Comment by agwa

The rogue accounts would show up in the administrative settings in the third-party apps, and they would stick out like a sore thumb because they'd have weird email addresses. So they're not completely invisible, albeit not visible from one central place.

> Needing the same level of access that an employee has in order to utilize it doesn't make it less valuable.

The only way that would be true is if compromising an employee account has no cost, which is obviously not the case. Thus, attackers would prefer to purchase a vulnerability that doesn't require also compromising an employee account.

I trust tptacek is correct that Zerodium wouldn't even pay $133.70 for this: https://news.ycombinator.com/item?id=38722395