Case Study: A Password Almost Cost This Company Everything

March 18, 2026


If you ended an IT vendor relationship three years ago, how do you know for certain their access is gone? If there's any hesitation in your answer, keep reading.


Our NOC caught it at 2:00 AM before a single file moved. 


The client profile



  • Industry: Large-Scale Professional Services/Manufacturing
  • Scale: 100+ Users

The problem:

A high-growth environment with a decade of accumulated vendor relationships and "ghost" access. The kind of company that had grown fast, onboarded a lot of outside help along the way, and (like most companies at that stage) had never had the time or process to properly unwind any of it.

The lesson here:

Vendor risk won’t always show up in a highly chaotic attack. In fact, it often hides in plain sight. It is a quiet, 10-year-old account that stays active just because "it has always been that way."


Here's exactly how it happened, how Hyperion took action, and why most companies wouldn't have been so lucky.


1. The Discovery: A 3:1 Account-to-User Ratio


When the Hyperion team started onboarding this client, we did what we always do first: pull a full audit of their Active Directory.


We expected to find around 100 accounts. We found 317. All active and ALL with remote access enabled.


It sounds alarming and very surprising, but it's more common than most companies would like to admit. Vendors come and go, employees turn over, systems get migrated... it’s inevitable. Nobody wants to touch accounts that seem to just work. After all, nothing is malfunctioning.


But over a decade, that avoidance is extremely dangerous. What starts as reasonable caution (don't break what isn't broken) turns into an attack surface three times larger than it should be, filled with accounts nobody can confidently vouch for.


In long-established environments, this "Account Sprawl" is a silent killer. It creates a massive Attack Surface, making it nearly impossible to distinguish a legitimate login from a malicious one.


2. The Red Flag: The "Untouchable" Accounts


Buried in the documentation were accounts flagged with notes like "DO NOT CHANGE" or "DO NOT ROTATE PASSWORD."


To an untrained eye, these look like essential system accounts: touch them, and something "breaks." That's exactly what those notes imply, and it's exactly why they work, not as protection, but as a deterrent to anyone who might otherwise ask questions.


The truth is usually less interesting. These notes get added for a specific reason at a specific moment, the reason gets forgotten, and eventually the note itself becomes the justification. Nobody touches it because the note says not to. The note stays because nobody's touched it. Years pass.


To our surprise, one of those accounts belonged to a vendor the company had fired ten years ago. The vendor was gone. The relationship had ended badly, apparently. But the account was still there (still active, still enabled for remote access) because it had a note on it, and because offboarding, at that company, had never been a documented process. It lived in someone's memory. That person had probably left years ago.
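
A sketch of the kind of account audit described in sections 1 and 2, added here as an illustration and not Hyperion's own tooling. It assumes the directory's user accounts have been exported to CSV; the column names, sample rows, thresholds and the `audit_accounts` helper are all constructed for this example.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample export; column names are assumptions modelled on
# common Active Directory user attributes.
SAMPLE_EXPORT = """SamAccountName,Enabled,PasswordLastSet,LastLogonDate,PasswordNeverExpires,Description
jsmith,True,2026-01-10,2026-03-01,False,Accounting
svc_backup,True,2025-12-01,2026-03-02,False,Backup service
vendor_acme,True,2016-02-11,2016-04-20,True,DO NOT CHANGE - vendor access
old_temp,False,2019-05-05,2019-06-01,False,Disabled temp
scanner01,True,2017-08-30,2026-02-27,True,Do not rotate password
"""

# Matches the "DO NOT CHANGE" / "DO NOT ROTATE PASSWORD" style of note.
HANDS_OFF = re.compile(r"do\s+not\s+(change|rotate)", re.IGNORECASE)

def audit_accounts(csv_text, today, max_password_age_days=365, max_idle_days=180):
    """Return {account: [reasons]} for enabled accounts that need an owner review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"] != "True":
            continue  # disabled accounts cannot log in; out of scope here
        reasons = []
        pw_age = (today - datetime.strptime(row["PasswordLastSet"], "%Y-%m-%d")).days
        idle = (today - datetime.strptime(row["LastLogonDate"], "%Y-%m-%d")).days
        if pw_age > max_password_age_days:
            reasons.append(f"password unchanged for {pw_age} days")
        if idle > max_idle_days:
            reasons.append(f"no logon for {idle} days")
        if row["PasswordNeverExpires"] == "True":
            reasons.append("exempt from password expiry")
        if HANDS_OFF.search(row["Description"]):
            reasons.append("hands-off note in description")
        if reasons:
            findings[row["SamAccountName"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit_accounts(SAMPLE_EXPORT, datetime(2026, 3, 18)).items():
        print(f"{name}: " + "; ".join(reasons))
```

Every flagged account should end the review with a named owner and a documented reason to exist, or be disabled.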


3. The Hidden Vulnerability: Password Reuse


Here's where it gets worse. 


Neither the client nor Hyperion knew the most dangerous detail: The fired vendor had reused the same password across multiple clients.


It's an incredibly common habit, especially among smaller vendors and contractors who are managing access to dozens of environments and leaning on muscle memory to get through their day.


When their credentials eventually surfaced somewhere else (through a breach at another client, a leaked database, or a successful phishing attempt) that same password still worked perfectly on our client's network. Valid credentials with a clean login, no failed attempts, and no brute force. None of it looked like an attack from the outside.


30% of breaches involve a third-party compromise (Verizon DBIR).


Even if your company’s security is tight, you are only as secure as your vendor's worst habit. Because that account was excluded from password rotations for a decade, a single leaked credential from that vendor’s other clients became a valid key to our client’s network.


4. The 2:00 AM Intervention


At Hyperion, our Stability, Security, and Operations pillars are active around the clock. When the compromise finally happened, it didn't look like a hack.


The attackers didn't have to "guess." They had a valid, 10-year-old credential.


How we caught it: At 2:00 AM, our Network Operations Center (NOC) flagged a successful VPN login.


But we had context. During onboarding, we had specifically flagged that account, documented it as an unresolved risk, and noted that it should never generate activity. 


When it did, we knew exactly what we were looking at, and we didn't wait.


We treated it as an active incident, terminated the session, and locked down the environment before any data could be exfiltrated.
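
The detection idea in this section, as an added example rather than Hyperion's actual NOC rule: a failed-login threshold sees nothing when the credential is valid, while a watchlist of accounts that should never generate activity fires on the first event. The log format, account names and function names are assumptions, and the sketch goes slightly beyond the text by also flagging failed attempts on watchlisted accounts.

```python
import re
from collections import Counter

# Hypothetical accounts recorded at onboarding as "must never generate activity".
WATCHLIST = {"vendor_acme", "old_contractor"}

# Constructed VPN log lines in an assumed key=value format (not a real product's).
SAMPLE_LOG = """\
2026-03-18T01:58:12Z vpn auth=failure user=jsmith src=198.51.100.7
2026-03-18T01:59:40Z vpn auth=success user=jsmith src=198.51.100.7
2026-03-18T02:00:03Z vpn auth=success user=VENDOR_ACME src=203.0.113.45
2026-03-18T02:04:51Z vpn auth=success user=mlee src=192.0.2.19
"""

LINE = re.compile(
    r"^(?P<ts>\S+) vpn auth=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def brute_force_alerts(log_text, threshold=5):
    """Baseline rule: users with at least `threshold` failed logins."""
    failures = Counter(
        e["user"].lower() for e in parse(log_text) if e["result"] == "failure"
    )
    return sorted(u for u, n in failures.items() if n >= threshold)

def watchlist_alerts(log_text, watchlist):
    """Any authentication event for a watchlisted account, success or not."""
    alerts = []
    for e in parse(log_text):
        if e["user"].lower() in watchlist:  # account names compared case-insensitively
            severity = "critical" if e["result"] == "success" else "high"
            alerts.append({**e, "severity": severity})
    return alerts

if __name__ == "__main__":
    print("brute-force rule:", brute_force_alerts(SAMPLE_LOG))
    for a in watchlist_alerts(SAMPLE_LOG, WATCHLIST):
        print(f'{a["severity"].upper()} {a["ts"]} {a["user"]} from {a["src"]}')
```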

Our Three-Pillar Breakdown: How We Work

| Pillar | The Risk We Found | The Hyperion Solution |
|---|---|---|
| Stability | 300+ accounts made permissions impossible to troubleshoot. | Cleaned up stale accounts, making the network predictable. |
| Security | A 10-year-old password bypasses all perimeter defense. | Layered MFA and mandatory rotation. No "permanent exceptions." |
| Operations | Offboarding was a "memory test," not a process. | Implemented a repeatable Vendor Offboarding SOP. |

The Critical Question for Your Business

If you ended a contract with a vendor five years ago, are you 100% sure their access is gone? Not "probably." Not "I think so." Sure.


Because if the answer is anything other than yes (if there's even a moment of hesitation) you have the same exposure this client had. An open door from a relationship that ended years ago, attached to a password you didn't create, can't see, and have no way to control.


If you have even one "Do Not Change" account in your environment, you are betting your business on a password you didn't create and cannot verify.
