By NHI Mgmt Group Editorial Team
Published 2026-02-04
Domain: Agentic AI & NHIs
Source: Obsidian Security

TL;DR: Account takeover attacks operate through valid credentials, session tokens, OAuth abuse, and trusted integrations, allowing attackers to pass MFA while appearing legitimate in logs, according to Obsidian Security. The governance gap is no longer authentication alone, but continuous control over session, token, and NHI trust boundaries.


At a glance

What this is: This is an explainer on account takeover in SaaS, showing how attackers use legitimate access paths to evade traditional detection and persist inside environments.

Why it matters: It matters to IAM and NHI practitioners because the same trust assumptions that govern users also govern service accounts, tokens, and OAuth links, which widen blast radius when compromised.



Context

Account takeover is a governance problem because authenticated activity is not the same as authorised activity. Once an attacker has a valid session token, compromised OAuth grant, or stolen credential, many controls treat the traffic as normal. That creates a direct NHI governance issue, because the same identity patterns that protect users now extend to tokens, service accounts, and connected applications.

SaaS makes this harder because access is federated and interdependent. One compromised account can reach email, storage, CRM, and downstream apps without tripping the same boundaries that used to contain breaches. The article's examples are typical of modern SaaS ATO, where the attacker relies on legitimacy rather than force.


Key questions

Q: How should security teams respond to account takeover in SaaS environments?

A: Prioritise containment over password changes alone. Revoke active sessions, invalidate refresh tokens, review delegated OAuth grants, and check for persistence such as forwarding rules or newly authorised apps. Then map what the compromised identity could reach through connected systems. In SaaS, the goal is to shrink the identity blast radius before the attacker uses it for fraud or lateral movement.

Q: Why do MFA controls still fail against account takeover?

A: MFA reduces password-only compromise, but it does not stop attackers who steal session tokens, hijack browsers, or obtain access through adversary-in-the-middle phishing. Once the token is issued, the service often trusts it until expiry or revocation. That means organisations need continuous session control and behavioural detection, not just stronger login prompts.

Q: What is the difference between credential theft and account takeover?

A: Credential theft is the act of stealing secrets such as passwords or session tokens. Account takeover is the resulting misuse of a legitimate account after the attacker has working access. The distinction matters because the defensive problem is not only stopping theft, but also detecting and containing the legitimate-looking activity that follows.

Q: How can organisations reduce the risk from OAuth and service account abuse?

A: Track every granted scope, expiration rule, and downstream dependency for OAuth apps and service accounts. Remove stale integrations, require reapproval for high-risk permissions, and alert on new authorisations that increase reach across applications. Treat these relationships as non-human identities with lifecycle controls, because they often become quiet persistence paths.


Technical breakdown

How session token theft bypasses MFA in SaaS environments

Session tokens are bearer credentials, which means possession is enough to act as the user until expiry or revocation. In adversary-in-the-middle phishing, the attacker sits between the user and the service, captures the token after MFA succeeds, and then reuses it from a separate session. Traditional MFA only proves the login event, not the continuing legitimacy of the session. In SaaS, that matters because tokens often survive browser closure, travel across apps, and remain valid even after password changes.

Practical implication: Treat session binding and token revocation as first-class controls, not just password and MFA policy.

OAuth consent abuse and third-party access as NHI risk

OAuth consent abuse works because users can authorise apps that inherit broad permissions without a new password challenge every time. That creates a durable non-human identity relationship between the application, its tokens, and the target SaaS tenant. The risk is not only malicious apps. It is also stale integrations, overbroad scopes, and token persistence after the initial consent event. Once a token is issued, it can become a long-lived access path that security teams overlook because it looks like a sanctioned integration.

Practical implication: Inventory OAuth grants and service-to-service connections as NHI assets, then review scopes and expiry behaviour regularly.

Why behavioural detection matters when access looks legitimate

ATO defeats rule-based controls because the attacker uses real access paths from normal infrastructure, often during business hours and from familiar IP space. Detection therefore shifts from blocking authentication to spotting behaviour that is inconsistent with the identity's normal task patterns. For human identities that means impossible travel, unusual mailbox rules, or abnormal data access. For NHI-adjacent accounts, it means sequence anomalies, new downstream application access, and changes in persistence posture. Behavioural detection is imperfect, but it is the only practical layer once valid credentials are in play.

Practical implication: Baseline activity by identity type and watch for new privilege use, not just new logins.
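As an added example (not code from Obsidian Security or NHI Mgmt Group), the detector below applies both points above to constructed audit events: it binds each session token to the client fingerprint that first presented it and alerts when the same token appears from another client, and it flags persistence actions against a per-identity-type baseline. The event fields, the `svc-` naming convention and the baseline policy are assumptions made for the example.

```python
"""Flag bearer-token reuse from a new client, and persistence actions, in SaaS audit events."""

# Constructed audit events (not from the article). Fields mirror a typical SaaS
# sign-in/activity log: identity, session id, client IP, user agent and action.
EVENTS = [
    {"ts": 1, "id": "alice",   "session": "S1", "ip": "203.0.113.10", "ua": "Chrome/120", "action": "mfa_success"},
    {"ts": 2, "id": "alice",   "session": "S1", "ip": "203.0.113.10", "ua": "Chrome/120", "action": "mail_read"},
    # The same session token now appears from another host and client after MFA completed.
    {"ts": 3, "id": "alice",   "session": "S1", "ip": "198.51.100.7", "ua": "curl/8.4",   "action": "mail_read"},
    {"ts": 4, "id": "alice",   "session": "S1", "ip": "198.51.100.7", "ua": "curl/8.4",   "action": "inbox_rule_create"},
    {"ts": 5, "id": "svc-crm", "session": "S2", "ip": "192.0.2.5",    "ua": "crm-sync/1", "action": "api_read"},
    {"ts": 6, "id": "svc-crm", "session": "S2", "ip": "192.0.2.5",    "ua": "crm-sync/1", "action": "oauth_consent"},
]

# Hypothetical per-identity-type baseline: a human may legitimately consent to an app
# (reviewed elsewhere), but mailbox rules and new MFA methods are always flagged; a
# service account should never perform any of these, so every persistence action alerts.
PERSISTENCE = {"inbox_rule_create", "oauth_consent", "mfa_method_add"}
POLICY = {"human": {"inbox_rule_create", "mfa_method_add"}, "service": PERSISTENCE}


def identity_type(name):
    """Constructed naming convention for the sample data: service accounts use 'svc-'."""
    return "service" if name.startswith("svc-") else "human"


def detect(events):
    """Return alerts for (a) a session token seen from a new client fingerprint and
    (b) persistence actions outside the identity type's baseline."""
    alerts = []
    seen = {}  # session id -> set of (ip, ua) fingerprints observed on that token
    for e in sorted(events, key=lambda e: e["ts"]):
        fp = (e["ip"], e["ua"])
        fps = seen.setdefault(e["session"], set())
        if fps and fp not in fps:
            # Possession of the token is enough to act, so the only signal is that the
            # client presenting it is not the one that authenticated.
            alerts.append({"ts": e["ts"], "id": e["id"], "type": "session_fingerprint_change",
                           "detail": f"{sorted(fps)[0]} -> {fp}"})
        fps.add(fp)
        if e["action"] in POLICY[identity_type(e["id"])]:
            alerts.append({"ts": e["ts"], "id": e["id"], "type": "persistence_action",
                           "detail": e["action"]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```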


Threat narrative

Attacker objective: The attacker aims to turn a legitimate account into durable, low-noise access for data theft, fraud, or broader lateral movement.

  1. Entry occurs when the attacker acquires working credentials or a session token through phishing, malware, credential stuffing, or third-party compromise.
  2. Escalation happens when the attacker authorises persistence mechanisms such as forwarding rules, OAuth apps, or additional access paths that survive the original login.
  3. Impact follows when the attacker reads mail, downloads data, modifies payment details, or uses the account to pivot into other systems.



NHI Mgmt Group analysis

Account takeover is now an identity governance problem, not just a fraud problem. The attacker does not need to defeat authentication if the environment already treats valid access as trusted access. That breaks the old perimeter model and pushes IAM teams to govern sessions, grants, and downstream entitlements as one control surface. The practical conclusion is that account takeover must be managed as part of NHI governance.

Ephemeral access does not eliminate trust debt. Short-lived tokens reduce exposure windows, but they do not remove the underlying trust relationship between the identity, the session, and the application. If revocation is weak, persistence still survives long enough to cause harm. Security teams should measure how fast they can invalidate trust, not only how fast they can issue it.

OAuth and service account sprawl create identity blast radius. Every additional delegated app, integration, or privileged account increases the number of places an attacker can move without raising a new login alert. That is why ATO in SaaS often becomes a multi-system event rather than a single compromised mailbox. The governance response is to constrain blast radius before the first token is stolen.

Behavioural telemetry is becoming the decisive control layer. Static authentication checks answer whether a login was valid, but they do not answer whether the resulting activity is consistent with the identity's purpose. Teams that can baseline mailbox behaviour, token use, and application sequences will detect ATO earlier than teams relying on credential hygiene alone. The field is moving toward continuous identity validation, not one-time login assurance.

Attackers now target the trust fabric around identities, not just the identities themselves. This includes consented apps, forwarding rules, token caches, help desk resets, and third-party connectors. That broadens the attack surface beyond classic IAM and into the operational habits around identity administration. Practitioners should assume the weakest trust edge, not the strongest policy, determines the breach path.

From our research:

  • 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, the protocol's first year of widespread adoption, according to the State of Secrets Sprawl 2026.
  • AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
  • Forward look: Readers who are mapping this risk to identity lifecycle controls should also review the Secret Sprawl Challenge for remediation patterns and control gaps.

What this signals

Identity teams should assume that any trusted integration can become a persistence path. Once an attacker has a valid token, the operational question shifts to how quickly that trust can be revoked across connected systems. The control objective is shrinking identity blast radius, not simply preventing a bad login.

With 24,008 unique secrets exposed in MCP configuration files in 2025 alone, according to the State of Secrets Sprawl 2026, the same pattern is already visible in machine and agent workflows. As AI systems and SaaS automations converge, practitioners need lifecycle governance for tokens, not just users.

Ephemeral credentials create a false sense of safety if telemetry is weak. Shorter-lived access helps, but only if teams can see issuance, usage, and revocation in near real time. That is where OWASP Non-Human Identity Top 10 style control thinking becomes operationally useful.
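An added example (not from the article) of measuring how fast trust is invalidated, as the analysis above and the point about seeing issuance, usage and revocation both call for: given a constructed token lifecycle log for one identity, it reports tokens still used after the password reset, revocation latency from the moment compromise was suspected, and tokens never revoked at all. The event schema, token names and timings are assumptions.

```python
"""Measure how fast trust is actually invalidated after a suspected account takeover."""
from datetime import datetime, timedelta

# Constructed token lifecycle events (not from the article). 'alice' is suspected
# compromised; her password is reset, but her tokens are revoked at different speeds
# and one delegated-app refresh token is never revoked at all.
T0 = datetime(2026, 2, 4, 9, 0)
EVENTS = [
    {"t": T0,                                  "user": "alice", "token": "sess-1", "event": "issued", "app": "mail"},
    {"t": T0 + timedelta(minutes=5),           "user": "alice", "token": "rt-2",   "event": "issued", "app": "storage"},
    {"t": T0 + timedelta(minutes=10),          "user": "alice", "token": "rt-3",   "event": "issued", "app": "crm-connector"},
    {"t": T0 + timedelta(hours=1),             "user": "alice", "token": None,     "event": "compromise_suspected"},
    {"t": T0 + timedelta(hours=1, minutes=10), "user": "alice", "token": None,     "event": "password_changed"},
    {"t": T0 + timedelta(hours=1, minutes=12), "user": "alice", "token": "sess-1", "event": "revoked"},
    {"t": T0 + timedelta(hours=2),             "user": "alice", "token": "rt-2",   "event": "used"},
    {"t": T0 + timedelta(hours=3),             "user": "alice", "token": "rt-3",   "event": "used"},
    {"t": T0 + timedelta(hours=5),             "user": "alice", "token": "rt-2",   "event": "revoked"},
]


def trust_invalidation(events, user):
    """Report, for one identity: tokens used after the password change while still valid,
    minutes from suspicion to revocation per token, and tokens never revoked."""
    ev = sorted((e for e in events if e["user"] == user), key=lambda e: e["t"])
    suspected = next(e["t"] for e in ev if e["event"] == "compromise_suspected")
    pw_changed = next((e["t"] for e in ev if e["event"] == "password_changed"), None)
    issued = [e["token"] for e in ev if e["event"] == "issued"]
    revoked = {e["token"]: e["t"] for e in ev if e["event"] == "revoked"}
    report = {"used_after_password_change": [], "revocation_latency_min": {}, "never_revoked": []}
    for tok in issued:
        if tok in revoked:
            report["revocation_latency_min"][tok] = int((revoked[tok] - suspected).total_seconds() // 60)
        else:
            report["never_revoked"].append(tok)
    for e in ev:
        if e["event"] != "used":
            continue
        # A bearer token survives the password reset until its own revocation lands.
        still_valid = e["token"] not in revoked or e["t"] < revoked[e["token"]]
        if pw_changed and e["t"] > pw_changed and still_valid:
            report["used_after_password_change"].append(e["token"])
    latencies = report["revocation_latency_min"].values()
    report["max_latency_min"] = max(latencies) if latencies else None
    return report


if __name__ == "__main__":
    print(trust_invalidation(EVENTS, "alice"))
```

The figure worth tracking over time is `max_latency_min` together with `never_revoked`: a short-lived session cookie cut in 12 minutes is no comfort if a delegated app's refresh token is still being used hours later.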


For practitioners

  • Map session and token persistence paths: Document where bearer tokens, refresh tokens, and OAuth grants live, how long they remain valid, and what revocation actually removes across SaaS applications.
  • Review delegated app scopes and stale integrations: Identify all OAuth-connected apps, service account links, and API integrations, then remove unused grants and narrow scopes to the minimum needed for operations.
  • Harden help desk reset workflows: Require stronger verification before MFA resets, email changes, or privilege escalation requests, because social engineering often enters through support processes rather than passwords.
  • Baseline behaviour by identity type: Build detection for mailbox rules, unusual access sequences, and downstream application changes, with separate thresholds for users, service accounts, and delegated apps.
  • Test rapid containment for ATO events: Practice token revocation, session invalidation, and forced reauthentication so the response team can cut off persistence before the attacker moves laterally.
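The grant inventory called for in the OAuth consent abuse section and in the "Review delegated app scopes and stale integrations" item above, as an added example that is not part of the original article: each grant is checked for overbroad scopes, staleness and refresh-token persistence, then mapped to a lifecycle action. The inventory, the Graph-style scope names, the high-risk scope list and the 90-day threshold are constructed for the example.

```python
"""Review OAuth grants and service-account integrations as NHI assets: scope, staleness, expiry."""
from datetime import date

# Constructed grant inventory (not from the article). Scope names follow Microsoft
# Graph-style conventions purely as illustration; only the two policy lists below matter.
GRANTS = [
    {"app": "calendar-sync", "principal": "alice",   "granted": date(2025, 1, 10),
     "last_used": date(2026, 1, 30), "scopes": ["Calendars.Read", "offline_access"]},
    {"app": "pdf-export",    "principal": "alice",   "granted": date(2025, 3, 2),
     "last_used": date(2025, 6, 1),  "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"]},
    {"app": "crm-connector", "principal": "svc-crm", "granted": date(2024, 11, 5),
     "last_used": None,              "scopes": ["Contacts.Read"]},
]

# Hypothetical policy thresholds chosen for this example.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
STALE_DAYS = 90
TODAY = date(2026, 2, 4)


def review_grant(grant, today=TODAY):
    """Return the findings for one grant; an empty list means no action is needed."""
    findings = []
    risky = HIGH_RISK_SCOPES.intersection(grant["scopes"])
    if risky:
        findings.append("overbroad_scopes:" + ",".join(sorted(risky)))
    # A grant that has never been used is judged from its consent date.
    last_activity = grant["last_used"] or grant["granted"]
    if (today - last_activity).days > STALE_DAYS:
        findings.append("stale")
    if "offline_access" in grant["scopes"]:
        # A refresh token keeps the access path alive long after the consent event.
        findings.append("long_lived_refresh_token")
    return findings


def recommend(findings):
    """Map findings to the lifecycle action a reviewer would take."""
    if "stale" in findings:
        return "revoke"
    if any(f.startswith("overbroad_scopes") for f in findings):
        return "reapprove"
    return "monitor" if "long_lived_refresh_token" in findings else "ok"


def review(grants, today=TODAY):
    """Return {app: (findings, action)} for every grant in the inventory."""
    out = {}
    for g in grants:
        findings = review_grant(g, today)
        out[g["app"]] = (findings, recommend(findings))
    return out


if __name__ == "__main__":
    for app, (findings, action) in review(GRANTS).items():
        print(f"{app:15} {action:10} {findings}")
```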

Key takeaways

  • Account takeover succeeds because attackers can behave like legitimate users after the initial compromise.
  • The scale is already industrial, with weekly attempts and multi-billion-dollar losses showing that ATO is a standing governance problem.
  • Security teams should focus on session control, OAuth hygiene, behavioural detection, and fast revocation to contain blast radius.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | ATO often persists through stolen or long-lived secrets and tokens.
NIST CSF 2.0 | PR.AC-4 | ATO abuses valid access, making privileged access governance directly relevant.
NIST Zero Trust (SP 800-207) | SC-23 | Session and token trust must be continuously verified in zero trust designs.

Inventory NHI credentials and rotate or revoke them aggressively when compromise is suspected.


Key terms

  • Account Takeover: Account takeover is unauthorised use of a legitimate account after an attacker obtains valid access through stolen credentials, tokens, or trusted integrations. The key security problem is that the resulting activity often looks normal to logs and controls, which makes containment and attribution harder than in a forced-entry breach.
  • Session Token: A session token is a bearer credential that represents an authenticated session after login. Whoever holds it can usually act as the user until it expires or is revoked, which is why token theft and browser hijacking are so effective in SaaS environments with long-lived sessions.
  • OAuth Consent Abuse: OAuth consent abuse occurs when a user authorises an application that then inherits access to data and services without repeated prompts. In practice, it can create durable non-human identity access paths that outlive the initial phishing event and become persistence mechanisms for attackers.
  • Identity Blast Radius: Identity blast radius is the amount of access, data, and downstream systems a single compromised identity can reach. It is a practical measure of exposure created by delegation, overprivilege, and integration sprawl, and it is one of the clearest ways to judge whether IAM controls are actually constraining risk.

Deepen your knowledge

Account takeover, session hijacking, and OAuth abuse are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is building identity governance for SaaS and agentic workflows, this is a practical place to start.

This post draws on content published by Obsidian Security: What is Account Takeover? ATO Attacks Explained. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org