The Forgotten Tool That's Still Holding Your Keys
Every small business has them. The marketing tool you tried for three months in 2023. The accounting add-on your old bookkeeper installed. The AI chatbot you tested before picking a different one. You stopped using them. You probably forgot about them.
But they didn't forget about you.
When you connected those tools to Google Workspace, Microsoft 365, Salesforce, or QuickBooks, you granted them an OAuth token — a digital key that lets them read your email, access your files, or pull customer data. That key keeps working long after you stop using the tool. Long after the vendor goes out of business. Long after the company gets acquired and rebranded into something you've never heard of.
A recent breach at Vercel exploited exactly this attack path: a forgotten vendor connection that still had live credentials. The vendor was effectively dead. The OAuth token wasn't.
The threat isn't the tools you use. It's the tools you used to use.
This guide walks you through a 20-minute audit any small business owner can run today — no IT department required. By the end, you'll have a clean inventory of every third-party tool with access to your business systems, and a clear list of what to revoke.
Why Forgotten Vendors Are a Real Threat
When a SaaS company shuts down or gets acquired, three things typically happen:
- The product stops getting security patches
- The original team disperses, and access controls lapse
- The credentials and data they hold for you stay exactly where they were
If attackers compromise that abandoned vendor — and they actively hunt for these — they inherit the access the vendor had to your systems. Your customer list. Your email history. Your financial data. Whatever permissions you granted three years ago when you signed up for a free trial.
This is not a hypothetical. Supply-chain attacks through dormant vendor connections have become one of the fastest-growing threat categories for small and mid-size businesses, precisely because most owners have no inventory of which tools still have access.
The Three Categories of Risk
Discontinued tools — The vendor is out of business or has formally end-of-lifed the product. These are the highest risk because no one is monitoring or patching them.
Acquired and rebranded tools — The vendor was bought by another company. The product may still work, but support, security posture, and data handling may have changed without you being notified.
Forgotten but still-running tools — The vendor is alive and well, but you stopped using the product. These tools still have whatever access you originally granted, and you're no longer watching the relationship.
All three categories represent the same underlying problem: active credentials with no active oversight.
Step 1: Build Your Deprecation Register
The goal of this step is one consolidated list of every third-party tool that has — or recently had — access to your business systems. Plan on 5-7 minutes.
Pull OAuth Grants From Your Core Platforms
Google Workspace: Go to admin.google.com → Security → API controls → Manage Third-Party App Access. Export the list of connected apps. This shows every tool that has been granted access to Gmail, Drive, Calendar, or Contacts.
Microsoft 365: In the Microsoft Entra admin center, go to Applications → Enterprise applications. Filter by application type "Enterprise Applications." Export the list. This shows every third-party tool with access to Outlook, OneDrive, SharePoint, or Teams.
Salesforce: Setup → Connected Apps OAuth Usage. Export the list of authorized apps and the users who authorized them.
QuickBooks Online: Settings → Apps → My Apps. Lists every connected accounting integration.
Add Your Contract and Subscription List
Pull a list of every recurring software subscription from the last 18 months. The fastest source is your business credit card statement or your accounting software's vendor report. Anything you stopped paying for but didn't formally disconnect goes on the list.
Combine Into One Sheet
A simple spreadsheet with these columns is enough:
- Tool name
- Source platform (Google, Microsoft, Salesforce, etc.)
- Permissions granted
- Last used (your best guess)
- Status (unknown for now — you'll fill this in next)
Don't worry about being exhaustive. Aim for the top 80% — the long tail of one-time integrations will surface naturally as you work through the next steps.
Step 2: Tag Each Entry Against Four Questions
For each tool on your list, answer four yes/no questions. This takes about 8-10 minutes for a typical small business inventory of 20-40 tools.
The Four Questions
1. Is the vendor discontinued, end-of-life, or out of business?
A quick web search of the company name plus "shutdown," "acquired," or "end of life" usually answers this in under a minute. Check the vendor's website for status pages or recent blog posts. No updates in 12+ months is a red flag.
