🚨 You Left Your Screen Unlocked 🚨

Why This Is a Big Deal

An unlocked screen doesn't just expose your files — it hands over your entire authenticated identity. Every session, every credential, every connected service is wide open. An attacker doesn't need your password. They already have it — because you are already logged in. In just minutes, someone could:

Bypass Multi-Factor Authentication entirely. Your device is already authenticated. An attacker doesn't need your password or your phone — the session is live and trusted.
Export all saved browser passwords. Chrome, Firefox, and Edge all allow credentials to be exported in seconds — no master password required on an active session.
Access your unlocked password manager. If 1Password, Bitwarden, or any similar vault is open, every account you own is compromised.
Access your corporate network. If you're connected to a VPN or on a corporate machine, the attacker now has access to internal systems, file shares, and databases — all authenticated as you.
Install persistent malware or a keylogger. Planted now, it runs silently long after you've walked back and locked up — continuing to exfiltrate data for weeks or months.
Send emails, approve transfers, or impersonate you. A wire transfer request, a link to your contact list, or a message to HR — all sent from your trusted address with no phishing indicators.
Steal or exfiltrate sensitive files. Source code, contracts, PII, and trade secrets can be copied to a USB drive or uploaded externally in under a minute.
Create backdoor accounts or escalate privileges. On a company machine, they may be able to add admin accounts, disable endpoint security, or register persistent remote access.

The consequences range from personal embarrassment to a data breach with serious legal and financial fallout. The good news: preventing all of this takes exactly two seconds.

How to Lock Your Screen

Locking your screen is quick and should be a habit every time you step away. Here are the keyboard shortcuts for major operating systems:

Windows

Press Windows Key + L

macOS

Press Control + Command + Q

Linux

Press Super Key + L

(The Super Key is usually the Windows key. This shortcut is common on environments like GNOME/Ubuntu. Others may use Ctrl+Alt+L.)

Real-World Consequences

These are not hypothetical risks. Unlocked and unattended workstations have been directly cited in regulatory enforcement actions, criminal investigations, and multi-million dollar settlements.

HIPAA Enforcement — Healthcare

The HIPAA Security Rule's Workstation Security standard (45 CFR §164.310(c)) explicitly requires covered entities to implement physical safeguards preventing unauthorized access to workstations containing patient data. The HHS Office for Civil Rights (OCR) regularly cites unattended and unsecured workstations in enforcement actions. In 2019, the University of Rochester Medical Center paid a $3 million settlement with the OCR following investigations that included repeated failures to secure devices and workstations containing protected health information. HIPAA penalties can reach up to $1.9 million per violation category per year.

Read the URMC Resolution Agreement →

Business Email Compromise (BEC) — Financial Fraud

The FBI's Internet Crime Complaint Center (IC3) 2023 Annual Report recorded over $2.9 billion in BEC losses — making it the costliest cybercrime category for the fourth consecutive year. An unlocked workstation with an active email session is uniquely dangerous compared to a phished account: the attacker has a live, already-authenticated session, meaning MFA is completely bypassed. They can send emails, modify mail forwarding rules, impersonate executives, and approve financial transactions — without triggering a single security alert.

Read the FBI IC3 2023 Annual Report →

Insider Threat & Opportunistic Data Theft

The 2023 Ponemon Institute Cost of Insider Threats Global Report found that insider-related incidents cost organizations an average of $16.2 million per year. An unlocked screen is the simplest form of insider threat: it requires no hacking tools, no stolen credentials, and leaves minimal forensic traces. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) notes that insiders — and opportunistic bystanders — can exploit authorized access to steal data, install backdoors, or sabotage systems. The attacker doesn't need to "break in" if the door is already open.

Learn about Insider Threats via CISA →

Regulatory & Legal Liability — GDPR, CCPA, and Beyond

Under GDPR (EU), CCPA (California), and most modern data protection regulations, organizations have a legal duty to prevent unauthorized access to personal data through reasonable security measures — including workstation controls. A breach that begins with an unlocked, unattended computer can trigger mandatory breach notification obligations, regulatory investigations, and significant fines. Under GDPR Article 32 alone, penalties can reach €20 million or 4% of global annual turnover — whichever is greater.

Read GDPR Article 32 — Security of Processing →

A single unlocked screen can be the starting point for a breach that costs millions, destroys customer trust, and ends careers. Two seconds to lock your screen is worth it.

Play the Game, Spread the Lesson

Found a coworker's or friend's computer unlocked? You can teach them this important lesson in a harmless and memorable way. It's simple:

Find an unlocked, unattended computer.
Open their web browser.
Go to www.youleftyourscreenunlocked.com (or the short URL: ylysu.com)
Walk away and let the page do the talking.

It's a friendly prank that reinforces a critical security habit. By "YLYSU-ing" your colleagues, you help make everyone, and the entire organization, more secure.

🚨 You Left Your Screen Unlocked. 🚨