top of page
Search

Mass Firing, Mass Exposure

One question. When you do a mass firing, does anyone actually believe all the access to all the systems is killed, promptly, or at all? I don’t. I have never seen it. And from the other side of the keyboard, neither have the attackers.


The old playbook was simple. Kill the Active Directory account and most of the building went dark, email, file shares, VPN, a handful of on-prem apps. Done by lunch. That world is gone. The modern employee is federated into two, five, eight, sometimes twenty separate SaaS tenants, each with its own admin console, its own identity mapping, its own offboarding lever. Salesforce, Workday, NetSuite, GitHub, Jira, Slack, Zoom, DocuSign, HubSpot, AWS, Azure, the MSP’s RMM, the payroll vendor, the benefits portal, the EDR console, the Dropbox somebody spun up without asking.


SSO covers some of it. SSO does not cover all of it. Break-glass local admins, tenant-level owners, personal access tokens, OAuth apps that user authored, API keys buried in a script, service accounts named after them, shared credentials in a Notes app on a phone you do not own. Every one of those is a live door after the badge is turned in.


Now layer mass firing on top. A thousand people out in a morning. The IT team running the revocations just lost a third of its own headcount. The offboarding ticket queue is twelve days deep. HR’s termination list does not match the asset inventory. The asset inventory does not match the SaaS vendor list. The SaaS vendor list was last updated in 2024. Three hundred former employees still hold tokens that will not expire for ninety days.


From a hacker’s point of view this is not a breach opportunity. It is an all-you-can-eat buffet. A freshly terminated insider who feels wronged, still authenticated into six platforms, carrying a grudge and a working laptop, is the cheapest initial access vector on earth. No phishing. No zero-day. Just a Tuesday.


If you are cutting headcount this year, your offboarding control is not a checklist. It is an attack surface. Audit it like one.


The hits will keep coming. So will the breaches.


 
 

Recent Posts

See All
Scamming - Public Service Announcement

A text arrived on my phone this morning. Final Warning. Today’s date. Massachusetts Department of Transportation. License suspension if I don’t pay by end of day. A code citation. Five escalating cons

 
 

Timcke Risk Management, LLC

660 Massachusetts Ave

6th Floor, Boston, MA 02118

 

© 2025 by Timcke Risk Management, LLC

 

bottom of page