Common SaaS security risks, breaches, and mitigations


With identity as the new perimeter, risk runs rampant through your SaaS ecosystem. Because rogue actors patiently work to exploit any vulnerability, every organization faces the same common SaaS security risks, and for an unlucky handful, ordinary risks have turned into avoidable and costly breaches.

Maintaining a secure SaaS stack is a group effort, requiring highly trained IT and security professionals, compliance teams, vigilant and trained end users, and SaaS security software. In this article, we’ll cover:

  • Security dangers that lurk everywhere
  • Real-life examples that already happened 
  • Warning signs potentially signaling a SaaS security breach
  • Mitigation tips to eliminate risk and boost SaaS security

SaaS security pitfalls and cautionary tales

In Verizon’s 2025 Data Breach Investigations Report, security analysts examined more than 22,000 security incidents, of which 55% were confirmed to be data breaches. Of those breaches, 60% were due to human error, while 30% originated from a third party, including SaaS apps and software vulnerabilities.

The truth is that while a security incident or breach can come down to one single cause, it is usually the result of multiple inadequacies. These lapses involve both technology and people, and it is generally the smallest actions that go unnoticed until data loss is discovered.

In this section, we go through common SaaS security problems and some recent, devastating security breaches that could have been prevented.

1. Misconfigurations

Poorly configured security settings—such as open APIs or weak authentication—can create exploitable vulnerabilities.

Recent SaaS security breach due to misconfigurations: In 2023, a reporter discovered that guest user access on several public-facing Salesforce Community websites mistakenly granted permissions to internal data that should have required authentication, highlighting the widespread SaaS ecosystem risk from misconfigurations and inadequate access controls. Exposed sensitive data included Social Security numbers, names, addresses, phone numbers, email addresses, and bank account information.

2. Delayed offboarding of departing users

When former employees retain access to SaaS applications and data, this typical SaaS security risk may lead to exfiltrated sensitive information. Inactive or orphaned accounts also present easy targets for attackers.

Recent breach from late offboarding: A 2021 SaaS security breach at Cash App was caused by delayed offboarding: a former employee, after termination, accessed and downloaded sensitive data for 8.2 million customers. Data loss included names, brokerage portfolio values, holdings, and trading activity. It took four months to discover the breach, which led to a class-action lawsuit against the company.

The breach occurred because the company failed to revoke the employee’s access permissions promptly after departure, leading to data exfiltration. Automated offboarding would have prevented it, and regular user access reviews and continuous user activity monitoring would have at least limited the breach duration.

3. Excessive administrative privileges

Users often accumulate elevated permissions over time. If these accounts are unused, lingering admin rights can pose significant security threats.

Recent excessive admin permissions breach: In 2021, a hacker collective gained access to Verkada’s systems by discovering username and password credentials for a “Super Admin” account that were publicly exposed on the internet. These credentials were reportedly found on an unencrypted subdomain used as an internal development system. For 36 hours, rogue actors had unrestricted access to all customer camera feeds, exposing live feeds from sensitive locations including corporations, hospitals, jails, and police departments. Data loss included a customer list and internal financial information.

The company’s internal practices contributed to the breach: over 100 employees, including interns as young as 20 years old, had super admin access, and logging requirements for accessing camera feeds were routinely ignored. This real-life example shows the risks of over-provisioned access privileges and lack of least-privilege enforcement.

4. Compromised credentials

Rogue actors frequently gain access through stolen credentials. This common security risk typically starts with phishing or with bots that crack passwords.

Recent compromised credential breach: In 2023, Okta, the trusted identity provider with thousands of customers, was breached by a hacker. The compromise originated in an Okta employee’s personal Google account.

The employee logged into a personal Google profile on a work-managed laptop and saved Okta service account credentials within that personal Google account; the credentials were then likely exposed through a phishing or social engineering attack on the personal account. Attackers obtained the stored service account credentials and used them to gain unauthorized access to Okta’s customer support ticketing system, which contained files for more than 100 customers.

The Okta breach shows how credential compromises at third-party SaaS providers can become an attack vector, and why it’s important to secure internal tools, enforce strict access controls, and protect employee credentials.

5. Overly permissive app data access

Unauthorized applications may read, write, or store sensitive data—or integrate with others that do—leading to unintentional data exposure. This typical SaaS security risk can arise from Shadow IT.

Recent excess app permission breach: In June 2025, a vulnerability in Microsoft OneDrive’s File Picker interface was discovered. This flaw enabled unauthorized access to entire OneDrive accounts through hundreds of third-party apps like Slack, ChatGPT, Trello, and Zoom: it allowed access to a user’s entire OneDrive account when the user only intended to share a single file. The root cause was identified as the excessive permissions granted during the consent process.

6. Insecure third-party integrations

External vendors or integrations can inadvertently expose data within your SaaS environment. This is why vetting and understanding integration updates is important. Even with vetting, without limiting integration permissions, monitoring activity, and regularly reviewing connected apps, it’s hard to eliminate this common SaaS security risk.

Recent insecure third-party breach: In 2023, following the Okta breach, attackers leveraged compromised credentials to access Cloudflare’s Atlassian platforms. A service account with excessive privileges, tied to a SaaS integration, provided a pathway for attackers to escalate access and reach data without authorization. This incident emphasizes the need for strict privilege management and regular audits of third-party integrations.

7. Improper file sharing practices

Publicly shared links are a very common SaaS security risk in all organizations. According to BetterCloud internal data, about 50% of files have only one sharing permission, but about 25% of files have up to 35 permissions each. Obviously, public links to sensitive files or folders can allow unauthorized access, putting confidential information at risk.

Recent public link breach: In 2023, Japanese game developer Ateam discovered a misconfiguration in their Google Drive account, where an “open link” sharing setting had been left enabled. This setting inadvertently removed access controls, leaving all files publicly accessible for more than 6 years. Anyone with the link could access sensitive personal data, including names, email addresses, phone numbers, and customer management numbers.

This is a cautionary tale about the dangers of easy file sharing from cloud storage. It can lead to significant data exposure, compounded by the fact that most public links sit inactive and unmonitored for years until a breach is discovered.

Watch 8 signs for early SaaS breach detection

Even though security alert fatigue seems to be the rule rather than the exception, resist the temptation to ignore any of the following early warning signs. By paying attention to them, you can discover an incident before data loss or other damage occurs.

1. Suspicious file activity: Large downloads within a short period of time, deletions, unusual numbers of file sharing links for files containing sensitive data. 

2. Configuration changes: Inappropriate security settings or unexpected API integrations

3. Unauthorized access changes: Excessive privileges, too many super admins

4. Login anomalies: Too many failed login attempts, unexplained new accounts or user account lockouts, access from unfamiliar locations

5. Unusual user activity: User tasks or file and folder access outside normal duties

6. Former user access: Potential for insider risk if offboarding is not completed

7. Slow performance: Malicious code can impede application performance or cause app crashes.

8. Unauthorized SaaS apps: New apps authorized and integrated with your domain without IT involvement or a security risk assessment
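The detection heuristics behind signs 1, 3, 4 and 6 above, run over a handful of constructed SaaS audit events (an added example, not code from the original article or from any SaaS management product; the event format, user roster and thresholds are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SaaS audit events (timestamp, user, action, detail); not from a real tenant.
EVENTS = [
    ("2025-06-01T09:00:00", "alice", "login_ok", "US"),
    ("2025-06-01T09:01:00", "alice", "download", "q2-forecast.xlsx"),
    ("2025-06-01T09:02:00", "alice", "download", "customer-list.csv"),
    ("2025-06-01T09:03:00", "alice", "download", "payroll.xlsx"),
    ("2025-06-01T11:00:00", "bob", "login_failed", "US"),
    ("2025-06-01T11:00:05", "bob", "login_failed", "US"),
    ("2025-06-01T11:00:10", "bob", "login_failed", "US"),
    ("2025-06-01T11:30:00", "bob", "login_ok", "RO"),
    ("2025-06-02T03:05:00", "carol", "download", "brokerage-holdings.csv"),
]
OFFBOARDED = {"carol"}                                   # departed users (constructed)
HOME_COUNTRY = {"alice": "US", "bob": "US", "carol": "US"}
SUPER_ADMINS = ["alice", "dave", "erin", "frank"]        # role roster (constructed)
WINDOW = timedelta(minutes=10)

def burst_users(events, action, threshold):
    """Signs 1 and 4: users with >= threshold `action` events inside one WINDOW."""
    per_user = defaultdict(list)
    for ts, user, act, _ in events:
        if act == action:
            per_user[user].append(datetime.fromisoformat(ts))
    flagged = set()
    for user, times in per_user.items():
        times.sort()  # check every run of `threshold` consecutive events
        if any(times[i + threshold - 1] - times[i] <= WINDOW
               for i in range(len(times) - threshold + 1)):
            flagged.add(user)
    return flagged
def unfamiliar_logins(events):
    """Sign 4: successful logins from a country other than the user's usual one."""
    return {(u, d) for _, u, a, d in events if a == "login_ok" and HOME_COUNTRY.get(u) != d}
def former_user_activity(events):
    """Sign 6: any activity by an account that should already have been offboarded."""
    return {u for _, u, _, _ in events if u in OFFBOARDED}
def super_admin_excess(limit):
    """Sign 3: how many super admins exceed the threshold you set (0 if within it)."""
    return max(0, len(SUPER_ADMINS) - limit)

def triage(events, admin_limit=3):
    return {"mass_download": burst_users(events, "download", 3),
            "failed_login_burst": burst_users(events, "login_failed", 3),
            "unfamiliar_location": unfamiliar_logins(events),
            "former_user_access": former_user_activity(events),
            "super_admins_over_limit": super_admin_excess(admin_limit)}
```

In a real tenant the events would come from the app’s audit log export and the roster from your identity provider; the thresholds are the part worth tuning per app.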

FAQs: How do I mitigate top SaaS security risks? 

Of course, mitigating SaaS security risk requires knowing how you’ll rapidly respond to and remediate any breach. Just as importantly, though, limiting risk demands a proactive set of processes. In this section, we answer some of your key questions about blunting a potential security issue.

Q: How do we perform thorough SaaS vendor security risk assessments?

A: As part of SaaS buying and renewing processes, review a SaaS app’s physical data center and security infrastructure, as well as encryption for data at rest and in transit, access controls, and related processes. Evaluate SaaS apps, as well as integrations and dependent data flows. Make sure your SaaS vendors have successfully passed rigorous audits for certifications like SOC 2, and track certifications using automation so they’re always current and reflect the vendor’s present state.

Q: How do I enforce multi-factor authentication? 

A: Identity and access management is the foundation for SaaS security, so require MFA, regularly review permissions, and prevent users who aren’t using MFA from logging into your SaaS environment.

Q: On what security practices should we train employees? 

A: There are two primary training goals for employees. First, make sure users are fully aware of the latest phishing techniques and second, teach them about responsible file sharing best practices.

Q: How do we maintain constant awareness of our SaaS security?

A: As poor visibility underpins most SaaS security risks, it’s best to use software tools that automate monitoring for new unauthorized apps or Shadow IT, user access and login changes, external file sharing, and file permissions.

Q: How can we limit the number of an app’s super admins?

A: As part of app tracking, you can build automated alerts that fire when the number of super admins for an app exceeds the threshold you set.

Q: How can we automate user offboarding?

A: By using a SaaS management platform that manages all aspects of the SaaS user lifecycle, you can easily create no-code workflows that promptly and completely offboard a departing employee.

Q: How do we run regular content scans? 

A: This is an automated process, too. Automated content scans identify where your sensitive data is located, and this includes files with intellectual property, customer information, healthcare data, and any kind of PII like Social Security numbers, credit card numbers, or bank account numbers.

Q: What kind of file sharing monitoring should we do?

A: Use software to get automated file sharing alerts for: 

  • Excessive external sharing: A complete view helps identify files that have been shared too widely with external collaborators or, in some cases, kept public via an open link.
  • Overly permissive access: Granular visibility into file permissions ensures files are only accessed by those who need them. This prevents accidental data leaks by negligent, but well-meaning employees.
  • Inactive data shares: Visibility is the first step toward revoking access for former employees or contractors who shouldn’t have access to shared files, closing a common security gap.

Q: Is there a way to enforce file sharing security policies?  

A: After training employees on your company’s file sharing policies, you can automate file permission cleanups on a regular basis. Run them at least monthly for all users, and more often for high-level executives and users in departments like finance or legal.
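The three file sharing alerts listed above, plus the permission cleanup actions from this answer, applied to a constructed cloud-drive permission inventory (an added example, not BetterCloud’s or any vendor’s code; the inventory format, internal domain, offboarded-user list and thresholds are assumptions):

```python
from datetime import date

# Constructed cloud-drive permission inventory (not from a real tenant): per file, the link
# sharing mode and an ACL of (principal, role, last_activity_date).
def _viewers(n):
    return [(f"user{i}@example.com", "viewer", "2025-05-01") for i in range(n)]

FILES = {
    "Q2 board deck.pptx": {"link": "anyone_with_link",
                           "acl": [("alice", "owner", "2025-05-30")]},
    "customer-list.csv": {"link": "restricted",
                          "acl": [("bob", "owner", "2025-06-01"),
                                  ("carol", "editor", "2024-11-02"),
                                  ("partner@example.org", "viewer", "2024-10-20")]},
    "all-hands notes.docx": {"link": "restricted",
                             "acl": [("dave", "owner", "2025-06-01")] + _viewers(36)},
}
INTERNAL_DOMAIN = "example.com"
OFFBOARDED = {"carol"}        # departed users (constructed)
MAX_PERMISSIONS = 35          # alert above this many permissions on one file
STALE_DAYS = 180              # external share with no activity this long gets revoked

def is_external(principal):
    """Bare usernames are internal; e-mail principals are external unless on our domain."""
    return "@" in principal and not principal.endswith("@" + INTERNAL_DOMAIN)

def audit(files, today=date(2025, 6, 15)):
    """Return (alerts, actions): what to tell the admin, and what a cleanup cycle would do."""
    alerts, actions = [], []
    for name, f in files.items():
        if f["link"] != "restricted":                    # open link: anyone can read
            alerts.append(("public_link", name))
            actions.append(("set_link", name, "restricted"))
        if len(f["acl"]) > MAX_PERMISSIONS:               # shared too widely
            alerts.append(("excessive_permissions", name))
        for principal, _role, last in f["acl"]:
            if principal in OFFBOARDED:                    # offboarding gap
                alerts.append(("former_user_share", name))
                actions.append(("remove_share", name, principal))
            elif is_external(principal):
                alerts.append(("external_share", name))
                if (today - date.fromisoformat(last)).days > STALE_DAYS:
                    actions.append(("remove_share", name, principal))
    return alerts, actions
```

Scheduling `audit` monthly for everyone, and more often for executives and finance or legal users, is the cleanup cadence the answer above describes; the actions list is what the run would apply.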

Q: What’s the best way to maintain a high SaaS security posture?

A: Use a SaaS management platform with strong SaaS security posture management capabilities. An all-in-one SMP with functionality like BetterCloud File Governance helps IT to:

  • Add security policies
  • Get automated alerts for improper sharing
  • Run compliance checks 
  • Enforce policies with automated file permission cleanup cycles 
  • Get alerts when excessive admin permission thresholds are exceeded
  • Maintain continuous visibility and SaaS environment monitoring for maximum security

Q: Why should we have an immediate incident response and containment plan?

A: In the case of a suspected security incident or breach, a containment plan spells out how you’ll respond. Your plan should include how you’ll isolate affected apps, change passwords, disable compromised accounts, block file sharing, and more.

Q: When do we pursue a root-cause analysis plan? 

A: After you’ve contained the breach, the next step is to investigate the complete extent of it. As we said earlier, while there may be one cause, there are usually multiple security lapses that contribute to the outcome. Make sure you determine any misconfiguration or patch vulnerability, initial entry, exfiltrated data, and effects on other SaaS providers and their customers.

Eliminate common SaaS security risks with BetterCloud  

As a 2025 Gartner® Magic Quadrant™ Leader and consistent G2 Grid® Leader, BetterCloud is dedicated to discovering, managing, securing, and automating the SaaS user lifecycle across all apps, vendors, users, files, contracts, spend, and budgets. Our SaaS management expertise, which goes back to 2011, and the trust of customers like ScottsMiracle-Gro help us continually innovate as SaaS management pain points and demands change.

Ready to learn more about managing common SaaS security risks? Download our latest report, Unlocking a Safer Stack: 10 Research-backed Practices of Security-Focused IT Teams, join our next live demo or speak with our sales team to see a demo now.
