SAAS security starts with you

When “Scattered LAPSUS$ Hunters” reminds us of an uncomfortable truth: SaaS security starts with you

1 billion records. 40 major companies. A single vulnerability: misplaced trust.

The recent attack on Salesforce environments orchestrated by the collective “Scattered LAPSUS$ Hunters” is not just another statistic in the history of cybercrime. It is a brutal revelation of a reality that many organizations prefer to ignore.

What the numbers don’t say (but should)

In October 2025, this cybercriminal super-group — a fusion of Scattered Spider, ShinyHunters, and LAPSUS$ — targeted giants like Google, Cisco, FedEx, Disney, Toyota, and Marriott. Their method? No sophisticated technical exploit. Classic vishing (voice phishing) and abuse of OAuth via trusted integrations like Salesloft Drift.

The average cost of a data breach in 2025? $4.44 million USD globally, but $10.22 million USD in the United States. For the financial sector, this amount climbs to $9.28 million USD per incident. These figures don’t even capture the erosion of trust, the loss of clients (38% change providers after a breach), or the average 7.5% stock market drop that follows.

But here is the question that should keep us all awake at night:

The Salesforce platform was not compromised. So, who is responsible?

This is where the discomfort lies. Salesforce explicitly stated that its infrastructure had not been breached. The attackers exploited client-side shortcomings: multi-factor authentication (MFA) that was not enforced, neglected management of OAuth integrations, excessive permissions, and a lack of detection for suspicious non-human identities.

Welcome to the uncomfortable reality of the SaaS shared responsibility model.

The dangerous illusion of “They take care of everything”

Too many organizations migrate to SaaS with the silent assumption that security is entirely delegated to the provider. Fatal error.

In a SaaS model, the provider secures:

  • The physical infrastructure and the network
  • The application platform itself
  • Backups and service availability
  • The compliance of its infrastructure

But you, the client, remain responsible for:

Identity and access management: Who can access? With what privileges? Is MFA universally enforced?

Application configuration and governance: Have you disabled anonymous access? Limited external sharing? Defined retention policies?

Third-party integration management: Which OAuth applications have access to your data? When were they last audited?

Threat monitoring and detection: Are you monitoring for anomalous logins, configuration changes, or the creation of suspicious non-human identities?

Data security: Is your sensitive data classified? Do access permissions respect the principle of least privilege?

Training and awareness: Can your employees identify a vishing attempt?

In the case of the Scattered LAPSUS$ Hunters attack, it was precisely these client-side responsibilities that failed.

Standardization finally arrives: CSA SSCF, a compass in the fog

Faced with this complexity, the Cloud Security Alliance (CSA) published the SaaS Security Capability Framework (SSCF) v1.0 in September 2025 — the first industry standard defining the security controls that every SaaS application should offer to its clients.

The SSCF structures 41 essential controls around 6 domains:

  1. Change Control & Configuration Management: Secure change management
  2. Data Security & Privacy: Data lifecycle management
  3. Identity & Access Management: Strong authentication, governance of non-human identities
  4. Interoperability & Portability: Control over exports and integrations
  5. Logging & Monitoring: Actionable logs delivered within 24 hours
  6. Security Incident Management: Incident notification and forensics

This framework does not replace SOC 2 or ISO 27001 — it complements them by translating abstract requirements into concrete, configurable capabilities.

More importantly: the SSCF would have directly addressed the flaws exploited in the Salesforce attack. Control IAM-SaaS-19 (Third-party Allowlisting) would have detected the malicious integration. Control IAM-SaaS-06 (Governance of non-human identities) would have immediately flagged the creation of suspicious OAuth applications.

Beyond the framework: game-changing tooling

Having a framework is good. Having the ability to operationalize it across dozens or hundreds of SaaS applications is better.

This is precisely the promise of SaaS Security Posture Management (SSPM) solutions like our partner AppOmni — recognized as a leader by Frost & Sullivan and ranked as a “Strong Performer” by Forrester.

A modern SSPM offers:

🔍 Unified visibility: A consolidated view of your SaaS security posture across all your applications

⚙️ Configuration drift detection: Automatic identification of deviations from security baselines

🔐 Identity and access governance: Monitoring of excessive permissions and access to sensitive data

🔗 OAuth integration management: Inventory and assessment of third-party applications

📊 Log normalization: Standardized event streams for threat detection

Remediation automation: Guided workflows for the rapid correction of vulnerabilities

The question is no longer “if”, but “when”

The Scattered LAPSUS$ Hunters attack is not an isolated case. It is a symptom of an accelerating trend.

Let’s look at the facts from 2024-2025:

Snowflake (Mid-2024): 165 organizations compromised

  • Victims: AT&T (109 million records), Ticketmaster, Santander Bank, LendingTree, Neiman Marcus
  • Attack vector: Stolen credentials via infostealers, lack of MFA
  • Amount extorted: $2.7 million USD confirmed
  • The flaw? Not the Snowflake platform, but client configurations: MFA not enabled, credentials not renewed since 2020, absence of authorized IP lists

Microsoft / Midnight Blizzard (January 2024): Russian state-sponsored attack

  • Target: Emails of Microsoft executives, cybersecurity, and legal teams
  • Attack vector: Password spray on an unprotected test account, then abuse of a legacy OAuth application with full_access_as_app permissions
  • Impact: Access to internal correspondence, source code exfiltration
  • The flaw? Legacy test account without MFA, obsolete OAuth application with unaudited excessive permissions

Cloudflare (November 2023): Exfiltration via Atlassian

  • Attack vector: OAuth tokens from a previous breach reused to access the Atlassian instance
  • Impact: Access to internal code repositories, exfiltration of source code related to operational technologies
  • The flaw? OAuth tokens not revoked after the previous incident, unmonitored OAuth permissions

Dropbox Sign (April 2024): Compromise of non-human identities

  • Attack vector: Access to an automated configuration tool, compromise of a highly privileged service account
  • Impact: Access to the Dropbox Sign customer database
  • The flaw? Inadequate monitoring of non-human identities (service accounts, API keys)

The pattern is clear: Attackers are no longer trying to “hack” the infrastructure. They simply walk through the front door by exploiting:

  • The absence or non-enforcement of MFA
  • Poorly governed OAuth applications and integrations
  • Unmonitored non-human identities (service accounts, API tokens)
  • Dormant or legacy accounts that have not been deprovisioned
  • Unaudited excessive permissions
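As an added illustration, not code from the original post or from any vendor's product, here is a posture check over a constructed tenant snapshot that flags each of the five patterns above and then chains them: an OAuth app owned by a weak identity (no MFA, dormant, or stale service credential) is flagged separately, which is the legacy-test-account-to-OAuth-app path seen in the Midnight Blizzard case. The field names, thresholds and sample data are assumptions for this example, not a real Salesforce export.

```python
from datetime import date

# Constructed snapshot of one SaaS tenant (sample data, not real Salesforce API output;
# the field names are assumptions made for this example).
TODAY = date(2025, 10, 15)
USERS = [
    {"name": "alice", "kind": "human", "active": True, "mfa": True, "last_login": date(2025, 10, 14)},
    {"name": "bob", "kind": "human", "active": True, "mfa": False, "last_login": date(2025, 10, 10)},
    {"name": "test-legacy", "kind": "human", "active": True, "mfa": False, "last_login": date(2024, 1, 3)},
    {"name": "svc-sync", "kind": "service", "active": True, "mfa": False,
     "last_login": date(2025, 10, 12), "secret_rotated": date(2020, 5, 1)},
]
OAUTH_APPS = [
    {"name": "Drift", "owner": "alice", "allowlisted": True, "scopes": ["api", "refresh_token"],
     "last_review": date(2025, 9, 1)},
    {"name": "legacy-sync", "owner": "test-legacy", "allowlisted": False, "scopes": ["full"],
     "last_review": None},
]
EXCESSIVE_SCOPES = {"full", "full_access_as_app"}  # tenant-wide scopes; assumed names

def audit(users, apps, today=TODAY, dormant_days=90, review_days=180, rotation_days=365):
    """Return (rule, subject) findings; one rule per failure pattern listed in the text."""
    findings = []
    for u in users:
        if not u["active"]:
            continue                      # deprovisioned accounts are out of scope
        if u["kind"] == "human" and not u["mfa"]:
            findings.append(("MFA_NOT_ENFORCED", u["name"]))
        if (today - u["last_login"]).days > dormant_days:
            findings.append(("DORMANT_ACCOUNT", u["name"]))
        rotated = u.get("secret_rotated")  # non-human identities: check credential age instead of MFA
        if u["kind"] == "service" and (rotated is None or (today - rotated).days > rotation_days):
            findings.append(("NHI_STALE_CREDENTIAL", u["name"]))
    weak = {name for _, name in findings}  # identities an attacker could take over cheaply
    for a in apps:
        if not a["allowlisted"]:
            findings.append(("OAUTH_NOT_ALLOWLISTED", a["name"]))
        if a["last_review"] is None or (today - a["last_review"]).days > review_days:
            findings.append(("OAUTH_UNAUDITED", a["name"]))
        if EXCESSIVE_SCOPES & set(a["scopes"]):
            findings.append(("OAUTH_EXCESSIVE_SCOPE", a["name"]))
        if a["owner"] in weak:            # weak account -> its OAuth app inherits the risk
            findings.append(("OAUTH_OWNED_BY_WEAK_IDENTITY", a["name"]))
    return findings

if __name__ == "__main__":
    for rule, subject in audit(USERS, OAUTH_APPS):
        print(f"{rule:<30} {subject}")
```

Run it against an export of your own user list and connected-app inventory, and the findings map directly onto the client-side responsibilities from the shared responsibility model above.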

Cybercriminals have understood that SaaS applications, which host your most sensitive data, often remain the weakest link in your security architecture. And unlike traditional network attacks, these flaws are entirely within your scope of responsibility.

Cloud migration has moved the data. It is time for security maturity to follow.

Three concrete actions right now:

  1. Audit your SaaS posture: Start with your critical applications (Salesforce, Microsoft 365, Workday, ServiceNow). What are your current configurations? Who has access to what?

  2. Evaluate your applications against the SSCF: Use the CSA framework as a baseline. Do your SaaS providers offer the necessary controls? Are you using them?

  3. Invest in an SSPM: Manual management doesn’t scale. Solutions like AppOmni allow you to move from a reactive approach to a proactive SaaS security posture.


💡 SaaS security is not an option — it is your fiduciary responsibility to your clients, your employees, and your shareholders.

🔗 Discover the CSA SSCF framework: https://cloudsecurityalliance.org/artifacts/saas-security-capability-framework-sscf

🛡️ Interested in AppOmni and SSPM solutions? Contact me for a personalized demonstration and an audit of your current SaaS posture.


Sources:

  • IBM Cost of a Data Breach Report 2025
  • Cloud Security Alliance SaaS Security Capability Framework v1.0
  • Google Threat Intelligence Group reports on UNC6040/UNC6395
  • Forrester Wave: SaaS Security Posture Management Q4 2023