The ‘Zombie’ Account: How a Former Employee’s Credentials Nearly Compromised a U.S. City’s Water Supply

A Backdoor Left Wide Open
In the world of cybersecurity, the most dangerous vulnerabilities aren’t always complex zero-day exploits or sophisticated AI-driven malware. Sometimes, the most catastrophic failure is simply a failure to delete a username. This was the case for an unnamed American city, where a “zombie” account—belonging to an employee who had left the organization years prior—became the primary gateway for a threat actor to infiltrate critical municipal infrastructure.
The breach was uncovered by Nicole Beckwith, senior director for security engineering and operations at the telemetry platform Cribl, who was brought in as a consultant to investigate the intrusion. What she found was a textbook example of poor identity and access management (IAM) that nearly resulted in a public health crisis.
From Projectors to Water Valves
The attack didn’t begin with a direct assault on the city’s most sensitive systems. Instead, the intruder took what Beckwith described as a “leisurely tour” of the network. The hackers initially spent time manipulating low-stakes endpoints, such as conference room projectors, essentially testing the fences to see what remained unguarded.
However, the stakes escalated rapidly when the attackers discovered they had access to the city’s water utility controls. Using the compromised credentials, the threat actor began switching off critical controls—an action that could have physically endangered the water supply or disrupted service for thousands of residents.
The Case of ‘Greg from Auditing’
During the forensic investigation, Beckwith traced the malicious activity back to a single user: “Greg from Auditing.” The immediate red flag was that Greg had not been employed by the city for several years. Despite his departure, his digital identity remained active, clinging to a level of privilege that was staggering even by the standards of an active employee.
The account retained domain administrator rights, the ability to perform help desk functions, and—most critically—SCADA (Supervisory Control and Data Acquisition) operator access. SCADA systems are the industrial control systems used to monitor and control the physical processes of infrastructure like water treatment plants and power grids. It remains unclear why a member of the auditing department would ever have required such expansive technical permissions, but the fact that they persisted years after his departure was the critical failure.
The Anatomy of a Credential Leak
The breach was likely not the result of a targeted phishing campaign against the city, but rather a consequence of “credential stuffing.” Beckwith speculates that Greg had used his official .gov email address to sign up for various third-party services and social media platforms. When those external sites suffered data breaches, Greg’s email and password were leaked into the wild.
Since Greg had apparently used the same password for his professional city account as he did for his personal accounts, the hackers simply had to try the leaked credentials on the city’s login portal. To the system, the attacker looked like a legitimate, high-privileged administrator.
The High Cost of Poor Housekeeping
This incident underscores a persistent gap in municipal IT governance: the deprovisioning process. While many organizations have robust onboarding procedures, the “offboarding” of digital identities is often neglected or handled inconsistently.
“The lesson, beyond the obvious ‘please, for the love of all that is holy, audit your dormant accounts,’ is that every forgotten user is an easy ticket to being on the 5 o’clock news,” Beckwith told The Register. She emphasized that quarterly access reviews should be mandatory, as the assumption that access is automatically terminated when a person leaves the building is often a dangerous fallacy.
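One way to run the dormant-account audit Beckwith recommends, as an added example that is not part of the original article or of Cribl's tooling: a Python script over a constructed directory export that correlates each enabled account with the HR roster, its last logon, and its privileged group memberships. The group names, usernames, dates and the 90-day dormancy threshold are assumptions made for the example. It also covers the edge case the article illustrates: an orphaned account that is still being logged on to, which a last-logon-only check would wave through.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Groups treated as high privilege (assumed names, not taken from the article).
PRIVILEGED_GROUPS = {"Domain Admins", "HelpDesk Operators", "SCADA Operators"}


@dataclass
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]            # None means the account has never logged on
    groups: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    username: str
    severity: str
    reasons: List[str]


def audit_accounts(accounts: List[Account], hr_active: Set[str], today: date,
                   dormant_days: int = 90) -> List[Finding]:
    """Return one Finding per enabled account that needs action in an access review."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # already deprovisioned; nothing to review
        orphaned = acct.username not in hr_active
        dormant = acct.last_logon is None or (today - acct.last_logon).days > dormant_days
        privileged = sorted(acct.groups & PRIVILEGED_GROUPS)

        reasons = []
        if orphaned:
            reasons.append("no active HR record")
            if not dormant:
                # Someone is still signing in with an ex-employee's identity. A check
                # based on last logon alone would never surface this account.
                reasons.append("logon activity after separation")
        if dormant:
            reasons.append(f"no logon in {dormant_days} days")
        if privileged:
            reasons.append("privileged groups: " + ", ".join(privileged))

        if orphaned and privileged:
            severity = "critical"
        elif orphaned or (dormant and privileged):
            severity = "high"
        elif dormant:
            severity = "medium"
        elif privileged:
            severity = "review"           # active holder; confirm the privilege is still needed
        else:
            continue                      # active, recently used, unprivileged: nothing to do
        findings.append(Finding(acct.username, severity, reasons))

    order = {"critical": 0, "high": 1, "medium": 2, "review": 3}
    return sorted(findings, key=lambda f: (order[f.severity], f.username))


# Constructed sample directory export and HR roster (not real data).
TODAY = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("greg.auditing", True, TODAY - timedelta(days=2),
            {"Domain Admins", "HelpDesk Operators", "SCADA Operators", "Auditing"}),
    Account("maria.water", True, TODAY - timedelta(days=1), {"SCADA Operators"}),
    Account("tom.parks", True, TODAY - timedelta(days=200), {"Parks Staff"}),
    Account("ann.it", False, TODAY - timedelta(days=400), {"Domain Admins"}),
    Account("sam.finance", True, TODAY - timedelta(days=10), {"Finance"}),
]
HR_ACTIVE = {"maria.water", "tom.parks", "sam.finance", "ann.it"}

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS, HR_ACTIVE, TODAY):
        print(f"{f.severity:8} {f.username:15} {'; '.join(f.reasons)}")
```

The HR roster is the authoritative input here: an account with no active employment record is flagged whether or not it has been used, and recent use of such an account raises the severity rather than lowering it. In a real deployment the two lists would come from a directory export and the HR system rather than from inline constants.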
For critical infrastructure, the stakes of this administrative oversight are far higher than a leaked email or a corrupted spreadsheet. When a zombie account has the power to manipulate water valves and chemical levels, basic IT housekeeping becomes a matter of public safety.