This updated guide will help you stay informed about the evolving landscape of SaaS security threats with a closer look at recent breaches and high-impact misconfigurations.
Google Salesforce Breach—ShinyHunters Uses Vishing and Malicious Data Loader to Steal CRM Data
August 2025
Even tech giants like Google aren't immune to targeted social engineering. In June 2025, the threat actor tracked as UNC6040 (associated with the ShinyHunters extortion brand) used vishing to talk employees into approving a modified version of Salesforce's Data Loader as a connected app, granting the attackers access to one of Google's corporate Salesforce instances. During a brief window before access was revoked, they exfiltrated small- and medium-business contact details that Google described as basic and largely publicly available business information. The incident shows how easily a trusted SaaS admin workflow can be weaponized by social engineering, and reinforces the need for tight control over which connected apps can be authorized, user training, and detection of suspicious authorization activity.
Qantas SaaS-Based Call Center Breach Exposes Data of 6 Million Customers
June 2025
Qantas disclosed that records for roughly 6 million customers were exposed after a compromise of a third-party SaaS-based call center platform used by one of its contact centers. The intrusion, detected around June 30, 2025, exposed names, email addresses, dates of birth, phone numbers, and frequent flyer details; Qantas stated that credit card, financial, and passport details were not held in the affected system and that no passwords or PINs were accessed. The scale of the exposure reflects the risk of deeply embedded SaaS supply chains: when customer-service workflows run on an external platform, the customer usually has limited visibility into that platform's access controls and logging, and a single compromised account or integration can reach data across the entire customer base.
Commvault Metallic Zero-Day Exploited via Microsoft 365 Credentials in SaaS Backup Attack
June 2025
Commvault disclosed that a zero-day vulnerability (CVE-2025-3928) in its web server software had been exploited by a suspected nation-state actor in the Azure environment hosting Metallic, its Microsoft 365 backup SaaS. Because Metallic stores the app registration client secrets that customers grant it in order to back up their tenants, the intrusion could expose those secrets, and CISA warned that the actor may have used them to access customers' Microsoft 365 environments. The incident illustrates a cascading risk that is common in SaaS ecosystems: a backup platform, often assumed to be secure by default, holds standing credentials into every tenant it protects, so compromising the platform compromises every trust relationship it holds. Organizations should rotate the secrets of any app registration shared with such a vendor, restrict those registrations to the minimum Graph permissions required, and continuously audit SaaS-to-SaaS trust relationships, sign-ins by those service principals, and overprivileged integrations.
Scattered Spider Campaign Hits Insurance and Aviation with SaaS Credential Phishing Spree
June 2025
In June 2025, threat actor Scattered Spider (UNC3944) broadened its focus beyond retail, launching a wave of attacks on the insurance and aviation sectors. Using advanced social engineering—primarily impersonating IT helpdesk staff—the group tricked employees into surrendering SaaS credentials, leading to breaches in platforms like Salesforce, Okta, and Microsoft 365. High-profile victims included Aflac, Erie Insurance, and Hawaiian Airlines. These campaigns exploited the human layer of SaaS access, often bypassing technical safeguards via phishing and vishing. The campaign underscores the need for strong SaaS user training, granular role-based access, and real-time detection of abnormal behavior within trusted applications.
Persistent “nOAuth” Weakness in Entra ID-Integrated SaaS Apps Enables Cross-Tenant Account Takeovers
June 2025
In June 2025, researchers at Semperis reported that the “nOAuth” weakness, first described by Descope in 2023, was still present in roughly one in ten of the Entra ID (formerly Azure AD) integrated SaaS applications they tested. nOAuth is not a flaw in Entra ID's token issuance; it is an application-side mistake. Entra ID lets a tenant administrator set the email attribute of any user in that tenant to an arbitrary, unverified value, and emits that value in the ID token's email claim. An application that looks up or merges local accounts by that claim will accept a sign-in from an attacker-controlled tenant whose user carries the victim's email address, handing the attacker the victim's account. Because the attacker authenticates legitimately to their own tenant, the victim's MFA and Conditional Access policies never come into play, and the victim sees nothing. The fix is on the application side: key identities on the immutable tid and oid (or sub) claims, treat email as a display attribute only, and, for multi-tenant apps, restrict which tenants may sign in. Organizations should ask each Entra-integrated SaaS vendor how it maps tokens to accounts and audit the apps that offer Microsoft login.
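The account-mapping mistake behind nOAuth, side by side with the hardened version, as an added example that is not part of the original page and is not code from Microsoft, Semperis or Descope. Every tenant id, object id, email address and claim set is constructed for the example; the OIDC library is assumed to have already verified the token's signature, issuer and audience. The optional `xms_edov` claim referenced in the provisioning path is Microsoft's "email domain owner verified" claim and must be requested explicitly in the app registration.

```python
"""nOAuth: vulnerable vs. hardened mapping of Entra ID logins to local accounts.

Every tenant id, object id, email address and claim set here is constructed for
this example; nothing is a real token. Signature, issuer and audience checks are
assumed to have been done upstream by the OIDC library.
"""
from typing import Dict, List, Optional, Set


class User:
    def __init__(self, user_id: str, email: str,
                 entra_tid: Optional[str] = None,
                 entra_oid: Optional[str] = None) -> None:
        self.user_id = user_id
        self.email = email
        # Stable identity of the Entra account allowed to sign in as this user:
        # (tenant id, object id). Both are immutable; `email` is not.
        self.entra_tid = entra_tid
        self.entra_oid = entra_oid


def fresh_user_table() -> List[User]:
    """One victim account, already linked to the victim tenant's user object."""
    return [User("u-1001", "alice@victim.example", "tid-victim", "oid-alice")]


# Constructed claim sets (what an ID token decodes to after verification).
LEGIT_CLAIMS: Dict = {"tid": "tid-victim", "oid": "oid-alice",
                      "email": "alice@victim.example"}
# The attacker administers their own tenant and simply sets the `email`
# attribute of one of their users to the victim's address. Entra ID does not
# verify it, but still emits it in the token.
ATTACKER_CLAIMS: Dict = {"tid": "tid-attacker", "oid": "oid-mallory",
                         "email": "alice@victim.example"}


def vulnerable_login(claims: Dict, users: List[User]) -> Optional[str]:
    """Vulnerable pattern: the mutable email claim *is* the identity."""
    email = claims.get("email", "").lower()
    for u in users:
        if u.email.lower() == email:
            return u.user_id
    return None


def hardened_login(claims: Dict, users: List[User],
                   allowed_tenants: Optional[Set[str]] = None) -> Optional[str]:
    """Hardened pattern: identity is (tid, oid); email is display-only."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None  # malformed token: refuse, never fall back to email
    if allowed_tenants is not None and tid not in allowed_tenants:
        return None  # multi-tenant app, but this tenant is not enrolled
    for u in users:
        if u.entra_tid == tid and u.entra_oid == oid:
            return u.user_id
    return None


def link_or_provision(claims: Dict, users: List[User],
                      allowed_tenants: Optional[Set[str]] = None) -> Optional[str]:
    """First-login handling. Merge with an existing, not-yet-linked account that
    has the same email only when Entra ID asserts the tenant owns that email
    domain (optional claim `xms_edov`); otherwise provision a brand-new account,
    so the worst an attacker can do is create an account of their own."""
    found = hardened_login(claims, users, allowed_tenants)
    if found:
        return found
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    if allowed_tenants is not None and tid not in allowed_tenants:
        return None
    email = claims.get("email", "").lower()
    if claims.get("xms_edov") is True:
        for u in users:
            if u.email.lower() == email and u.entra_oid is None:
                u.entra_tid, u.entra_oid = tid, oid  # safe one-time link
                return u.user_id
    new = User(f"u-{1001 + len(users)}", email, tid, oid)
    users.append(new)
    return new.user_id
```

With the constructed claims, `vulnerable_login(ATTACKER_CLAIMS, users)` returns the victim's account while `hardened_login` returns nothing for the attacker and still resolves Alice's own token. The tenant allow-list is what a single-tenant or enterprise-only app should use; a genuinely multi-tenant consumer app cannot allow-list, which is why it must never merge on email at all.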
Stormous Breaches Hy-Vee Atlassian Tools, Steals 53GB of Internal Data
June 2025
In a breach claimed by the Stormous group, attackers accessed Hy‑Vee’s Atlassian environment—including Confluence and Jira—and exfiltrated approximately 53 GB of internal documents. While the full scope is unclear, this incident highlights how cloud collaboration tools—often used to house everything from architecture diagrams to product roadmaps—can become prime targets when improperly secured. SaaS-based development and documentation environments often carry sensitive internal data but lack strong segmentation, audit logging, and DLP controls. As attackers increasingly seek lateral paths into broader infrastructure, security teams must ensure that SaaS workspaces are not soft targets hiding in plain sight.
Salesforce Vishing Attack Deploys Malicious Data Loader at 20 Organizations
June 4, 2025
In one of the more brazen SaaS-targeted attacks of 2025, threat group UNC6040 impersonated internal IT staff and convinced employees at ~20 organizations to install a tampered version of Salesforce’s Data Loader. Once deployed, the tool granted the attackers access to sensitive CRM data, which was later weaponized for extortion. In some cases, the attackers even moved laterally into Okta and Microsoft 365 environments. This attack shows how simple voice phishing can turn trusted SaaS admin workflows into entry points for broader compromise—and highlights the need for strict app verification, identity segmentation, and tighter user education around SaaS tool installation.
APT29 Bypasses Gmail MFA via App-Specific Password Social Engineering
June 2025
Russian state-aligned hackers (believed to be APT29) bypassed Gmail MFA protections by socially engineering targets into generating app-specific passwords (ASPs)—a feature that circumvents standard two-factor authentication. Once an ASP was created, attackers gained persistent, MFA-free access to Gmail accounts. Victims were primarily government and policy professionals. This attack underscores a subtle but serious SaaS security gap: legacy features that bypass modern controls. Even platforms with robust security can be undermined when less-visible pathways—like ASPs, backup codes, or recovery emails—are exploited. Organizations must audit and restrict outdated SaaS access mechanisms to maintain true account security.
Microsoft OneDrive File Picker OAuth Flaw Grants Excessive Third-Party Data Access
May 2025
Research from Oasis Security showed that the OneDrive File Picker, as embedded by third-party apps such as Slack, ChatGPT, Trello, and Zoom, asked users to grant read (and in many cases read/write) access to their entire OneDrive even when the user only intended to upload a single file. The root causes were the picker's reliance on broad Files.Read or Files.ReadWrite scopes rather than per-file permissions, a consent prompt that did not make the breadth of access clear, and OAuth access tokens cached in plaintext in the browser (and refresh tokens in some flows) that kept that access alive long after the upload was done. The incident highlights the importance of auditing consent experiences, restricting OAuth scopes to least privilege, and validating how third-party apps interact with cloud storage tools. SaaS integrations create silent risks if they are not tightly governed.
SessionShark PhaaS Toolkit Bypasses MFA to Breach Microsoft 365 Accounts
May 2025
SessionShark, a sophisticated phishing-as-a-service (PhaaS) toolkit, emerged in early 2025 with a focus on breaching Microsoft 365 environments via adversary-in-the-middle (AiTM) tactics. The platform uses spoofed login pages to steal session tokens and bypass MFA entirely. What makes SessionShark especially dangerous is its professional-grade delivery: real-time token exfiltration via Telegram, Cloudflare tunneling, anti-bot evasion, and user-friendly dashboards. Though marketed as an “educational tool,” its SaaS-breach utility is clear. As phishing toolkits become more commercialized, defenders must adopt advanced detection capabilities that go beyond password protection—focusing on token lifecycle, session behavior, and integration hardening.
Oracle Cloud Supply-Chain Breach Exposes 6 Million Records Across 140,000 Tenants
March 2025
In March 2025 a threat actor claimed to have stolen around 6 million records affecting more than 140,000 Oracle Cloud tenants, including SSO and LDAP credentials, encrypted passwords, and key store files. Oracle initially denied any breach of Oracle Cloud and later told customers that the data came from legacy Oracle Cloud Classic (Gen 1) servers; security researchers attributed the intrusion to an unpatched, years-old vulnerability in the Oracle Access Manager login infrastructure serving those servers. The incident illustrates the risk of shared identity infrastructure in multi-tenant SaaS: a compromise of one authentication layer can expose every tenant behind it, and customers typically have no visibility into how that layer is patched or monitored. It underscores the need for continuous monitoring of external app access, strong SaaS API governance, and the ability to rotate downstream credentials quickly when a provider's identity layer is suspected to be compromised.
Fake GitHub Security Alerts Used to Hijack OAuth Tokens and Repository Access
March 16, 2025
In a phishing campaign targeting developers, attackers planted fake “Security Alert” issues across thousands of GitHub repositories. The alerts encouraged users to authorize a malicious OAuth app—giving attackers full access to their repositories and workflows. Once access was granted, the attackers could clone, modify, or delete critical codebases. This breach demonstrates how even technically savvy users can be tricked through trusted platform interfaces. It also highlights the importance of monitoring OAuth app approvals in SaaS developer environments and enforcing tighter guardrails on third-party app authorization within GitHub and similar CI/CD platforms.
Malicious OAuth Apps Masquerade as Adobe and DocuSign to Compromise Microsoft 365
March 16, 2025
Cybercriminals deployed fake Microsoft OAuth applications disguised as Adobe Acrobat, Adobe Drive, and DocuSign to gain access to Microsoft 365 accounts. Victims, believing these were legitimate tools, unknowingly granted permissions that enabled attackers to read emails, access files, and potentially deliver malware. These types of impersonation campaigns exploit the trust users place in familiar brand names and in the OAuth consent process. This attack reinforces the importance of SaaS app whitelisting, stricter consent UX, and monitoring for unusual OAuth app usage—especially in environments like Microsoft 365, where access can quickly escalate.
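An audit of OAuth consent grants that would surface the three patterns above (the over-scoped OneDrive picker, the fake GitHub security-alert app, and the Adobe/DocuSign look-alikes), as an added example that is not part of the original page and is not code from Microsoft, Proofpoint or GitHub. The record shapes mirror the Microsoft Graph `oauth2PermissionGrant` and `servicePrincipal` resources, but every service principal, grant and scope list below is constructed for the example, and the risk ranking is this example's own judgement rather than a Microsoft list.

```python
"""Rank OAuth consent grants by risk: scope breadth, persistence, publisher.

Record shapes follow Microsoft Graph `oauth2PermissionGrant` and
`servicePrincipal`; all records here are constructed for this example.
"""
from typing import Dict, List, Tuple

# Delegated scopes that let an app read or send mail, or sweep files/directory.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
    "Sites.ReadWrite.All", "Contacts.Read", "Directory.Read.All", "User.Read.All",
}
# Brands routinely impersonated in consent-phishing campaigns.
IMPERSONATED_BRANDS = ("adobe", "docusign", "microsoft", "sharepoint", "onedrive")

SERVICE_PRINCIPALS: Dict[str, Dict] = {
    "sp-teams": {"displayName": "Microsoft Teams",
                 "verifiedPublisher": {"displayName": "Microsoft Corporation"}},
    "sp-acro":  {"displayName": "Adobe Acrobat",          # unverified look-alike
                 "verifiedPublisher": {"displayName": None}},
    "sp-crm":   {"displayName": "Contoso CRM Sync",
                 "verifiedPublisher": {"displayName": "Contoso Ltd"}},
}

GRANTS: List[Dict] = [
    {"id": "g1", "clientId": "sp-teams", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read offline_access"},
    {"id": "g2", "clientId": "sp-acro", "consentType": "Principal",
     "principalId": "user-42",
     "scope": "Mail.ReadWrite Files.ReadWrite.All offline_access User.Read"},
    {"id": "g3", "clientId": "sp-crm", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Contacts.Read offline_access"},
]


def assess_grant(grant: Dict, sp: Dict) -> Tuple[str, List[str]]:
    """Return (severity, reasons) for one consent grant."""
    scopes = set(grant.get("scope", "").split())
    reasons: List[str] = []
    publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
    name = sp.get("displayName", "")

    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if "offline_access" in scopes:
        reasons.append("offline_access: refresh token keeps access alive after logout")
    if not publisher:
        reasons.append("publisher not verified")
        if any(b in name.lower() for b in IMPERSONATED_BRANDS):
            reasons.append(f"unverified app uses a well-known brand name: {name!r}")
    if grant.get("consentType") == "AllPrincipals" and risky:
        reasons.append("tenant-wide admin consent for high-risk scopes")

    if risky and not publisher:
        severity = "high"       # broad data access from an unvetted publisher
    elif risky or (not publisher and "offline_access" in scopes):
        severity = "medium"
    else:
        severity = "low"
    return severity, reasons


def audit(grants: List[Dict], sps: Dict[str, Dict]) -> List[Dict]:
    """Assess every grant and return findings, highest severity first."""
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"], {})
        severity, reasons = assess_grant(g, sp)
        findings.append({"grant": g["id"], "app": sp.get("displayName", g["clientId"]),
                         "severity": severity, "reasons": reasons})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])
```

In a real tenant the input comes from `Get-MgOauth2PermissionGrant -All` and `Get-MgServicePrincipal` (Microsoft Graph PowerShell) or the equivalent Graph API calls; the same shape applies to GitHub's authorized OAuth apps if you map `scope` and the app owner onto these fields. Anything rated high is a candidate for immediate revocation and a look at the user's mailbox rules and sign-in history.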
Silk Typhoon Targets IT Supply Chain via Compromised SaaS and Remote Management Tools
March 5, 2025
Chinese state-sponsored group Silk Typhoon shifted tactics in early 2025 to focus on IT supply chain targets—breaching remote management tools and cloud services used by downstream organizations. Instead of attacking enterprises directly, the group infiltrated trusted SaaS platforms that support government, healthcare, and energy sectors. These compromises enable stealthy lateral movement and high-value data exfiltration across hundreds of customers at once. The campaign shows how SaaS and IT vendors—particularly those with privileged access—can serve as multipliers in espionage. Organizations must vet their vendors with the same rigor as internal assets and monitor for shared-platform abuse.
HPE Reveals Years-Long Midnight Blizzard Breach of Microsoft 365 Email Accounts
February 2025
In January 2024, Hewlett Packard Enterprise disclosed in an SEC filing that the Russian state actor Midnight Blizzard (APT29) had gained access to its cloud-based Microsoft 365 email environment beginning in May 2023, and in February 2025 HPE began notifying individuals whose data was in the affected mailboxes. The attackers quietly read and exfiltrated email from a small number of targeted mailboxes for months before the intrusion was detected. The long dwell time speaks to persistent blind spots in SaaS email auditing. Microsoft 365 remains a high-value SaaS target, and without monitoring of login anomalies, token and OAuth app usage, and mailbox rule changes, even well-defended organizations can suffer silent exposure. Ongoing auditing and session management are essential for defending cloud email.
Episource Healthcare SaaS Breach Exposes Sensitive Data of 5.4 Million Patients
February 2025
Between January 27 and February 6, 2025, attackers accessed the SaaS billing systems of Episource, exposing sensitive health and personal data of more than 5.4 million individuals. The breach involved names, dates of birth, medical records, and insurance data—raising serious HIPAA and compliance implications. Healthcare SaaS platforms, especially those involved in billing and record processing, remain high-value targets due to the volume and sensitivity of the data they hold. This incident underscores the need for rigorous identity access controls, encryption, and audit trails in industry-specific SaaS tools where patient and financial data intersect.
Exposed GitLab Token Grants Attackers Broad Access to Pearson’s Cloud and SaaS Systems
January 2025
A GitLab personal access token exposed in a publicly reachable .git/config file on a Pearson server gave attackers access to Pearson's source code repositories, which in turn contained hardcoded credentials for AWS, Google Cloud, Snowflake, and Salesforce. Pearson later confirmed that an unauthorized actor accessed and exfiltrated data, which it described as largely legacy, so the token did not merely create a theoretical blast radius. The chain shows how one leaked secret in a developer workflow can bridge cloud infrastructure and SaaS platforms. As organizations adopt multi-cloud and multi-SaaS strategies, secrets management must keep pace, especially in DevOps pipelines: tokens should be short-lived and narrowly scoped, never committed to repositories or left in server-side config, and scanned for automatically on every push.
Sensitive Data Breached From Fortinet's SaaS SharePoint Server
September 12, 2024
Fortinet confirmed a data breach after a threat actor claimed to have leaked 440GB of internal files. The compromised data allegedly included customer information as well as financial, marketing, and HR records. Fortinet stated that the attacker accessed a limited number of files stored on a third-party cloud-based shared file drive, which the attacker described as a Microsoft SharePoint instance; the initial access method was not disclosed. The breach highlights the need to protect sensitive data within SaaS applications as they increasingly hold business-critical information, and it serves as a reminder of the importance of SaaS security best practices around configuration, identities, data, integrations, and threat monitoring.
Snowflake Customers Suffer Data Breaches, Targeted Due to Lack of MFA
May 31, 2024
An attack campaign targeted Snowflake customer accounts (Ticketmaster, Santander Bank, and others). While initial reports—based on a later deleted post by a threat intelligence firm—suggested a breach of Snowflake's corporate production environment, the company clarified that no vulnerability or misconfiguration within their environment was exploited. Instead, attackers likely gained access to the Snowflake customer environments through use of stolen credentials (exposed through unrelated cyber activity), as well as due to a lack of Multi-Factor Authentication (MFA). This incident highlights the importance of the Shared Responsibility Model in SaaS security, in which the SaaS customer must enforce strong security configurations.
Sisense Development Environment Breach Leaks Customer Credentials and Tokens
April 2024
CISA confirmed in April 2024 that Sisense's self-hosted GitLab environment was breached, with attackers exfiltrating access tokens, passwords, and SSL certificates. These credentials could be used to compromise Sisense customers or connected services, which is why CISA urged customers to reset every credential and secret they had ever shared with Sisense. While this was not a breach of the core SaaS product, the development environment served as a launchpad for much wider impact. The attack emphasizes the need to treat SaaS development environments, including self-hosted tools, with enterprise-grade security: token storage, CI/CD configurations, and artifact repositories should all be protected like production infrastructure.
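A repository and config scanner that would have flagged both the token embedded in Pearson's .git/config and the credentials sitting in a GitLab environment like Sisense's, as an added example that is not part of the original page and is not code from Pearson, Sisense, GitLab or any commercial scanner. The regular expressions use the documented prefixes of each token type (GitLab `glpat-`, GitHub `ghp_`/`gho_`/…, AWS `AKIA`, Slack `xox?-`), with a Shannon-entropy fallback for generic `token = "..."` assignments; the sample files and every secret in them are constructed for the example.

```python
"""Scan text (source, .git/config, CI config) for leaked credentials.

Sample files and secrets are constructed for this example; the AWS key is
Amazon's documented placeholder and no token below is live.
"""
import math
import re
from typing import Dict, List

PATTERNS = {
    "gitlab_pat":        re.compile(r"\bglpat-[0-9A-Za-z_\-]{20}\b"),
    "github_token":      re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token":       re.compile(r"\bxox[abprs]-[0-9A-Za-z\-]{10,}\b"),
    "private_key":       re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # user:secret@host inside a URL, e.g. a git remote with embedded credentials
    "url_credentials":   re.compile(r"https?://[^/\s:@]+:([^@\s]+)@[^\s/]+"),
}
# Generic fallback: a secret-looking name assigned a long string; the entropy
# check below separates real random tokens from placeholders like "xxxx".
GENERIC = re.compile(
    r"(?i)(?:secret|token|passw(?:or)?d|api[_-]?key)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})")

SAMPLE_FILES: Dict[str, str] = {
    ".git/config": (
        "[remote \"origin\"]\n"
        "\turl = https://oauth2:glpat-AbCdEfGhIjKlMnOpQrSt@gitlab.example.com/acme/app.git\n"
        "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
    ),
    "deploy/settings.py": (
        "AWS_ACCESS_KEY_ID = \"AKIAIOSFODNN7EXAMPLE\"\n"
        "SESSION_TOKEN = \"xxxxxxxxxxxxxxxxxxxxxxxx\"\n"          # placeholder, low entropy
        "API_TOKEN = \"zX9qL2vT8mR4kP7wN1hB6yC3dF5gJ0sA\"\n"  # random, high entropy
        "PASSWORD_RESET_URL = \"https://app.example.com/reset\"\n"
    ),
    "README.md": "Run `make test` before pushing.\n",
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a repeated single character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> List[Dict]:
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        specific = set()
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                specific.add(value)
                findings.append({"path": path, "line": lineno,
                                 "kind": kind, "match": redact(value)})
        for m in GENERIC.finditer(line):
            value = m.group(1)
            if value in specific or shannon_entropy(value) < entropy_threshold:
                continue
            findings.append({"path": path, "line": lineno,
                             "kind": "high_entropy_secret", "match": redact(value)})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict]:
    """Scan a mapping of path -> contents and return all findings."""
    return [f for path, text in files.items() for f in scan_text(path, text)]
```

The token in the git remote URL produces two findings on the same line (the GitLab prefix match and the generic credentials-in-URL match), which is deliberate: the second pattern still fires for providers whose tokens have no recognizable prefix. Wire `scan_files` into a pre-commit hook or a CI job over the diff, and treat any finding as a rotation, not just a deletion, since the history already contains the value.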
Attackers Exploited Service Account, Stole Customer Data and Authentication Secrets
April 24, 2024
Dropbox Sign was breached by attackers who accessed emails, usernames, and general account settings associated with all users of the digital signature product. The breach is the latest example of a SaaS breach in which attackers either abused or directly targeted non-human identities. Unlike human users, NHIs often lack strong security measures like multi-factor authentication, making them attractive targets. From a compromised service account, to attacker access of user authentication data like API keys and OAuth tokens, the incident illustrates that effectively securing non-human identities in SaaS remains a significant challenge.
Salesforce Health Cloud Misconfiguration Exposed Personal Data of Over a Million Irish Residents
March 13, 2024
A serious misconfiguration was discovered in the Irish Health Service Executive's (HSE) COVID-19 vaccination portal, built on Salesforce's Health Cloud platform. It exposed the personal data of over 1 million Irish residents to potential public view. The misconfiguration, which was fixed in late 2021 but whose details were only made public in March 2024, allowed anyone registering on the portal to access the health information of other users, including full names, vaccination details (reasons for vaccination or refusal), the type of vaccine received, and even internal HSE documents. Although the misconfiguration is believed to have gone undiscovered and unexploited by malicious actors, it highlights the potential severity of SaaS misconfigurations in healthcare and the complexity of SaaS configuration management, and underscores the importance of robust access controls and regular security audits within SaaS environments.
Attackers Leveraged Service Token and Account Credentials from Okta Breach
February 2, 2024
Cloudflare disclosed that a suspected nation-state actor had accessed its internal Atlassian environment (Confluence, Jira, and Bitbucket) over Thanksgiving 2023. The attacker used one service token and three service account credentials that had been stolen in the October 2023 Okta support system breach and that Cloudflare had failed to rotate, including a service account that gave the Smartsheet SaaS application administrative access to Cloudflare's Atlassian instance. The attacker first browsed the internal wiki (Confluence) and bug database (Jira), then established persistence on the Atlassian server, and from there cloned source code repositories from Bitbucket while searching for information about Cloudflare's global network; an attempt to reach an AWS environment was unsuccessful.
This incident highlights the importance of SaaS security best practices for both primary and third-party applications. It also reinforces the challenge of managing non-human identities and service accounts: a credential that appears unused is not therefore harmless, which is exactly the assumption that left these four credentials unrotated. Continuously audit non-human identities and SaaS-to-SaaS connections, rotate every credential that may have been exposed in an upstream breach, and revoke privileges that are not currently needed.
Attackers Exploit a Microsoft Non-Production Test Tenant and Legacy OAuth Application
January 25, 2024
Microsoft's disclosure of the Midnight Blizzard (also tracked as NOBELIUM or APT29) attack described a patient nation-state intrusion. The actor password-sprayed a legacy, non-production test tenant account that lacked MFA, then abused a legacy test OAuth application that still had elevated access into Microsoft's corporate environment, granting it the Exchange Online full_access_as_app role and creating additional users and OAuth applications for persistence before reading the mailboxes of senior leadership and legal staff. The breach exposed three classic SaaS weaknesses at once: incomplete MFA coverage, overprivileged OAuth applications, and unmonitored creation of new identities. It emphasizes the importance of holistic SaaS security that considers human and non-human identities, third-party integrations, and potential misconfigurations.
Ateam Google Drive Misconfiguration Exposes Data of Nearly One Million People for Six Years
December 2023
Ateam, a Japanese game developer, made a simple Google Drive misconfiguration that put the personal information of nearly one million individuals at risk for more than six years. The misconfiguration allowed anyone with the URL to access files, potentially exposing files created, stored, and shared between March 2017 and November 22, 2023. Ateam confirmed that 935,779 individuals had their data exposed, 98.9% of them customers, with the remainder being business partners, employment candidates, and several thousand employees. The exposure could have enabled identity theft, fraud, or other malicious activity.
The misconfiguration could have been prevented by a sharing configuration that keeps Google Drive folders and files private by default, grants permissions explicitly to those who need access, and periodically audits for link-based ("anyone with the link") sharing.
Attackers Steal Session Cookies from HAR Files in Okta's Support System
October 2023
Threat actors used stolen credentials to breach Okta's support case management system, which held HAR files uploaded by customers for troubleshooting; those files contained session cookies, which the attackers harvested and used to target Okta's customers. Cloudflare, 1Password, and BeyondTrust confirmed that the stolen session cookies were replayed to impersonate real user accounts and bypass multi-factor authentication (MFA) against their systems. In Cloudflare's case the October attempt was detected and contained, but service credentials stolen in the same Okta breach were later used in the Thanksgiving 2023 intrusion into Cloudflare's Atlassian environment described above, giving access to Jira tickets, wiki pages, and source code. This incident underscores the critical role of robust session management and vigilance against social engineering in securing sensitive data in SaaS applications.
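Detection logic for replayed session tokens, covering both the AiTM case (SessionShark above) and stolen-cookie case (the Okta HAR files here), as an added example that is not part of the original page and is not code from Okta, Microsoft or any vendor. A stolen cookie is presented from the attacker's own network and browser, so the same session identifier suddenly shows up with a new ASN and user agent; the sign-in events below are constructed for the example in a generic shape, and the field names are this example's own (map your IdP's real fields onto them, for instance Okta System Log's `authenticationContext.externalSessionId`).

```python
"""Detect one SaaS session being replayed from a second network or client.

Events are constructed for this example. Field names are generic; map your
IdP's session id, source ASN and user agent onto them.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

EVENTS: List[Dict] = [
    {"ts": "2025-05-01T08:00:00", "user": "alice", "session": "sess-A",
     "ip": "203.0.113.10", "asn": "AS64500",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    {"ts": "2025-05-01T08:05:00", "user": "alice", "session": "sess-A",
     "ip": "203.0.113.11", "asn": "AS64500",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    # same session 12 minutes later from a hosting ASN with a different browser
    {"ts": "2025-05-01T08:17:00", "user": "alice", "session": "sess-A",
     "ip": "198.51.100.7", "asn": "AS64511",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/126"},
    {"ts": "2025-05-01T09:00:00", "user": "bob", "session": "sess-B",
     "ip": "192.0.2.20", "asn": "AS64500",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
    # bob roams to mobile hours later: new ASN, same browser, outside the window
    {"ts": "2025-05-01T15:30:00", "user": "bob", "session": "sess-B",
     "ip": "192.0.2.99", "asn": "AS64496",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
]


def detect_session_replay(events: List[Dict],
                          window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Alert when consecutive events for one session change ASN within `window`,
    or change user agent at any time (a cookie does not migrate between browsers)."""
    by_session: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)
    alerts: List[Dict] = []
    for sid, evs in by_session.items():
        for prev, cur in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            asn_jump = cur["asn"] != prev["asn"] and gap <= window
            ua_change = cur["ua"] != prev["ua"]
            if asn_jump or ua_change:
                alerts.append({
                    "session": sid, "user": cur["user"],
                    "from": f'{prev["ip"]} ({prev["asn"]})',
                    "to": f'{cur["ip"]} ({cur["asn"]})',
                    "minutes_between": int(gap.total_seconds() // 60),
                    "indicators": [n for n, hit in (("asn_jump", asn_jump),
                                                    ("ua_change", ua_change)) if hit],
                })
    return alerts


def sessions_to_revoke(alerts: List[Dict]) -> List[str]:
    """Deduplicated session ids to revoke at the IdP, forcing re-authentication."""
    return sorted({a["session"] for a in alerts})
```

The response to a hit is to revoke the session at the IdP (not just the app), require a fresh phishing-resistant sign-in, and review what the session touched in the meantime. The ASN-within-a-window rule tolerates ordinary roaming like Bob's; tune the window to your workforce, and treat a user-agent change as a hard signal regardless of timing.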
Misconfiguration Potentially Exposes ServiceNow Data
October 14, 2023
A misconfiguration pattern in ServiceNow instances allowed unauthenticated users, including people with no login to the platform at all, to read sensitive records. The issue stems from the Simple List widget, which renders table records into easily readable lists on a public Service Portal page: in many instances the table-level Access Control Lists (ACLs) were left at defaults that permitted public (guest) access, so anyone could request the data remotely. Exposed data could include passwords, sensitive ticket information, and PII, creating a direct leak risk as well as indirect risk from social engineering campaigns and reputational damage. It's estimated that 80% of Fortune 500 companies deploy ServiceNow.
Attackers Breach MGM Employee's account in Okta and Gained Super Admin Rights
September 13, 2023
Two Las Vegas casino giants, MGM and Caesars, suffered a devastating cyberattack, leading to extensive outages and disruptions across their internal networks, including: ATMs, slot machines, digital room key cards, and electronic payment systems. The attackers utilized voice phishing tactics to initially breach an MGM employee’s account in Okta. Once inside, they gained super admin rights, and launched their ransomware attack. MGM Resorts’ IT team shut down its systems after detecting attackers had compromised its Okta servers. This supposedly resulted in MGM Resorts being locked out of its Okta tenant, while its attackers were able to retain super administrator privileges.
Attackers Hijack Okta Service Desk Personnel to Gain Super Admin Access
September 4, 2023
Attackers consistently executed social engineering attacks against IT service desk personnel to hijack highly privileged Okta Super Administrator accounts. The access was used to assign higher privileges to other accounts, reset enrolled authenticators in existing administrator accounts, and remove second-factor requirements from authentication policies. Okta recommends enforcing phishing-resistant authentication and strengthening help desk identity verification to prevent these attacks.
Adversary Compromised Microsoft to Gain Access to 25 Other Companies
June 2023
On June 16, 2023, a Microsoft 365 customer alerted Microsoft to some anomalous email activity they had detected. Microsoft began investigating and found that an external adversary had compromised the email of 24 other customers as well. The attack began 32 days prior, on May 15, 2023.
A China-based adversary (Storm-0558) chose to compromise Microsoft to get access to these 25 organizations, instead of attacking each one individually. The actor acquired an inactive Microsoft consumer (MSA) signing key and used it to forge authentication tokens; a token-validation error allowed tokens signed with that consumer key to be accepted for enterprise Azure AD accounts, so the forged tokens could be used to read Exchange Online mailboxes through Outlook Web Access and Outlook.com. In the months following the attack, Microsoft received strong criticism from private industry experts and US politicians alike.
Compromised Employee Email Account Leads to Loss of Data and Intel Reports
May 2023
A known cybercriminal group compromised a new sales employee's email, impersonated them, and accessed cybersecurity vendor Dragos' SharePoint platform. The group downloaded general use data and 25 intel reports before failing an extortion attempt. Role-based access control (RBAC) prevented further breaches, and no other Dragos systems were compromised. The company swiftly deactivated the infiltrated account and blocked the criminals' access. Investigation is ongoing, though the stolen data may become public.
Misconfigurations Leak Sensitive Info from Public Salesforce Community Websites
April 2023
Brian Krebs from Krebs on Security posted that numerous organizations, including banks and healthcare providers, are leaking sensitive info from public Salesforce Community websites due to misconfiguration. This allows unauthenticated users to access private records. Recent cases like the Vermont state and Washington D.C. government exposed sensitive data such as names, SSNs, and bank account info. Salesforce advises customers to use their Guest User Access Report Package and follow best practices when configuring guest user profiles.
Stolen Engineer Session Token Leads to Access of CircleCI Production Systems
December 2022
CircleCI, a vendor specializing in CI/CD and DevOps tools, admitted that customer data had been compromised in a data breach. The inciting incident was information-stealing malware on an engineer's laptop, which captured a valid, MFA-backed SSO session cookie; stolen session tokens are an increasingly popular attack vector.
Because the session was already authenticated, the attackers could impersonate the engineer without triggering two-factor authentication, and from there reached production systems. They generated production access tokens and exfiltrated customer environment variables, tokens, and keys, which is why CircleCI asked every customer to rotate all secrets stored in the platform, including GitHub OAuth tokens that CircleCI rotated on customers' behalf.
Attacker Accesses Customer Data Through an Unrevoked Hackathon Password
October 2022
The FTC announced an enforcement action against Drizly and its CEO, James Rellas, over a 2020 breach in which an attacker accessed information on about 2.5 million customers. The breach traced back to a company executive who had been given access to Drizly's GitHub in 2018 for a one-day hackathon and whose access was never revoked. Password complexity and MFA were not enforced for these accounts, and the executive had reused the password across work and personal accounts. More than two years later the account still had access to the corporate GitHub organization; it was compromised via credential stuffing, and the repositories it could reach contained the database credentials the attacker then used.
Threat Actor Deploys Malicious Extension to Steal Email Content from Gmail and AOL
July 2022
A cyber threat actor, believed to have links with North Korea, was found deploying a malicious extension on Chromium-based web browsers to steal email content from Gmail and AOL. This malware, attributed to SharpTongue by cybersecurity firm Volexity, is particularly aimed at individuals working on topics of strategic interest to North Korea. The Sharpext extension inspects and exfiltrates data from a victim's webmail account as they browse it. The malware has been successful in stealing thousands of emails, presenting a new challenge in email data security. Google has clarified that the malicious extension was not available on the official Chrome Web Store.
Attacks steal OAuth User Tokens From Third-Party Vendors of GitHub
April 2022
GitHub announced that attackers had stolen OAuth user tokens issued to third-party vendors, Heroku and Travis-CI. These tokens were then used to download private data repositories from dozens of GitHub customers, including GitHub itself and npm, who had been using Heroku and Travis-CI-maintained OAuth applications.
GitHub's investigators suspected that secrets harvested from these repositories could be used to launch much wider supply chain attacks against additional infrastructure.
Hackers Mimic Okta SSO Login Pages to Gain Access to Multiple Accounts Across Different Services
March 2022
The "0ktapus" phishing campaign potentially compromised over 130 organizations, including Twilio and DoorDash, with login credentials of nearly 10,000 individuals stolen. Hackers mimicked single sign-on service Okta, gaining access to multiple accounts across different services. Twilio's breach revealed approximately 1,900 Signal accounts, with 163 customers' data accessed and 93 users of Authy compromised. Victims were lured to a convincingly designed phishing site, where they were prompted for their login details. Despite the phishing kit being poorly configured, the massive scale of the attack affected multiple industries. Financial motives seemed to be driving the hackers.
Attackers Access Internal Mailchimp Support Tools and Customer API Keys
April 2022
Mailchimp, a leading email marketing firm, discovered that hackers had gained access to internal customer support and account management tools, which were then used to launch phishing attacks against the customers of affected accounts. Buried beneath the headline was the bigger eye-opener: in addition to viewing accounts and exporting audience data, the threat actors gained access to API keys for an undisclosed number of customers. Mailchimp disabled those keys so they could no longer be used.
Attackers Attempted to Compromise Okta Support Engineer Account to Access Customer Data
January 2022
Okta detected an attempt to compromise the account of a customer support engineer working for a third-party provider. They alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. After analysis of the breach, they concluded that a small percentage of customers had potentially been impacted and whose data may have been viewed or acted upon. Okta identified those customers and reached out directly by email.
Hackers Tricked Employee Over Slack to Obtain Login Token to Steal Source Code
June 2021
Game publisher Electronic Arts suffered a significant data breach after hackers tricked an employee over Slack into providing a login token. The attackers reportedly bought a stolen authentication cookie that let them join EA's Slack workspace, then messaged IT support claiming to have lost their phone and asked for a multifactor authentication token, which was granted and gave them access to the corporate network. They reportedly stole the source code for FIFA 21, the Frostbite engine, and other game development tools, totaling around 780GB of data. EA confirmed the breach, said it was investigating, and stated that it had implemented security improvements. According to EA, no player data was compromised.