Software-as-a-Service breaches surge 300 percent
A new report from Obsidian Security reveals an unprecedented 300 percent year-on-year increase in SaaS breaches between September 2023 and 2024.
This surge comes as organizations increasingly rely on SaaS applications, with current spend on SaaS in the hundreds of billions, or approximately $8,700 per employee, for tools such as Workday, Google Workspace, ServiceNow, and Office 365.
Obsidian's data shows 99 percent of SaaS compromises originate at the identity provider (IdP). Although IdPs help manage access, a compromised IdP lets attackers move laterally across entire systems, putting sensitive data at risk.
While multi-factor authentication (MFA) is commonly viewed as essential, the data shows that MFA failed to prevent attacks in 84 percent of incident responses. MFA alone is insufficient, and more robust, layered security solutions are needed to defend against modern threats.
The fastest time from initial access to data exfiltration was as little as nine minutes. Traditional security controls can't respond quickly enough, which increases the risk of rapid data loss and makes real-time monitoring and response strategies necessary.
"The data is stark and unmistakable; securing the identity and its dynamic relationship with services and applications should be the first task for every security team," says Glenn Chisholm, CPO of Obsidian Security. "Our unmatched dataset of real-life, real-time SaaS compromise telemetry, combined with our knowledge graph of identities across hundreds of large enterprises has allowed Obsidian Security to build AI models with unmatched efficacy. These AI and LLM models continuously learn and adapt to catch attackers before they breach an organization’s environment through SaaS."
The report highlights that a proliferation of third-party applications has created new attack vectors, with Microsoft integration abuse becoming increasingly prevalent. Organizations typically deploy around 100 AI applications, with 60 percent lacking proper security controls or federation behind the IdP. Unauthorized applications also continue to connect to core environments, significantly increasing security risks.
The complete 2025 SaaS Security Threat Report is available from the Obsidian site.