SaaS Risk & Shadow IT Research
Contact Us
Independent cybersecurity and AI research — free to browse, updated as the threat landscape moves, with no vendor sponsorship influencing the coverage.
SaaS Security Risks and Shadow IT: What the Research Shows
The attack surface for most organisations has shifted from the network perimeter to the SaaS applications their teams rely on daily. In 2025, data from SaaS applications was relevant to 23 percent of Unit 42 incident response cases — up from 18 percent in 2024, 12 percent in 2023, and just 6 percent in 2022. Attackers follow the data, and the data now lives in cloud applications connected to each other by trusted integrations built on OAuth tokens.
This page covers the mechanisms behind SaaS risk: shadow IT discovery gaps, how OAuth token attacks bypass MFA entirely, and how SaaS supply chain breaches in 2025-2026 produced blast radiuses ten times larger than equivalent direct platform attacks.
How OAuth Token Attacks Work
Most SaaS integrations authenticate using OAuth tokens rather than passwords. An OAuth token tells a platform: this application is authorised to access this data on behalf of this user. The critical difference from a password is that a valid token bypasses multi-factor authentication entirely — the token is the authentication.
Salesloft-Drift (August 2025): Attackers exploited OAuth tokens from the Drift chatbot integration to access over 700 organisations’ Salesforce CRM data between August 8 and 18, 2025. They used persistent refresh tokens with no expiration — no passwords, no MFA bypass needed. The blast radius was 10x larger than a comparable direct Salesforce attack. FINRA issued a formal cybersecurity alert to member firms. Source: ReliaQuest, Obsidian Security, FINRA cybersecurity alert, August 2025.
Vercel (April 2026): A Lumma Stealer malware infection at Context.ai — a third-party OAuth app — allowed attackers to inherit valid OAuth tokens and access Vercel internal systems. Customer API keys and source code were exfiltrated. Root compromise traced to approximately February 2026. Source: Trend Micro analysis, April 21 2026.
Klue (June 2026): Attackers used a compromised legacy credential to obtain OAuth tokens for Salesforce, gaining trusted access to connected customer CRM environments. CrowdStrike engaged for investigation. Source: SOCRadar, ThreatLocker, Obsidian Security, June 2026.
- Maintain a current inventory of every OAuth application connected to core SaaS platforms
- Review permission scopes — remove any that exceed the principle of least privilege
- Disable dormant integrations, especially those tied to former employees or discontinued vendors
- Set refresh token expiration policies — long-lived tokens are a documented root cause across multiple 2025-2026 breaches
- Monitor for behavioral anomalies: unexpected IPs, data volume spikes, unusual access timing
- Define a break-glass revocation plan before an incident — know which integrations to disable first
- SSPM (SaaS Security Posture Management) automates the inventory and anomaly-monitoring steps above
- Unit 42 2026 IR Report: SaaS data relevant to 23% of IR cases in 2025, up from 6% in 2022
What Is Shadow IT and Why Does It Create SaaS Security Risk?
Shadow IT is any technology used for work without the knowledge or approval of the IT or security team. In a SaaS-saturated environment it primarily means unauthorised applications: a marketing team adopting an AI writing tool, a developer connecting a coding assistant to company GitHub, or a sales rep installing a browser extension with access to corporate email.
The security risk is not that these tools are malicious — most are legitimate products. The risk is the gap in visibility: no way to control what data those tools can access, no audit trail if one is later compromised, and no detection when a compromised integration starts exfiltrating data across hundreds of connected downstream environments.
SaaS Security Posture Management (SSPM) is the vendor category that addresses this: continuous inventory of every connected OAuth application, the permissions it holds, which users authorised it, and behavioral monitoring to detect when an integration starts operating outside its normal pattern. The Klue and Salesloft-Drift breach response guides from Obsidian Security both start with the same instruction: audit your OAuth apps, revoke affected tokens, check for anomalies — which is exactly what SSPM is designed to surface before the incident, not after.
Shadow IT is any technology used for work without the knowledge or approval of the IT or security team. In most organisations today it primarily means unauthorised SaaS applications that employees connect to company data without formal review. The security risk is not the tool itself but the gap in visibility, access control, and audit trail it creates.
Attackers did not breach Salesforce directly. They compromised the Drift chatbot integration that Salesloft had connected to Salesforce, and used its persistent OAuth refresh tokens to access hundreds of downstream customer environments simultaneously. One compromised integration, hundreds of blast radiuses. Source: ReliaQuest, Obsidian Security, FINRA cybersecurity alert, August 2025.
MFA protects the login process: you prove identity before receiving a token. Once an attacker steals the token itself — through malware, phishing of a token-handling system, or SaaS supply chain compromise — they authenticate as a legitimate integration without ever triggering MFA. The token is the credential; stealing it skips authentication entirely.
SaaS Security Posture Management (SSPM) is a security tool category providing continuous visibility into all OAuth applications and integrations connected to an organisation's SaaS platforms. It inventories every connected app, the permissions it holds, which users authorised it, and monitors behavioral patterns to detect anomalies. It addresses the same gap that SaaS supply chain breaches exploit: the difference between what is connected and what is actively monitored.
1. Revoke all OAuth tokens and refresh tokens tied to the affected integration immediately. 2. Audit SaaS platform event logs for the exposure window — look for unusual data exports or access from unexpected infrastructure. 3. Rotate any credentials the compromised integration could have accessed. 4. Check for behavioral changes in other integrations connected to the same platform. 5. Follow the affected vendor's trust portal for specific remediation steps before re-enabling the integration.