In a groundbreaking report, analysts have uncovered that a known vulnerability in Microsoft’s Entra ID has spectacularly refused to retire. The nOAuth vulnerability, a popular hangout for ambitious cybercriminals, continues to show up for work at nine out of 104 scrutinized SaaS applications despite being discovered two years ago. Experts suggest it’s due to a strong benefits package and unlimited potential for evildoing.

Microsoft Entra, dubbed the ‘hotel California of vulnerabilities,’ allows hackers to check in anytime they like—and they don’t have to leave. Researchers expressed concern over how well this vulnerability adjusts to new environments, catering seamlessly to malicious actors while apparently pursuing a lifelong tenure at these SaaS applications.

The cybersecurity community has reacted with a mix of awe and mild panic. Semperis, the identity security company that conducted the analysis, described the vulnerability’s performance as ‘consistent and reliable,’ which would be admirable if it didn’t come with a side of account takeovers. Meanwhile, Microsoft is reportedly considering introducing a loyalty card program for its most resilient vulnerabilities.