SaaS Threat Center

A guide to recent SaaS data breaches, SaaS threats, and SaaS misconfigurations

Assess Your SaaS Risk

This updated guide will help you stay informed about the evolving landscape of SaaS security threats with a closer look at recent breaches and high-impact misconfigurations.

Microsoft-Dragos' Sharepoint Breach

Snowflake Data Breaches

Snowflake Customers Suffer Data Breaches, Targeted Due to Lack of MFA

May 31, 2024

An attack campaign targeted Snowflake customer accounts (Ticketmaster, Santander Bank, and others). While initial reports—based on a later deleted post by a threat intelligence firm—suggested a breach of Snowflake's corporate production environment, the company clarified that no vulnerability or misconfiguration within their environment was exploited. Instead, attackers likely gained access to the Snowflake customer environments through use of stolen credentials (exposed through unrelated cyber activity), as well as due to a lack of Multi-Factor Authentication (MFA). This incident highlights the importance of the Shared Responsibility Model in SaaS security, in which the SaaS customer must enforce strong security configurations.

Read More

Microsoft-Dragos' Sharepoint Breach


Attackers Exploited Service Account, Stole Customer Data and Authentication Secrets

April 24, 2024

Dropbox Sign was breached by attackers who accessed emails, usernames, and general account settings associated with all users of the digital signature product. The breach is the latest example of a SaaS breach in which attackers either abused or directly targeted non-human identities. Unlike human users, NHIs often lack strong security measures like multi-factor authentication, making them attractive targets. From a compromised service account, to attacker access of user authentication data like API keys and OAuth tokens, the incident illustrates that effectively securing non-human identities in SaaS remains a significant challenge.

Read More

Microsoft-Dragos' Sharepoint Breach

(post Okta Breach)

Attackers Leveraged Service Token and Account Credentials from Okta Breach

February 2, 2024

Cloudflare was impacted by a sophisticated wide-range Okta supply-chain campaign by a nation-state attacker which breached its Atlassian Bitbucket, Confluence and Jira platforms. The attackers leveraged a service token and service account credentials leaked during the Okta breach, that was granted to allow the SaaS application Smartsheet to have administrative access to Cloudflare's Atlassian. The attackers accessed its internal wiki (Confluence) and bug database (Jira) before accessing its Atlassian server. From there, they successfully hopped over to Cloudflare’s source code repositories in Bitbucket and an AWS instance where they were looking for information about their global network.

This incident highlights the importance of SaaS security best practices for both primary and third-party applications. It also reinforces the challenge of managing non-human identities and service accounts, where just because they are inactive does NOT mean they pose no security risk. It’s important to continuously audit non-human identities and SaaS-to-SaaS connections, and to revoke any privileges that are not currently needed.

Read More

Microsoft-Dragos' Sharepoint Breach

Microsoft Midnight Blizzard

Attackers Exploit a Microsoft Non-Production Test Tenant and Legacy OAuth Application

January 25, 2024

Microsoft's disclosure of the Midnight Blizzard attack reveals a sophisticated nation-state cyber siege. The threat actor, NOBELIUM or APT29, exploited a non-production test tenant and a legacy OAuth application to access corporate email accounts, targeting senior leadership and legal teams. This SaaS breach exposed MFA configurations, overprivileged OAuth applications, and the creation of new identities. The breach emphasizes the importance of holistic SaaS security, considering human and non-human identities, third-party integrations, and potential misconfigurations.

Read More

Microsoft-Dragos' Sharepoint Breach

Google Drive Misconfiguration

Misconfiguration Exposes Google Drive Files

January 2, 2024

Ateam, a Japanese game developer, made a simple Google Drive misconfiguration that put the personal information of nearly one million individuals at risk for over 6 years. The misconfiguration in Ateam's Google Drive allowed anyone with the URL link to access files, potentially exposing files created, stored, and shared between March 2017 and November 22, 2023. Ateam confirmed that 935,779 individuals had their data exposed, with 98.9% being customers, the rest being business partners, employment candidates, and several thousand employees. This data breach could have resulted in identity theft, fraud, or other malicious activities.

The misconfiguration could have been prevented by a security configuration that sets Google Drive folders and files to private by default. Additionally, permissions should be explicitly granted to those who need access.

