IM DOMINATOR · AI Hack Defense
Get the Free Checklist

AI Security Guide → Old connected apps

Your Old Connected Apps Are the Way In: How to Audit & Remove Third-Party Access

By Benjamin Hübner · Updated June 2026

Quick answer: open myaccount.google.com → Security → "Third-party apps with account access", review every app, and remove access for anything you don't actively use. Do the same at account.live.com/consent/Manage for Microsoft. This takes about 20 minutes and closes more real risk than any security tool you could buy.

Remember that AI tool you tried for one afternoon in 2024? The one that needed "access to your Google account" before it would work?

It still has that access. Today. Right now.

That's the old-access problem, and it's the most overlooked risk in online business. You don't have a hacker problem — you have a pile of forgotten permissions a hacker can inherit.

Why Forgotten Apps Are the #1 Risk

Three facts make this urgent:

Third-party involvement in breaches doubled in one year — from 15% to 30%.Source: Verizon 2025 Data Breach Investigations Report

OAuth tokens don't expire like passwords. They remain valid for months or years after you stop using the app (AppOmni). Changing your password does nothing — the app never had your password. The only fix is revoking access directly.

And attackers know it. In the 2025 Salesloft–Drift incident, hundreds of organizations were compromised without being hacked directly — attackers inherited the OAuth tokens those companies had granted to one trusted app.

The 20-Minute Audit (Google)

  1. Go to myaccount.google.com and open Security.
  2. Scroll to "Third-party apps with account access" → click Manage third-party access.
  3. For each app, ask one question: did I use this in the last 30 days?
  4. If no → click the app → Remove Access. Don't debate it. You can always re-grant later.
  5. For apps you keep: check what they can access. "Read, compose, send and permanently delete all your email" for a calendar tool? Remove it.

The Same Audit (Microsoft)

  1. Go to account.live.com/consent/Manage (or Microsoft 365 admin → Enterprise applications, if you run Workspace-style accounts).
  2. Review each app with consent. Revoke anything unused.

Make It a Habit, Not a One-Off

New AI tools launch daily, and every "Sign in with Google" click creates new standing access. Put a recurring 15-minute calendar block on the first Monday of each quarter: re-run both audits.

While you're in cleanup mode, also check the data you've already pasted into AI tools — that's the other half of the self-inflicted exposure most marketers carry.

📌 ACTION STEP
→ Run the Google audit now (20 minutes)
→ Run the Microsoft audit if you use it (10 minutes)
→ Set a quarterly calendar reminder titled "App access audit"

The app audit is step 1 of the full checklist

The free AI security checklist covers the other seven gaps — AI-built code, WordPress, voice clones, phishing and more.

Get the Free AI Security Checklist →

This article is part of our guide on how to protect your business from AI-powered cyber attacks.

BH

Benjamin Hübner — founder of IM Dominator and AiMarketingReviews.com. Informational only, not professional cybersecurity advice.