This updated guide will help you stay informed about the evolving landscape of SaaS security threats with a closer look at recent breaches and high-impact misconfigurations.
Fortinet Data Breach
Sensitive Data Breached From Fortinet's SaaS SharePoint Server
September 12, 2024
Fortinet confirmed a data breach following a hacker's claim of leaking 440GB of internal files. The compromised data allegedly included sensitive customer information, as well as financial, marketing, and HR records. Though the exact method of access is still unknown, the attacker reportedly gained access to a cloud-hosted Microsoft SharePoint server. This breach highlights the critical need to protect sensitive data within SaaS applications, especially as they continue to store business-critical information. It also serves as reminder of the importance of SaaS security best practices related to security configurations, identities, data, integrations, and threat monitoring.
Snowflake Customers Suffer Data Breaches, Targeted Due to Lack of MFA
May 31, 2024
An attack campaign targeted Snowflake customer accounts (Ticketmaster, Santander Bank, and others). While initial reports—based on a later deleted post by a threat intelligence firm—suggested a breach of Snowflake's corporate production environment, the company clarified that no vulnerability or misconfiguration within their environment was exploited. Instead, attackers likely gained access to the Snowflake customer environments through use of stolen credentials (exposed through unrelated cyber activity), as well as due to a lack of Multi-Factor Authentication (MFA). This incident highlights the importance of the Shared Responsibility Model in SaaS security, in which the SaaS customer must enforce strong security configurations.
Attackers Exploited Service Account, Stole Customer Data and Authentication Secrets
April 24, 2024
Dropbox Sign was breached by attackers who accessed emails, usernames, and general account settings associated with all users of the digital signature product. The breach is the latest example of a SaaS breach in which attackers either abused or directly targeted non-human identities. Unlike human users, NHIs often lack strong security measures like multi-factor authentication, making them attractive targets. From a compromised service account, to attacker access of user authentication data like API keys and OAuth tokens, the incident illustrates that effectively securing non-human identities in SaaS remains a significant challenge.
Salesforce Health Cloud Misconfiguration Exposed Personal Data of Millions
March 13, 2024
A serious misconfiguration was discovered in the Irish Health Service Executive's (HSE) COVID-19 vaccination portal, built on Salesforce's Health Cloud platform. This misconfiguration exposed the personal data of over 1 million Irish residents to potential public view. The misconfiguration, which was fixed in late 2021 but whose details were only revealed now, allowed anyone registering on the portal to access the health information of other users, including full names, vaccination details (reasons for vaccination or refusals), type of vaccinations received, and even internal HSE documents. While the misconfiguration remained undiscovered and unexploited by malicious actors, it highlights the potential severity of SaaS misconfigurations in healthcare, as well as the complexity of SaaS configuration management. It also underscores the importance of robust access controls and regular security audits within SaaS environments.
Attackers Leveraged Service Token and Account Credentials from Okta Breach
February 2, 2024
Cloudflare was impacted by a sophisticated wide-range Okta supply-chain campaign by a nation-state attacker which breached its Atlassian Bitbucket, Confluence and Jira platforms. The attackers leveraged a service token and service account credentials leaked during the Okta breach, that was granted to allow the SaaS application Smartsheet to have administrative access to Cloudflare's Atlassian. The attackers accessed its internal wiki (Confluence) and bug database (Jira) before accessing its Atlassian server. From there, they successfully hopped over to Cloudflare’s source code repositories in Bitbucket and an AWS instance where they were looking for information about their global network.
This incident highlights the importance of SaaS security best practices for both primary and third-party applications. It also reinforces the challenge of managing non-human identities and service accounts, where just because they are inactive does NOT mean they pose no security risk. It’s important to continuously audit non-human identities and SaaS-to-SaaS connections, and to revoke any privileges that are not currently needed.
Attackers Exploit a Microsoft Non-Production Test Tenant and Legacy OAuth Application
January 25, 2024
Microsoft's disclosure of the Midnight Blizzard attack reveals a sophisticated nation-state cyber siege. The threat actor, NOBELIUM or APT29, exploited a non-production test tenant and a legacy OAuth application to access corporate email accounts, targeting senior leadership and legal teams. This SaaS breach exposed MFA configurations, overprivileged OAuth applications, and the creation of new identities. The breach emphasizes the importance of holistic SaaS security, considering human and non-human identities, third-party integrations, and potential misconfigurations.
