Dormant Accounts and Forgotten Credentials: The Small Business Blind Spot That Just Cost 200 Companies Their Data
The Klue breach used a 4-year-old credential to hit 200 companies. Here's why small businesses have the same problem, and a 30-minute audit to fix it.
On June 12, 2026, a hacking group called Icarus walked into Klue, a market intelligence platform used by large sales teams. They did not exploit a zero-day. They did not phish anyone. They logged in with a credential that Klue had issued back in 2022 for a "limited pilot" and then forgot about. That credential had been sitting live and unwatched for roughly four years. Once inside, Icarus used it to generate OAuth tokens for Klue's connected Salesforce environments and exfiltrated data in bulk from around 195 to 200 companies, including LastPass, BeyondTrust, Jamf, HackerOne, Snyk, Tanium, Huntress, Gong, OneTrust and Sprout Social.
Read that again. One forgotten login. Two hundred companies. Some are the exact security vendors other businesses trust to keep them safe.
If you own a small business and you are thinking "that is a big-company problem," this post is for you. The reason the Klue breach worked is the same reason small businesses get quietly hollowed out every week. Nobody was watching a credential that everyone had stopped thinking about. Your business has the same problem. It is called the dormant account problem, and it is the biggest visibility gap most small teams have without knowing it.
What actually happened at Klue
The technical details are worth understanding, because they translate directly to your business.
Klue is a SaaS product that plugs into other SaaS products. Sales teams connect their Salesforce, HubSpot or Slack accounts to Klue so it can pull in competitor intelligence. To do that, Klue holds authentication tokens for those connected accounts. When Icarus got in, they did not just steal Klue's own customer list. They used Klue's stored tokens to reach into every connected Salesforce instance and pull data out.
The entry point was a service account credential from a 2022 pilot. Nobody remembered it existed. It had no owner. It was never rotated. It never triggered a login-anomaly alert because dormant accounts do not have a baseline for "normal" activity. The moment an attacker used it, the system treated the traffic as legitimate.
Roughly a month after the initial breach, companies were still confirming exposure. LastPass has stated its products, services and infrastructure were not affected and that customer vaults remain secure. The exposure was limited to business contact and CRM data. That is the good news. The bad news is that a credential nobody was watching handed attackers a foothold into hundreds of companies, and the pattern is now being copied.
Why this is a small business problem
You are not Klue. You do not run a SaaS platform. So why does this matter for a 10-person accounting firm or a 5-person marketing agency?
Because you have the same category of blind spot, just on a smaller scale. Every small business accumulates logins the way a garage accumulates cables. The trial from 18 months ago. The MailChimp account someone set up before you moved to Klaviyo. The Xero account with the ex-bookkeeper still listed. The Slack workspace admin credential that was created for the founder and then handed to the office manager and then never handed back. The vendor portal login for the printer you replaced two years ago.
Each of those is a Klue-style credential in miniature. Small in isolation. Devastating when an attacker finds one that still works and it happens to have OAuth connections to Google, Microsoft or your file storage.
The numbers back this up. Research published in 2026 found that on average, 1 in 8 employee accounts in a typical organisation is dormant, and 88% of organisations have "ghost users," which are stale but enabled accounts that still retain access to sensitive data. In June 2026 alone, researchers found an unsecured database sitting in the open with more than 24 billion stolen username and password combinations built from years of infostealer malware. Because roughly nine in ten people reuse passwords somewhere, attackers only need to find one match against your dormant accounts to get in.
For a business with fewer than 500 employees, the average cost of a breach is now $3.31 million, up 13.4% year over year. That number does not care whether your dormant account was strategic or an oversight. And it is not a rare event: one in four small businesses got hit last year.
The four kinds of forgotten credentials in a small business
Not every dormant credential is the same. If you want to find yours, it helps to know what you are looking for. In every small business we see, dormant credentials fall into one of four buckets.
1. Ex-employee accounts that are "sort of" offboarded
Someone left the business six months ago. You disabled their email. You feel like the job is done. But their Xero login still works. Their Canva account is still active. The Google Workspace shared drive still shows them as a member of three folders. Their Slack Connect messages to your customers still surface their old avatar.
Disabling one login does not disable the rest. Research on account offboarding in 2026 found that 89% of ex-employees retain some form of access to a former employer's systems after the "official" offboarding is complete. Every one of those accounts is a Klue credential waiting to be used.
2. Free trials and pilots that never got cancelled
Every small business does this. Someone signs up for a project management tool to see if it fits. It does not. They stop opening it. Nobody cancels the account. Twelve months later, the login is still active, the trial has quietly rolled into a paid tier, and the tool still has OAuth access to your Google Drive from the original signup.
The Klue credential began life exactly this way. A pilot, quietly extended, never revoked.
3. Vendor and contractor accounts you never revoked
The web designer who built your site three years ago probably still has a WordPress admin login. The bookkeeper who left in 2024 might still be listed as a user on your accounting software. The marketing agency you fired last year may still have a token on your ad account.
These are the hardest to see because they are often not "your" accounts. They live in vendor portals, third-party dashboards and integration settings you rarely open. But an attacker who compromises the vendor gets the same access the vendor had to you. That is the third-party breach pattern the 2026 Verizon DBIR flagged as doubling year over year.
