Service accounts are a rising risk

As schools adopt automation and AI tools, misconfigured service and API accounts are becoming preferred persistence points for attackers. Security guidance calls for an inventory of these accounts, unique credentials per integration and regular rotation, because forgotten or over‑privileged non‑human accounts enable lateral movement and long‑term access. (bankinfosecurity.com)

An industry survey found that 75% of organizations report misuse of service accounts (using them like human accounts, or human accounts like service accounts), a practice security firms say creates long‑lived blind spots that attackers exploit. (businesswire.com)

PowerSchool's own incident analysis and third‑party reporting show that attackers used a compromised maintenance credential to access the PowerSource customer support portal in December 2024; the intrusion has been linked to claims of data on roughly 62 million students and 9.5 million teachers across 6,505 districts. (powerschool.com) (blackswan-cybersecurity.com)

Security researchers and vendors documented a wave of malicious OAuth applications in Microsoft Entra ID in 2025. Because the access such an app holds comes from the consent grant rather than from the user's password, it survives password resets and acts as a persistent, non‑human backdoor. (wiz.io)

Government advisories from CISA and the NSA's Enduring Security Framework emphasize three remediation steps: inventory non‑human identities, scan infrastructure‑as‑code for hardcoded secrets, and remove unexpected app credentials from service principals. (cisa.gov 1) (cisa.gov 2)

Vendor guidance recommends replacing static keys with managed identities and centralized secret stores; where service account keys remain in use, Google Cloud explicitly recommends rotating them at least every 90 days. (docs.cloud.google.com) (microsoft.github.io) CISA's countermeasure CM0083 and other alerts name API key rotation and migration to token‑based authentication as actionable steps and give step‑by‑step rotation instructions for common SaaS platforms. (cisa.gov)

Detection examples include the App Governance and attack‑path features in Microsoft Defender for Cloud Apps, and practical guidance on using Microsoft Graph activity logs and Kusto queries to hunt for suspicious OAuth consent grants and app registrations. (learn.microsoft.com) (practical365.com)

CISA lists no‑cost cyber services, including an Account Management support offering that K‑12 organizations can request for assessments and remediation planning, and the agency's 2025 alerts advise school IT teams to prioritize scanning repositories and IaC for embedded credentials as a first‑line cleanup task. (cisa.gov 1) (cisa.gov 2)

Shared from Scout - Be the smartest in the room.