2. Has the product gone 12 months without a security patch or release update?
Look at the vendor's changelog, release notes, or status page. Active products publish updates regularly. Silent products are either abandoned or being maintained by a skeleton crew that may not be patching vulnerabilities.
3. Does this tool still hold credentials, tokens, or business data?
If the tool has an OAuth grant in your platform exports from Step 1, the answer is yes. If it has API keys, login credentials, or stored customer information, the answer is yes. Most tools you've ever connected fall into this category.
4. Has anyone in your business used this tool in the last 90 days?
Check login activity if available, or simply ask your team. A tool no one has touched in 90 days is functionally abandoned, even if the vendor is still alive.
Score and Prioritize
Any tool that scores yes on questions 3 and either 1, 2, or 4 is a deprecation candidate. The combination of "still has access" plus "no longer maintained or used" is the exact risk profile attackers exploit.
Tools that answered yes to question 3 (still holds credentials) but no to all others — meaning actively used and supported — stay on your watchlist. Re-audit them every 6 months.
Step 3: Revoke, Document, and Remove
The final step turns your list into action. Plan on 5-7 minutes for a typical inventory.
For SaaS and OAuth-Connected Tools
Revoke the grant directly from the source platform. Don't rely on logging into the vendor's product to "disconnect" — that may not actually invalidate the token. Always revoke from the system that issued the credentials:
- Google Workspace: Same admin panel where you exported the list
- Microsoft 365: Enterprise applications → select the app → Properties → Delete
- Salesforce: Connected Apps OAuth Usage → Revoke
- QuickBooks: My Apps → Disconnect
Remove the tool from your internal catalog or vendor list. If you maintain a list of approved software for your team, remove the deprecated tool so no one accidentally tries to reconnect it.
Document the revocation. A single line in your spreadsheet — "Revoked 2026-04-30, no replacement needed" — protects you if questions come up later about what happened to the data.
For Acquired and Rebranded Vendors
This category is trickier because the product may still technically work. Your action is to get a written end-of-support date from the new owner.
Email their support address with a simple request: "We are auditing our vendor inventory. Please confirm in writing the end-of-support date for [original product name] under your ownership, and any changes to data handling or security posture since acquisition."
If you don't get a clear answer within two weeks, treat it as a deprecated tool and revoke access. Silence from a vendor about a security question is itself an answer.
For Tools You Still Use But Forgot About
If the audit surfaces a tool you actually need, this is the moment to tighten the relationship:
- Reduce permissions to the minimum the tool needs
- Add the tool to your formal vendor list with an owner assigned
- Set a calendar reminder to re-audit in 12 months
What Good Looks Like After the Audit
A business that has run this audit ends up with three artifacts:
- A current vendor inventory — every active third-party connection, who owns it internally, and when it was last reviewed
- A revocation log — what was disconnected, when, and why
- A 6-month recurring calendar event to repeat the audit
That's it. Three artifacts, repeated twice a year, close one of the most exploited attack paths in small business security.
Make This a Recurring Habit
The single biggest mistake businesses make after a one-time audit is treating it as a one-time event. Vendor relationships change constantly:
- Free trials get connected and forgotten
- Employees authorize tools without telling anyone
- Vendors get acquired or shut down with no notification to customers
- Permissions silently expand when products add features
Put this audit on your calendar twice a year — once in January, once in July is a clean cadence. Each repetition gets faster because the inventory carries forward. The first audit might take 25 minutes; the third one will take 10.
Next Steps
If you'd like help running this audit on your business, or building a more comprehensive vendor risk program, our team works with small and mid-size businesses to design practical security controls that don't require a dedicated IT staff. We can run the audit with you, document the results, and set up the recurring process so it actually happens.
The forgotten vendor problem isn't going away. But 20 minutes today closes a door that's been open for years.