Beyond employee credentials: how dormant identities magnify cyber risk
When TPG Telecom — Australia’s second-largest internet provider — recently disclosed that hackers had exploited employee credentials in its iiNet order management system, it reignited an uncomfortable truth: credentials remain the keys to the kingdom.
In this case, approximately 280,000 customer emails, 20,000 landline numbers, 10,000 iiNet usernames, addresses and phone numbers, plus 1,700 modem setup passwords, were accessed. While early investigations point to access through a stolen employee credential, it has not yet been confirmed whether the account belonged to a current or former employee. What is clear is that accounts left unmonitored – whether active, dormant, or orphaned – represent a critical weak point.
A mirrored warning across the industry… and the world
It’s tempting to treat such events as isolated. But this breach is just one example of a wider, escalating trend. Globally, identity-driven attacks are rising at pace, with investigations into credential misuse up more than 150% year-on-year.
Channel News Australia also highlights how this breach reflects a broader recurring pattern in the telecom sector. Telstra’s November 2024 breach exposed 47,300 employee records through stolen login credentials, while Tangerine Telecom’s February 2024 incident affected 230,000 customers after a contractor’s compromised credentials were used to access an unsecured database.
The reason is simple: attackers follow the path of least resistance, and credentials – whether active or dormant – are often that path.
The hidden surge in identities
The challenge is amplified by the explosion of digital identities in today’s enterprises. According to CyberArk’s 2025 Identity Security Landscape Report, organisations now have 82 machine identities for every single human identity. That’s a staggering ratio – and one that’s only increasing as cloud adoption, APIs, and automation reshape IT landscapes.
The 2024 CyberArk report also revealed that half of organisations expect their total identities to triple within a year, underscoring how rapidly this surface is growing. With so many identities created and so few properly monitored, dormant and unmanaged accounts have become a prime target.
The overlooked threat: dormant and hidden Identities
While most organisations focus on active accounts, the greater danger often lies in what’s not seen: dormant, hidden, or forgotten identities. These include:
Orphaned accounts left behind when staff move on, but access is never revoked.
Service accounts or API keys created for one project but never rotated or decommissioned.
Hidden or Dormant human identities tied to contractors, interns, or former employees
Learn more about the challenges of hidden identities and where to find them>
Unmonitored, these identities are still doors into your environment. They may not be in daily use, but they remain valid and exploitable.
Why they matter in a breach
When attackers get hold of a stolen credential, their next move is lateral exploration. Dormant identities give them shortcuts: overlooked accounts that may carry privileges, bypass monitoring, or evade regular MFA prompts. A single unmanaged identity can expand a minor credential theft into a full-scale data breach.
Building proactive identity hygiene
Protecting against credential misuse requires more than enforcing MFA and rotating passwords. It requires visibility: knowing every identity in your environment and ensuring none are left unmonitored. This means:
- Conducting regular identity audits across human and non-human accounts.
- Enforcing least privilege access and removing unnecessary entitlements.
- Automating account deprovisioning for staff exits and role changes.
- Continuously monitoring dormant accounts for signs of misuse.
See the unseen: free identity scan
At Avocado, we often find the biggest risks aren’t malicious insiders or external hackers – but the identities that simply fall through the cracks. To help organisations uncover them, we offer a free Identity Scan.
This quick, no-strings assessment highlights dormant, orphaned, or hidden accounts across your cloud environment. It gives you actionable insight before attackers do – a proactive step to reduce risk without disruption.
The Takeaway
The iiNet breach is another reminder that stolen credentials remain a favourite weapon for cybercriminals. But the real danger is not just in the accounts we use every day. It’s in the identities we’ve forgotten, neglected, or assumed were harmless.
You can’t secure what you don’t know exists. By surfacing hidden identities and acting before they’re exploited, organisations can build resilience and protect what matters most: customer trust, operational continuity, and reputation.
