2024 SaaS Security Breaches: Lessons Learned

Jason Silberman
December 1, 2024

As 2024 draws to a close, it's evident that the SaaS landscape has become both a cornerstone of business productivity and a growing target for sophisticated cyberattacks. This year’s high-profile breaches underscore the importance of robust SaaS security strategies to protect human and non-human identities, secure SaaS-hosted data, detect misconfigurations, and monitor SaaS audit logs for potential signs of breach attempts.

What’s a SaaS Data Breach?

A SaaS data breach occurs when unauthorized entities exploit security gaps within SaaS platforms to access sensitive information. These breaches can result from misconfigurations, compromised credentials, insecure third-party integrations, risky data sharing, or other causes. The 2024 SaaS breaches we’ve observed highlight how quickly attackers can exploit even minor security lapses to cause significant harm.

Below, we explore five significant SaaS breaches from 2024 and the critical lessons security teams can take away to better protect their SaaS ecosystems.

1. Microsoft Midnight Blizzard Breach: A Wake-Up Call for Holistic SaaS Security

In January 2024, the nation-state actor Midnight Blizzard exploited a series of misconfigurations within Microsoft’s environment to breach sensitive company emails. 

The attackers initiated the breach with a password spray attack on a human account lacking multi-factor authentication (MFA), gaining access to a non-production Microsoft 365 test tenant. They exploited a legacy OAuth application—an unmanaged non-human identity—with full privileges to access Microsoft’s production environment. To extend their foothold, they created additional malicious OAuth applications and granted them access using newly created user accounts. The threat actors authenticated to Exchange Online, targeting corporate email accounts while obfuscating their activity through residential proxy networks, using legitimate user IP addresses to mask their actions.

Impact: The accounts accessed included corporate email accounts belonging to Microsoft’s senior leadership, cybersecurity, and legal teams. Sensitive emails and attached documents were exfiltrated, including high-value corporate communications likely linked to business strategies and legal matters. In a follow-up update posted in May, Microsoft wrote that “In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”

Key Lessons Learned:

  • Prioritize MFA Everywhere: Human accounts without MFA remain low-hanging fruit for attackers. A "default to MFA" approach should be applied across all human identities.
  • Audit Non-Human Identities: Legacy applications and tokens often go unnoticed but can provide attackers with privileged access. Regular audits to identify unused or overly permissive non-human identities are crucial.
  • Remove Dormant Resources: Dormant accounts, inactive data shares, and unused tokens are not benign. Security teams must proactively remove unnecessary resources to shrink the attack surface.
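The Midnight Blizzard intrusion began with a password spray against an account that never required MFA. The following script is an added example (not code from the original post or from Microsoft) showing how a detection team can find that pattern in SaaS sign-in audit logs and then list which sprayed accounts had no MFA requirement, which is the gap the "default to MFA" lesson closes. The JSON-lines event shape and the sample events are constructed; Entra ID, Okta and Google Workspace sign-in logs carry equivalent fields under other names.

```python
"""Password-spray detection over SaaS sign-in audit logs, plus the list of
sprayed accounts whose sign-in policy never required MFA.

Added example, not code from the original post. The event shape
(ts, user, ip, result, mfa_required) is an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): one source IP fails against many
# distinct users within seconds, then succeeds against a test-tenant account
# whose policy never required MFA. A normal user typo from another IP is
# included so the detector has something it must NOT flag.
SAMPLE_LOG = """\
{"ts": "2024-01-12T02:00:01Z", "user": "alice@example.test", "ip": "203.0.113.7", "result": "failure", "mfa_required": true}
{"ts": "2024-01-12T02:00:09Z", "user": "bob@example.test", "ip": "203.0.113.7", "result": "failure", "mfa_required": true}
{"ts": "2024-01-12T02:00:17Z", "user": "carol@example.test", "ip": "203.0.113.7", "result": "failure", "mfa_required": true}
{"ts": "2024-01-12T02:00:25Z", "user": "dave@example.test", "ip": "203.0.113.7", "result": "failure", "mfa_required": false}
{"ts": "2024-01-12T02:00:33Z", "user": "erin@example.test", "ip": "203.0.113.7", "result": "failure", "mfa_required": true}
{"ts": "2024-01-12T02:00:41Z", "user": "test-tenant-admin@example.test", "ip": "203.0.113.7", "result": "success", "mfa_required": false}
{"ts": "2024-01-12T08:15:00Z", "user": "alice@example.test", "ip": "198.51.100.4", "result": "success", "mfa_required": true}
{"ts": "2024-01-12T08:16:00Z", "user": "alice@example.test", "ip": "198.51.100.4", "result": "failure", "mfa_required": true}
"""


def parse_events(text):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Spray signature: one source IP failing against many *distinct* users
    inside a short window (brute force is the inverse: many tries, one user).

    Returns {ip: {"users": [failed users], "followed_by_success": [users]}}
    for each IP that has at least one window reaching min_users.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    findings = {}
    for ip, ip_events in by_ip.items():
        # Sliding window anchored at each of this IP's events (already sorted).
        for i, start in enumerate(ip_events):
            failed_users, successes = set(), set()
            for event in ip_events[i:]:
                if event["ts"] - start["ts"] > window:
                    break
                if event["result"] == "failure":
                    failed_users.add(event["user"])
                elif event["result"] == "success":
                    successes.add(event["user"])
            if len(failed_users) >= min_users:
                findings[ip] = {
                    "users": sorted(failed_users),
                    # A success inside a spray window is the account to triage first.
                    "followed_by_success": sorted(successes),
                }
                break
    return findings


def spray_targets_without_mfa(events, findings):
    """Accounts touched by a detected spray whose policy never required MFA."""
    sprayed = set()
    for finding in findings.values():
        sprayed.update(finding["users"])
        sprayed.update(finding["followed_by_success"])
    no_mfa = {e["user"] for e in events if not e["mfa_required"]}
    return sorted(sprayed & no_mfa)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    sprays = detect_password_spray(evs)
    for ip, finding in sprays.items():
        print(f"spray from {ip}: {len(finding['users'])} users, "
              f"succeeded against {finding['followed_by_success']}")
    print("sprayed accounts with no MFA requirement:",
          spray_targets_without_mfa(evs, sprays))
```

The window and user-count thresholds are tuning knobs: a spray that is slow enough to stay under them is still visible if the query is re-run over a longer window, so in practice the same function is run at several window sizes.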

2. Cloudflare’s Atlassian Breach: Supply Chain Risks in SaaS

After a previous Okta breach in October 2023, attackers leveraged compromised credentials to breach Cloudflare’s Atlassian platforms (Bitbucket, Confluence, and Jira), gaining access to sensitive data, including source code. 

Leveraging credentials leaked during the Okta compromise, the attackers exploited overlooked service tokens and service account credentials tied to SaaS applications, including a token that granted the Smartsheet application administrative access to Cloudflare's Atlassian systems. While Cloudflare's security team conducted a comprehensive forensic analysis and rotated over 5,000 production credentials, four critical credentials tied to service tokens and SaaS integrations were overlooked, providing the attackers with a pathway to escalate their access.

Key Lessons Learned:

  • Enforce Privilege Management: Service accounts should follow the principle of least privilege, ensuring they only have the access necessary for their tasks.
  • Strengthen Third-Party Integrations: Connections between SaaS platforms should be carefully managed, and privileges reviewed frequently.
  • Automate Credential Rotation: Manual credential management can miss critical gaps. Automated processes for credential rotation and deprovisioning are essential to minimize risk.

3. Snowflake Customer Breaches: The Importance of Shared Responsibility

This attack campaign targeted customers of Snowflake, including AT&T, Santander Bank, and Ticketmaster. While initial reports suggested a vulnerability in Snowflake’s infrastructure, it was later clarified that the breaches stemmed from customer-side issues, mainly the lack of enforced MFA: accounts could be accessed with just a username and password, leaving them vulnerable to dictionary or password spray attacks.

Impact: These incidents exposed sensitive data and severely impacted customer trust and operational security.

Attack Method: Snowflake clarified that its platform was not compromised. Instead, attackers exploited customer-managed accounts with weak security configurations, including:

  • Stolen Credentials: Many accounts relied on single-factor authentication, allowing attackers to leverage compromised passwords to gain access.
  • Misconfigured Permissions: Some accounts were overly permissive, granting broad access to sensitive databases.

“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform… This appears to be a targeted campaign directed at users with single-factor authentication.” — Joint statement by Snowflake, CrowdStrike, and Mandiant

Snowflake later announced in response to the attack campaign that MFA will be mandatory for all new Snowflake human users starting in October 2024.

Key Lessons Learned:

  • Understand the Shared Responsibility Model: SaaS providers are responsible for securing the application infrastructure, but customers must enforce strong security configurations, including MFA, privilege management, and strong data security practices. (Read more about the Shared Responsibility Model in SaaS Security.)
  • Regular Configuration Audits: Misconfigurations are a leading cause of breaches. Implement continuous monitoring to detect and remediate risky configurations.
  • Configuration Management is Complex: The complexity of managing security across multiple SaaS applications highlights the need for specialized SaaS posture management capabilities to identify misconfigurations and enforce security best practices. The Snowflake breaches, which impacted large enterprises with mature cybersecurity teams, emphasize that even when a provider's platform is secure, improperly managed customer environments can still lead to devastating consequences.

4. Dropbox Sign Breach: Non-Human Identities Under Fire

In April, attackers breached Dropbox Sign, compromising sensitive customer data and exposing security challenges in securing non-human identities (NHIs) like service accounts, API keys and OAuth tokens. 

Attack Method: The attackers gained unauthorized access to an automated system configuration tool within Dropbox Sign’s backend. They compromised a service account with elevated privileges, enabling access to the customer database. Mismanagement of this non-human identity was a key factor in the breach:

  • Exploitation of Privileges: The service account's broad access permissions allowed attackers to reach sensitive systems.
  • Weak NHI Protections: Insufficient authentication and monitoring for the compromised account facilitated unauthorized access.

Dropbox has since reset user passwords, logged out all Dropbox Sign users, and initiated a full rotation of API keys and OAuth tokens to mitigate further risks.

Impact: The breach affected all users of Dropbox Sign and even third parties who signed documents but never created accounts.

  • Stolen Data: The attackers accessed a wide array of information, including:
    • For all users: Emails, usernames, and general account settings.
    • For subsets of users: Phone numbers, hashed passwords, API keys, OAuth tokens, and even multi-factor authentication (MFA) information.
    • For third parties: Names and email addresses of individuals who signed documents but were not registered Dropbox Sign users.

While no evidence suggests that attackers accessed document contents, templates, or payment information, the breach exposed a trove of metadata critical to both personal and organizational security.

Key Lessons Learned:

  • Enhance NHI Security: Non-human identities, such as service accounts and API tokens, should be protected with strong authentication measures, including conditional access policies and periodic rotation.
  • Monitor SaaS Audit Logs: Detailed monitoring can provide early warning signs of malicious activity involving NHIs or unauthorized data access.
  • Proactively Decommission Resources: Expired or unused OAuth tokens must be automatically revoked to prevent exploitation by attackers.

5. Internet Archive Breach: Stolen Tokens Strike Again

The Internet Archive suffered two breaches within a two-week span, both stemming from compromised access tokens. Attackers exploited an exposed GitLab authentication token to access sensitive source code, user databases, and additional credentials, including API tokens for the organization’s Zendesk support system.

  • First Breach: Involved stolen GitLab tokens exposed in a configuration file since December 2022. The attackers used this to steal user data from 33 million accounts, download 7TB of source code and related files, and even modify site functionality.
  • Second Breach: Leveraged the unrotated Zendesk API token, granting access to 800,000+ support tickets dating back to 2018. Many tickets contained sensitive information, such as uploaded personal identification documents submitted for page removal requests from the Wayback Machine.
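The first Internet Archive breach turned on an authentication token that had sat in a configuration file for almost two years. The script below is an added example (not code from the original post or from the Internet Archive) of the kind of secret scan a team runs over configuration text in a pre-commit hook or CI job so that a token never lands in a repository in the first place. The sample config and every token value in it are constructed placeholders; the only real-world format it assumes is GitLab's `glpat-` personal-access-token prefix, and the entropy threshold and placeholder list are tuning assumptions.

```python
"""Scan configuration text for committed secrets.

Added example, not code from the original post. Three rules are applied:
a known token prefix, a secret-looking key holding a high-entropy value,
and a secret-looking key holding a well-known placeholder value.
"""
import math
import re

# Constructed configuration (not real; every credential value is a placeholder).
SAMPLE_CONFIG = """\
[gitlab]
url = https://gitlab.example.test
token = glpat-EXAMPLEx7Qa9Lm2Zt4Vb8Nc1

[zendesk]
subdomain = example
api_token = ZdExampleT0k3nVa1ueWithH1ghEntr0py99

[app]
debug = false
log_level = info
db_password = changeme
"""

# Key names that suggest the value is a credential.
SECRET_KEY_HINT = re.compile(r"(token|secret|password|passwd|api[_-]?key|private[_-]?key)", re.I)
# key = value  /  key: value  (INI, .env, simple YAML)
ASSIGNMENT = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*[=:]\s*(.+?)\s*$")
# GitLab personal access tokens carry the "glpat-" prefix (real format).
KNOWN_PREFIXES = ("glpat-",)
# Default values that signal a secret slot rather than a real secret.
PLACEHOLDERS = {"changeme", "password", "secret", "todo", "xxx"}


def shannon_entropy(value):
    """Bits of entropy per character; random tokens score well above prose."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_config(text, entropy_threshold=3.5):
    """Return [(line number, key, reason)] for every suspicious assignment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        key, value = match.groups()
        value = value.strip("\"'")
        if value.startswith(KNOWN_PREFIXES):
            findings.append((lineno, key, "known_token_prefix"))
        elif SECRET_KEY_HINT.search(key):
            if value.lower() in PLACEHOLDERS:
                findings.append((lineno, key, "placeholder_value"))
            elif shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, key, "high_entropy_secret"))
    return findings


if __name__ == "__main__":
    for lineno, key, reason in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {key} -> {reason}")
```

The entropy rule is the one that needs care: short or low-variety values (a default password, a hostname) score low, so the key-name hint and placeholder list catch what entropy alone misses, while the prefix rule fires regardless of the key name because a known token format is conclusive on its own.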

Key Lessons Learned:

  • Secure Tokens at Every Stage: Token management must include encryption, secure storage, and periodic rotation to mitigate risk.
  • Implement Zero Trust Principles: Assume all access attempts could be malicious, verifying user and token legitimacy for each request.
  • Regular Forensic Reviews: Post-breach analysis should extend to related tokens and accounts to uncover any lingering vulnerabilities.
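Three of the incidents above share one root cause: a credential that survived a rotation effort (the four overlooked tokens at Cloudflare, the unrotated Zendesk token at the Internet Archive, the expired-but-live OAuth tokens the Dropbox Sign lesson warns about). The following script is an added example (not code from the original post or from any company it discusses) of a credential inventory audit that flags every secret rotated before an upstream incident date, every secret past its rotation age, every dormant one, and every one carrying privileged scopes, then orders them for the rotation queue. The inventory, the credential names, the scope strings and both dates are constructed placeholders.

```python
"""Credential and non-human-identity rotation audit.

Added example, not code from the original post. The inventory shape and
every value in it are constructed to mirror the kinds of secrets the post
mentions: a SaaS-integration token with admin rights, an old support-desk
API token, a legacy OAuth app, a CI service account.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                     # service_token | api_key | oauth_app | service_account
    created: date
    last_rotated: Optional[date]  # None = never rotated since creation
    last_used: Optional[date]     # None = never seen in audit logs
    scopes: Tuple[str, ...] = ()


# Constructed inventory (not real data).
INVENTORY = [
    Credential("bitbucket-ci-token", "service_token", date(2023, 6, 1),
               date(2023, 11, 2), date(2024, 1, 20), ("repo:read",)),
    Credential("smartsheet-atlassian-token", "service_token", date(2022, 3, 10),
               None, date(2023, 11, 20), ("atlassian:admin",)),
    Credential("support-desk-api-token", "api_key", date(2022, 12, 5),
               date(2022, 12, 5), date(2024, 1, 25), ("tickets:read", "tickets:write")),
    Credential("legacy-test-oauth-app", "oauth_app", date(2019, 2, 1),
               date(2019, 2, 1), date(2023, 4, 1), ("full_access",)),
    Credential("ci-deploy-sa", "service_account", date(2023, 9, 1),
               date(2023, 11, 2), date(2024, 1, 29), ("deploy:write",)),
]

# Placeholder dates (assumptions): when the upstream compromise is believed to
# have begun, and the day the audit runs.
INCIDENT_DATE = date(2023, 10, 20)
AUDIT_DATE = date(2024, 2, 1)

# Scope names are constructed; map them to your provider's admin roles.
PRIVILEGED_SCOPES = {"atlassian:admin", "full_access", "admin"}


def audit_credentials(inventory, incident_date, today, dormant_days=90, max_age_days=365):
    """Return {credential name: [reasons]} for every credential needing action.

    The first check is the one the Cloudflare write-up turns on: after an
    upstream compromise, every secret last rotated before the incident date
    is suspect, not only the ones the responders happened to remember.
    """
    findings = {}
    for cred in inventory:
        rotated = cred.last_rotated or cred.created
        reasons = []
        if rotated < incident_date:
            reasons.append("not_rotated_since_incident")
        if (today - rotated).days > max_age_days:
            reasons.append("rotation_overdue")
        if cred.last_used is None or (today - cred.last_used).days > dormant_days:
            reasons.append("dormant")          # candidate for revocation, not rotation
        if set(cred.scopes) & PRIVILEGED_SCOPES:
            reasons.append("privileged")       # review even if fresh
        if reasons:
            findings[cred.name] = reasons
    return findings


def prioritize(findings):
    """Rotation queue: most reasons first, ties broken by name for stable output."""
    return sorted(findings, key=lambda name: (-len(findings[name]), name))


if __name__ == "__main__":
    results = audit_credentials(INVENTORY, INCIDENT_DATE, AUDIT_DATE)
    for name in prioritize(results):
        print(f"{name}: {', '.join(results[name])}")
```

Two things this surfaces that a manual sweep tends to miss: a token that was never rotated has no rotation date, so the audit falls back to its creation date rather than skipping it, and a dormant token is queued for revocation rather than rotation, since rotating a secret nobody uses only creates a new unused secret.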

Key Themes from 2024 SaaS Breaches

  1. Configuration Management is Non-Negotiable
    Misconfigurations, often overlooked, remain a top vector for attacks. Automated tools can help security teams maintain compliance with SaaS security best practices.
  2. Non-Human Identities are a Major Threat Vector
    As breaches targeting NHIs like OAuth tokens and API keys increase, robust identity governance must extend beyond human users.
  3. Shared Responsibility Requires Shared Accountability
    SaaS providers and customers must collaborate to enforce a strong security posture. Customers must be vigilant in securing their environments while leveraging the tools and guidance provided by SaaS vendors.
  4. Proactive Monitoring and Threat Detection are Crucial
    Monitoring SaaS audit logs for anomalous activity and implementing threat detection mechanisms are essential to mitigate evolving risks.

The Path Forward: Securing SaaS in 2025

As organizations expand their SaaS usage, the attack surface grows. Security teams must adopt a comprehensive SaaS security strategy that includes:

  • Continuous monitoring and automated remediation of misconfigurations.
  • Robust identity governance for human and non-human identities.
  • Least-privilege access controls and regular reviews of privileges.
  • Enhanced token and credential management.
  • Employee training on SaaS security best practices.

The breaches of 2024 serve as a stark reminder of the dynamic SaaS threat landscape. By learning from these incidents, organizations can strengthen their defenses and build resilient SaaS ecosystems for the challenges of 2025 and beyond.

Explore How Valence Can Help Secure Your SaaS Applications

The 2024 SaaS breaches underscore the growing complexity of securing modern SaaS environments. Valence Security empowers organizations to address these challenges head-on, offering tools to uncover misconfigurations, manage non-human identities, and enforce security best practices across your SaaS ecosystem.

Request a demo and see how Valence can help you identify risks, simplify remediation, and build a more resilient SaaS security posture for 2025 and beyond.
