoft, the incident was a PR black eye: a nation-state actor rifled through sensitive company communications and intellectual property. While the company says no customer data was compromised, the attackers potentially obtained authentication tokens, API keys, and other “secrets” from emails that could be weaponized ( Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets ). Microsoft had to notify over 100 affected external organizations that corresponded with those breached email accounts ( Public breaches from identity attacks in 2024 ). The root cause was plainly acknowledged: the test account did not have multifactor authentication enabled ( Microsoft: Legacy account hacked by Russian APT had no MFA | TechTarget ). Microsoft noted that if the same scenario occurred today, their policies would require MFA on such accounts by default ( Microsoft: Legacy account hacked by Russian APT had no MFA | TechTarget ). This case drives home that even one forgotten high-privilege account can undermine an entire security program. It’s a lesson to every enterprise: no account is too minor to secure, and “legacy” or service accounts deserve the same protections as primary accounts – otherwise they become the weakest link.

Reducing the Attack Surface: Key Lessons for Executives

The stories above may span different industries – government, healthcare, cloud services, tech – but they share common failure points. In each case, a privileged or admin-level account was left inadequately protected, providing attackers an easy initial entry. The damage ranged from multimillion-dollar ransomware incidents to massive data breaches and espionage. The good news is that these attacks were not unstoppable super-hacks; they were preventable with well-known best practices. To avoid being the next victim, executives should ensure their organizations take the following steps to harden privileged accounts and shrink the attack surface:

  • Enforce Multi-Factor Authentication Everywhere: Require MFA for all admin and remote access accounts (and ideally all user logins). A second authentication factor would have derailed most of the breaches above. In fact, over 99% of account hacks can be prevented by MFA ( Security at your organization - Multifactor authentication (MFA) statistics - Partner Center | Microsoft Learn ). Make sure this covers not just employees but also third-party services and legacy accounts. MFA is one of the cheapest, highest-impact defenses available.

  • Harden Password Policies and Eliminate Weak Credentials: Too often, administrators still use weak, default, or reused passwords. One analysis found over 40,000 admin accounts using “admin” as the password in 2023 – an open door for attackers. Institute strong password requirements (length and complexity) and check new passwords against breach databases to block known leaks. Never reuse passwords across systems, especially for privileged users, and enforce regular rotation or retirement of credentials to mitigate the risk from old leaks. Better yet, consider password managers or moving toward passwordless auth for admins to reduce human error.

  • Limit Admin Account Use and Privileges: Each admin or root account is a high-value target. Reduce their number and scope. Implement the principle of least privilege – admins should have access only to what they absolutely need. Likewise, administrators should use separate non-privileged accounts for email, web browsing, and day-to-day work. This way, if a phishing email or malware attack strikes a regular user inbox, it won’t immediately compromise domain-wide credentials. By segmenting roles and using temporary elevation (just-in-time access) for sensitive tasks, you dramatically cut down the risk that one set of stolen credentials can crater your whole organization.

  • Secure Storage of Credentials: Establish strict policies for how credentials, especially admin passwords and keys, are stored and shared. They should never be stored in plain text on servers, documents, wikis, or email. Use secure credential vaults or privileged access management (PAM) solutions ( Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization | CISA ) that enforce encryption, rotation, and controlled access. In the state government breach, an admin password was found on a SharePoint server ( U.S. State Government Network Breached via Former Employee’s Account ) – equivalent to leaving the keys under the doormat. Don’t let convenience undermine security: invest in proper secret storage and require admins to use it.

  • Rigorous Offboarding and Monitoring: Make account deprovisioning a non-negotiable part of your employee exit process. Dormant accounts (especially with high privileges) should be disabled immediately when personnel leave or roles change. Regularly audit your Active Directory, cloud tenant, and other systems for accounts that haven’t been used in months or belong to former staff ( Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization | CISA ). Each unnecessary account is an opportunity for attackers. Similarly, monitor active admin accounts for unusual access patterns – if an account that usually lies idle suddenly logs in from abroad at 2 AM, you want to know and act quickly.

  • Invest in Training and Incident Response Plans: Ensure that even privileged users receive ongoing security awareness training, including how to spot phishing and the importance of safeguarding credentials. Executives should also ask: If an admin account were compromised, do we have the monitoring in place to detect it and a plan to respond rapidly? Tabletop exercises and robust incident response playbooks are critical. In several cases above, attackers lurked for days or weeks before discovery. Speedy detection and response can significantly limit damage.
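
The MFA, offboarding and monitoring items above describe checks a security team can automate. The script below is an added example, not code from the article or from any of the organizations it discusses: it runs the dormant-account audit and the “idle admin suddenly signs in at 2 AM from abroad” detection over a constructed directory export and constructed VPN sign-in lines. Field names, the 90-day dormancy threshold, the home country and the quiet-hours window are all assumptions.

```python
"""Privileged-account hygiene checks over constructed sample data."""
from datetime import datetime, timedelta, timezone

# Constructed directory export of privileged accounts (assumed field names).
ACCOUNTS = [
    {"user": "jdoe-adm", "enabled": True, "mfa": True, "employed": True,
     "last_logon": "2024-05-10T14:02:00Z"},
    {"user": "exstaff-adm", "enabled": True, "mfa": False, "employed": False,
     "last_logon": "2023-11-03T09:30:00Z"},   # left the company, never disabled
    {"user": "svc-legacy", "enabled": True, "mfa": False, "employed": True,
     "last_logon": "2023-12-20T08:00:00Z"},   # forgotten test/service account
]

# Constructed VPN sign-in log lines: user,timestamp(UTC),source country,mfa used
SIGNINS = [
    "jdoe-adm,2024-05-11T09:15:00Z,US,yes",
    "exstaff-adm,2024-05-12T02:07:00Z,RO,no",
    "svc-legacy,2024-05-12T13:00:00Z,US,no",
]

HOME_COUNTRY = "US"      # assumption: where admins normally sign in from
DORMANT_DAYS = 90        # assumption: idle longer than this is "dormant"
QUIET_HOURS_END = 6      # assumption: sign-ins before 06:00 UTC are off-hours


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the constructed data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_accounts(accounts, now):
    """Return (user, finding) pairs for orphaned, MFA-less and dormant admins."""
    findings = []
    for acct in accounts:
        if acct["enabled"] and not acct["employed"]:
            findings.append((acct["user"], "orphaned: former employee still enabled"))
        if not acct["mfa"]:
            findings.append((acct["user"], "no MFA enrolled on privileged account"))
        if now - parse_ts(acct["last_logon"]) > timedelta(days=DORMANT_DAYS):
            findings.append((acct["user"], f"dormant: no logon in {DORMANT_DAYS}+ days"))
    return findings


def detect_anomalous_signins(accounts, lines):
    """Return (user, reasons) for sign-ins that match the breach patterns above."""
    by_user = {a["user"]: a for a in accounts}
    alerts = []
    for line in lines:
        user, stamp, country, mfa = line.split(",")
        when, reasons = parse_ts(stamp), []
        if mfa != "yes":
            reasons.append("password-only sign-in")
        if country != HOME_COUNTRY:
            reasons.append(f"from {country}")
        if when.hour < QUIET_HOURS_END:
            reasons.append(f"at {when:%H:%M} UTC")
        acct = by_user.get(user)
        if acct and when - parse_ts(acct["last_logon"]) > timedelta(days=DORMANT_DAYS):
            reasons.append("account was dormant before this sign-in")
        if reasons:
            alerts.append((user, "; ".join(reasons)))
    return alerts
```

Run against a real directory export and VPN log, the same two functions give an executive a concrete answer to “which of our admin accounts would have let this attack in?”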

By executing on these key actions, organizations can dramatically reduce the odds that a single password or admin account will be the domino that topples their defenses. The cost of implementing strong authentication and access controls is far less than the cost of cleaning up a breach.

Conclusion

High-profile breaches in the last year make one thing clear: privileged account management is a business-critical issue. When an admin account is compromised due to weak controls, attackers gain the “keys to the kingdom” and the fallout can hit finances, operations, and reputation hard. Conversely, companies that proactively tighten their controls – enforcing MFA, using strong unique credentials, minimizing admin access, and protecting those credentials – are far less likely to become a headline for the wrong reasons. As an executive, championing these measures is not just supporting IT best practices, it’s safeguarding the entire enterprise. The incidents we’ve discussed are sobering, but they also highlight a hopeful message: with the right controls in place, these breaches were avoidable. Reducing your attack surface today means fewer fires to fight tomorrow. It’s time to ensure that your organization’s most powerful accounts are also its most secure.

Sources:

  1. CISA Advisory – Threat Actor Leverages Compromised Account of Former Employee ( U.S. State Government Network Breached via Former Employee’s Account )
  2. BleepingComputer – Change Healthcare hacked using stolen Citrix account with no MFA ( Change Healthcare hacked using stolen Citrix account with no MFA )
  3. Channel Insider – MFA Mandate: Snowflake Doubles Down Amid Attacks ( Snowflake Data Breach Sparks MFA Enforcement Urgency )
  4. TechTarget News – Microsoft: Legacy account hacked by Russian APT had no MFA ( Microsoft: Legacy account hacked by Russian APT had no MFA | TechTarget )
  5. The Hacker News – Microsoft Confirms Russian Hackers Stole Source Code ( Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets )
  6. CISA Best Practices – Actions to take to mitigate malicious activity ( Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization | CISA )
  7. Specops 2024 Breached Password Report (common weak admin passwords)
  8. Push Security – Public breaches from identity attacks in 2024 ( Public breaches from identity attacks in 2024 )