Valence threat labs- Valence Security: Collaboratively remediate your SaaS security risks.

SaaS Security Breach Guide

Valence Security Threat Labs is your go-to source for the most up-to-date information on SaaS application breaches and risks.

Assess Your SaaS Risk

Latest SaaS Breaches

Microsoft-Dragos' Sharepoint Breach

Storm-0558

Microsoft-Storm-0558 Breach

June 2023

On June 16, 2023, a Microsoft 365 customer alerted Microsoft to some anomalous email activity they had detected. Microsoft began investigating and found that an external adversary had compromised the email of 24 other customers as well. The attack began 32 days prior, on May 15, 2023.

A China-based adversary (Storm-0558) chose to compromise Microsoft to get access to these 25 companies, instead of trying to attack each organization individually. Azure AD tokens were forged, used to generate access tokens, which were then used to steal email via the Outlook Mail API. In the months following the attack, Microsoft received strong criticism from private industry experts and US politicians alike.

Read More

Microsoft-Dragos' Sharepoint Breach

Unknown Cybercriminal Group

Microsoft-Dragos' Sharepoint Breach

May 2023

A known cybercriminal group compromised a new sales employee's email, impersonated them, and accessed cybersecurity vendor Dragos' SharePoint platform. The group downloaded general use data and 25 intel reports before failing an extortion attempt. Role-based access control (RBAC) prevented further breaches, and no other Dragos systems were compromised. The company swiftly deactivated the infiltrated account and blocked the criminals' access. Investigation is ongoing, though the stolen data may become public.

Read Announcement

Salesforce-Misconfiguration Risk

Misconfiguration Risk

Salesforce-Misconfiguration Risk

April 2023

Brian Krebs from Krebs on Security posted that numerous organizations, including banks and healthcare providers, are leaking sensitive info from public Salesforce Community websites due to misconfiguration. This allows unauthenticated users to access private records. Recent cases like the Vermont state and Washington D.C. government exposed sensitive data such as names, SSNs, and bank account info. Salesforce advises customers to use their Guest User Access Report Package and follow best practices when configuring guest user profiles.

Read Announcement

Github-CircleCI

CircleCI

Github-CircleCI

December 2022

CircleCI, a vendor specializing in CI/CD and DevOps tools, admitted that customer data had been compromised in a data breach. The inciting incident was a compromised GitHub OAuth token, an increasingly popular attack vector.

The CircleCI investigation revealed that the attackers stole a valid session token of a CircleCI engineer, enabling them to bypass two-factor authentication and gain unauthorized access to production systems. As a result, they managed to purloin customer variables, tokens, and keys.

Read Announcement

Github-CircleCI

Data Theft

GitHub-Drizly Alcohol Retailer Breach

October 2022

The FTC filed a data privacy lawsuit against Drizly CEO, James Rellas, for the 2020 breach that allowed an attacker to access information on 2.5 million customers. This breach stemmed from giving a company executive access to GitHub for a one-day hackathon in 2018 that was never revoked. Password complexity and MFA was not enforced for these accounts, and the executive reused a password for multiple work and personal accounts. Over two years later, the executive’s account still had access to the corporate GitHub tenant and was compromised via credential stuffing.

Read Announcement

Google-SharpTongue/Kimsuky

Sharptongue/ Kimsuky

Google-SharpTongue/Kimsuky

July 2022

A cyber threat actor, believed to have links with North Korea, was found deploying a malicious extension on Chromium-based web browsers to steal email content from Gmail and AOL. This malware, attributed to SharpTongue by cybersecurity firm Volexity, is particularly aimed at individuals working on topics of strategic interest to North Korea. The Sharpext extension inspects and exfiltrates data from a victim's webmail account as they browse it. The malware has been successful in stealing thousands of emails, presenting a new challenge in email data security. Google has clarified that the malicious extension was not available on the official Chrome Web Store.

Read Announcement

GitHub-Heroku/Travis CI

Heroku/ Travis CI

GitHub-Heroku/Travis CI

April 2022

GitHub announced that attackers had stolen OAuth user tokens issued to third-party vendors, Heroku and Travis-CI. These tokens were then used to download private data repositories from dozens of GitHub customers, including GitHub itself and npm, who had been using Heroku and Travis-CI-maintained OAuth applications.

Github researchers suspect that secrets harvested from these data stores could potentially be used to launch much wider supply chain attacks to gain access to additional infrastructure.

Read Announcement

Okta-Oktapus Phishing Campaign

Oktapus Phishing Campaign

Okta-Oktapus Phishing Campaign

March 2022

The "0ktapus" phishing campaign potentially compromised over 130 organizations, including Twilio and DoorDash, with login credentials of nearly 10,000 individuals stolen. Hackers mimicked single sign-on service Okta, gaining access to multiple accounts across different services. Twilio's breach revealed approximately 1,900 Signal accounts, with 163 customers' data accessed and 93 users of Authy compromised. Victims were lured to a convincingly designed phishing site, where they were prompted for their login details. Despite the phishing kit being poorly configured, the massive scale of the attack affected multiple industries. Financial motives seemed to be driving the hackers.

Read Announcement

Mailchimp-Unidentified Bad Actor

Bad Actor

Mailchimp-Unidentified Bad Actor

March 2022

MailChimp, a leading email marketing firm, discovered that hackers had gained access to internal customer support and account management tools, which could be used to launch phishing attacks to steal customer data. Buried by the headline, however, was this even bigger eye-opener–In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which have now been disabled and can no longer be used.

Read Announcement

Okta-LAPSUS$

LAPSUS$

Okta-LAPSUS$

January 2022

Okta detected an attempt to compromise the account of a customer support engineer working for a third-party provider. They alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. After analysis of the breach, they concluded that a small percentage of customers had potentially been impacted and whose data may have been viewed or acted upon. Okta identified those customers and reached out directly by email.

Read Announcement

Slack-Electronic Arts Breach

Hacker Group

Slack-Electronic Arts Breach

June 2021

Game publisher Electronic Arts suffered a significant data breach perpetrated by hackers who tricked an employee over Slack to secure a login token. The hackers reportedly stole the source code for FIFA 21, the Frostbite engine, and other game development tools, totalling around 780GB of data. This breach was achieved through a multifactor authentication request to EA's IT support, granting them access to the corporate network. EA has confirmed the breach, stating that they are currently investigating the incident and have implemented security improvements. No player data was compromised in this breach according to EA's report.

Read Announcement

Assess Your SaaS Security Risks

What Risks Are Lurking in Your Shadow Third-party SaaS Integrations?
By submitting, I acknowledge Valence Security's Terms of Use and Privacy Policy