Business Honor
10 December, 2025
Incidents expose risks in OAuth integrations, user behavior, and third-party SaaS connections.
A series of high-profile security incidents in 2025 exposed critical weaknesses in the SaaS ecosystem. The attacks involved ShinyHunters and the compromised Salesloft Drift integration, showing how threat actors can leverage trusted connections, OAuth permissions, and user behavior to gain access to corporate systems without deploying traditional malware or zero-day exploits.
The first incident involved Salesforce environments and social engineering. Posing as internal IT staff, attackers called employees at large organizations and deceived them into approving an attacker-connected app. Once authorized, the attackers gained API-level entry to the environment and quietly extracted customer records, support logs, contacts, and sensitive operational data. Because the activity appeared legitimate, the breach went unnoticed for weeks, culminating in attempted extortion.
At about the same time, another supply-chain-style attack at Salesloft demonstrated the extent of the risk linked to third-party SaaS integrations. After breaching Salesloft's GitHub repository, bad actors found OAuth tokens used by the Drift chatbot. Using these credentials, they accessed Salesforce environments at more than 700 companies. Because the data requests appeared to come from an approved integration, the activity blended in with normal system behavior.
Both incidents demonstrate persistent security gaps in SaaS. The human factor remains one of the top threats, as attackers trick employees into bypassing technical controls. Third-party apps continue to be a high-risk factor, since an over-permissioned integration can expose full data access. The events also demonstrated the difficulty of detecting attacks that rely on credentials.
For this reason, security experts stress more active oversight of SaaS environments, including permission management, continuous monitoring of app behavior, and tighter approval processes for integrations, along with continuous employee training. As SaaS adoption accelerates, it is crucial that organizations modernize their defenses to protect data across increasingly connected cloud platforms.