You Installed the Cameras. They're Turning Them Off.
Every app you use creates a record. When you log into your bank, that's recorded. When someone tries your password three times and fails, that's recorded. When a file gets downloaded from your company's shared drive at 3am, that's recorded. These records — called logs — are the security camera footage of your digital life. They're supposed to show who came in, what they took, and when they left.
Here's what's happening right now: attackers aren't just breaking in. They're walking straight to the recording system and deleting the footage of themselves. Then they take whatever they want. By the time anyone notices something's wrong, there's no evidence it ever happened. No timestamp. No login record. No trail.
And the worst part? The tools they're using to erase the logs are the same admin tools that were supposed to protect them.
What Actually Happens When the Logs Disappear
Every cloud service you use — Google Workspace, Microsoft 365, your company's HR system, your kid's school portal — generates logs constantly. Someone logged in from a new device. Someone changed a permission. Someone exported a spreadsheet with 10,000 customer email addresses. All of that gets written to a log file, and that log file is supposed to be untouchable.
But logs aren't untouchable. They live in the same cloud systems they're monitoring. And if an attacker gets the right access — often just a single stolen credential from someone with admin rights — they can do more than steal your data. They can delete the record that they were ever there.
This isn't theoretical. Unit 42 researchers just documented exactly how it works across AWS, Azure, and Google Cloud. An attacker logs in with stolen credentials. They disable logging. They take what they want — files, secrets, customer records. Then they either delete the logs entirely or edit them to remove their tracks. When your security team goes looking for evidence of the breach, they find nothing. The attack might as well have never happened.
Here's the part that should scare you: this works because logging systems were designed for convenience, not security. They were built so admins could troubleshoot problems and investigate incidents. Nobody planned for the logs themselves to become the target.
Why This Just Got Exponentially Worse
Two things changed in the last 18 months.
First, AI-powered attack tools can now automatically identify logging systems, figure out how to disable them, and erase their tracks — all in minutes. What used to require a skilled hacker now happens at scale, automatically, across thousands of targets at once.
Second, more companies moved their logs to the cloud to save money. That means the logs live in the same place as the data they're protecting. One compromised credential can now unlock both the vault and the security footage of the vault. Attackers don't need two break-ins anymore. They need one.
The number of cloud environments with logging protections that actually work — where logs can't be deleted even by administrators — is shockingly low. Most organizations can see their logs. Almost none of them have made their logs tamper-proof.
What You Can Do About It Right Now
If you're a regular person using cloud apps, here's what you can control:
1. Turn on account activity notifications for every service you care about. Google, Microsoft, Apple, Dropbox, and most financial apps will email or text you when someone logs in from a new device. Turn that on. If your logs get erased, you'll at least know something happened.
2. Check your login history monthly. Most apps have a "recent activity" or "login history" page. Look at it. If you see a login from a city you've never been to, that's your warning.
3. Use a password manager and enable multi-factor authentication everywhere. Stolen credentials are how attackers get in. Make your credentials harder to steal.
4. If you run a small business, ask your IT person or cloud provider one question: "Can our logs be deleted by an attacker?" If the answer is yes or "I don't know," that's a problem you need to fix. The solution is called "immutable logging" or "write-once" logging. It costs almost nothing. Most providers offer it. Almost nobody turns it on.
5. For security and IT teams: enable CloudTrail Insights (AWS), Azure Monitor immutable storage, or Google Cloud Audit Logs with retention locks. Make it impossible to delete logs even with admin access. Test it. Verify an admin can't turn it off.
My Two Cents
Years ago I worked an incident where we couldn't answer the most basic question: when did the attacker get in? Not because the logs were missing — because we'd never verified anyone couldn't touch them. The retention policy existed on paper. The tamper protection didn't exist at all. We rebuilt the timeline from email headers and badge swipe records, which is exactly as painful as it sounds.
Here's the thing nobody internalizes until it happens to them: logs you can delete are not evidence, they're a suggestion. If an admin credential can erase the trail, then every admin credential is a single point of failure for your entire investigation capability.
The action I'd take this week — and the one I gave my own team: send your logs somewhere the credentials being logged can't reach. In AWS that's a separate account with CloudTrail log file validation on. For your personal life, it's simpler: turn on login alerts for your email, bank, and Apple/Google account tonight. The alert that hits your phone is a copy of the evidence that lives outside the attacker's reach. They can delete the log. They can't delete the text message you already read.
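Why the out-of-reach copy matters, as an added example (not code from this newsletter, and not CloudTrail's actual digest format): a simplified hash-chained log whose entry count and head hash are kept as an "anchor" somewhere the logged credentials cannot reach. All names, the key, and the sample events are constructed for illustration. The chain alone catches edits and mid-log deletions; only the anchor catches truncation or a full consistent rewrite.

```python
import copy, hashlib, hmac, json

GENESIS = "0" * 64

def entry_hash(prev, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()

def append(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})

def _tag(key, count, head):
    return hmac.new(key, f"{count}:{head}".encode(), hashlib.sha256).hexdigest()

def make_anchor(key, log):
    # Stored outside the logged account (assumption: the key lives there too).
    count, head = len(log), log[-1]["hash"]
    return {"count": count, "head": head, "tag": _tag(key, count, head)}

def verify(log, anchor, key):
    if not hmac.compare_digest(_tag(key, anchor["count"], anchor["head"]), anchor["tag"]):
        return "anchor forged"
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["record"]):
            return f"chain broken at entry {i}"
        prev = e["hash"]
    if len(log) < anchor["count"]:
        return "entries missing"          # tail truncated, chain still "valid"
    if log[anchor["count"] - 1]["hash"] != anchor["head"]:
        return "history rewritten"        # hashes recomputed by the attacker
    return "ok"

EVENTS = [  # constructed sample events
    {"user": "admin", "action": "login", "ip": "198.51.100.7"},
    {"user": "admin", "action": "disable_logging", "ip": "203.0.113.9"},
    {"user": "admin", "action": "export", "object": "customers.csv"},
    {"user": "admin", "action": "logout", "ip": "203.0.113.9"},
]

def demo(key=b"held-outside-the-logged-account"):
    log = []
    for ev in EVENTS:
        append(log, ev)
    anchor = make_anchor(key, log)
    edited = copy.deepcopy(log); edited[1]["record"]["action"] = "noop"
    cut = copy.deepcopy(log); del cut[1]
    rewritten = []
    for ev in [EVENTS[0], {"action": "noop"}, *EVENTS[2:]]:
        append(rewritten, ev)
    cases = {"intact": log, "edited": edited, "cut": cut,
             "truncated": log[:2], "rewritten": rewritten}
    return {name: verify(l, anchor, key) for name, l in cases.items()}
```
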
Have you ever gone looking for a login record or activity log and found it missing?
Maybe it was a suspicious charge on your credit card with no matching transaction record. Maybe it was a file that disappeared from a shared folder with no history of who deleted it. If you've experienced the frustration of digital evidence that should exist but doesn't, reply and tell me what happened.
Identity Decoded publishes every week at identity-decoded.com