Ateam, a Japanese game developer, made a simple Google Drive misconfiguration that put the personal information of nearly one million individuals at risk for over 6 years. The misconfiguration in Ateam's Google Drive allowed anyone with the URL link to access files, potentially exposing files created, stored, and shared between March 2017 and November 22, 2023. Ateam confirmed that 935,779 individuals had their data exposed, with 98.9% being customers, the rest being business partners, employment candidates, and several thousand employees. This data breach could have resulted in identity theft, fraud, or other malicious activities.
The misconfiguration could have been prevented by a security configuration that sets Google Drive folders and files to private by default. Additionally, permissions should be explicitly granted to those who need access.
Cyber threat actors utilized stolen credentials to breach Okta's support case management system. This system houses HAR files containing session cookies, which were accessed by the attackers. This unauthorized access prompted the attackers to shift their focus towards targeting Okta's customer base. Cloudflare, 1Password, and BeyondTrust confirmed that hackers used stolen session cookies from the Okta HAR files—used to impersonate real user accounts and bypass multi-factor authentication (MFA)— to target their systems as a result of the breach. In the case of Cloudflare, attackers were able to gain access to Cloudflare's sensitive data such as Jira tickets, wiki pages, source code, and potentially more data sources. This incident underscores the critical role of robust access management and vigilance against social engineering attacks in securing sensitive data in SaaS applications.
Misconfiguration Potentially Exposes ServiceNow Data
October 14, 2023
A misconfiguration within the ServiceNow platform resulted in unintended access to sensitive data by unauthenticated users, even if they don't have a login to the platform. The issue stems from security controls in a ServiceNow Access Control List (ACL) widget called Simple List, which puts records into easily readable tables. The default configuration for these tables allows the data to be accessed remotely by unauthenticated users. If a company was breached, security experts said there would have been direct risks such as data leaks, including passwords, sensitive ticket info, and PII, as well as indirect risk for social engineering campaigns and impact on the organization’s reputation. it’s estimated that 80% of Fortune 500 companies deploy ServiceNow.
Attackers Breach MGM Employee's account in Okta and Gained Super Admin Rights
September 13, 2023
Two Las Vegas casino giants, MGM and Caesars, suffered a devastating cyberattack, leading to extensive outages and disruptions across their internal networks, including: ATMs, slot machines, digital room key cards, and electronic payment systems. The attackers utilized voice phishing tactics to initially breach an MGM employee’s account in Okta. Once inside, they gained super admin rights, and launched their ransomware attack. MGM Resorts’ IT team shut down its systems after detecting attackers had compromised its Okta servers. This supposedly resulted in MGM Resorts being locked out of its Okta tenant, while its attackers were able to retain super administrator privileges.
Attackers Hijack Okta Service Desk Personnel to Gain Super Admin Access
September 4, 2023
Attackers consistently executed social engineering attacks against IT service desk personnel to hijack highly privileged Okta Super Administrator accounts. The access was used to assign higher privileges to other accounts, reset enrolled authenticators in existing administrator accounts, and remove second-factor requirements from authentication policies. Okta recommends enforcing phishing-resistant authentication and strengthening help desk identity verification to prevent these attacks.
Adversary Compromised Microsoft to Gain Access to 25 Other Companies
June 2023
On June 16, 2023, a Microsoft 365 customer alerted Microsoft to some anomalous email activity they had detected. Microsoft began investigating and found that an external adversary had compromised the email of 24 other customers as well. The attack began 32 days prior, on May 15, 2023.
A China-based adversary (Storm-0558) chose to compromise Microsoft to get access to these 25 companies, instead of trying to attack each organization individually. Azure AD tokens were forged, used to generate access tokens, which were then used to steal email via the Outlook Mail API. In the months following the attack, Microsoft received strong criticism from private industry experts and US politicians alike.
Compromised Employee Email Account Leads to Loss of Data and Intel Reports
May 2023
A known cybercriminal group compromised a new sales employee's email, impersonated them, and accessed cybersecurity vendor Dragos' SharePoint platform. The group downloaded general use data and 25 intel reports before failing an extortion attempt. Role-based access control (RBAC) prevented further breaches, and no other Dragos systems were compromised. The company swiftly deactivated the infiltrated account and blocked the criminals' access. Investigation is ongoing, though the stolen data may become public.
