The problem with the office@ login
Most businesses have at least one. A shared inbox for orders or customer inquiries. An admin account for the accounting software that three people log into. A vendor portal where the whole team uses the same credentials because nobody set up individual accounts.
These feel practical because in the short term they are. No provisioning required. No helpdesk ticket. Everyone who needs access has it.
The problems show up later, and they tend to show up at a bad moment.
What you lose when accounts are shared
When something goes wrong on a shared account, you lose the ability to trace it.
Someone sent an email from the shared inbox that should not have been sent. A charge appeared in the billing software that nobody claims to have authorized. A customer record was changed in a way that caused a problem. In each of those situations, knowing who was logged in is exactly the thing you need to know, and with a shared account you often cannot find out.
Most audit logs record activity against credentials, not physical people. If five staff members share one login, every action in the log looks identical. That matters for diagnosing honest mistakes. It matters considerably more when something looks deliberate.
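To make the attribution problem concrete, here is a small script (an added example, not code from the original post) that takes mailbox audit events and asks "who could have done this?". The events, sign-ins and holder list are constructed; the field names are loosely modelled on Microsoft 365 mailbox audit records (UserId is the credential that acted, MailboxOwnerUPN the mailbox acted on, ClientIP the source address), and the two-hour correlation window is an assumption. With an individual credential the log answers the question by itself; with a shared credential the best the responder can do is start from every holder and try to narrow the set by correlating the source address with the holders' own sign-ins.

```python
"""Attributing audit events when a credential is shared.

Added example, not from the original post. The events and sign-ins below are
constructed; field names are loosely modelled on Microsoft 365 mailbox audit
records (UserId = credential that acted, MailboxOwnerUPN = mailbox acted on,
ClientIP = source address). The holder list and window are assumptions.
"""
from datetime import datetime, timedelta

# Constructed: who currently holds each shared credential.
SHARED_HOLDERS = {
    "orders@example.com": {"alice@example.com", "bob@example.com", "carol@example.com"},
}

# Constructed mailbox audit events.
EVENTS = [
    # Logged in *as* the shared mailbox: the log names the credential, not a person.
    {"CreationTime": "2024-03-04T09:12:00Z", "Operation": "Send", "ClientIP": "203.0.113.7",
     "UserId": "orders@example.com", "MailboxOwnerUPN": "orders@example.com"},
    # Same mailbox reached as a delegate using individual credentials.
    {"CreationTime": "2024-03-04T09:40:00Z", "Operation": "Send", "ClientIP": "203.0.113.9",
     "UserId": "bob@example.com", "MailboxOwnerUPN": "orders@example.com"},
    # Shared credential used from an address no holder signed in from.
    {"CreationTime": "2024-03-04T23:50:00Z", "Operation": "HardDelete", "ClientIP": "198.51.100.4",
     "UserId": "orders@example.com", "MailboxOwnerUPN": "orders@example.com"},
]

# Constructed individual sign-ins (user, time, source IP) used for correlation.
SIGNINS = [
    ("alice@example.com", "2024-03-04T08:55:00Z", "203.0.113.7"),
    ("bob@example.com",   "2024-03-04T09:30:00Z", "203.0.113.9"),
    ("carol@example.com", "2024-03-04T08:50:00Z", "203.0.113.8"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def possible_actors(event, holders=SHARED_HOLDERS, signins=SIGNINS, window=timedelta(hours=2)):
    """People who could have performed the event.

    Individual credential: the log itself answers the question (one name).
    Shared credential: start from every holder, then keep only holders with
    their own sign-in from the same source address within `window`. If nobody
    matches, every holder remains a candidate. Behind an office NAT all
    holders share one address, so this narrowing only helps when people
    connect from distinct addresses.
    """
    actor = event["UserId"]
    if actor not in holders:
        return {actor}
    candidates = set(holders[actor])
    t, ip = _ts(event["CreationTime"]), event["ClientIP"]
    corroborated = {u for u, when, src in signins
                    if u in candidates and src == ip and abs(_ts(when) - t) <= window}
    return corroborated or candidates


def attribution_report(events, **kw):
    """One row per event; 'resolved' is True only when exactly one person remains."""
    rows = []
    for e in events:
        who = possible_actors(e, **kw)
        rows.append({"time": e["CreationTime"], "operation": e["Operation"],
                     "mailbox": e["MailboxOwnerUPN"], "candidates": sorted(who),
                     "resolved": len(who) == 1})
    return rows


if __name__ == "__main__":
    for r in attribution_report(EVENTS):
        mark = "ok" if r["resolved"] else "??"
        print(mark, r["time"], r["operation"], r["mailbox"], ", ".join(r["candidates"]))
```

The third event is the case the section is about: the shared credential was used at an unusual hour from an address nobody else used, and the report can only list all three holders. The delegate event, by contrast, names bob directly because he reached the shared mailbox with his own login.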
The offboarding gap shared accounts create
When someone leaves, the standard process revokes their individual accounts and removes their access from known systems. That works for accounts they owned personally.
Shared accounts are almost never part of that process, because they exist outside the directory. Nobody has a formal list of them. They were set up informally, they are maintained informally, and they are almost never included in offboarding checklists.
The result is predictable. A former employee retains access to the shared order inbox, the accounting system, or the company social media accounts for months or years after leaving. Most of the time nothing comes of it. Sometimes it does, and when it does there is no clean way to trace what happened.
Offboarding access properly depends on knowing what accounts exist in the first place. Shared accounts are a consistent blind spot in that inventory.
What shared accounts do to MFA
Multi-factor authentication does not work well with shared logins. You cannot route a push approval to five different phones simultaneously without someone doing something complicated and fragile. The workaround most teams land on is to disable MFA for the shared account, which means those accounts end up with weaker protection than individual ones.
Attackers who target small businesses specifically look for shared service accounts and vendor portals. Those accounts tend to have broad access, minimal logging, and weak authentication. They are a predictable weak point.
What to do instead
The goal is individual accountability without adding meaningless friction. That is achievable for most of what shared accounts are typically used for.
Shared inboxes in Microsoft 365 and Google Workspace can be configured so that multiple people access the same mailbox using their own individual credentials. No one shares a password, but everyone can read and reply from the shared address. Access is granted and revoked one person at a time.
For software that does not have a native team access model, the password should live in a shared folder in a business password manager rather than being memorized and passed around. When someone leaves, rotating the credential is one action that immediately removes their access.
Vendor portals and external platforms should follow the same logic. Where the platform supports team accounts or role-based access, use it. Where it does not, one person owns the credential and everyone else gets it through the password manager.
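Once shared credentials live in password-manager folders, the offboarding gap described earlier becomes something you can check rather than hope about. The script below is an added example, not from the original post: it reconciles folder memberships against the directory to find members who have left (or are unknown), and then lists the credentials a former member could still know because the item was last rotated before they lost legitimate access. The directory records, folder memberships and items are all constructed, and their shapes are assumptions rather than any product's export format.

```python
"""Reconciling shared-credential access against the directory.

Added example, not from the original post. The directory records, the
password-manager folder memberships and the credential items are all
constructed; the shapes are assumptions, not any product's export format.
"""
from datetime import date

# Constructed directory: who is still employed and, for leavers, when they left.
DIRECTORY = {
    "alice@example.com": {"active": True,  "departed": None},
    "bob@example.com":   {"active": False, "departed": date(2024, 1, 20)},
    "dave@example.com":  {"active": True,  "departed": None},
}

# Constructed password-manager shared folders and their members.
# frank@ has no directory record at all: an account nobody formally provisioned.
FOLDER_MEMBERS = {
    "Finance": {"alice@example.com", "dave@example.com"},
    "Ops":     {"alice@example.com", "bob@example.com", "frank@example.com"},
}

# Constructed credential items: folder they sit in and when they were last changed.
ITEMS = [
    {"name": "Accounting admin", "folder": "Finance", "last_rotated": date(2023, 11, 2)},
    {"name": "Vendor portal",    "folder": "Ops",     "last_rotated": date(2024, 1, 10)},
    {"name": "Shipping portal",  "folder": "Ops",     "last_rotated": date(2024, 2, 5)},
]


def stale_members(folders=FOLDER_MEMBERS, directory=DIRECTORY):
    """Folder members who have left or are unknown to the directory."""
    stale = {}
    for folder, members in folders.items():
        bad = {m for m in members if not directory.get(m, {}).get("active", False)}
        if bad:
            stale[folder] = bad
    return stale


def exposed_items(items=ITEMS, folders=FOLDER_MEMBERS, directory=DIRECTORY):
    """(item, former member) pairs where the member could still know the secret.

    A credential is exposed to a leaver when it was last rotated before the
    leaver's departure date. Members with no directory record at all are
    treated as exposed regardless of date, because there is no departure
    date to compare against.
    """
    stale = stale_members(folders, directory)
    out = []
    for item in items:
        for member in stale.get(item["folder"], ()):
            rec = directory.get(member)
            departed = rec["departed"] if rec else None
            if departed is None or item["last_rotated"] < departed:
                out.append((item["name"], member))
    return sorted(out)


if __name__ == "__main__":
    for folder, members in stale_members().items():
        print(f"{folder}: remove {', '.join(sorted(members))}")
    for name, member in exposed_items():
        print(f"rotate '{name}' (still known to {member})")
```

Run periodically, this turns "we think we removed everyone" into a list of two concrete actions: memberships to remove and credentials to rotate. Note that the shipping portal is not exposed to bob because it was rotated after he left, which is exactly the property rotation-on-departure is meant to give you.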
Finding what you have
The first step is building the list. Most businesses do not have one. Start by asking team leads what shared logins their teams use. Check expense reports for software the IT team does not manage. Look at which accounts are associated with a general inbox rather than an individual.
That list will be longer than expected. Most of it can be resolved without replacing anything, just by changing how access is managed.
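Asking team leads and reading expense reports is the right start; sign-in records can add a second source. The following script is an added example, not from the original post. It flags accounts whose single credential was used from several distinct devices inside a short window, which is the usual signature of a login being passed around, and separately flags generic mailbox names that are worth asking about even before the logs say anything. The sign-in records, the device threshold and the list of generic names are all constructed assumptions; real records will need the device identifier your identity provider actually exposes.

```python
"""Finding likely shared logins from sign-in records.

Added example, not from the original post. The records are constructed and
the thresholds are assumptions. The heuristic: one credential used from
several distinct devices within a short window is probably not one person.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: (account, timestamp, source IP, device id).
SIGNINS = [
    ("orders@example.com", "2024-03-04T08:02:00Z", "203.0.113.7",  "dev-alice-laptop"),
    ("orders@example.com", "2024-03-04T08:15:00Z", "203.0.113.9",  "dev-bob-desktop"),
    ("orders@example.com", "2024-03-04T13:40:00Z", "198.51.100.4", "dev-carol-phone"),
    ("orders@example.com", "2024-03-05T08:00:00Z", "203.0.113.7",  "dev-alice-laptop"),
    ("alice@example.com",  "2024-03-04T08:00:00Z", "203.0.113.7",  "dev-alice-laptop"),
    ("alice@example.com",  "2024-03-04T19:30:00Z", "198.51.100.2", "dev-alice-phone"),
    ("bob@example.com",    "2024-03-04T08:10:00Z", "203.0.113.9",  "dev-bob-desktop"),
]

# Constructed list of local parts that usually belong to a shared inbox.
GENERIC_LOCAL_PARTS = {"office", "orders", "info", "admin", "billing", "support", "sales"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def likely_shared(signins, min_devices=3, window=timedelta(hours=24)):
    """{account: sorted device ids} for accounts that reached `min_devices`
    distinct devices inside any `window`-long span of their own sign-ins."""
    by_account = defaultdict(list)
    for account, when, ip, device in signins:
        by_account[account].append((_ts(when), ip, device))
    flagged = {}
    for account, rows in by_account.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            devices = {d for _, _, d in rows[start:end + 1]}
            if len(devices) >= min_devices:
                flagged[account] = sorted({d for _, _, d in rows})
                break
    return flagged


def inventory_candidates(signins, **kw):
    """Accounts to put on the shared-login list, with the reason for each."""
    reasons = defaultdict(list)
    for account, devices in likely_shared(signins, **kw).items():
        reasons[account].append(f"{len(devices)} distinct devices: {', '.join(devices)}")
    for account in {row[0] for row in signins}:
        if account.split("@")[0].lower() in GENERIC_LOCAL_PARTS:
            reasons[account].append("generic mailbox name")
    return dict(reasons)


if __name__ == "__main__":
    for account, why in sorted(inventory_candidates(SIGNINS).items()):
        print(account)
        for reason in why:
            print("  -", reason)
```

Alice appears from two devices (a laptop and a phone) and is correctly not flagged; the orders mailbox appears from three people's devices within a working day and is. The device heuristic will miss accounts used from one shared workstation, which is why the name check and the conversations with team leads remain part of the inventory.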
Reducing security exposure in practice is mostly about removing the kind of unnecessary access that accumulates over time. Shared accounts are a consistent part of that picture.