“Ghost users” are accounts that remain active on the corporate network even though the employees they belonged to have left the company. Ghost users are also called “ghost accounts”.


If ghost users don’t sound like things that should be on your network, it’s because they shouldn’t. It’s obviously not a great idea for former employees to have ongoing access to your corporate network. But the bigger risk is a cyberattack. Criminals seek out ghost users’ credentials when trying to encrypt or steal company data – they know that suspicious network behavior from such an account is less likely to be detected, since the account is probably not anyone’s primary account. Security-conscious IT teams know this, so they try to ensure that user accounts are disabled as soon as users leave the company.

Despite IT’s efforts, many networks still have ghost users floating around. The most obvious reason for this is a process failure – somebody didn’t follow through on notifying the IT team that an employee left, or the IT team didn’t follow through on deleting that employee’s account.

But ghost users aren’t always inactive, and they aren’t always left around by accident.  When high-level employees leave, their accounts are sometimes intentionally left active.  That’s because those credentials are used to access important computers or software tools – and shifting access to all of those assets over to other employees is a lot of work.  In some cases, IT teams might not even be able to shift access to each asset when a long-time employee leaves, because they may not know about all of them; sometimes systems requiring a departing employee’s credentials are poorly documented.

So the former employee’s account is left active to avoid crippling “surprise” lockouts. The person who inherits the former employee’s role also inherits their dormant login credentials (if their role is split up, several people might inherit them) and is told to try these old credentials whenever they need access to a system that doesn’t recognize their own credentials.

It’s an easy solution that creates big problems.

Here’s How Ghosts Take Down Networks

As mentioned earlier, the biggest risk that ghost users present is that these accounts are compromised much more frequently than the accounts of active users. Here are five reasons they’re especially prone to attack:

Ghost accounts are often unmonitored accounts.

If the account is used at all, it’s only used occasionally. Because of this, if the account is hacked, it’s likely to be weeks or months before anyone notices.

Ghost accounts are likely to have high-level network access.

If the account was intentionally left active, it was probably because it had access to tools that most other accounts didn’t.

Ghost accounts were last actively managed years ago.

Because of this, they are less likely to have newer security features like multi-factor authentication enabled.

Ghost accounts that are still in use are often being shared.

Sharing account credentials is a bad idea. Shared accounts grant greater access than is necessary for some users, are less likely to have multi-factor authentication enabled, and make it more difficult to determine the source of a breach (even if the employees sharing the account are innocent of any wrongdoing and the credentials were stolen by an external party).

Ghost accounts perpetuate bad habits.

One-user, one-account policies help to ensure that access permissions are understood, well-documented and limited only to those that need it. The opposite is true when multiple users each juggle several accounts to access various company hardware and software.  Over time, these users are left with a messy web of widely shared passwords and account lockouts, creating a drag on productivity and a security risk.

Worth the Effort

Cleaning up access to a network with many ghost users can be a significant undertaking. It’s also time-consuming to shift access to multiple systems to new users when a high-level employee leaves. It’s easier to maintain appropriate user permissions on an already well-maintained network, although it does require focus and prioritization.

But the most costly scenario of all is dealing with a network breach – and unfortunately, each ghost user on your network increases the odds of that becoming a reality. It is well worth the time to have your IT support team investigate to see what ghost accounts may exist in your organization, create a plan to eliminate them and then also build a process to prevent future ghost users. This will greatly increase your protection from having ghost users come back to haunt you later on.
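
One way to start the investigation described above, shown as an added example rather than WingSwept's own tooling: cross-reference a directory export against the current HR roster and rank each enabled account with no current owner by the risk factors listed earlier. The column names, the 90-day dormancy threshold, and the "several logon hosts suggests sharing" heuristic are assumptions, and both data sets are constructed samples.

```python
import csv
import io
from datetime import date

# Constructed sample: HR roster of people currently employed.
HR_ROSTER = """employee_id,name
1001,Ana Ruiz
1003,Dev Patel
"""

# Constructed sample: directory export (column names are assumptions).
DIRECTORY_EXPORT = """account,employee_id,enabled,privileged,mfa,last_logon,logon_hosts
aruiz,1001,true,false,true,2024-05-30,WS-014
bchen,1002,true,true,false,2024-05-28,WS-007;WS-021;WS-033
dpatel,1003,true,false,true,2024-05-31,WS-009
ekhan,1004,true,false,false,2023-01-12,WS-002
fmoss,1005,false,true,false,2022-11-03,WS-040
"""

def find_ghost_accounts(hr_csv, dir_csv, today, stale_days=90):
    """Return enabled accounts whose owner is not on the HR roster, riskiest first."""
    current = {r["employee_id"] for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(dir_csv)):
        # Disabled accounts and accounts of current staff are not ghosts.
        if acct["enabled"] != "true" or acct["employee_id"] in current:
            continue
        flags = []
        if acct["privileged"] == "true":
            flags.append("privileged")
        if acct["mfa"] != "true":
            flags.append("no-mfa")
        idle = (today - date.fromisoformat(acct["last_logon"])).days
        hosts = [h for h in acct["logon_hosts"].split(";") if h]
        if idle <= stale_days:
            flags.append("still-in-use")          # someone is logging in as a leaver
            if len(hosts) > 1:
                flags.append("possibly-shared")   # heuristic only, needs follow-up
        else:
            flags.append("dormant")
        findings.append({"account": acct["account"], "idle_days": idle, "flags": flags})
    return sorted(findings, key=lambda f: len(f["flags"]), reverse=True)

if __name__ == "__main__":
    for f in find_ghost_accounts(HR_ROSTER, DIRECTORY_EXPORT, date(2024, 6, 1)):
        print(f["account"], f["idle_days"], ",".join(f["flags"]))
```

Accounts flagged "still-in-use" are the intentionally retained ones: before disabling them, document which systems depend on them and move that access to named individual accounts.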

To learn how WingSwept’s security offerings can help keep your network better protected, call us at 919-460-7011 or email us at Team_WingSwept@WingSwept.com.