Employee Leaves With Passwords

How To Prevent Your Business’s Online Account Access From Walking Out the Door

Sometimes an employee leaves a company without sharing usernames and passwords for the online accounts that they set up. These are often marketing-related accounts such as:

  • Email marketing & marketing automation systems (MailChimp, Constant Contact, ActiveCampaign)
  • Websites (WordPress, Wix, Squarespace)
  • Social media accounts (Twitter, Instagram, Pinterest)
  • Google accounts (My Business, Analytics, Ads, Search Console, YouTube)

Why can these types of accounts be particularly problematic? Because the setup of online marketing-related accounts often happens outside of the IT department’s domain.

And what if the company did not have a policy of keeping all business account usernames and passwords in a shared password manager or in a secure CRM system like Salesforce?

When Recovering Account Access Can Be Easy

Not having account passwords isn’t a major problem if the username (usually an email address) for the online accounts is the former employee’s company email address.

When that person leaves the company all you have to do is:

1. Ask your email system administrator to reset the password for the email account and then let you know what the new password is.

(Alternatively, you can ask your email administrator to forward you all new emails sent to the former employee’s email address.)

2. Request a password reset from the online vendor.

Password reset instructions will arrive in an inbox that you have access to.

[Image: Twitter Account Password Reset]

But what if the employee left without first sharing the username for one or more online accounts?

When Recovering Account Access Is Difficult (or Impossible)

When there’s no available username for an online account, there’s of course no way to request a password reset from a vendor’s login screen.

In some cases, you can successfully plead your case with the online vendor’s customer service department.

In other cases, access to that account can never be recovered without the cooperation of the former employee.

Lack of cooperation can mean orphaned online accounts.

Orphaning is most common for Google accounts. A former employee’s consumer Gmail account may have been used for Google business services such as:

  • Google My Business
  • Google Analytics
  • Google Ads
  • Google Search Console
  • YouTube

There are about 1.5 billion active consumer Gmail accounts, so good luck starting up a dialog with Google customer service about getting access to these.

How to Avoid Losing Account Access

How do you avoid losing access to Google and other online accounts?

1. Never let an employee use their own personal email address—Gmail or otherwise—for setting up access to an online account that will be used by your business.

2. Set a policy that requires all of the business’s online passwords to be added to a shared password database.

If the former employee used non-email two factor authentication on an account, that can create an additional challenge. A preventative measure for SMS or voice two factor authentication is covered in the last section below.

Why Consumer Gmail is Used

When a company is not using G Suite, a consumer Gmail account is often the default way to access Google services. Sometimes, a Google account without Gmail is set up.

In either case, the email account should be controlled by a business owner. For Gmail accounts, the recovery information (mobile number, secondary email) should be that of a business owner.

[Image: Google Account Sign-in & Recovery]

Best Practices For G Suite Customers

If your company does use G Suite, you do not need a personal Gmail account for any of the above listed Google Services.

Instead, you can set up a generic G Suite account such as marketing@yourcompany.com.

This account will be managed by your G Suite administrator. The address is known. It’s easy for the administrator to reset the password if it is lost. The business owns the account, not the employee.

A note on two factor authentication

To have a higher level of company control over SMS or voice two factor authentication (2FA), a Google Voice number could be set up under the marketing@yourcompany.com account. That number could then be forwarded to the employee’s mobile phone. The company policy would be that the employee uses the Google Voice number for 2FA—not their own mobile number. If you take this approach, make sure the employee’s G Suite account is also secured with 2FA.

If the former employee was using an authenticator app or a physical security key for 2FA, you’d probably be back to contacting the vendor’s customer service department.
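One way to check an account inventory against the practices above before anyone leaves. This is an added example, not part of the original article: the CSV columns, the second_factor labels, the list of generic mailbox names and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io

COMPANY_DOMAIN = "yourcompany.com"  # the article's example domain
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "outlook.com", "hotmail.com"}
ROLE_MAILBOXES = {"marketing", "info", "web", "social"}  # assumed generic account names

# Constructed sample inventory (not real accounts); column names are assumptions.
INVENTORY = """service,login_email,recovery_email,second_factor,in_password_manager
MailChimp,jsmith@yourcompany.com,,none,yes
Google Analytics,jane.smith1984@gmail.com,jane.smith1984@gmail.com,sms-personal,no
WordPress,marketing@yourcompany.com,owner@yourcompany.com,sms-company-voice,yes
YouTube,marketing@yourcompany.com,owner@yourcompany.com,authenticator-app,yes
Instagram,,,unknown,no
"""

def audit_account(row):
    """Return the list of offboarding risks found in one inventory row."""
    findings = []
    login = row["login_email"].strip().lower()
    local, _, domain = login.partition("@")
    if not login:
        findings.append("login unknown: no password reset possible from the vendor login screen")
    elif domain in CONSUMER_DOMAINS:
        findings.append("login is a personal consumer address: account can be orphaned")
    elif domain != COMPANY_DOMAIN:
        findings.append("login is outside the company domain")
    elif local not in ROLE_MAILBOXES:
        findings.append("login is an individual mailbox: recoverable by admin reset, generic account preferred")
    recovery = row["recovery_email"].strip().lower()
    if recovery and not recovery.endswith("@" + COMPANY_DOMAIN):
        findings.append("recovery email is not company-controlled")
    factor = row["second_factor"].strip().lower()
    if factor == "sms-personal":
        findings.append("2FA goes to a personal number: use a company-controlled number")
    elif factor in ("authenticator-app", "security-key"):
        findings.append("2FA is tied to a device one person holds: vendor support needed if they leave")
    if row["in_password_manager"].strip().lower() != "yes":
        findings.append("credentials are not in the shared password manager")
    return findings

def audit_inventory(text):
    """Map each service in the CSV text to its findings (empty list means no issues)."""
    return {row["service"]: audit_account(row) for row in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for service, findings in audit_inventory(INVENTORY).items():
        print(service, "->", "OK" if not findings else "; ".join(findings))
```

Rows with an empty findings list match the setup recommended above; every other row names what would have to be fixed while the employee is still available to cooperate.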

With the right policies and systems, a lot of time can be saved and inconvenience can be avoided.
