One Forgotten Password, Almost a Catastrophe

A single Windows machine at a retail store location had a cached AWS access key sitting on it. Nobody put it there on purpose. A user logged in, AWS stored the key automatically, and life moved on. No alarms, no policy violations, no red flags.

Except that one key, sitting quietly on one machine, had a path to 98% of that company’s cloud environment. Almost every critical workload the business ran, one forgotten credential away from disaster.

Security researchers found it before an attacker did. Most organizations would never know it was there.

This is the new reality of cybersecurity: your identity is the attack path. Not only through the front door, but throughout internal systems and networks as well.

What “Identity” Actually Means

When security people talk about “identity,” they mean every username, password, access key, role, and permission that allows someone or something to get into your systems and your data.

That includes your employees, yes. But it also includes:

  • The OAuth tokens we wrote about last week, the ones your team created by connecting third-party apps to Google or Microsoft 365, tokens that never expire and keep working long after the app is forgotten
  • Service accounts that run automated tasks
  • Developer roles set up for a project three years ago that nobody turned off
  • AI tools your team added last month that inherited admin-level access
  • Old contractors who technically still have active logins

Each of those identities carries permissions. Permissions are what let someone move around inside your systems once they’re in. And attackers are good at finding identities with too many permissions and following them like a clear path through your systems.

Palo Alto found that nearly 90% of 2025 incident response investigations involved exposures that existing tools should have caught. The problem was not a lack of tools or staff. It was a lack of visibility into how identity weaknesses link together across an entire environment.

The Identity Chain Nobody Sees

Here is where it gets sneaky. Identity-based attacks rarely rely on one big vulnerability. They chain small things together.

A group membership in Active Directory that nobody reviewed in two years gives an attacker on a low-level retail computer a path to the corporate network. A cloud role that was created for a migration project still has its permissions active long after the project ended. An AI agent your dev team set up to work across systems inherited admin-level permissions because it was easier that way.

None of those things looks dangerous on its own. Together, they are a four-step route from “random attacker on the internet” to “full access to your production systems.”

Why This Keeps Happening

Most organizations already have good security tooling. They have systems that manage who gets access to what. They have tools that store passwords and monitor logins. Those tools work, but they work in isolation.

Often, none of these tools looks across your whole environment and asks: if an attacker gets into this one account, where would they go next?

That is the gap. And attackers exploit it constantly because they think in identity chains. They look for the path, not the door. The IBM X-Force 2026 Threat Intelligence Index found that stolen or misused credentials accounted for 32% of incidents last year, the second most common way attackers get in. The tools organizations rely on to stop that were not built to show how one stolen credential connects to the next system, and the one after that.

These identity-related breaches were enabled by gaps that existing tools should have caught. Organizations had the correct tools. They did not have clear ways to connect the dots between them.

You do not need to be a large enterprise to start connecting those dots. You need to be intentional and purposeful.

Where to Start Right Now

Here’s where people begin to address this identity abuse issue.

Review who has access to what, at least quarterly. Old accounts, unused roles, and forgotten credentials are gifts to attackers. Set a quarterly calendar reminder. Document every location where accounts live, and review that document before answering this question: have we added any new identity locations, entitlements, or software packages this quarter that need to feed into our quarterly reviews? After answering and updating your process document, go through your user lists and entitlements. If someone left six months ago and their account is still active, fix that today.

Apply the principle of least privilege. People and systems should only have the access they need to do their jobs. The developer who maintains your website does not need access to your payroll system. The simpler you keep permissions, the smaller your attack surface. This extends to administrative rights on laptops and workstations. Removing local administrative rights from all employees stops an accidental click on a phishing email from installing malware or granting remote access, because the account in daily use is unprivileged. For power users, consider a secondary privileged account reserved for emergency use, but make sure they are well trained and know when to use those privileges and when not to.

Check OAuth entitlements at least annually. As we mentioned in the 47 Apps have Access to your Microsoft or Google account blog, checking OAuth entitlements as part of your quarterly identity reviews will help you eliminate some of the third-party breaches we’ve witnessed in recent years.

Pay attention to your AI tools. Pay much closer attention to your AI tools. If your team uses AI agents or automation tools that connect to your systems, check what permissions those AI tools were given. The SpyCloud 2026 Identity Exposure Report found that roughly one-third of recovered non-human credentials were tied to AI tools, making AI agent access one of the fastest-growing categories of stolen identity in criminal markets. “Admin access for convenience” is not a valid argument.

Turn on multi-factor authentication on every system that supports it. A stolen password is much less useful to an attacker when they also need a second form of verification to get in. Better still is to mandate the use of passkeys when and where possible. As we wrote about in the DNS hijacking cases where foreign nation states compromise home routers, a passkey won’t grant access to Microsoft.com when it resolves to the nation state’s fake login page, while a password manager absolutely will be fooled.

Ask your IT provider or IT person specifically about identity risks. Show them this article. Ask them: “If someone got into one of our accounts today, where would they go from there?” The answer to that question will tell you a lot about where to focus next.
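As an added example that is not part of the original article, the script below answers the question just posed, and models the identity chain from the earlier section, by walking a small inventory of identities, groups, hosts, keys, roles and resources. The inventory, the account metadata and every name in it are constructed for illustration; a real run would load them from your directory, IAM and secrets tooling.

```python
from collections import deque
from datetime import date

# Constructed sample inventory (not from the article): node -> what holding it lets you
# reach next. Mirrors the article's chain: retail PC -> cached AWS key -> old role -> prod.
EDGES = {
    "user:store-clerk": ["host:retail-pc-07"],
    "user:contractor-old": ["group:domain-users"],
    "group:domain-users": ["host:retail-pc-07"],
    "host:retail-pc-07": ["aws-key:cached-key-01"],       # key left on disk
    "aws-key:cached-key-01": ["role:cloud-migration-2022"],
    "role:cloud-migration-2022": ["resource:prod-database", "resource:prod-backups"],
    "user:web-dev": ["resource:website"],
    "agent:ai-assistant": ["role:cloud-migration-2022"],  # "admin for convenience"
}

# Constructed review metadata: is the owner still employed, and when was it last used?
IDENTITIES = {
    "user:store-clerk":    {"active_owner": True,  "last_used": date(2026, 3, 20)},
    "user:contractor-old": {"active_owner": False, "last_used": date(2025, 9, 1)},
    "user:web-dev":        {"active_owner": True,  "last_used": date(2026, 3, 28)},
    "agent:ai-assistant":  {"active_owner": True,  "last_used": date(2026, 3, 29)},
}

def reachable(start, edges=EDGES):
    """Breadth-first walk: every node reachable from `start` and the shortest chain to it."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths

def stale_identities(identities=IDENTITIES, today=date(2026, 4, 1), max_idle_days=90):
    """Quarterly review: owner has left, or no sign-in within max_idle_days."""
    return sorted(n for n, m in identities.items()
                  if not m["active_owner"] or (today - m["last_used"]).days > max_idle_days)

def review(identities=IDENTITIES, edges=EDGES, critical="resource:prod-"):
    """Per identity: (name, is_stale, chain to the first critical resource), stale ones first."""
    stale, findings = set(stale_identities(identities)), []
    for name in identities:
        paths = reachable(name, edges)
        hits = sorted(n for n in paths if n.startswith(critical))
        if hits:
            findings.append((name, name in stale, " -> ".join(paths[hits[0]])))
    return sorted(findings, key=lambda f: (not f[1], f[0]))
```

Run `review()` and the first finding is the departed contractor whose still-active login reaches production through the cached key; the web developer never appears because nothing they hold leads to a production resource.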

Progress Over Perfection

Identity security sounds complicated, and the technical details do get complicated. But the core idea is simple: know who has access to what, remove access people do not need, and make it harder for someone with a stolen password to go anywhere useful.

You do not have to solve all of this at once. Deleting one old account, reviewing one set of permissions, and checking one AI tool is real progress, and that matters a lot.

The organizations that handle this well are not the ones with the biggest budgets. They are the ones that ask good questions and keep working through the small things before they become bigger problems.

You are already doing that by reading this article. Keep going and make it happen.


The post Your Identity Is Not Only a Front-Door Problem, It is an Internal Risk Too appeared first on CyberHoot.


By rooter
