The SaaS Breach Surge: Three Attack Patterns You Can’t Afford to Ignore
Sep 1, 2025
Attackers are rewriting the breach playbook, shifting their focus from perimeter defenses to SaaS users, applications, and integrations. Explore the attack patterns used in the recent SaaS breach surge.
If you still needed proof that SaaS security matters, this is it.
A recent series of high-profile breaches has sent a clear signal: attackers are finding new ways to exploit the SaaS ecosystem — and they’re succeeding.
What’s striking isn’t just the number of incidents but the patterns emerging across them. Stolen OAuth tokens are being misused to exploit SaaS-to-SaaS integrations, turning them into unguarded entry points. Offboarding gaps are leaving sensitive data exposed. And weak credential practices continue to expose established organizations. In too many cases, no one realizes what’s happening until the damage is already done.
Attackers are rewriting the breach playbook, shifting their focus from perimeter defenses to the ecosystem of SaaS users, applications, and integrations that organizations rely on every day. Recent incidents highlight three key patterns driving this shift; let’s explore them in more detail.
1. Social Engineering to Trick SaaS Admins into Authorizing Fake Apps
Allianz Life. Qantas. Google. And now TransUnion. Different entry points, same outcome.
In July, Allianz Life staff thought they were installing a routine Salesforce Data Loader update. It looked legitimate and the instructions seemed credible, but it wasn't real. Within hours, attackers had quietly siphoned CRM data containing regulated customer information.
The Qantas incident looked different on the surface but followed the same playbook. Attackers compromised a third-party contact center using spoofed calls and SIM-swapping tactics, ultimately exposing personal data for 5.7 million travelers.
Even Google wasn't immune. ShinyHunters, the threat group suspected in several Salesforce-related incidents, used consent phishing and a malicious OAuth app impersonating Salesforce's legitimate Data Loader to compromise a corporate CRM instance and exfiltrate business contact data before anyone noticed.
And while the details of the TransUnion breach are still unfolding, reporting has linked it to the same ShinyHunters string of Salesforce attacks.
Why These Attacks Were Successful
These attacks work because SaaS users believe they're doing the right thing: installing a trusted update, approving a legitimate app, helping IT. But the trust model behind SaaS can be turned against us in surprisingly subtle ways. Attackers aren't forcing their way in; they're exploiting normal SaaS behavior:
An update request feels routine.
A contact center agent seems trustworthy.
An OAuth app request looks harmless.
Attackers are blending into patterns we expect to see and actions we rarely question. That’s why these breaches succeed and why they’re so difficult to detect early.
CRMs are particularly attractive targets because they’re data-rich and deeply connected to the broader SaaS ecosystem. They store regulated customer information, sync with downstream systems, and often integrate with dozens of other SaaS tools. A compromise here doesn’t just expose one dataset; it creates a cascading chain of risk across every connected app.
And that’s the real challenge: when access looks legitimate and actions seem routine, traditional security controls rarely sound the alarm. By the time anyone realizes what happened, sensitive data has already left the building, quietly and at scale.
2. OAuth Exploitation to Expand the Breach Radius
Salesloft. Drift. Workday. Different breaches, same amplification technique.
The Salesloft breach is the most recent and one of the most consequential. Attackers stole OAuth tokens, granting them authorized, persistent access to customer environments integrated with Drift. From there, they moved laterally into downstream accounts, quietly exfiltrating sensitive data without tripping traditional security alarms. What began as a compromise of one SaaS provider rippled outward, effectively becoming a supply chain breach impacting multiple organizations. Read the Salesloft breach breakdown.
Workday shows the same risk from a different angle. Attackers used voice phishing and SMS lures to trick employees into approving malicious OAuth apps or authorizing bulk data exports. The consent was genuine, and so was the access it granted. Once issued, those tokens let data flow out through sanctioned channels, bypassing security controls that only watch for forced entry. Read our Workday breach analysis.
Why These Attacks Worked
OAuth is quickly becoming one of the quietest and most dangerous attack vectors in SaaS environments. It was designed to make integrations effortless, but it has also created blind spots most security teams aren't watching:
Approvals look legitimate because they arrive through trusted apps and standard consent screens.
Stolen tokens pass as authorized access because they are rarely inventoried, rotated, or monitored the way passwords are.
Integrations slip under the radar, so anomalous activity through them goes unnoticed until it's too late.
The real risk isn’t just the initial compromise—it’s what happens after.
A single stolen token doesn't just open one app; it can open every connected system its scopes reach downstream. That's why the Salesloft incident matters: attackers didn't need to breach Salesforce directly. They used legitimate integrations to bypass defenses entirely.
And that’s the challenge. Because OAuth abuse uses sanctioned channels, it blends perfectly into normal SaaS behavior. By the time anyone notices, attackers have already established deep, persistent access across multiple connected systems.
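The two signals worth correlating here are a consent grant to a client that is not on the sanctioned list (especially one whose display name copies an approved app, as in the Data Loader cases above) and a large export through that same client shortly afterwards. The following is an added example, not code from the original post or from Grip: it runs a small set of constructed audit-log events, in an invented vendor-neutral shape, through an allowlist check, a broad-scope check, and a grant-to-export time-window correlation. The client IDs, scope policy, and thresholds are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Sanctioned OAuth clients, keyed by client_id (constructed allowlist; client IDs are invented).
APPROVED_APPS = {"cid-approved-001": "Data Loader"}
# Scopes an end user should never be able to grant without review (constructed policy).
BROAD_SCOPES = {"full"}

# Constructed audit-log events in a hypothetical, vendor-neutral shape. The second grant
# reuses the name of a sanctioned app but comes from an unknown client_id, and is followed
# minutes later by a large export through that same client: the pattern described above.
SAMPLE_EVENTS = [
    {"ts": "2025-08-08T09:02:11Z", "user": "j.doe@example.com", "event": "oauth_grant",
     "app": "Data Loader", "client_id": "cid-approved-001", "scopes": ["api", "refresh_token"]},
    {"ts": "2025-08-08T14:10:00Z", "user": "j.doe@example.com", "event": "bulk_export",
     "client_id": "cid-approved-001", "object": "Account", "rows": 1200},
    {"ts": "2025-08-08T13:45:02Z", "user": "a.smith@example.com", "event": "oauth_grant",
     "app": "Data Loader", "client_id": "cid-unknown-777", "scopes": ["api", "refresh_token", "full"]},
    {"ts": "2025-08-08T13:51:40Z", "user": "a.smith@example.com", "event": "bulk_export",
     "client_id": "cid-unknown-777", "object": "Contact", "rows": 480000},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze(events, approved=APPROVED_APPS, window=timedelta(hours=2), row_threshold=100_000):
    """Return findings for suspicious OAuth grants and bulk exports, in time order.

    Grants are flagged when the client_id is not on the allowlist (noted as a lookalike
    when the display name copies a sanctioned app) or when they ask for a broad scope.
    Exports are flagged when they run through an unapproved client, exceed the row
    threshold, or follow a fresh grant for the same client within `window`.
    """
    approved_names = {name.lower() for name in approved.values()}
    recent_grants = {}  # client_id -> timestamp of the latest grant seen so far
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts, cid, reasons = parse_ts(ev["ts"]), ev["client_id"], []
        if ev["event"] == "oauth_grant":
            recent_grants[cid] = ts
            if cid not in approved:
                reasons.append("lookalike_name" if ev["app"].lower() in approved_names
                               else "unapproved_client")
            if BROAD_SCOPES & set(ev["scopes"]):
                reasons.append("broad_scope")
        elif ev["event"] == "bulk_export":
            if cid not in approved:
                reasons.append("unapproved_client")
            if ev["rows"] >= row_threshold:
                reasons.append("volume")
            if cid in recent_grants and ts - recent_grants[cid] <= window:
                reasons.append("recent_grant")
        if reasons:
            findings.append({"kind": ev["event"], "ts": ev["ts"], "user": ev["user"],
                             "client_id": cid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["kind"], ", ".join(f["reasons"]))
```

The sanctioned Data Loader grant and the small export through it produce no findings; the lookalike grant and the 480,000-row export six minutes later do. Keying the allowlist on client_id rather than display name is the point: the name is exactly what the attacker copies.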
3. Offboarding Gaps and Weak Credentials Create Invisible Entry Points
Not every breach starts with sophisticated phishing kits or OAuth token theft. Sometimes, it’s the basics that open the door.
At one security company, a former employee had created a Vimeo account outside IT's control and uploaded sensitive intellectual property. The account — and the data — were left public, exposing information no one realized was at risk.
Then there’s KNP, where compromised SaaS credentials triggered a cascading impact. Attackers leveraged a single exposed account to move deeper into business systems, and without detection tools or centralized SaaS visibility, the breach escalated quickly. The damage was so severe that KNP was forced to shut down operations entirely. Dive deeper into the KNP breach.
The Bigger Picture
These incidents highlight one of SaaS security’s most overlooked problems: identity drift. As SaaS adoption accelerates, accounts, credentials, and tokens pile up faster than most teams can manage:
Employees leave, but accounts stay active.
Credentials are reused across multiple apps or never rotated.
Unmanaged SaaS accounts live outside the IdP and outside of IT’s line of sight, creating dangling access.
Attackers love these gaps because they don’t require breaking in; they just log in. Without visibility into which accounts exist, what access they hold, and where credentials are reused, these doors stay open — and the risks stay hidden — until it’s too late.
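The practical check for identity drift is a reconciliation: take the per-app account inventory, join it to the IdP directory, and flag anything whose owner is gone, unknown, or holding a local password that IdP deprovisioning cannot disable. The following is an added example, not code from the original post or from Grip; the IdP export and account inventory are constructed, the status values and the 90-day staleness threshold are assumptions, and the Vimeo row mirrors the kind of account the incident above describes.

```python
from datetime import date

# Constructed IdP directory export: current status per identity, plus the date a
# departed user was deprovisioned.
IDP_USERS = {
    "j.doe@example.com": {"status": "active"},
    "a.smith@example.com": {"status": "deprovisioned", "deprovisioned_on": "2025-06-30"},
}

# Constructed per-app account inventory, the kind a SaaS discovery tool or a set of
# per-vendor admin API exports would produce. "auth" records whether the account
# signs in through the IdP (sso) or holds its own password.
SAAS_ACCOUNTS = [
    {"app": "Salesforce", "email": "j.doe@example.com", "auth": "sso", "last_login": "2025-08-20"},
    {"app": "Vimeo", "email": "a.smith@example.com", "auth": "password", "last_login": "2025-07-14"},
    {"app": "Notion", "email": "a.smith@example.com", "auth": "sso", "last_login": "2025-06-28"},
    {"app": "Trello", "email": "contractor@example.net", "auth": "password", "last_login": "2025-03-01"},
]


def reconcile(accounts, idp, today=date(2025, 9, 1), stale_days=90):
    """Compare SaaS accounts against the IdP and return one finding per risky account.

    Reasons: unknown_identity (no IdP record at all), orphaned (owner no longer active),
    used_after_offboarding (a login after the deprovisioning date), local_credential
    (password auth, so disabling the IdP identity does not disable it), stale (unused
    for longer than `stale_days`). Accounts with no reasons are not reported.
    """
    findings = []
    for acct in accounts:
        reasons = []
        owner = idp.get(acct["email"])
        last_login = date.fromisoformat(acct["last_login"])
        if owner is None:
            reasons.append("unknown_identity")
        elif owner["status"] != "active":
            reasons.append("orphaned")
            if last_login > date.fromisoformat(owner["deprovisioned_on"]):
                reasons.append("used_after_offboarding")
        if acct["auth"] != "sso":
            reasons.append("local_credential")
        if (today - last_login).days > stale_days:
            reasons.append("stale")
        if reasons:
            findings.append({"app": acct["app"], "email": acct["email"], "reasons": reasons})
    # Surface the worst first: any sign of use after offboarding outranks everything else.
    findings.sort(key=lambda f: ("used_after_offboarding" not in f["reasons"], f["app"]))
    return findings


if __name__ == "__main__":
    for f in reconcile(SAAS_ACCOUNTS, IDP_USERS):
        print(f"{f['app']:<10} {f['email']:<26} {', '.join(f['reasons'])}")
```

The Vimeo account is the one to act on first: its owner was deprovisioned at the end of June, it still signed in two weeks later, and because it uses a local password the IdP change never touched it. The SSO-backed Notion account is reported too, since the app-side account and any API tokens it holds outlive the IdP identity.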
Closing the Gaps
These breaches share a common thread: attackers aren’t breaking SaaS; they’re exploiting how we use it.
From tricking users into installing fake updates to abusing OAuth integrations to move laterally to leveraging weak or orphaned credentials, the risks are often hiding in plain sight.
Grip gives security teams the visibility and control needed to reduce SaaS risk without slowing the business down:
SaaS Ecosystem Visibility
You can’t protect what you can’t see. Grip automatically discovers every SaaS app in use, including shadow SaaS and shadow AI, and highlights which platforms are most likely to store regulated or sensitive data. This helps close one of the biggest visibility gaps in SaaS security: knowing what’s in use, what it’s connected to, and where your data lives.
OAuth and Integration Risk Monitoring
OAuth tokens and SaaS-to-SaaS integrations create silent, high-impact attack paths. Grip maps all connected apps, tokens, and permissions, and flags risky scopes or unused integrations before attackers can exploit them. If permissions change or a malicious app is authorized, Grip detects abnormal data flows and surfaces suspicious behavior early, turning silent compromises like those at Allianz Life, Google, Salesloft, and Workday into detectable events.
Identity Threat Detection and Response (ITDR 2.0)
With SaaS, identities are the new perimeter. Grip’s ITDR 2.0 capabilities track behavioral trends across accounts and integrations, using anomaly detection to surface suspicious activity early, from unexpected bulk data exports to malicious app approvals. That’s how Grip prevents OAuth abuse and credential compromise from becoming headline breaches. Get started with ITDR with our free guide.
Automated Offboarding and Credential Hygiene
Grip integrates with your IdP to automate SaaS account lifecycle management, ensuring that when employees leave, their accounts — managed and unmanaged — are revoked instantly. Grip also flags weak, reused, or stale credentials before they become open doors for attackers.
The Takeaways from the Recent SaaS Breach Surge
Attackers are following a clear playbook:
Trick users into trusting the wrong apps.
Ride OAuth tokens and integrations to move laterally.
Exploit forgotten accounts and weak credentials to stay hidden.
Grip was built to disrupt that playbook. By combining deep SaaS visibility, OAuth integration monitoring, and ITDR 2.0 anomaly detection, Grip helps security teams spot patterns early, shut down unauthorized access quickly, and shrink the blast radius before it spreads. Breaches like these will keep happening, but they don’t have to happen to you. Connect with our team to discuss how Grip can help you avoid becoming a victim in the next wave of SaaS-based attacks.
Frequently Searched Answers
What is a “SaaS breach surge”?
A SaaS breach surge refers to the sharp increase in attacks targeting SaaS platforms and integrations. Recent incidents show attackers are shifting from perimeter breaches to exploiting OAuth tokens, app integrations, and credential weaknesses, often bypassing traditional security controls entirely.
What attack patterns are driving the SaaS breach surge?
Three primary attack patterns are emerging from recent breaches:
Targeting trust: Tricking SaaS users into installing fake updates or authorizing malicious apps.
OAuth exploitation: Using stolen tokens and integrations to move laterally across connected apps.
Weak credentials and offboarding gaps: Leveraging reused passwords or orphaned accounts to gain access.
How can security teams detect these attack patterns early?
Traditional security tools often miss these techniques because the activity looks legitimate. Solutions like Grip’s ITDR 2.0 capabilities help by tracking behavioral trends, detecting anomalies like unexpected bulk data exports or malicious OAuth app approvals, and surfacing risks before they escalate.
SaaS and AI-related risks are far more common than most security teams realize. Grip's 2025 SaaS Security Risks Report found that organizations often have 8x more apps than IT is aware of, and that apps containing sensitive data, such as financial data, were managed less often. Download the report to see the full findings and benchmark your risk posture.
How does Grip help organizations reduce breach risk?
Grip provides complete SaaS ecosystem visibility, maps OAuth integrations and permissions, and uses ITDR 2.0 anomaly detection to flag suspicious behavior early. By automating offboarding and improving credential hygiene, Grip helps teams shrink the blast radius when incidents happen and reduces the chance of becoming the next breach headline. Book time with our team to learn more.