Misconfigurations Leak Sensitive Info from Public Salesforce Community Websites
April 2023
Brian Krebs from Krebs on Security posted that numerous organizations, including banks and healthcare providers, are leaking sensitive info from public Salesforce Community websites due to misconfiguration. This allows unauthenticated users to access private records. Recent cases like the Vermont state and Washington D.C. government exposed sensitive data such as names, SSNs, and bank account info. Salesforce advises customers to use their Guest User Access Report Package and follow best practices when configuring guest user profiles.
CircleCI's Compromised GitHub OAuth Token Leads to Access of Production Systems
December 2022
CircleCI, a vendor specializing in CI/CD and DevOps tools, admitted that customer data had been compromised in a data breach. The inciting incident was a compromised GitHub OAuth token, an increasingly popular attack vector.
The CircleCI investigation revealed that the attackers stole a valid session token of a CircleCI engineer, enabling them to bypass two-factor authentication and gain unauthorized access to production systems. As a result, they managed to purloin customer variables, tokens, and keys.
Attacker Accesses Customer Data Through an Unrevoked Hackathon Password
October 2022
The FTC filed a data privacy lawsuit against Drizly CEO, James Rellas, for the 2020 breach that allowed an attacker to access information on 2.5 million customers. This breach stemmed from giving a company executive access to GitHub for a one-day hackathon in 2018 that was never revoked. Password complexity and MFA was not enforced for these accounts, and the executive reused a password for multiple work and personal accounts. Over two years later, the executive’s account still had access to the corporate GitHub tenant and was compromised via credential stuffing.
Threat Actor Deploys Malicious Extension to Steal Email Conent from Gmail and AOL
July 2022
A cyber threat actor, believed to have links with North Korea, was found deploying a malicious extension on Chromium-based web browsers to steal email content from Gmail and AOL. This malware, attributed to SharpTongue by cybersecurity firm Volexity, is particularly aimed at individuals working on topics of strategic interest to North Korea. The Sharpext extension inspects and exfiltrates data from a victim's webmail account as they browse it. The malware has been successful in stealing thousands of emails, presenting a new challenge in email data security. Google has clarified that the malicious extension was not available on the official Chrome Web Store.
Attacks steal OAuth User Tokens From Third-Party Vendors of GitHub
April 2022
GitHub announced that attackers had stolen OAuth user tokens issued to third-party vendors, Heroku and Travis-CI. These tokens were then used to download private data repositories from dozens of GitHub customers, including GitHub itself and npm, who had been using Heroku and Travis-CI-maintained OAuth applications.
Github researchers suspect that secrets harvested from these data stores could potentially be used to launch much wider supply chain attacks to gain access to additional infrastructure.
Hackers Mimick SSO from Okta to Gain Access to Multiple Accounts Across Different Services.
March 2022
The "0ktapus" phishing campaign potentially compromised over 130 organizations, including Twilio and DoorDash, with login credentials of nearly 10,000 individuals stolen. Hackers mimicked single sign-on service Okta, gaining access to multiple accounts across different services. Twilio's breach revealed approximately 1,900 Signal accounts, with 163 customers' data accessed and 93 users of Authy compromised. Victims were lured to a convincingly designed phishing site, where they were prompted for their login details. Despite the phishing kit being poorly configured, the massive scale of the attack affected multiple industries. Financial motives seemed to be driving the hackers.
MailChimp, a leading email marketing firm, discovered that hackers had gained access to internal customer support and account management tools, which could be used to launch phishing attacks to steal customer data. Buried by the headline, however, was this even bigger eye-opener–In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which have now been disabled and can no longer be used.
Attackers Attempted to Compromise Okta Support Engineer Account to Access Customer Data
January 2022
Okta detected an attempt to compromise the account of a customer support engineer working for a third-party provider. They alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. After analysis of the breach, they concluded that a small percentage of customers had potentially been impacted and whose data may have been viewed or acted upon. Okta identified those customers and reached out directly by email.
Hackers Tricked Employee Over Slack to Obtain Login Token to Steal Source Code
June 2021
Game publisher Electronic Arts suffered a significant data breach perpetrated by hackers who tricked an employee over Slack to secure a login token. The hackers reportedly stole the source code for FIFA 21, the Frostbite engine, and other game development tools, totalling around 780GB of data. This breach was achieved through a multifactor authentication request to EA's IT support, granting them access to the corporate network. EA has confirmed the breach, stating that they are currently investigating the incident and have implemented security improvements. No player data was compromised in this breach according to EA's report.
