The Account Nobody Closed: How a Former Employee Still Had the Keys
When someone leaves your company, you collect their laptop and shake hands. But their access often lingers in a dozen systems nobody thinks about. A growing marketing agency learned this the hard way when a login belonging to an employee who had left four months earlier was used to download client files in the middle of the night.
The setup
The agency had grown fast and added tools as it went: a file-sharing service, a project tool, a CRM, a design app, and several others. Each was set up by whoever needed it first. When a designer left on good terms, HR closed the email account and assumed that was that. But the file-sharing login, set up with a personal-style password and no central control, kept working.
The trigger
The exact source was never confirmed. The password may have been reused and leaked, or simply remembered. Either way, the still-active account was used to pull down a large set of client files. The agency only noticed because a client asked why their confidential materials had been downloaded at 3 a.m. by a name they recognized as a former employee.
Why it worked
- No offboarding checklist. Closing email was treated as closing access. It was not.
- No inventory of accounts. Nobody had a single list of every tool and who could log in.
- Logins managed app by app. Without central sign-on, each tool was its own forgotten door.
- No alerting on unusual activity. A large after-hours download by a dormant account raised no flag.
The fix, and what it would have cost
A one-page offboarding checklist, a simple inventory of every tool and account, and central single sign-on so access can be cut in one place would have closed this gap entirely. For a small business these are low-cost, mostly one-time efforts. The agency instead faced an awkward client conversation, a review of what else might be exposed, and real damage to a relationship it had spent years building.
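Two of the missing controls, the account inventory and the alert on unusual activity, can be sketched in a few lines. This is an added example, not something from the agency or the original article; the staff names, tools, thresholds and log events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: every name, tool and event here is illustrative.
ACTIVE_STAFF = {"alice@agency.example", "bob@agency.example"}
INVENTORY = [  # (tool, account): the single list of logins nobody had
    ("email", "alice@agency.example"),
    ("file-sharing", "alice@agency.example"),
    ("file-sharing", "dana@agency.example"),  # designer who has left
    ("crm", "bob@agency.example"),
]
EVENTS = [  # (timestamp, account, files downloaded) from a file-sharing audit log
    ("2024-01-10T14:05:00", "dana@agency.example", 3),
    ("2024-05-10T10:15:00", "alice@agency.example", 12),
    ("2024-05-14T03:02:00", "dana@agency.example", 480),
    ("2024-05-14T20:30:00", "alice@agency.example", 5),
]

def orphaned_accounts(inventory, active_staff):
    """Logins that still exist in some tool but belong to nobody on staff."""
    return sorted((tool, acct) for tool, acct in inventory if acct not in active_staff)

def suspicious_downloads(events, dormant_days=30, bulk_files=100, work_hours=(7, 19)):
    """Alert when at least two signals coincide: dormant account, after-hours, bulk."""
    last_seen, alerts = {}, []
    for ts, acct, files in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        reasons = []
        prev = last_seen.get(acct)
        if prev and when - prev > timedelta(days=dormant_days):
            reasons.append("dormant")
        if not work_hours[0] <= when.hour < work_hours[1]:
            reasons.append("after-hours")
        if files >= bulk_files:
            reasons.append("bulk")
        if len(reasons) >= 2:
            alerts.append((ts, acct, reasons))
        last_seen[acct] = when
    return alerts

if __name__ == "__main__":
    for tool, acct in orphaned_accounts(INVENTORY, ACTIVE_STAFF):
        print(f"offboarding gap: {acct} still active in {tool}")
    for ts, acct, reasons in suspicious_downloads(EVENTS):
        print(f"alert {ts}: {acct} ({', '.join(reasons)})")
```

The inventory check is the one to run on a schedule, since it finds the forgotten login before anyone uses it; the download alert only fires once files are already leaving.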
Access you forget about is still access. Knowing who can reach your systems, including people who left, is a core part of any security review.