Thought I’d share this with y’all. But I’m gonna answer the obvious question right away: No, I didn’t abuse it.
So, I used to work for a large corporation in the geophysics industry… well, I still do, just a different one. I will of course not name them, but it’s a behemoth in the industry, and if you are familiar with the field, you’ve definitely heard of them.
I wasn’t the “normal” kind of sysadmin - I mostly handled off-site production stuff (where the actual money was being made), and how all of this stuff interfaced with each other as well as the head office.
The “normal” IT stuff was handled by a friend/coworker with whom I’ve worked for well over a decade in several companies - We have an odd habit of crossing professional paths from time to time. Let’s call him Bob.
I had handed in my three months’ notice, as the competition had given me an offer I couldn’t refuse, so I was on my way out. While visiting the head office for unrelated reasons I had gotten a desk assigned close to Bob’s for convenience, as a lot of the stuff I did was related to his stuff.
Then suddenly, come 15:00, my VPN stopped working. Then email. Then everything else. If it had been later in the day I would’ve assumed my employer had decided to let me go earlier, but the timing didn’t make sense.
Me: “Hey, Bob, I’m still working here, you know? Well, trying to…”
Bob: “Yeah, why?”
Me: “You didn’t kill my access?”
Bob: “No, but I have a hunch…”
So, long story short, it turned out that Bob’s American counterpart, Alice, had been tasked with the offboarding, as she had set up some specialized access for me. And as you probably know, date formats between Europe and the US can be confusing and ambiguous. So Alice had set up her offboarding-script with the wrong date. 15:00 was when her office hours started.
Bob and Alice had a quick chat and the problem was easily identified. No problem, and as apologetic as Alice was, I don’t really blame her as it was an honest mistake anyone could’ve made in her position. Anyway, Bob was tasked with setting up (again) what I needed, as we were in the same room.
Bob started adding me back to stuff, restoring my password from earlier. Turns out users are never deleted, only deactivated so that roles can easily be copied. And after a while, which never struck me as oddly long, he seemed done.
Bob: “Try it now”
Me: “Yup, works”
Bob: “Please test them all… there are some modules that most people don’t get added to”
Me: “I’ll test them as I go. If there’s something missing we’ll deal with it tomorrow.”
Things worked for the rest of the day, so I didn’t really think about it. When the next day arrived I had some idle hours in the morning while waiting for some stuff, and decided to put the time to good use before Bob came in. So I started testing, going through all of our access portals. And in the name of science, I tested a few I wasn’t supposed to have access to.
Me: “Bob, am I really supposed to have access to payroll?”
Bob: “No?”
Me: “Or the corporate drafts?”
Bob: “Wtf?”
Well, it just so happens that I share the first name with the CEO of the entire fucking corporation. And Bob had copied the access from the active CEO and not my own deactivated account. For 12 hours this random dork who was about to leave for the competition had access to EVERYTHING in the company.
Because I’m not stupid and because I didn’t want to get Bob into any trouble I didn’t do anything with it once I realized how much I had access to. I wonder if any of the other ~2000 employees would’ve been as sensible as I was.
Might be a good cross post to [email protected]
And that’s the reason the CEO’s account does not need god-level access.
Another reason being the type of person who usually becomes a CEO.
Exactly, even in my hierarchy here the ‘head officer’ doesn’t have any access whatsoever. Just things that come across his desk. He has me for HR related functions, others for operations, etc. Compartmentalize, folks.
I would have hidden an ASCII image in my own employee file fields somewhere.
Edit: probably an image of Gowron.
Initially read this edit as “Grover”.
Alexa, use stable diffusion to generate an ASCII art of Grover with Gowron eyes saying “G is for GLORY” and post it to Lemmy so I can get internet points