CheckRed Editorial
2024 in SaaS Breaches – A Recap
Throughout 2024, the Software as a Service (SaaS) landscape saw significant growth, with businesses increasingly relying on these platforms for efficiency and collaboration. However, this expansion also led to a rise in security vulnerabilities, making SaaS applications prime targets for cyberattacks. The year was marked by several high-profile breaches that exposed sensitive data, disrupted services, and highlighted the critical need for stronger cybersecurity measures. In this blog, we’ll take a look back at the most notable SaaS breaches of 2024, explore their causes, and discuss the lessons learned to help organizations better protect themselves against evolving threats.
Two Breaches that Served as a Stark Wake-up Call
In 2024, two SaaS breaches stood out for their widespread impact and the severity of the damage they caused. These incidents not only affected thousands of businesses but also raised alarms about the security practices of even the most trusted providers. Let’s examine how they unfolded, and explore the far-reaching consequences they had on both the affected organizations and their customers.
How a Small Breach Snowballed into a Major Attack on Microsoft
In January 2024, the Midnight Blizzard attack exposed critical vulnerabilities within Microsoft’s infrastructure, illustrating how even the most secure environments can be compromised. The attackers began with a password spray attack on a human account that lacked multi-factor authentication (MFA), giving them access to a non-production environment. From there, they used a legacy OAuth app, an unprotected non-human identity (NHI), to obtain complete access to the production environment. They also created more malicious OAuth applications, further infiltrating the system and gaining access to corporate email accounts, including those of Microsoft’s senior leadership, legal, and cybersecurity teams. They used residential proxy networks and legitimate user IPs to mask their activity and avoid detection, enabling them to move deeper into the system.
The impact of the breach was severe, with sensitive corporate emails and documents—likely tied to business strategies and legal matters—exfiltrated from the compromised accounts. Microsoft later confirmed that the stolen information was being used to attempt unauthorized access to the company’s internal systems and source code repositories. However, there was no evidence that customer-facing systems had been compromised. This incident is a crucial reminder of the importance of robust security measures, particularly around legacy accounts and systems that may no longer be adequately secured. The breach shows why organizations need strict enforcement of security policies, including MFA, regular audits of all accounts (human and non-human alike), and the deprovisioning of unused or outdated access points.
Credential-Based Attacks: How Misconfigurations Exposed Snowflake Customers
In 2024, a series of attacks targeted Snowflake customers, including AT&T, Santander Bank, and Ticketmaster, exposing the vulnerabilities of customer-side configurations rather than a breach in Snowflake’s infrastructure. The attacks were primarily enabled by the lack of enforced multi-factor authentication (MFA), which allowed attackers to exploit weak accounts protected only by usernames and passwords. Attackers used credential-based techniques like dictionary or password spray attacks to gain access to sensitive data. Snowflake clarified that the breaches were not caused by any vulnerability in their platform, but rather by misconfigurations in customer-managed accounts, such as overly permissive permissions and reliance on single-factor authentication.
The impact of these attacks was far-reaching, with massive data exfiltration incidents. AT&T faced one of the largest telecom breaches in history, with over 109 million customer records exposed. Santander Bank had personal data of more than 12,000 employees leaked, including sensitive payroll information, while Ticketmaster saw millions of customer records stolen. This series of breaches delivers a critical lesson: attackers can bypass complex security systems if fundamental protections, like MFA and proper account management, are not in place. Snowflake’s response—mandating MFA—reflects the growing need for organizations to reassess their security policies and address the risks posed by misconfigurations in SaaS environments.
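Both incidents above began with password spraying against accounts that had no second factor. The following is an added example (not code from CheckRed, Microsoft or Snowflake) showing the two checks a defender would run over sign-in logs: a spray detector that groups failures by time window rather than by source IP, since residential proxies spread attempts across many addresses, and a report of accounts that signed in successfully with a password alone. The event tuples are constructed sample data, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (not real logs): timestamp, account, source IP,
# outcome, and whether a second factor was presented on a successful sign-in.
SAMPLE_EVENTS = [
    ("2024-01-12T02:00:05", "alice",      "203.0.113.10", "FAIL", False),
    ("2024-01-12T02:00:41", "bob",        "203.0.113.11", "FAIL", False),
    ("2024-01-12T02:01:17", "carol",      "198.51.100.7", "FAIL", False),
    ("2024-01-12T02:02:03", "dave",       "203.0.113.10", "FAIL", False),
    ("2024-01-12T02:02:55", "erin",       "198.51.100.7", "FAIL", False),
    ("2024-01-12T02:03:30", "svc-legacy", "192.0.2.99",   "FAIL", False),
    ("2024-01-12T02:04:12", "svc-legacy", "192.0.2.99",   "OK",   False),  # guessed, no MFA
    ("2024-01-12T09:15:00", "alice",      "203.0.113.50", "OK",   True),
    ("2024-01-12T10:00:01", "bob",        "203.0.113.50", "FAIL", False),  # one user, many
    ("2024-01-12T10:00:05", "bob",        "203.0.113.50", "FAIL", False),  # tries: not a
    ("2024-01-12T10:00:09", "bob",        "203.0.113.50", "FAIL", False),  # spray pattern
    ("2024-01-12T10:00:20", "bob",        "203.0.113.50", "OK",   True),
]

def detect_password_spray(events, window_minutes=10, min_users=5, max_per_user=3):
    """Flag fixed time windows in which many distinct accounts each see only a few
    failures (the low-and-slow spray shape). window_minutes should divide 60."""
    failures = defaultdict(lambda: defaultdict(int))  # window -> user -> failure count
    sources = defaultdict(set)                        # window -> source IPs seen
    for ts, user, ip, outcome, _mfa in events:
        if outcome != "FAIL":
            continue
        t = datetime.fromisoformat(ts)
        key = t.replace(minute=t.minute - t.minute % window_minutes, second=0, microsecond=0)
        failures[key][user] += 1
        sources[key].add(ip)
    alerts = []
    for key, per_user in sorted(failures.items()):
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append({"window_start": key.isoformat(), "accounts": sorted(per_user),
                           "source_ips": sorted(sources[key])})
    return alerts

def successes_without_mfa(events):
    """Accounts that signed in with a password alone: candidates for MFA enforcement,
    or, for service/NHI accounts, for re-credentialing or decommissioning."""
    return sorted({u for _ts, u, _ip, outcome, mfa in events if outcome == "OK" and not mfa})

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print("possible password spray:", alert)
    print("successful sign-ins without MFA:", successes_without_mfa(SAMPLE_EVENTS))
```

The single-account burst at 10:00 is deliberately not flagged as a spray; it is a different signal (lockout or brute force against one user) and belongs in a separate per-account rule.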
Managing SaaS Misconfigurations in 2025
As we look ahead to 2025, the lessons from the breaches of 2024 are clear: SaaS misconfigurations are a persistent and evolving threat that organizations must actively address. The rapid adoption of SaaS applications has significantly expanded the attack surface, making it critical for businesses to adopt a proactive approach to security. Proper configuration management, including continuous monitoring and automated remediation, is no longer optional—it’s a necessity. Misconfigurations, whether in identity governance, permissions, or access controls, continue to be a primary target for cybercriminals. Both human and non-human identities require rigorous oversight, and the growing complexity of APIs and OAuth tokens adds additional layers of risk.
The shared responsibility model between SaaS application providers and customers highlights the importance of collaboration. While vendors must offer secure platforms and robust security tools, customers must take responsibility for securing their specific environments. This means applying the best practices provided by vendors, conducting regular security audits, and embracing a culture of vigilance. Moreover, organizations must invest in threat detection systems that can identify and mitigate suspicious activity in real time. By focusing on these key areas—configuration management, identity governance, and proactive monitoring—businesses can fortify their defenses and ensure they are ready to face SaaS security challenges of the future.
Secure Your SaaS Applications with CheckRed
Protecting your SaaS applications is crucial, and CheckRed makes it simple to manage your security posture. With our powerful SSPM platform, you can easily identify and fix misconfigurations, manage access controls, and automate compliance. Let CheckRed help you safeguard your data, minimize vulnerabilities, and stay ahead of potential threats with a comprehensive, proactive approach to SaaS security.