Stop Forgotten Service Accounts From Becoming Liabilities

Business & Finance beginner 6 min read

Abandoned padlock on a rusty chain against a weathered wall

You have more online accounts than you think. Not just the obvious ones — your email, Netflix, GitHub. The real count includes every bot account you created for a Slack integration three years ago. The iOS app you signed up for with “Sign in with Google” and never opened again. The cloud storage trial you abandoned. The developer account you created to test an API once and let the credentials sit in your code.

Most of these accounts are harmless. Some are not.

A dormant account with outdated credentials is a liability. If it was caught in a breach you never heard about, your email and password may be circulating in leaked databases — and you have no idea because you forgot the account existed. Old API keys in abandoned projects are a similar risk: they often have more permissions than you’d grant today, and if they’re leaked in a git history, anyone can find them.

The subscription tracker handles the accounts you care about paying for. This use case handles everything else — the accounts you forgot, the integrations that accumulated, and the security hygiene that nobody has time to maintain.

What This Solves

  1. Dormant account discovery — finding accounts tied to your email that you genuinely forgot about
  2. Breach exposure awareness — knowing when a forgotten account appears in a leak
  3. Stale credential risk — identifying old API keys, OAuth tokens, and service accounts still pointing at your infrastructure
  4. Inactive integration cleanup — flagging bots and integrations that still have access to your systems but aren’t being used
  5. Data exposure audits — checking what data a forgotten account might still hold (what did that 2021 SaaS trial have access to?)

How It Works

The Service Account Inventory

You build this over time, not all at once. Start with what you know:

~/accounts/inventory.yaml

service_accounts:
  - name: "CI Bot"
    type: github-app
    email: [email protected]
    created: 2023-03-15
    last_used: 2024-11-20
    permissions: ["repo", "workflows"]
    notes: "Used in old dotfiles repo — check if still needed"
    linked_email: [email protected]

  - name: "IFTTT Webhook"
    type: integration
    created: 2022-08-01
    last_used: 2023-02-14
    permissions: ["send_webhook"]
    notes: "Triggered Slack alerts — replaced by n8n"
    status: dormant

  - name: "CloudStorageTrial2021"
    type: saas
    provider: "CloudSync Pro"
    created: 2021-06-10
    last_used: 2021-06-30
    data_access: ["personal_files", "contacts"]
    notes: "30-day trial, never converted — check if data still there"
    breach_exposed: unknown

  - name: "Discord Bot - Moderator"
    type: bot
    platform: discord
    created: 2021-01-01
    last_active: 2022-06-15
    permissions: ["kick", "ban", "read_messages"]
    notes: "Old community server bot — server was archived"
    status: orphaned

  - name: "Twitter API - Analytics"
    type: api-key
    created: 2020-11-01
    last_used: 2021-03-20
    key_id: "AKIAIOSFODNN7EXAMPLE"
    notes: "Old analytics script — revoke if not in use"
    status: likely_stale

OpenClaw can help you build this inventory by checking your email for old “sign up” confirmations, searching your密码 manager for service account entries, and querying GitHub for organization memberships and OAuth applications you’ve authorized.

What OpenClaw Does With It

Breach checking — OpenClaw can check if your email addresses (and service account emails) appear in known breach compilations. Services like HaveIBeenPwned aggregate these; OpenClaw can query them on a schedule and alert you if a forgotten account surfaces:

🔓 BREACH ALERT
"CloudStorageTrial2021" — [email protected]
Found in: CloudSyncPro breach (Jun 2021)
Data exposed: email, hashed password, 2GB of files
Action: Check if this account still exists — if not, nothing to do.
        If it exists, change password or delete.

Stale credential detection — For GitHub OAuth apps and personal access tokens, OpenClaw can check last usage via the API and flag tokens that haven’t been used in 6+ months:

🔑 STALE CREDENTIAL
GitHub PAT: @old-dotfiles-ci — last used Nov 2024 (5 months ago)
Scope: repo, workflow
Action: If you still use this, ignore. Otherwise, revoke at:
https://github.com/settings/tokens

Dormant integration alerts — For integrations you set up and forgot:

🤖 DORMANT INTEGRATION
IFTTT Webhook — last triggered Feb 2023 (14 months ago)
Status: Slack webhook still pointing to your workspace
Action: If you're not using this, go to ifttt.com and remove the applet.
        It still has permission to post to #alerts.

Monthly dormant account digest — A regular summary:

📋 SERVICE ACCOUNT DIGEST — April 2026

Total tracked: 14 accounts
Active (used < 90 days): 6
Dormant (90 days – 1 year): 5
Stale (> 1 year): 3 ⚠️

⚠️ Action needed:
• Discord Bot - Moderator — orphaned community server, still has kick/ban perms
• Twitter API - Analytics — PAT likely stale, should revoke
• CloudStorageTrial2021 — found in breach, data may still exist

Dormant (review at convenience):
• CI Bot — Nov 2024, confirm if still needed
• IFTTT Webhook — Feb 2023, likely deprecated
• CloudStorageTrial2021 — see above

New accounts this month: 1
• Raycast Extension (Apr 2026)

Setting It Up

  • OpenClaw with file access and a messaging channel
  • Your inventory file — build it gradually; start with what you know
  • Optional: email access — helps discover accounts you signed up for and forgot
  • Optional: HaveIBeenPwned API — for breach checking (free tier available)
  • Optional: GitHub token — for checking OAuth app permissions and PAT last usage
  • A monthly cron job — for the digest; breach checks can run less frequently

The inventory file is the key to this working. The first version will be incomplete — that’s fine. Every time you remember an account or OpenClaw finds something new, add it. Over time you build a complete picture of your digital footprint.

What OpenClaw Can’t Do

It can’t automatically discover every service account you have without access to your email or connected apps. The inventory is only as complete as what you put into it.

It can’t revoke credentials on your behalf — for most services that requires logging in with a browser session or MFA. It can point you to the right page and tell you exactly what to revoke.

It can’t check whether a dormant account’s data was actually exposed in a breach without the breach being publicly documented. It checks known breaches, not every possible leak.

Why This Works

Account sprawl is a silent security problem. The accounts that pose the most risk are the ones you don’t remember creating. A Slack bot from 2021 that still has permission to read your channel history. A cloud storage trial with your personal files still on the servers. An OAuth app that has access to your GitHub repos.

You can’t secure what you don’t know exists. OpenClaw’s job here is to make the invisible visible — build the map, check it against reality, and tell you which forgotten doors should be closed.

Want to try this with OpenClaw?

OpenClaw is free and open source. Get started at openclaw.ai

Try OpenClaw →