I once read a book where an attacker accessed a live system with a set of compromised credentials, then found some "disabled" accounts from retired staff, re-enabled them, then simply used the retired accounts for routine access. Sventek was one of those, I think.