A license audit caught the breach
A six-week account takeover surfaced during a license audit. The detection vector defines the control failure.
An account takeover ran for six weeks before anyone noticed. Detection did not come from a security control. It came from a license audit. That sequence defines the failure.
The audit was scheduled as administrative work. Confirm seat counts, reconcile entitlements, close out unused licenses. It was not designed to surface compromise. It surfaced compromise anyway. That is the only reason this incident has an end date.
On the available evidence, six weeks of access went unidentified by every control nominally responsible for catching it. The detection mechanism was an accounting exercise. Treat that as the headline finding. Everything that follows is downstream of that one fact.
The operating assumption was that identity governance worked on its own. Provision a user, assign entitlements, trust the directory. Validation of who actually held what access was not part of any recurring control. License audits were treated as procurement hygiene, not security telemetry. The two functions were budgeted, staffed, and scoped as if they had nothing to say to each other.
The second assumption was that anomalous account behavior would surface through monitoring. Whether monitoring was in place at sufficient depth is not confirmed. What is confirmed is that whatever monitoring existed did not detect six weeks of takeover activity. Either the signals were absent, the thresholds were wrong, or no one was reviewing the output. Each of those is a control failure with a different root cause and a different remediation path. The incident does not tell us which one applied.
The third assumption was that audits and security operate on separate planes. The audit team checks compliance. The security team checks threats. In this case the audit team did the security team’s job by accident. That is not a model. That is luck. A program that depends on the wrong team finding the right thing is not a program.
The audit produced a finding that an account held access it should not have held. The specific access path is not confirmed in the available facts. What is confirmed is that the access was unauthorized and that the account had been operating under that access for six weeks. The persistence of that access across that interval is the technical finding. Whether the takeover involved credential compromise, session hijack, token theft, OAuth abuse, or insider misuse is not confirmed. The mechanism matters for response scoping. It does not change the control gap.
The detection vector changed nothing about the underlying control surface. The same gaps that allowed six weeks of undetected activity remain in place for every other identity in the environment. The audit caught one account. It did not catch a category of failure. The directory still trusts its own assignments. The monitoring stack still produced no actionable signal across the full interval. The access review cadence, if one existed, did not fire inside that window.
What did change is the assumption that license audits are low-stakes work. They are now a detection channel by demonstrated capability. That is a problem, not a win. A detection channel that runs on a quarterly or annual cadence cannot bound dwell time below that cadence. Six weeks was the lower bound on this discovery only because the audit happened to land when it did. The next takeover may run until the next audit fires. Detection by audit is not a control. It is the absence of one.
The failure mechanism is straightforward. Access assignments were treated as durable state. Once granted, they were trusted until something else inspected them. Nothing was scheduled to inspect them as a security function. The directory held the assignment. The assignment held the access. The access held for six weeks. No layer in that chain was responsible for asking whether the assignment still matched intent.
This is a continuous validation gap. Identity was the boundary, but the boundary was set once and never re-asserted. Whether the original assignment was correct or the account was later compromised is not confirmed. Either path produces the same outcome under this design. A correct assignment that becomes incorrect through compromise is indistinguishable from an incorrect assignment that was never reviewed, because no review mechanism exists to separate them. The control surface does not differentiate. That is the drift.
The second mechanism is detection ownership. Detection of anomalous access was implicitly assigned to monitoring. Monitoring did not fire across a six-week window. Whether signals existed, whether thresholds were tuned, and whether output was reviewed is not confirmed. What is confirmed is that the output produced no action. A detection function that produces no action across the duration of the event is not detecting. It is logging. The distinction is operational. The audit team, with no detection mandate, produced the action. The mandated function did not.
The same mechanism applies to every assignment-based trust relationship in the environment. Service account permissions granted for a project that ended. API keys issued for an integration that was decommissioned. Group memberships inherited from a role the user no longer holds. OAuth grants approved for an application no longer in use. Each of these is an assignment that persists past its validating context. Each is invisible to controls that only check whether the assignment exists, not whether it should.
The pattern extends to any control that is asserted at provisioning time and never re-asserted. Network segmentation rules written for a deployment that has since changed shape. Firewall exceptions opened for a vendor relationship that has lapsed. Conditional access policies scoped to identities that have shifted role. The assignment outlives the justification. The control inherits trust it can no longer earn.
The detection parallel is the same. Any function that depends on a non-security process to surface a security finding is operating on the same model that failed here. Cost reviews that catch unused infrastructure with active credentials. Procurement reconciliations that surface vendor accounts no one closed. Capacity reviews that find compute running workloads no one owns. These are detection channels by accident. They run on cadences set by other functions for other reasons. Dwell time is bounded by their schedule, not by threat model.
The license audit did not detect a breach. It detected a control gap that had already been exploited for six weeks. The breach is the symptom. The gap is the finding. Conflating the two produces a remediation scope that closes one account and leaves the mechanism intact.
What must now be true is that access validation is a security control with a defined cadence, owner, and signal output. Not an audit byproduct. Not an annual reconciliation. A control. If the cadence is longer than the acceptable dwell time for access, the cadence is wrong. If the owner is procurement, the owner is wrong. If the signal output does not reach the team responsible for response, the signal does not exist.
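What that control looks like in practice, for the assignment types listed earlier and for the cadence and signal-output requirements just stated: the following is an added example written for this post, not code from the incident or from any product. It reconciles each directory assignment against the context that justified it (a current role, an active project) and emits a finding whenever the justification no longer holds. The role table, principals, entitlements and dates are constructed sample data; the `role:` and `project:` justification labels are an assumed convention, not a real directory schema. The dwell bound on each finding is deliberately derived from the control's own last run, which is the point the article makes: a validation that runs every N days can never say an assignment has been wrong for less than N days.

```python
"""Access-assignment drift check.

Added example for this post, not the incident's own tooling. Every record
below is constructed; the 'role:' / 'project:' justification labels are an
assumed convention standing in for whatever the directory records.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Assignment:
    principal: str        # user, service account, API key owner, OAuth client
    entitlement: str      # group, permission, key scope, OAuth grant
    justification: str    # context that validated the grant, e.g. "role:sre"
    granted: date


@dataclass(frozen=True)
class Finding:
    principal: str
    entitlement: str
    reason: str
    undetected_up_to_days: int   # bound set by this control's cadence, not by the threat


# Constructed stand-ins for the HR system, the directory and the project register.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "expense-approve"},
    "sre": {"prod-ssh", "pagerduty-admin"},
}
CURRENT_ROLE = {"alice": "finance-analyst", "bob": "sre"}   # carol has been offboarded
ACTIVE_CONTEXTS = {"project:billing-migration"}              # project:legacy-sync has ended
ASSIGNMENTS = [
    Assignment("alice", "erp-read", "role:finance-analyst", date(2024, 1, 10)),         # correct
    Assignment("alice", "prod-ssh", "role:finance-analyst", date(2024, 3, 2)),          # not implied by role
    Assignment("bob", "prod-ssh", "role:finance-analyst", date(2023, 11, 5)),           # role changed since grant
    Assignment("carol", "expense-approve", "role:finance-analyst", date(2023, 8, 1)),   # principal gone
    Assignment("svc-sync", "db-write", "project:legacy-sync", date(2023, 6, 15)),       # project ended
    Assignment("svc-bill", "db-write", "project:billing-migration", date(2024, 2, 1)),  # correct
]


def validate(assignments, today, last_run, roles=CURRENT_ROLE,
             role_entitlements=ROLE_ENTITLEMENTS, active_contexts=ACTIVE_CONTEXTS):
    """Return one Finding per assignment whose justifying context no longer holds.

    An assignment is judged only against *current* state: the role the principal
    holds now and the projects active now. A compromised-but-correctly-provisioned
    account is not visible here (that is monitoring's job); what this catches is
    the assignment outliving its justification.
    """
    findings = []
    for a in assignments:
        reason = None
        kind, _, name = a.justification.partition(":")
        if kind == "role":
            current = roles.get(a.principal)
            if current is None:
                reason = "principal has no current role (offboarded or unknown)"
            elif current != name:
                reason = f"granted under role {name}; principal now holds {current}"
            elif a.entitlement not in role_entitlements.get(current, set()):
                reason = f"entitlement not implied by role {current}"
        elif kind == "project":
            if a.justification not in active_contexts:
                reason = f"justifying context {a.justification} is no longer active"
        else:
            reason = f"unrecognised justification {a.justification!r}"

        if reason is not None:
            # The control last looked at this assignment on last_run (or never, if the
            # grant is newer than that). It cannot claim a tighter bound than that.
            bound = (today - max(a.granted, last_run)).days
            findings.append(Finding(a.principal, a.entitlement, reason, bound))
    return findings


if __name__ == "__main__":
    # Signal output: this list is what must reach the response team, not a spreadsheet.
    for f in validate(ASSIGNMENTS, today=date(2024, 4, 1), last_run=date(2024, 3, 1)):
        print(f"{f.principal:10} {f.entitlement:16} up to {f.undetected_up_to_days:3}d  {f.reason}")
```

Run as-is it flags four of the six constructed assignments and leaves the two that still match their context alone. The `undetected_up_to_days` column is the honest number to report: with a monthly `last_run` it reads 31 for everything older than a month, which is exactly the cadence-bounded dwell time the article describes. Shortening the cadence is the only way to shrink it.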
Identity is the boundary. A boundary that is set once and trusted indefinitely is not a boundary. It is a historical record. The environment that produced this incident treats identity as a record. Until that changes, the next six-week takeover is already running. It has not been audited yet.