By NHI Mgmt Group Editorial Team
Published 2026-05-13
Domain: Breaches & Incidents
Source: Lumos

TL;DR: ShinyHunters-linked intrusions now span voice phishing, OAuth token abuse, and credential reuse across SaaS, with Canvas, Snowflake, and Salesloft Drift all fitting the same identity-led breach pattern, according to Lumos. The security problem is less about malware and more about valid identities doing unauthorized work at export scale.


At a glance

What this is: A practitioner-focused analysis of how ShinyHunters-style attacks turn human and non-human identities into the entry point for SaaS extortion.

Why it matters: IAM teams need to govern session tokens, OAuth apps, and privileged SaaS access as breach surfaces in their own right, not just the authentication events that precede them.



Context

ShinyHunters is a useful label for a wider problem in identity and access management: attackers do not need to break the application when they can borrow a valid identity or token and use normal SaaS functions to exfiltrate data. For IAM and NHI practitioners, the issue is not just authentication strength. It is whether session tokens, OAuth grants, and privileged service access are governed with the same discipline as interactive user access.

The Canvas, Snowflake, and Salesloft Drift cases show that the same playbook can hit schools, retailers, technology companies, and enterprise SaaS customers alike. That makes this a governance problem, not a one-off criminal campaign. The typical starting position is still weak: organizations tend to protect sign-in events more carefully than the identities and integrations that remain active after sign-in.


Key questions

Q: How should security teams implement phishing-resistant MFA for privileged SaaS access?

A: Start with the identities that can export data or change access: IdP admins, SaaS admins, and helpdesk staff. Use FIDO2 security keys or passkeys rather than push approval or one-time codes; a WebAuthn assertion is bound to the site's origin, so a proxied login page on a look-alike domain cannot complete it. Pair MFA with device checks and token monitoring, because phishing-resistant MFA stops the credential from being phished but does nothing about a session token lifted from an already-authenticated device. The goal is to reduce the chance that an attacker can turn a live session into reusable access.

Q: Why do OAuth-connected apps create outsized NHI risk in SaaS environments?

A: Because a connected app acts with delegated authority, and a stolen token inherits that authority until revoked. If the app can read, write, or export data across many tenants, the blast radius grows fast. Teams should treat each grant as a non-human identity with scope, ownership, and expiry that must be governed.

Q: What do security teams get wrong about session tokens and MFA?

A: They often assume MFA closes the risk, when in practice the issued session token becomes the credential that matters. If an attacker captures that token through a proxy or AiTM flow, they can act as the user without repeating MFA. Detection must shift to post-authentication behavior, not just successful logins.

Q: What should teams do in the first 24 to 72 hours after a connected app compromise?

A: Identify the compromised integration, revoke its OAuth tokens, and search for any downstream exports or unusual API reads. Then reset adjacent credentials that may have been exposed in the same data set and notify owners of other NHIs that could have been reused. Speed matters because stolen credentials often open multiple doors.


Technical breakdown

How voice phishing turns MFA into a session-token problem

Voice phishing, or vishing, is the social-engineering step that puts the attacker in the middle of the authentication flow: a caller posing as helpdesk or IT steers the employee to an attacker-controlled page that proxies the real login (an adversary-in-the-middle, or AiTM, flow) or talks them through approving a prompt. The employee still enters the password and completes MFA, but the session token issued after authentication passes through the proxy and is captured. That token is what the identity provider and the SaaS application trust for every subsequent request, so the attacker never has to trigger MFA again. Push and one-time-code MFA fall to this because they prove only that the user approved a login, not that the user was talking to the genuine origin; phishing-resistant methods such as FIDO2 bind the assertion to the site's origin, which is why a proxied login on a look-alike domain fails. For NHI governance, the lesson is that post-authentication tokens deserve the same scrutiny as passwords: in SaaS environments they are the actual bearer credential.

Practical implication: Treat session tokens as high-value secrets and monitor for replay, impossible travel, and new-device activity immediately after MFA completion.
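The monitoring described above, as an added example rather than code from Lumos or NHI Mgmt Group: a small detector run over a constructed, already-normalised event stream. It anchors each session on the most recent MFA success and flags later requests on the same session id that arrive from a different ASN or client, with an extra tag when the change lands within minutes of MFA (the timing signature of a proxied login whose cookie is replayed at once), plus tokens that are used with no authentication on record. The event names, field layout, sample lines and the 15-minute window are assumptions made for this example.

```python
"""Post-MFA session token anomaly detector.

Added example, not code from Lumos or NHI Mgmt Group. It assumes a flat,
already-normalised event stream where each line carries: timestamp, user,
session id, event name, client IP, client ASN and user agent. The event names
(login_mfa_success, api_call), the field layout and the 15-minute window are
assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session_id: str
    event: str        # "login_mfa_success" or "api_call"
    ip: str
    asn: str
    user_agent: str


# Constructed sample log (not real telemetry). sess-A1 shows the AiTM pattern:
# MFA completes from the employee's network, then the same session id is used
# minutes later from another ASN with a scripted client and no fresh MFA event.
# sess-C3 is a token presented with no authentication observed at all (replay).
SAMPLE_LOG = """\
2026-05-12T09:00:00Z alice sess-A1 login_mfa_success 203.0.113.10 AS64500 Chrome/124
2026-05-12T09:00:40Z alice sess-A1 api_call 203.0.113.10 AS64500 Chrome/124
2026-05-12T09:04:10Z alice sess-A1 api_call 198.51.100.77 AS64999 python-requests/2.31
2026-05-12T09:05:00Z alice sess-A1 api_call 198.51.100.77 AS64999 python-requests/2.31
2026-05-12T10:00:00Z bob sess-B7 login_mfa_success 192.0.2.5 AS64500 Firefox/125
2026-05-12T10:30:00Z bob sess-B7 api_call 192.0.2.5 AS64500 Firefox/125
2026-05-12T11:15:00Z carol sess-C3 api_call 198.51.100.80 AS64999 curl/8.5
"""


def parse_log(raw: str) -> List[Event]:
    """Parse the whitespace-separated sample format into Event objects."""
    events = []
    for line in raw.strip().splitlines():
        ts, user, sid, name, ip, asn, ua = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, sid, name, ip, asn, ua))
    return events


def detect_session_reuse(events: List[Event],
                         window: timedelta = timedelta(minutes=15)) -> List[Dict]:
    """Flag session tokens used from a different network or client than the one
    that completed MFA, and tokens used with no MFA event on record.

    Each session's most recent MFA success is its anchor. Any later request on
    the same session id from another ASN or user agent is reported; a change
    inside `window` of the MFA event is tagged as well, because that timing is
    characteristic of a proxied (AiTM) login whose cookie is replayed at once.
    """
    anchors: Dict[str, Event] = {}
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "login_mfa_success":
            anchors[ev.session_id] = ev     # re-authentication resets the anchor
            continue
        anchor = anchors.get(ev.session_id)
        if anchor is None:
            alerts.append({"session": ev.session_id, "user": ev.user, "ts": ev.ts,
                           "reasons": ["no_mfa_on_record"]})
            continue
        reasons = []
        if ev.asn != anchor.asn:
            reasons.append("asn_change")
        if ev.user_agent != anchor.user_agent:
            reasons.append("user_agent_change")
        if reasons and ev.ts - anchor.ts <= window:
            reasons.append("within_post_mfa_window")
        if reasons:
            alerts.append({"session": ev.session_id, "user": ev.user, "ts": ev.ts,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(parse_log(SAMPLE_LOG)):
        print(a["ts"].isoformat(), a["user"], a["session"], ",".join(a["reasons"]))
```

Running the block prints two alerts for sess-A1 and one for sess-C3 and nothing for bob's session. ASN is used here as a cheap stand-in for geolocation; with a GeoIP feed the same anchor comparison gives impossible-travel detection, and the "no MFA on record" branch is the case that a login-only dashboard never sees.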

Why OAuth-connected apps become high-blast-radius NHI

OAuth turns a connected app into a delegated identity with scoped authority inside a target environment. When an attacker steals the token, they inherit whatever the integration was allowed to do, including reads, writes, and bulk exports. The risk grows when a single vendor integration is trusted across many tenants or when scopes are broader than the business task requires. In NHI terms, the app identity is not just a technical connector. It is a non-human identity with delegated standing privilege until the token is revoked or expires. That makes token lifetime, scope, and revoke speed core controls, not admin details.

Practical implication: Inventory every OAuth grant, narrow scopes where possible, and maintain an emergency revoke path that can be executed in hours, not weeks.
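The inventory-and-revoke discipline above, as an added example and not tooling from Lumos or NHI Mgmt Group: a triage pass over an exported connected-app inventory that scores each grant's blast radius (high-risk scopes, cross-tenant trust, no expiry), assigns governance actions (revoke stale grants, assign owners, narrow scopes, set expiry), and emits the order in which to work an emergency revocation. The Grant fields, the HIGH_RISK_SCOPES set, the scoring weights, the 90-day staleness threshold and the sample inventory are assumptions for this example.

```python
"""OAuth grant triage: score blast radius and pick the emergency revoke order.

Added example, not tooling from Lumos or NHI Mgmt Group. It assumes you have
exported the connected-app inventory from your IdP or SaaS admin consoles into
the Grant records below. Field names, the HIGH_RISK_SCOPES set, the scoring
weights and the 90-day staleness threshold are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Scopes that let an integration move data in bulk or change access. Real scope
# names are provider-specific; this set is illustrative.
HIGH_RISK_SCOPES = frozenset({"api", "full", "refresh_token", "offline_access",
                              "data.export", "admin", "manage_users"})


@dataclass(frozen=True)
class Grant:
    app: str
    scopes: FrozenSet[str]
    owner: Optional[str]          # named human owner, or None if nobody claims it
    last_used: Optional[date]     # None if the provider never recorded use
    tenants: int                  # how many of your tenants trust this same app
    expires: Optional[date]       # None means the grant never expires on its own


def blast_radius(g: Grant) -> int:
    """Crude additive score: how much damage a stolen token for this grant could do."""
    score = 3 * len(g.scopes & HIGH_RISK_SCOPES)
    score += 2 if g.tenants > 1 else 0       # cross-tenant trust, Drift-style
    score += 1 if g.expires is None else 0   # standing privilege with no end date
    return score


def triage(grants: List[Grant], today: date,
           stale_after: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """Map each app to the governance actions it needs. An empty list means keep."""
    result: Dict[str, List[str]] = {}
    for g in grants:
        actions: List[str] = []
        stale = g.last_used is None or today - g.last_used > stale_after
        if stale:
            actions.append("revoke_now")          # unused standing access is pure debt
        if g.owner is None:
            actions.append("assign_owner")
        if g.scopes & HIGH_RISK_SCOPES:
            actions.append("narrow_scope")
        if g.expires is None and g.scopes & HIGH_RISK_SCOPES:
            actions.append("set_expiry")
        result[g.app] = actions
    return result


def revoke_order(grants: List[Grant]) -> List[str]:
    """Apps sorted by blast radius, highest first: the order to work an
    emergency revocation when a vendor or token store is compromised."""
    return [g.app for g in sorted(grants, key=lambda g: (-blast_radius(g), g.app))]


# Constructed inventory (not a real environment).
TODAY = date(2026, 5, 12)
INVENTORY = [
    Grant("chat-crm-sync", frozenset({"api", "refresh_token", "data.export"}),
          owner=None, last_used=date(2025, 10, 1), tenants=40, expires=None),
    Grant("ci-deployer", frozenset({"repo:read"}),
          owner="platform-team", last_used=date(2026, 5, 11), tenants=1,
          expires=date(2026, 8, 1)),
    Grant("bi-export", frozenset({"api", "offline_access"}),
          owner="data-eng", last_used=date(2026, 5, 12), tenants=1, expires=None),
]

if __name__ == "__main__":
    for app, actions in triage(INVENTORY, TODAY).items():
        print(f"{app:15} {actions or ['keep']}")
    print("revoke order:", revoke_order(INVENTORY))
```

The unowned, stale, cross-tenant "chat-crm-sync" grant comes out first in the revoke order with every action attached; the scoped, owned, expiring CI grant needs nothing. The point of keeping the score and the actions separate is that the score drives the emergency hours (what to kill first) while the actions drive the steady-state review (what to fix so the next incident is smaller).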

How credential reuse extends a SaaS breach into adjacent systems

Credential reuse is the follow-on phase that turns one compromise into multiple incidents. Once attackers export data from a SaaS platform, they search for keys, refresh tokens, cloud credentials, and support artifacts that can still authenticate elsewhere. Those credentials often belong to service accounts, automation pipelines, or other NHIs that were not part of the original incident response. The mechanism is simple: the first breach reveals more identities, and the next breach uses those identities to reach a different environment. This is why secrets management and NHI visibility must extend beyond source control into tickets, chats, drives, and exported records.

Practical implication: Expand secret scanning and ownership tracking beyond code repositories to every place operational credentials can surface.
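The scanning described above, as an added example that is not a Lumos or NHI Mgmt Group tool: a scanner run over constructed ticket, chat and drive-export records. It matches the well-known public credential prefixes (AWS access key ids, GitHub personal access tokens, Slack tokens, PEM private keys) and adds a generic refresh-token/bearer match that is gated by Shannon entropy so that documentation placeholders do not page anyone. The sample records, the 3.0 bits-per-character threshold and the source labels are assumptions for this example; the AWS key shown is Amazon's documented example id.

```python
"""Secret scanner for operational records (tickets, chat, drive exports).

Added example, not a Lumos or NHI Mgmt Group tool. The credential patterns are
the public prefixes for AWS access key ids, GitHub personal access tokens,
Slack tokens and PEM private keys, plus a generic refresh-token/bearer match
gated by Shannon entropy. The sample records, the 3.0 bits/char entropy
threshold and the source labels are assumptions for this example.
"""
import math
import re
from typing import Dict, List

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic: refresh_token=..., "refresh_token": "...", Authorization: Bearer ...
GENERIC = re.compile(
    r"(?i)(?:refresh[_-]?token|access[_-]?token|bearer)\W{0,4}([A-Za-z0-9._\-]{20,})")
ENTROPY_MIN = 3.0   # bits per character; placeholders like 'aaaa...' score 0


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; ~0 for repeated filler, >4 for real tokens."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(token: str) -> str:
    """Keep a 4-character prefix so the finding can be matched to a vault entry."""
    return token[:4] + "*" * (len(token) - 4)


def scan_record(source: str, text: str) -> List[Dict[str, str]]:
    """Return redacted findings for one record (a ticket, a chat message, a file)."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            findings.append({"source": source, "kind": kind, "value": redact(m.group(0))})
    for m in GENERIC.finditer(text):
        token = m.group(1)
        if shannon_entropy(token) >= ENTROPY_MIN:   # drop low-entropy placeholders
            findings.append({"source": source, "kind": "generic_token",
                             "value": redact(token)})
    return findings


def scan_records(records: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan a mapping of source label -> record text."""
    out: List[Dict[str, str]] = []
    for source, text in records.items():
        out.extend(scan_record(source, text))
    return out


# Constructed records (not real data). The AWS key is Amazon's documented example id.
RECORDS = {
    "servicenow:INC0012345": "Vendor needs temp access, creds: AKIAIOSFODNN7EXAMPLE / see vault",
    "slack:#ops": "bot token is xoxb-1234567890-abcdefghijkl, rotating later",
    "gdrive:runbook-export.txt":
        '{"refresh_token": "rt_9f3Kq1ZpL0mVx7Ab2cD4eF6gH8jK", '
        '"gh": "ghp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8"}',
    "slack:#random": "refresh_token=aaaaaaaaaaaaaaaaaaaaaaaa is just the placeholder in docs",
    "zendesk:T-778": "lunch at 12, no secrets here",
}

if __name__ == "__main__":
    for f in scan_records(RECORDS):
        print(f"{f['source']:28} {f['kind']:18} {f['value']}")
```

Four findings come back (the AWS key in the ticket, the Slack token in chat, and the refresh token and GitHub PAT in the drive export); the placeholder in #random is dropped by the entropy gate. Findings are redacted before they leave the scanner so that the alert channel does not become one more place the secret surfaces.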


Threat narrative

Attacker objective: The attacker wants to use trusted identities to move data out of SaaS platforms while avoiding traditional perimeter defenses and creating follow-on access opportunities.

  1. Entry via voice phishing or compromised vendor credentials that capture a valid SaaS session token or OAuth grant.
  2. Escalation through connected applications and over-permissioned roles that allow bulk export activity without triggering malware controls.
  3. Impact through data exfiltration, extortion, and reuse of stolen credentials in adjacent cloud or SaaS environments.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity-led SaaS extortion is now a governance pattern, not an edge case. The same chain keeps reappearing because organizations still trust authenticated sessions too much after sign-in. The attacker does not need to deploy malware when a valid token can perform the export for them. Practitioners should treat the pattern as a recurring control failure, not isolated bad luck.

Ephemeral credential trust debt is the right concept for this problem. A session token, OAuth grant, or refresh token can outlive the trust decision that created it, especially when revocation is slow and ownership is unclear. That creates a growing pool of credentials that remain functional after the business relationship or role has changed. Teams should reduce the lifetime and blast radius of every delegated identity.

NHI and human identity controls now fail together when governance is fragmented. The same campaign can start with a helpdesk employee and end with a service account or connected app. That means separating IAM from NHI oversight is increasingly artificial, because the attacker chains both. Security leaders should unify review, revocation, and monitoring across interactive and non-interactive identities.

Bulk export is the modern breach signal, not just suspicious login. SaaS environments often expose legitimate export functions that look routine until they are abused at scale. The practical implication is that detection must focus on identity behavior after authentication, including data volume, object selection, and time-of-day anomalies. Teams that watch only sign-in risk missing the breach in progress.
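The post-authentication detection described above (data volume, object selection, time of day), as an added example and not code from Lumos or NHI Mgmt Group: a detector over constructed per-request read telemetry that builds each identity's own daily baseline, flags a day whose volume jumps far above it or that touches objects the identity has never read, and treats off-hours activity as a severity modifier rather than a trigger, so a nightly batch job that always runs at 02:00 stays quiet. An identity's very first large read has no baseline and is reported on its own rule. The sample events, the 10x multiplier, the 1,000-row floor and the 06:00-20:00 business window are assumptions for this example.

```python
"""Bulk export detector for SaaS API read telemetry.

Added example, not code from Lumos or NHI Mgmt Group. It assumes per-request
read telemetry normalised to (timestamp, identity, object, rows returned). The
sample events, the 10x volume multiplier, the 1,000-row floor and the
06:00-20:00 business window are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, str, int]   # (ts, identity, object, rows)

VOLUME_MULT = 10.0                       # today's rows vs. mean of prior days
MIN_ROWS = 1000                          # ignore spikes below this absolute size
BUSINESS_HOURS = (time(6, 0), time(20, 0))


def daily_profile(events: List[Event]):
    """identity -> day -> object -> rows read that day."""
    prof = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for ts, ident, obj, rows in events:
        prof[ident][ts.date()][obj] += rows
    return prof


def detect_bulk_export(events: List[Event]) -> List[Dict]:
    """Return one alert per (identity, day) whose read behaviour breaks its own
    history. Off-hours only raises severity; it never fires alone."""
    prof = daily_profile(events)
    off_hours_days = set()
    for ts, ident, _, _ in events:
        if not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
            off_hours_days.add((ident, ts.date()))

    alerts: List[Dict] = []
    for ident, days in prof.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            prior = ordered[:i]
            today_rows = sum(days[day].values())
            reasons: List[str] = []
            baseline = None
            new_objects: List[str] = []
            if not prior:
                # No history: a brand-new identity that immediately reads a lot
                # deserves a look, even though no ratio can be computed.
                if today_rows > MIN_ROWS:
                    reasons.append("first_seen_large_read")
            else:
                baseline = sum(sum(days[d].values()) for d in prior) / len(prior)
                seen = set().union(*(days[d].keys() for d in prior))
                new_objects = sorted(set(days[day]) - seen)
                if today_rows > max(VOLUME_MULT * baseline, MIN_ROWS):
                    reasons.append("volume_spike")
                if new_objects:
                    reasons.append("new_objects")
            if reasons and (ident, day) in off_hours_days:
                reasons.append("off_hours")
            if reasons:
                alerts.append({"identity": ident, "day": day, "rows": today_rows,
                               "baseline": baseline, "new_objects": new_objects,
                               "reasons": reasons, "severity": len(reasons)})
    alerts.sort(key=lambda a: (a["day"], a["identity"]))
    return alerts


def _ev(stamp: str, ident: str, obj: str, rows: int) -> Event:
    return (datetime.fromisoformat(stamp), ident, obj, rows)


# Constructed telemetry (not real data). "drift-sync" reads 500 Contacts a day,
# then one night pulls 250k rows across three objects. "bi-nightly" always
# reads 40k Accounts at 02:00, which is its normal. "alice" is a human user.
SAMPLE_EVENTS: List[Event] = (
    [_ev(f"2026-05-{d:02d}T14:00:00", "drift-sync", "Contact", 500) for d in range(7, 12)]
    + [_ev("2026-05-12T03:10:00", "drift-sync", "Contact", 120000),
       _ev("2026-05-12T03:12:00", "drift-sync", "Account", 80000),
       _ev("2026-05-12T03:15:00", "drift-sync", "Opportunity", 50000)]
    + [_ev(f"2026-05-{d:02d}T02:00:00", "bi-nightly", "Account", 40000) for d in range(7, 13)]
    + [_ev("2026-05-11T10:00:00", "alice", "Contact", 50),
       _ev("2026-05-12T10:30:00", "alice", "Contact", 60)]
)

if __name__ == "__main__":
    for a in detect_bulk_export(SAMPLE_EVENTS):
        print(a["day"], a["identity"], a["rows"], a["reasons"], "severity", a["severity"])
```

Two alerts come back: the nightly BI job on its first observed day (no history yet, large read, off hours) and the integration's 250,000-row pull on 12 May, which trips all three signals. The BI job's later days are silent because they match its own baseline, which is the behaviour a volume-only threshold would get wrong in both directions.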

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
  • See how those breach patterns map to root causes in 52 NHI Breaches Analysis.

What this signals

Identity blind spots now extend well beyond login events. When attackers reuse valid SaaS sessions, the programme gap shifts to ownership, token lifetime, and export monitoring. That is why organisations need governance over the identity after authentication, not just stronger gatekeeping at the front door.

With 96% of organisations already reporting an identity-based incident in the past year, the operational question is no longer whether identity will be targeted, but whether your team can revoke, review, and recover faster than the attacker can chain access.

Identity blast radius is the practical metric to watch. If one compromised account can reach multiple SaaS apps, connected integrations, or cloud credentials, the control model is still too loose. Teams should prioritise revocation speed, scope reduction, and cross-platform visibility as programme-level indicators of maturity.


For practitioners

  • Require phishing-resistant MFA for privileged SaaS roles. Move helpdesk, IdP admin, Salesforce admin, and contractor admin accounts to FIDO2 or passkeys, then verify that step-up cannot be satisfied by push approval alone.
  • Inventory and own every OAuth grant and service identity. Assign a named owner, data scope, last-used date, and emergency revoke path to each connected app, refresh token, API key, and service account.
  • Shorten the lifetime of delegated access. Use just-in-time access, narrow OAuth scopes, and frequent token rotation so a stolen credential has less time and less reach.
  • Expand secret scanning beyond source code. Scan Slack, ServiceNow, Google Drive, support tickets, and call transcripts for leaked credentials, because attackers often harvest secrets from operational records rather than repositories.
  • Test revoke-and-contain playbooks for connected apps. Run tabletop exercises that simulate a compromised SaaS integration, then measure how long it takes to find, disable, and confirm removal of the token.

Key takeaways

  • ShinyHunters-style activity shows that SaaS breaches increasingly begin with identity compromise, not malware or perimeter failure.
  • Session tokens, OAuth grants, and reused credentials can extend one compromise into multiple incidents across unrelated systems.
  • IAM and NHI teams should prioritise phishing-resistant MFA, delegated-access governance, and fast revocation paths now.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI3:2025 Vulnerable Third-Party NHI | A compromised vendor integration, as in the Salesloft Drift case, inherits delegated access in every tenant that trusts it.
OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets; NHI9:2025 NHI Reuse | Tokens that outlive the trust decision behind them, and credentials harvested from one breach and replayed elsewhere, are the reuse chain described above.
NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Delegated SaaS access and role scope align with least-privilege access control.
NIST Zero Trust (SP 800-207) | Tenets of zero trust (Section 2.1) | The campaign exploits trust in authenticated sessions after initial verification; assume session compromise is possible and continuously verify identity and context.


Key terms

  • Session token: A session token is the credential issued after authentication that allows continued access without re-entering a password or MFA code. In SaaS attacks, stealing the token is often more useful than stealing the password because it can already represent a trusted, authenticated state.
  • OAuth grant: An OAuth grant is the delegated permission a user or administrator gives a connected app to access data or perform actions on their behalf. In NHI governance, grants matter because they can outlive the business need, expand across tenants, and provide the attacker with legitimate API-level access.
  • Connected app: A connected app is a third-party integration that links one service to another through authorized tokens and scopes. It behaves like a non-human identity because it can hold persistent access, move data, and operate independently of a user while still being trusted by the platform.
  • Identity blast radius: Identity blast radius is the amount of data, systems, and privileges that can be reached if one identity is compromised. It is a practical way to measure how far a stolen account, token, or service credential can travel before controls stop it.

Deepen your knowledge

ShinyHunters-style identity-led SaaS breach response is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to govern sessions, tokens, and connected apps under the same model, it is worth exploring.

This post draws on content published by Lumos: What Is ShinyHunters? How One Cybercrime Group Is Behind a Dozen Major Cyber Breaches. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org