Default Account Activity Detected


Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools.

   GDPR Relevance


Default user accounts are often targeted for exploitation since they have administrative privileges on the host system, thereby enabling an attacker who gains access to the default account to use system resources how they see fit. Depending on the environment, default accounts may not be able to be deleted, and depending on corporate IT policy may have a no-use or limited-use restriction.


The use of default accounts is often out of corporate IT compliance as in most cases no individual can be assigned to the activity happened. Using individual user accounts with administrator privileges in larger organizations with multiple system administrators, is a security best practice and service accounts should rarely be used.

Specific to GDPR, monitoring and demonstrating that security controls are effective is required by Article 32, therefore immediate awareness of any default account activity is critical to maintaining compliance posture and documenting such activity and remedial actions is required in order to prove compliance for data privacy audits initiated by data privacy authorities (Article 58) and also to help counteract compensation claims (Article 82).

Resolution Path:

Analyze default user accounts for activity that could be security issues – for example, creation of new accounts, modification in account or file privileges, or other unauthorized configuration changes that could indicate a threat. This helps maintain security posture, compliance, and provide early warning of a larger potential issue.