Now that software as a service (SaaS) ecosystems have made building software cheaper, faster, and easier than ever, the user landscape has changed dramatically. Gone are the days when SaaS applications were populated only by human users; non-human identities are now everywhere. These non-human entities, such as API keys, service accounts, and automation bots, have become one of the biggest challenges. Security teams need to defend their organizations’ sensitive information and regulatory compliance requirements from these emerging threats.
Recent successful attacks against security tokens have underscored the fragility of these non-human credentials and shown that the time to secure them is now. Attackers have been able to take advantage of these weak links to reach sensitive information across multiple platforms. For instance, in one case a backdoor was used to query and exfiltrate sensitive databases, including AWS keys and Snowflake tokens.
These breaches have grave consequences that extend beyond the impacted organizations themselves. Even Internet heavyweights like Cloudflare and The New York Times have suffered major incidents. As services integrate ever more tightly with one another, understanding the identity-related risks posed by non-human identities is key to protecting SaaS environments.
The Vulnerability of Non-Human Credentials
Although non-human credentials enable automation and integrations, they bring many security challenges. OAuth applications, API keys, service accounts, and automation bots can all end up acting as conduits for attackers if we aren’t careful. Attackers exploited Cloudflare’s Atlassian stack, which includes widely used tools like Jira, Confluence, and Bitbucket, by abusing an orphaned token that still carried the service credentials connected to it. This case illustrates how easily attackers can exploit unattended tokens to access and manipulate systems.
Further, the use of third-party platforms like Drift and Salesforce brings even greater risk. Attackers hijacked integration tokens to access Salesforce CRM data across hundreds of organizations, illustrating how intertwined services can lead to widespread exposure. The 2023 Okta breach brought this danger into stark relief: compromised orphaned and unrotated service credentials served as a wake-up call that similar breaches could occur in other organizations.
Security teams are swimming upstream as they try to secure and control these non-human identities. They must ensure that the roughly one-third of SaaS app integrations that have access to sensitive data do not hold more access than they need. Without constant monitoring and management of newly adopted integrations, organizations risk serious data breaches and the loss of sensitive information.
The Need for Real-Time Visibility
As SaaS ecosystems grow more complex, security teams lack real-time visibility into the non-human identities operating across their SaaS stack. Without clear and complete oversight, they cannot catch weaknesses that could be exploited by those with malicious intent. Given the constantly changing environment of today’s SaaS applications, a security solution must be just as dynamic, taking an active approach that evolves with the threats.
To meet this growing challenge, solutions like Reco have come onto the market. Reco automatically surfaces all third-party app connections, service accounts, API tokens, and scripts running in every SaaS application. Reco also helps organizations better understand their non-human identities, making it feasible for security teams to automate and integrate their work to address security risks.
Companies also need to move to a more proactive security approach that harnesses real-time intelligence from identity activity across their entire SaaS landscape. With the help of machine learning, this approach can detect anomalies in real time and act quickly to mitigate potential threats. This security paradigm accepts the reality of an ever-present threat of breach, and it highlights why regularly inventorying the permissions handed to these identities is so critical.
Adapting SaaS Security Strategies
As public and private organizations continue to rely on SaaS applications to run their businesses, evolving security approaches are critical. A dynamic approach is essential to navigate the complex web of SaaS apps, identities, and integrations present within an organization’s environment. Static security measures are no longer enough; a new approach that uses agile techniques is needed to keep up with the rapidly changing pace of technology.
The breach of Salesloft’s SaaS platform in August 2025 underscores the immediate need for more robust security practices and highlights the danger that exists without full protection. Just last month, attackers stole OAuth access tokens for its Drift chatbot integration with Salesforce, giving them access to sensitive information. This event brings to light the importance of all organizations re-evaluating their security measures from a proactive perspective, not just a reactive one.
Organizations need to conduct continuous, deep-dive audits of their entire SaaS landscape, especially to identify any orphaned or unmonitored service accounts and API tokens. By establishing robust credential-monitoring procedures and following best practices in credential management, organizations can proactively minimize their risk exposure.