SaaS Breaches Skyrocket 300% as Traditional Defenses Fall Short


Software as a Service (SaaS) breaches surged by 300% in the 12 months from September 2023 as traditional security measures fail to prevent such attacks.

This is according to new findings by Obsidian Security, which observed that sophisticated cybercriminal groups and nation-state actors are now focusing on SaaS platforms to steal sensitive data.

Generally, organizations are increasingly relying on SaaS applications for critical operations.

These breaches serve multiple objectives, including financial gain, espionage and strategic disruption.

A recent high-profile SaaS-based incident saw cybercriminals successfully compromise cloud data warehousing platform Snowflake. The incident saw over 160 companies with Snowflake deployments warned that they could be impacted, including telecoms giant AT&T. Approximately $2.5m was extorted as part of the campaign.

The healthcare sector experienced the highest number of SaaS breaches from September 2023-2024 (14%), according to Obsidian Security. This was followed by state and local government (13%) and financial services (11%).

Traditional Security Measures Fail to Prevent SaaS Attacks

The report noted that SaaS attacks are proving successful even against organizations with robust security measures.

The growing use of SaaS by enterprises means that data storage is shifting from the endpoint to SaaS applications, making SaaS accounts critical to protecting this information.

The integrated nature of SaaS platforms means a single compromised identity allows threat actors to easily move laterally across multiple applications.

In the Snowflake incident, for example, multi-factor authentication (MFA) was not enabled, meaning successful authentication only required a valid username and password. Credentials had been stolen in a previous infostealer campaign.

According to Obsidian Security’s research, most SaaS breaches (85%) began with a compromised identity.

Adversary-in-the-middle (AiTM) attacks accounted for 39% of these incidents, in which attackers intercept data between two systems to access information like login and MFA credentials.

Other credential compromise techniques used to target SaaS applications included self-service password reset (24%), single-factor password guessing (14%) and push fatigue (13%).

In 84% of incidents analyzed for the report, MFA failed to stop the attackers. The researchers identified weak implementation, exceptions and techniques like AiTM as factors in making bypass possible.

“Traditional security tools, designed for on-premises systems or cloud networks, struggle to protect the complex web of SaaS applications, identities and integrations,” the researchers wrote.

The report also highlighted the rapid nature of SaaS breaches. In one observed case, it took the attackers just nine minutes from data access to achieve exfiltration.

“Attackers don’t need to move through the network or escalate privileges – they can go straight for the data,” the researchers noted.

How to Protect SaaS Platforms

The Obsidian Security researchers expect to see a further increase in the targeting of SaaS platforms in 2025. They highlighted three key strategies to mitigate these attacks:

  • Gain a comprehensive view of all SaaS applications and services in use to identify and manage potential vulnerabilities
  • Implement least privilege access controls to reduce the ability of attackers to move laterally once they have gained initial access
  • Establish a system of ongoing monitoring for SaaS environments to quickly identify and respond to vulnerabilities and threats


