When an employee leaves, HR typically has a process. Exit interview, equipment return, email deactivation, Active Directory suspension. It’s a checklist that gets completed and closed off. It also tends to leave something out: shared credentials. These are the team logins, vendor portals, social media accounts, and client-facing platforms that exist entirely outside the scope of standard IT deprovisioning. Deactivating a corporate email doesn’t affect any of them.
Cash App learned this in 2022, when a former employee downloaded internal documents on user accounts after their employment was terminated. Insufficient offboarding controls were central to the lawsuit that followed, which settled for $15 million. It's far from the only case. The pattern repeats with enough consistency to suggest it isn't a series of isolated failures. This occurs when offboarding stops at the corporate account layer and does not account for shared credentials beyond it.
Standard offboarding was designed around individually provisioned accounts, the kind tied to a central system that IT controls. Disable the account, cut access, and deprovision the email. That logic is sound as far as it goes. It just doesn't go far enough. Individual accounts have owners. Shared credentials have users, and that's a different thing.
A generic login for a social media scheduling tool, a supplier portal the team shares, a client's billing account the departing employee managed, none of these are visible to that central system, because they were never set up through it. They were created informally, shared across a team, and used without any central record of who had access.
The numbers reflect how difficult this has become to manage. According to Nudge Security research, 69% of organizations need three or more separate sources just to identify all the cloud and software access a given employee has. There is no single authoritative list. You cannot remove access you have not inventoried, and for most organizations that inventory doesn't exist at the credential level.
This is ultimately a process gap, and HR controls the trigger. Getting that right is a matter of HR and IT working from the same checklist.
Not every departure carries the same credential risk. A junior team member with narrow access is one scenario. A marketing manager with administrative control over every brand account is another. An account manager who has been managing a client's login for two years is another still. In these roles, there's often no separation between the employee's access and the company's access. In these roles, the organization's access often depends entirely on the individual's control of shared credentials.
There’s a significant exposure window here. BetterCloud's 2025 State of SaaS report found that about a third of IT teams take more than 24 hours to fully offboard a departing employee. In that window, access to client accounts, financial platforms, and brand logins remains live. This is where the concept of the shadow employee shows up: a former employee whose digital access was never fully revoked, still present in systems the organization doesn't know to check, whether they intend harm or not.
The aforementioned Cash App breach involved exactly this kind of exposure window. So did the Geisinger case, where a former Nuance Communications employee accessed patient records after termination and the breach took over a year to surface. In 2024, a cyberattack on a U.S. government agency was traced back to a former employee's admin credential that had never been revoked, exploited not by the former employee but by an external attacker who found the door open.
This scenario deserves particular attention. The shadow employee doesn't have to be the threat. An unrevoked account sitting dormant in a system is, from an attacker's perspective, a credential with no active owner monitoring it, no one watching for unusual login behavior, and in many cases no additional verification layer because it was never set up for a shared login in the first place.
This is where the process has to be rebuilt, and it starts before anyone hands in their notice.
Visibility is the foundation. Teams need a running inventory of which shared credentials exist, what systems they access, and who has use of them. This cannot be assembled on departure day. By that point, the response becomes reactive rather than planned. The organizations that handle this well maintain a shared credential register as standard practice, which means that when someone leaves, there's a list to work from.
Every shared credential also needs a named owner: someone accountable for access review and making sure passwords get updated when circumstances change. Shared credentials without an owner are, in practice, unmanaged credentials. Ownership is also what makes the handoff conversation possible. When a departure happens, the owner can coordinate the required credential updates.
Updating passwords is the step that most checklists miss. Removing a departing employee from a shared system is not enough if they could already see the passwords. Every shared login that employee had access to needs to be changed. Not archived. Changed.
Finally, there needs to be an audit trail: a record of which credentials the departing employee had access to and when each one was updated. Regulators and legal teams will ask these questions after the fact. The organization needs to be able to show its work.
None of this will be managed by HR alone. The password updates themselves are an IT function. But the offboarding trigger is an HR function, and that's where the coordination has to be locked in. The most common failure mode is HR closing the file while IT learns about the departure three days later.
CHROs are in a position to drive this. The departure process runs through HR, and that's the leverage point for getting credential protocols connected to it rather than treated as an afterthought.
Every HR leader should be able to identify which shared credentials a departing employee had access to and confirm that each one was updated.
If the answer is uncertain, the scope of your offboarding process needs to expand. The good news is that this is a process problem, and process problems are solvable.

Chris Skipworth is the CEO of Passpack, a zero-knowledge password management platform serving businesses worldwide. With 25 years of technology experience in software, hardware, and semiconductor engineering, he has brought innovative solutions to markets across North America, Asia, and Europe. Since leading Passpack in 2013, Chris has secured company financing, expanded into new markets, and positioned Passpack as a leading password management solution for SMBs.
This website uses cookies to enhance website functionalities and improve your online experience. By browsing this website, you agree to the use of cookies as outlined in our privacy policy .