IT Brief Canada - Technology news for CIOs & IT decision-makers

Obsidian report reveals 300% surge in SaaS breaches

Today

Obsidian Security has released its inaugural 2025 SaaS Security Threat Report, highlighting a significant 300% increase in Software as a Service (SaaS) breaches over the past year.

The report, covering the period between September 2023 and 2024, outlines how SaaS breaches have heavily impacted multiple sectors, with prominent organisations such as Microsoft and AT&T experiencing major security incidents. This rise in breaches coincides with an increased reliance on SaaS applications, where expenditure has reached hundreds of billions globally, averaging around USD $8,700 per employee for tools like Workday, Google Workspace, ServiceNow, and Office 365.

Obsidian Security, leveraging its industry-leading SaaS breach data repository and direct involvement in over 150 incident responses, has disclosed key insights that are reshaping the current understanding of security threats. The report underscores the necessity of safeguarding SaaS identities, revealing data indicating that 99% of SaaS compromises stem from the identity provider (IdP) level. Compromised IdPs can help attackers move laterally across systems, risking exposure of sensitive information.

Findings further question the sufficiency of Multi-Factor Authentication (MFA). More than 84% of breaches involved incidents where MFA failed to thwart adversaries, suggesting that MFA alone cannot counter the complexity of current cyber threats. The report advocates for robust, multi-layered security systems capable of addressing modern security challenges.

Additionally, the report highlights the rapid progression of SaaS breaches. The fastest recorded time from breach initiation to data exfiltration was noted at just nine minutes, emphasising the necessity for real-time monitoring and responsive strategies to mitigate rapid data loss risks.

Glenn Chisholm, Chief Product Officer of Obsidian Security, commented, "The data is stark and unmistakable; securing the identity and its dynamic relationship with services and applications should be the first task for every security team. Our unmatched dataset of real-life, real-time SaaS compromise telemetry, combined with our knowledge graph of identities across hundreds of large enterprises, has allowed Obsidian Security to build AI models with unmatched efficacy. These AI and LLM models continuously learn and adapt to catch attackers before they breach an organization's environment through SaaS."

Obsidian Security's research has informed updates to the MITRE ATT&CK framework, reflecting their findings on identity-based threats within SaaS contexts. Their work continues to influence global security protocols. Jim Hung, Associate Managing Director at Kroll, stated, "In our breach response and intelligence work, we're increasingly seeing that threat actors recognise the relatively vulnerable state of interconnected SaaS applications as fertile hunting grounds. The quality of malicious tradecraft is improving to rapidly exploit identity and configuration weaknesses to the fullest."

The report also discussed emerging threats, including vulnerabilities related to SaaS integrations, with abuses of Microsoft integrations becoming more common. AI applications and the expansion of unauthorised "Shadow SaaS" applications also pose increasing security challenges.

The average financial impact of a SaaS breach now stands at USD $4.88 million, with investment in security lagging behind the swift uptake of SaaS solutions, exacerbating these risks. The full 2025 SaaS Security Threat Report is available for those interested in detailed findings and recommendations.
