SaaS applications are now the beating heart of enterprise operations and attackers know it. Recently, two separate campaigns by UNC6040 (aka ShinyHunters) and UNC6395 crippled organizations across industries by exploiting OAuth mechanisms to breach Salesforce and related SaaS ecosystems. The fallout was immediate: disrupted operations, stolen customer data, and extortion attempts that impacted some of the world’s most recognizable brands.

In this fireside chat, Christie Terrill, CISO at Bishop Fox, sits down with Brian Soby, CTO and Co-Founder of AppOmni and former Director of Product Security at Salesforce, to unpack how these attacks unfolded and their impact on global enterprises. The conversation will then shift into a live, interactive Q&A where attendees can engage directly with Christie and Brian on real-world SaaS security challenges and defense strategies.

Attendees will gain:

• A concise recap of the recent SaaS breach campaigns: what happened, who was impacted, and the broader business consequences.
• Actionable guidance for mitigating risk, from enforcing least privilege to hardening integration accounts.
• Direct insights from SaaS security leaders who have built defenses at the vendor and enterprise level.
• Live Q&A time with Brian and Christie to tackle your most pressing SaaS security questions.

By the end of the discussion, participants will walk away with a sharper understanding of the SaaS threat landscape and practical steps to protect their own environments from the kind of disruptions that recently shook global enterprises.

Who Should Watch:

• CISOs and security leaders responsible for SaaS security strategy
• IT administrators managing SaaS integrations and OAuth configurations
• Vendor risk management professionals evaluating third-party applications
• Security architects designing SaaS security frameworks
• Compliance teams overseeing data protection in cloud environments
• Business leaders dependent on critical SaaS platforms like Salesforce, ServiceNow, and Microsoft 365
• DevSecOps teams implementing security controls for SaaS applications

Session Summary:

In this fireside chat, Christie Terrill (CISO at Bishop Fox) and Brian Soby (CTO of AppOmni and former Salesforce Director of Product Security) dissect two major SaaS attack campaigns that recently disrupted global enterprises. UNC6040 (ShinyHunters) utilized sophisticated phishing techniques including OAuth device code flow attacks, while UNC6395 exploited credential management weaknesses through a supply chain compromise of the Drift platform. The discussion reveals how these attacks succeeded not just due to vendor vulnerabilities, but also because of poor customer implementation practices around integration security. Both experts emphasize that while vendors bear primary responsibility for platform security, customers must implement proper access controls, IP restrictions, and least-privilege principles to mitigate the impact of inevitable vendor compromises. The conversation provides practical guidance for modernizing vendor risk management beyond traditional contract-based approaches to focus on actual technical risks present in SaaS environments.

Key Takeaways:

1. Two Major Attack Patterns Emerged: UNC6040 (ShinyHunters) focused on credential attacks and OAuth phishing using device code flow, while UNC6395 conducted a sophisticated supply chain attack through Drift's platform compromise, affecting hundreds of customers simultaneously.
2. Vendor Responsibility vs. Customer Controls: While vendors bear ultimate responsibility for platform security, customers who implemented proper IP restrictions and least-privilege access were completely protected from the Drift compromise.
3. OAuth Token Rotation is Not a Silver Bullet: Short-lived tokens and frequent rotation provide limited protection against full platform compromises, as attackers gain access to the same credential refresh capabilities as legitimate integrations.
4. IP Restrictions Are Critical: Implementing IP allow lists for SaaS integrations would have provided 100% protection against the Drift attack, as attackers accessed stolen credentials from different infrastructure than the compromised vendor.
5. Inventory is the Foundation: Organizations must discover all SaaS integrations directly from their critical platforms (Salesforce, ServiceNow, Microsoft 365) rather than relying on procurement records, as many unauthorized POCs and trials remain active with valid credentials.
6. Least Privilege Prevents Lateral Movement: Many integrations are granted excessive permissions, with applications having both data access and administrative rights when they should only have one or the other, amplifying breach impact.
7. Credential Management in SaaS is Broken: Secrets are scattered across SaaS platforms in ways that attackers understand better than the customers themselves, leading to incomplete credential rotation during incident response.
8. These Attacks Will Increase: Both attack patterns were wildly successful, making them attractive models for future threat actors to replicate and evolve, requiring organizations to prepare for similar large-scale SaaS compromises.

This fireside chat only scratches the surface of the evolving SaaS security landscape. State of the SaaS Security Union expands on the topics discussed in this session and provides additional insights into building robust SaaS security programs that can withstand the sophisticated attacks we're seeing today.