Code Room
On-call · Medium · oc-g366
Subject: Suspicious access
Level: Mid–Senior
~35 min
Common in: Reliability & on-call interviews
Industries: Software development, IT services, Technology

Question

Your IdP access-review flags that an **admin account belonging to a contractor who offboarded 7 months ago** logged in successfully 3 times this week from a VPN exit node, then opened the admin console and viewed (not yet modified) billing and customer-export pages. The account was supposed to be deprovisioned but was only *disabled in one system* — it stayed active in the IdP and retained its admin role. No password reset, no MFA prompt seen in logs. How do you triage whether this is the ex-contractor, a leaked credential, or an attacker, and what do you do?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
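The question above lists the signals a responder has to hand (an offboarding date, successful IdP logins with no MFA from VPN exit nodes, a retained admin role, views of billing and customer-export pages, and an account disabled in one system but not the IdP), and the rubric asks for mitigation first, then evidence-driven hypotheses, then a fix for the root cause. The script below is an added example, not part of this page or any IdP vendor's tooling: it joins constructed sample data (an HR offboarding roster, per-system account state, IdP role assignments and IdP audit events, all with assumed field names) and produces the finding, the containment list and the deprovisioning gap a strong answer would walk through.

```python
"""Triage helper for the "offboarded contractor's admin account logged in" scenario.

Added example; the data sources, field names and sample records are assumptions,
not a real IdP schema. It reports: successful logins after the offboarding date,
whether MFA was satisfied, whether a privileged role is still attached, which
sensitive pages were viewed, and which systems still show the account active.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# ---- constructed sample data (not real logs) ---------------------------------

# HR roster: accounts that should no longer exist, with the offboarding date (UTC).
OFFBOARDED = {"ext.jdoe": "2023-11-02"}

# Account state per system. Offboarding disabled only the VPN account; the IdP
# entry (and its admin role) was never touched, which is the root cause.
ACCOUNT_STATE = {
    "ext.jdoe": {"hr": "terminated", "vpn": "disabled", "idp": "active"},
    "alice":    {"hr": "employed",   "vpn": "active",   "idp": "active"},
}

# IdP role assignments as currently stored.
ROLES = {"ext.jdoe": {"admin"}, "alice": {"admin"}, "bob": {"viewer"}}

# IdP events: "login" carries result/MFA/source, "page_view" carries the page.
EVENTS = [
    {"ts": "2023-10-30T09:00:00Z", "user": "ext.jdoe", "event": "login", "result": "success",
     "mfa": True, "src": "198.51.100.4", "src_tag": "corp-office"},   # before offboarding: expected
    {"ts": "2024-06-03T08:12:41Z", "user": "ext.jdoe", "event": "login", "result": "success",
     "mfa": False, "src": "203.0.113.7", "src_tag": "vpn-exit"},
    {"ts": "2024-06-03T08:13:05Z", "user": "ext.jdoe", "event": "page_view", "page": "/admin/billing"},
    {"ts": "2024-06-04T21:40:10Z", "user": "ext.jdoe", "event": "login", "result": "success",
     "mfa": False, "src": "203.0.113.9", "src_tag": "vpn-exit"},
    {"ts": "2024-06-04T21:41:00Z", "user": "ext.jdoe", "event": "page_view", "page": "/admin/customers/export"},
    {"ts": "2024-06-06T03:15:22Z", "user": "ext.jdoe", "event": "login", "result": "success",
     "mfa": False, "src": "203.0.113.7", "src_tag": "vpn-exit"},
    {"ts": "2024-06-05T07:02:33Z", "user": "alice", "event": "login", "result": "success",
     "mfa": True, "src": "198.51.100.4", "src_tag": "corp-office"},
    {"ts": "2024-06-05T07:10:00Z", "user": "bob", "event": "login", "result": "failure",
     "mfa": False, "src": "198.51.100.4", "src_tag": "corp-office"},
]

SENSITIVE_PREFIXES = ("/admin/billing", "/admin/customers")
PRIVILEGED_ROLES = {"admin"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Finding:
    user: str
    offboarded_on: str
    privileged_roles: set = field(default_factory=set)
    successful_logins: int = 0
    logins_without_mfa: int = 0
    source_ips: set = field(default_factory=set)
    sensitive_pages: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Privileged role still attached + sensitive data viewed + no second factor:
        # treat as compromised until attribution says otherwise.
        if self.privileged_roles and self.sensitive_pages and self.logins_without_mfa:
            return "critical"
        return "high" if self.successful_logins else "medium"

    def containment_actions(self) -> list:
        # Stop the bleeding first; attribution (ex-contractor vs leaked credential
        # vs attacker) is worked out afterwards from the evidence preserved here.
        actions = ["disable account in IdP", "revoke all active sessions and tokens",
                   "preserve IdP audit logs and VPN session records for the period"]
        if self.privileged_roles:
            actions.append(f"remove roles {sorted(self.privileged_roles)}")
        if self.sensitive_pages:
            actions.append("review export/download audit trail for the viewed pages")
        return actions


def triage(events, offboarded, roles):
    """Return {user: Finding} for offboarded accounts active after their offboarding date."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if user not in offboarded or parse_ts(ev["ts"]) < parse_ts(offboarded[user] + "T00:00:00Z"):
            continue
        f = findings.setdefault(user, Finding(user, offboarded[user],
                                              set(roles.get(user, ())) & PRIVILEGED_ROLES))
        if ev["event"] == "login" and ev["result"] == "success":
            f.successful_logins += 1
            f.logins_without_mfa += 0 if ev["mfa"] else 1
            f.source_ips.add(ev["src"])
        elif ev["event"] == "page_view" and ev["page"].startswith(SENSITIVE_PREFIXES):
            if ev["page"] not in f.sensitive_pages:
                f.sensitive_pages.append(ev["page"])
    return findings


def deprovisioning_gaps(offboarded, account_state):
    """Systems where an offboarded user is still active: the list that prevents a repeat."""
    return {u: sorted(s for s, st in account_state.get(u, {}).items() if st == "active")
            for u in offboarded if any(st == "active" for st in account_state.get(u, {}).values())}


if __name__ == "__main__":
    for f in triage(EVENTS, OFFBOARDED, ROLES).values():
        print(f"{f.user}: severity={f.severity} logins={f.successful_logins} "
              f"no_mfa={f.logins_without_mfa} sources={sorted(f.source_ips)} pages={f.sensitive_pages}")
        for a in f.containment_actions():
            print("  -", a)
    print("deprovisioning gaps:", deprovisioning_gaps(OFFBOARDED, ACCOUNT_STATE))
```

The pre-offboarding login is deliberately in the sample so the date filter is exercised; in a real answer you would also state that the hypotheses (ex-contractor reusing a still-valid password, a leaked credential, or a third party) are distinguished by the evidence this script preserves, such as VPN session ownership and source consistency, rather than by the finding alone.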