Read More

Microsoft-Dragos' Sharepoint Breach


Stolen Credentials Lead to Okta Breach

October 20, 2023

Cyber threat actors utilized stolen credentials to breach Okta's support case management system. This system houses HAR files containing session cookies, which were accessed by the attackers. This unauthorized access prompted the attackers to shift their focus towards targeting Okta's customer base. Cloudflare, 1Password, and BeyondTrust confirmed that hackers used stolen session cookies from the Okta HAR files—used to impersonate real user accounts and bypass multi-factor authentication (MFA)— to target their systems as a result of the breach. In the case of Cloudflare, attackers were able to gain access to Cloudflare's sensitive data such as Jira tickets, wiki pages, source code, and potentially more data sources. This incident underscores the critical role of robust access management and vigilance against social engineering attacks in securing sensitive data in SaaS applications.

Read More

Microsoft-Dragos' Sharepoint Breach

ServiceNow Misconfiguration

Misconfiguration Potentially Exposes ServiceNow Data

October 14, 2023

A misconfiguration within the ServiceNow platform resulted in unintended access to sensitive data by unauthenticated users, even if they don't have a login to the platform. The issue stems from security controls in a ServiceNow Access Control List (ACL) widget called Simple List, which puts records into easily readable tables. The default configuration for these tables allows the data to be accessed remotely by unauthenticated users. If a company was breached, security experts said there would have been direct risks such as data leaks, including passwords, sensitive ticket info, and PII, as well as indirect risk for social engineering campaigns and impact on the organization’s reputation. it’s estimated that 80% of Fortune 500 companies deploy ServiceNow.

Read More

Microsoft-Dragos' Sharepoint Breach


Attackers Breach MGM Employee's account in Okta and Gained Super Admin Rights

September 13, 2023

Two Las Vegas casino giants, MGM and Caesars, suffered a devastating cyberattack, leading to extensive outages and disruptions across their internal networks, including: ATMs, slot machines, digital room key cards, and electronic payment systems. The attackers utilized voice phishing tactics to initially breach an MGM employee’s account in Okta. Once inside, they gained super admin rights, and launched their ransomware attack. MGM Resorts’ IT team shut down its systems after detecting attackers had compromised its Okta servers. This supposedly resulted in MGM Resorts being locked out of its Okta tenant, while its attackers were able to retain super administrator privileges.

Read More

Microsoft-Dragos' Sharepoint Breach


Attackers Hijack Okta Service Desk Personnel to Gain Super Admin Access

September 4, 2023

Attackers consistently executed social engineering attacks against IT service desk personnel to hijack highly privileged Okta Super Administrator accounts. The access was used to assign higher privileges to other accounts, reset enrolled authenticators in existing administrator accounts, and remove second-factor requirements from authentication policies. Okta recommends enforcing phishing-resistant authentication and strengthening help desk identity verification to prevent these attacks.

Read More

Microsoft-Dragos' Sharepoint Breach


Adversary Compromised Microsoft to Gain Access to 25 Other Companies

June 2023

On June 16, 2023, a Microsoft 365 customer alerted Microsoft to some anomalous email activity they had detected. Microsoft began investigating and found that an external adversary had compromised the email of 24 other customers as well. The attack began 32 days prior, on May 15, 2023.

A China-based adversary (Storm-0558) chose to compromise Microsoft to get access to these 25 companies, instead of trying to attack each organization individually. Azure AD tokens were forged, used to generate access tokens, which were then used to steal email via the Outlook Mail API. In the months following the attack, Microsoft received strong criticism from private industry experts and US politicians alike.

Read More

Microsoft-Dragos' Sharepoint Breach

Microsoft-Dragos SharePoint

Compromised Employee Email Account Leads to Loss of Data and Intel Reports

May 2023

A known cybercriminal group compromised a new sales employee's email, impersonated them, and accessed cybersecurity vendor Dragos' SharePoint platform. The group downloaded general use data and 25 intel reports before failing an extortion attempt. Role-based access control (RBAC) prevented further breaches, and no other Dragos systems were compromised. The company swiftly deactivated the infiltrated account and blocked the criminals' access. Investigation is ongoing, though the stolen data may become public.

Read Announcement

Salesforce-Misconfiguration Risk

Misconfiguration Risk

Misconfigurations Leak Sensitive Info from Public Salesforce Community Websites

April 2023

Brian Krebs from Krebs on Security posted that numerous organizations, including banks and healthcare providers, are leaking sensitive info from public Salesforce Community websites due to misconfiguration. This allows unauthenticated users to access private records. Recent cases like the Vermont state and Washington D.C. government exposed sensitive data such as names, SSNs, and bank account info. Salesforce advises customers to use their Guest User Access Report Package and follow best practices when configuring guest user profiles.

