Software as a Service (SaaS) breaches have seen a significant surge, increasing by 300% in the 12 months from September 2023, as reported by Obsidian Security. This rise in breaches is attributed to the failure of traditional security measures to effectively prevent these attacks, leading to cybercriminal groups and nation-state actors targeting SaaS platforms to steal sensitive data.
Organizations are increasingly relying on SaaS applications for critical operations, making them prime targets for cyber attacks. These breaches serve multiple objectives, including financial gain, espionage, and strategic disruption. A recent high-profile incident involved cybercriminals compromising the cloud data warehousing platform Snowflake, resulting in over 160 companies with Snowflake deployments being warned of potential impacts, including major telecoms company AT&T. The cybercriminals were able to extort approximately $2.5 million as part of their campaign.
According to Obsidian Security, the healthcare sector experienced the highest number of SaaS breaches in the period from September 2023 to September 2024, accounting for 14% of the total breaches. This was followed by state and local government (13%) and financial services (11%).
The report highlighted that traditional security measures are failing to prevent SaaS attacks, even against organizations with robust security measures in place. The shift towards using SaaS applications for data storage means that protecting SaaS accounts is crucial to safeguarding sensitive information. The integrated nature of SaaS platforms allows threat actors to easily move laterally across multiple applications with just a single compromised identity.
In the case of the Snowflake incident, the lack of multi-factor authentication (MFA) enabled the attackers to gain access with just a valid username and password, which had been obtained from a previous infostealer campaign. Obsidian Security’s research found that most SaaS breaches (85%) originated from a compromised identity.
Various credential compromise techniques were used to target SaaS applications, including adversary-in-the-middle (AiTM) attacks, abuse of self-service password reset, single-factor password guessing, and push fatigue. Despite the use of MFA in many instances, 84% of the analyzed incidents showed that MFA failed to prevent the attackers from gaining access, due to weak implementation and bypass techniques such as AiTM.
The researchers emphasized the need for organizations to gain a comprehensive view of all SaaS applications and services in use, implement least privilege access controls, and establish ongoing monitoring for SaaS environments to mitigate these attacks effectively. As the targeting of SaaS platforms is expected to increase in 2025, proactive measures to secure these platforms are crucial in protecting sensitive data from cyber threats.