Twin Brothers Accused of Deleting 96 Gov Databases After Termination
Ex‑employees allegedly erased 96 U.S. government databases minutes after being fired, using stolen credentials and custom scripts for fraud and disruption.

Former IT Contractor Convicted of Wiping 96 U.S. Government Databases
TL;DR: Twin brothers Muneeb and Sohaib Akhter are accused of deleting 96 federal databases shortly after their termination, having previously harvested thousands of credentials and abused them for personal gain.
Context
Organizations often disable access for fired employees before they learn of their dismissal, treating lingering credentials as a security risk. The Akhter case illustrates how insider threats can persist even after formal separation when deprovisioning is delayed or incomplete.
Key Facts
In February 2025, Muneeb Akhter asked his brother Sohaib for a complainant’s password from an EEOC database maintained by their employer; Sohaib retrieved it via a query and Muneeb used it to access the individual’s email without authorization. Investigators say Muneeb had collected approximately 5,400 credentials from his company’s network, built Python scripts such as "marriott_checker.py" to test them against sites like Marriott and DocuSign, and successfully logged in hundreds of times, booking travel with stolen airline miles. Minutes after both brothers were fired, they allegedly issued DROP DATABASE commands that erased 96 government-hosted databases.
What It Means
The incident underscores the danger of excessive data access and insufficient monitoring of privileged accounts post‑termination. It shows how stolen internal credentials can be repurposed for credential stuffing and fraud, while destructive actions like database deletion can cause immediate service disruption and data loss.
Mitigations
- Revoke all active sessions and passwords immediately upon termination; automate deprovisioning via identity‑governance tools.
- Enforce least‑privilege access and regularly review entitlements for dormant accounts.
- Deploy UEBA to detect anomalous login attempts, especially those targeting external services with internal credentials.
- Monitor for execution of suspicious scripts (MITRE ATT&CK T1059.003) and database‑deletion commands (T1485).
- Apply detection signatures for known malicious tools and review logs for T1078 (Valid Accounts) and T1087 (Account Discovery) activity.
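One way to implement the post-termination and database-deletion monitoring listed above, as an added example that is not from the article or the investigation. The audit-log format, account names, timestamps and thresholds are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data, not taken from the case: an HR termination feed
# (account -> effective time) and database audit-log lines in a made-up format.
TERMINATIONS = {"contractor_a": "2030-01-15T16:50:00",
                "contractor_b": "2030-01-15T16:50:00"}
AUDIT_LOG = """\
2030-01-15T16:40:02 user=contractor_a stmt="SELECT id FROM cases WHERE status='open'"
2030-01-15T16:56:11 user=contractor_a stmt="DROP DATABASE records_01"
2030-01-15T16:56:14 user=contractor_a stmt="drop   database records_02"
2030-01-15T16:58:30 user=contractor_b stmt="SELECT 1"
2030-01-15T17:05:00 user=dba_ops stmt="DROP DATABASE scratch_tmp"
2030-01-15T17:05:01 user=dba_ops stmt="SELECT 'drop database' AS note"
"""

LINE = re.compile(r'^(\S+) user=(\S+) stmt="(.*)"$')
# Anchored at statement start so a string literal containing the words is ignored.
DROP = re.compile(r"^\s*DROP\s+(DATABASE|SCHEMA)\b", re.IGNORECASE)

def parse(log):
    """Yield (timestamp, user, statement) for each well-formed audit line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def detect(log, terminations, burst=2, window=timedelta(minutes=5)):
    """Return alerts as (kind, user, iso_time, is_drop) tuples."""
    alerts, drops = [], {}
    for ts, user, stmt in parse(log):
        is_drop = bool(DROP.match(stmt))
        term = terminations.get(user)
        # Any statement from a terminated account means deprovisioning failed.
        if term and ts >= datetime.fromisoformat(term):
            alerts.append(("post_termination_activity", user, ts.isoformat(), is_drop))
        if is_drop:
            # Keep only this user's drops that fall inside the sliding window.
            recent = [t for t in drops.get(user, []) if ts - t <= window] + [ts]
            drops[user] = recent
            if len(recent) == burst:  # fire when the in-window count reaches the threshold
                alerts.append(("drop_burst", user, ts.isoformat(), True))
    return alerts

if __name__ == "__main__":
    for alert in detect(AUDIT_LOG, TERMINATIONS):
        print(alert)
```

The single routine drop by `dba_ops` stays below the burst threshold, while every statement from a terminated account is flagged regardless of type.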
Watch for increased scrutiny of post‑termination access controls and forthcoming federal guidance on insider‑threat mitigation.