Read Announcement


CircleCI Compromised

CircleCI's Compromised GitHub OAuth Token Leads to Access of Production Systems

December 2022

CircleCI, a vendor specializing in CI/CD and DevOps tools, admitted that customer data had been compromised in a data breach. The inciting incident was a compromised GitHub OAuth token, an increasingly popular attack vector.

The CircleCI investigation revealed that the attackers stole a valid session token of a CircleCI engineer, enabling them to bypass two-factor authentication and gain unauthorized access to production systems. As a result, they managed to purloin customer variables, tokens, and keys.

Read Announcement


Drizly Alcohol Retailer Breach

Attacker Accesses Customer Data Through an Unrevoked Hackathon Password

October 2022

The FTC filed a data privacy lawsuit against Drizly CEO, James Rellas, for the 2020 breach that allowed an attacker to access information on 2.5 million customers. This breach stemmed from giving a company executive access to GitHub for a one-day hackathon in 2018 that was never revoked. Password complexity and MFA was not enforced for these accounts, and the executive reused a password for multiple work and personal accounts. Over two years later, the executive’s account still had access to the corporate GitHub tenant and was compromised via credential stuffing.

Read Announcement


Sharptongue/ Kimsuky

Threat Actor Deploys Malicious Extension to Steal Email Conent from Gmail and AOL

July 2022

A cyber threat actor, believed to have links with North Korea, was found deploying a malicious extension on Chromium-based web browsers to steal email content from Gmail and AOL. This malware, attributed to SharpTongue by cybersecurity firm Volexity, is particularly aimed at individuals working on topics of strategic interest to North Korea. The Sharpext extension inspects and exfiltrates data from a victim's webmail account as they browse it. The malware has been successful in stealing thousands of emails, presenting a new challenge in email data security. Google has clarified that the malicious extension was not available on the official Chrome Web Store.

Read Announcement

GitHub-Heroku/Travis CI

Heroku/ Travis CI

Attacks steal OAuth User Tokens From Third-Party Vendors of GitHub

April 2022

GitHub announced that attackers had stolen OAuth user tokens issued to third-party vendors, Heroku and Travis-CI. These tokens were then used to download private data repositories from dozens of GitHub customers, including GitHub itself and npm, who had been using Heroku and Travis-CI-maintained OAuth applications.

Github researchers suspect that secrets harvested from these data stores could potentially be used to launch much wider supply chain attacks to gain access to additional infrastructure.

Read Announcement

Okta-Oktapus Phishing Campaign

Oktapus Phishing Campaign

Hackers Mimick SSO from Okta to Gain Access to Multiple Accounts Across Different Services.

March 2022

The "0ktapus" phishing campaign potentially compromised over 130 organizations, including Twilio and DoorDash, with login credentials of nearly 10,000 individuals stolen. Hackers mimicked single sign-on service Okta, gaining access to multiple accounts across different services. Twilio's breach revealed approximately 1,900 Signal accounts, with 163 customers' data accessed and 93 users of Authy compromised. Victims were lured to a convincingly designed phishing site, where they were prompted for their login details. Despite the phishing kit being poorly configured, the massive scale of the attack affected multiple industries. Financial motives seemed to be driving the hackers.

Read Announcement

Mailchimp-Unidentified Bad Actor

Bad Actor

Bad Actor Gains Access to API Keys for Customers

March 2022

MailChimp, a leading email marketing firm, discovered that hackers had gained access to internal customer support and account management tools, which could be used to launch phishing attacks to steal customer data. Buried by the headline, however, was this even bigger eye-opener–In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which have now been disabled and can no longer be used.

Read Announcement



Attackers Attempted to Compromise Okta Support Engineer Account to Access Customer Data

January 2022

Okta detected an attempt to compromise the account of a customer support engineer working for a third-party provider. They alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. After analysis of the breach, they concluded that a small percentage of customers had potentially been impacted and whose data may have been viewed or acted upon. Okta identified those customers and reached out directly by email.

Read Announcement

Slack-Electronic Arts Breach

Electronic Arts Brach

Hackers Tricked Employee Over Slack to Obtain Login Token to Steal Source Code

June 2021

Game publisher Electronic Arts suffered a significant data breach perpetrated by hackers who tricked an employee over Slack to secure a login token. The hackers reportedly stole the source code for FIFA 21, the Frostbite engine, and other game development tools, totalling around 780GB of data. This breach was achieved through a multifactor authentication request to EA's IT support, granting them access to the corporate network. EA has confirmed the breach, stating that they are currently investigating the incident and have implemented security improvements. No player data was compromised in this breach according to EA's report.

Read Announcement