4. Service accounts and integrations nobody documented
This is the Klue category. Somebody, at some point, set up an API key so a form on your website could send leads to your CRM. Somebody else connected Zapier to Slack. A previous IT contractor plugged your backup tool into your cloud storage. It is the connected-tool cousin of shadow AI: access granted with good intentions, then forgotten.
These credentials have no human owner. They do not show up in your "users" list because they are integrations. Nobody has thought about them since the day they were created. Research in 2026 found that for every human user, there can be as many as 40 service accounts, many of them undocumented.
Why you cannot see them
The core problem is not laziness. The core problem is that no single screen shows you all of it.
Your Google Workspace admin console shows you Google accounts. It does not show you the Dropbox account someone signed up for with their Google login three years ago. Your Xero shows you Xero users. It does not show you the ex-bookkeeper still listed on the bank feed. Your Slack shows Slack users. It does not show you the four other tools each of those users signed into using their Slack account as SSO.
Every SaaS tool sees its own slice. None of them see the whole picture. You are the only person who could, in theory, connect the dots. And you are also the person running the business, closing the sales, and doing everything else. So you don't.
The Klue attackers exploited exactly this gap. The credential they used was not hidden. It was in Klue's database, in a table someone at Klue could have looked at. The problem was that nobody had a reason to look, and no automated system flagged it as "still enabled after four years of zero use." Your business has the same gap.
A 30-minute account audit any small business can run
You do not need a fancy identity platform to make progress on this. Do the first pass by hand — a spreadsheet is fine for this one job — and work through the five steps below. That first manual audit is how you learn what your business actually has. Then stop maintaining the spreadsheet. For every audit after that, hand the grunt work to an AI agent like Claude Cowork: give it last quarter's list plus your current bank statements and user screens, and ask it to come back with the outliers — new tools, new logins, accounts nobody has touched in months. You make the revoke decisions. The agent does the comparing.
Step 1. List every tool your business pays for. Pull your last 12 months of credit card and bank statements. Every SaaS charge is a tool that has at least one login. Write them all down. Add anything you use for free, like Google, Slack, Canva or Zoom. You will be surprised at the length of this list. Most small businesses find between 40 and 80 tools.
Step 2. For each tool, open the users or team screen. Every SaaS product has one. It is usually under Settings, Team, Users or Admin. Look for anyone listed who no longer works for you. Look for anyone listed who you do not recognise. Look for anyone listed as "invited" but never joined. Write those names down next to the tool.
Step 3. Check the connected apps or integrations screen. In Google Workspace, this is under Security, then API controls, then Manage third-party app access. In Microsoft 365, look inside the Entra ID admin center under your registered and installed apps. In Slack, it is under Apps. Every OAuth connection you find that you do not immediately recognise is a candidate for removal.
Step 4. Check billing history for tools you no longer use. Sometimes a tool you cancelled is still charging you because you cancelled the wrong plan. If you are still paying, the account is still live and probably still connected to your other systems.
Step 5. Revoke, disable or delete anything you cannot justify. Not tomorrow. Now. Every credential you remove is a Klue you avoided.
That is it. First time through, expect two to three hours. After that, a quarterly re-run with an agent doing the comparison work takes about 30 minutes, and most of that is deciding what to revoke.
Making it a habit, not a heroic effort
The reason dormant accounts pile up is that the person best placed to notice them is also the busiest person in the business. The audit gets skipped, the credentials pile up, and the next Klue-style breach lands on someone who did not have visibility either.
The habits that actually work in a small business are the ones that require almost no effort once they are set up:
- When someone leaves, run every SaaS tool on your list, not just email.
- When you start a trial, set a calendar reminder for the day before it ends. If you have not adopted the tool, cancel and revoke.
- Every quarter, block 30 minutes to re-run the audit and deal with the outliers it surfaces.
- Every year, close the account for anything you have not opened in six months. Do not just cancel the subscription.
Where Vera fits
Vera is a dashboard built for small businesses that do not have a dedicated IT person. One of the things it does is give you a single place to see your team, your assets, your software licences and your data exposure without having to log into 60 admin panels one at a time.
If you are running a business with 5 to 20 staff, the account audit above is a great starting point. Vera is designed for the follow-up. It tracks the software you are paying for, the accounts you have on file, the breaches your team's emails appear in, and the assets tied to each person. When someone leaves, you have a checklist. When a new tool appears in your bank statement, you can add it. When your team's credentials show up in a breach dump, you know before an attacker does.
It will not find every dormant OAuth token by itself. Nothing will, because no software has a full view of every SaaS product on Earth. But it removes the biggest reason small businesses skip the audit in the first place, which is that the information is scattered across too many places to keep track of.
If you want to see how it looks, verait.io walks you through it in a few minutes.
The bottom line
The Klue breach is not a story about a sophisticated attack. It is a story about a credential that everyone forgot existed. That is the same story that plays out, quieter and smaller, in thousands of small businesses every month. The attackers who cascaded through 200 companies via Klue are already looking for the next Klue. Some of them will find it in a business much smaller than Klue, using a login that a founder set up in 2023 and hasn't thought about since.
You cannot secure what you do not know about. Spend 30 minutes this week finding the dormant accounts in your business. If you want a quick read on where the rest of your setup stands, the free IT health checkup takes about five minutes. Then build the habit of not letting them pile up again. That single step puts you ahead of most businesses your size, and it is the difference between reading about a breach and being in one.