Employee Leaves With Passwords

How To Keep Control of Your Business’s Online Account Access

Sometimes an employee leaves a company without sharing usernames and passwords for the online accounts that they set up. These are often marketing-related accounts such as:

  • Email marketing & marketing automation systems (MailChimp, Constant Contact, ActiveCampaign)
  • Websites (WordPress, Wix, Squarespace)
  • Social media accounts (Twitter, Instagram, Pinterest)
  • Google accounts (My Business, Analytics, Ads, Search Console, YouTube)

Why can these types of accounts be particular problematic? Because the setup of online marketing-related accounts often happens outside of the IT department’s oversight.

And what if the company did not have a policy of keeping all business account usernames and passwords in a company owned password manager?

When Recovering Account Access Can Be Easy

Not having account passwords isn’t a major problem if the username (usually an email address) for the online accounts is the former employee’s company email address.

When that person leaves the company all you have to do is:

1. Ask your email system administrator to reset the password for the email account and then let you know what the new password is.

(Alternatively, you can ask your email administrator to forward you all new emails sent to the former employee’s email address.)

2. Request a password reset from the online vendor.

Password reset instructions will arrive in an inbox that you have access to.

Twitter Account Password Reset

But what if the employee left without first sharing the username for one or more online accounts?

When Recovering Account Access Is Difficult (or Impossible)

When there’s no available username for an online account, there’s of course no way to request a password reset from a vendor’s login screen.

In some cases, you can successfully plead your case with the online vendor’s customer service department.

In other cases, access to that account can never be recovered without the cooperation of the former employee.

Lack of cooperation can mean orphaned online accounts.

Orphaning is most common for Google accounts. A former employee’s consumer Gmail account may have been used for Google business services such as:

  • Google My Business
  • Google Analytics
  • Google Ads
  • Google Search Console
  • YouTube

There are about 1.5 billion active consumer Gmail accounts, so good luck starting up a dialog with Google customer service about getting access to these.

How to Avoid Losing Account Access

How do you avoid losing access to Google and other online accounts?

1. Never let an employee use their own personal email address—Gmail or otherwise—for setting up access to an online account that will be used by your business.

2 Set a policy that requires all of the business’s online passwords to be added to a shared password database.

If the former employee used non-email two factor authentication on an account, that can create an additional challenge. A preventative measure for SMS or voice two factor authentication is covered in the last section below.


Why Consumer Gmail is Used

When a company is not using Google Workspace, a consumer Gmail account is often the default way to access to Google Services.

Sometimes, a Google account without Gmail is set up.

In either case, the email account should be controlled by the owner of a business. For Gmail accounts, the recovery information (mobile number, secondary email) should be that of a business owner.

Google Account Sign-in & Recovery

Best Practices For Google Workspace Customers

If your company uses Google Workspace, you do not need a personal Gmail account for any of the above listed Google Services.

Instead, you can set up a generic Google Workspace account such as marketing@yourcompany.com.

This account will be managed by your Google Workspace administrator. The address is known. It’s easy for the administrator to reset the password if it’s lost. The business owns the account, not the employee.

A note on two factor authentication

To have a higher level of company control over SMS or voice two factor authentication (2FA), a Google Voice number can be set up under the marketing@yourcompany.com account. That number would then be forwarded to the employee’s mobile phone. The company policy would be that the employee uses the Google Voice number for 2FA—not their own mobile number. If you take this approach, make sure the employee’s Google Workspace account is also secured with 2FA.

If the former employee was using an authenticator app or a physical security key for 2FA, you’d probably be back to contacting the vendor’s customer service department.

With the right policies and systems, a lot of time can be saved and inconvenience can be avoided.

Fortis Cyber Security Checklist

Get the Cyber Security Checklist

Protect your business today

Let’s discuss your California business’s technology needs

Fortis Cyber Security Checklist

A step-by-step checklist to assist you in protecting your company against today’s most common cyber security threats.


Your download will automatically begin when the form is successfully submitted

Call now to discuss Managed Cyber Security


or send us a message

Enjoyed the read?

Get more small business advice and technology tips