In August 2025, researchers tracked a major supply chain attack in which threat actor UNC6395 used stolen OAuth tokens from Drift’s Salesforce integration to access customer environments across more than 700 organizations. The attacker needed no exploit and no phishing. The activity looked legitimate because it came from a trusted SaaS connection rather than a compromised user account.

‍

Similar patterns surfaced throughout the year. IBM’s 2025 Cost of a Data Breach Report found that the global average breach cost fell to $4.44 million, the first decline in five years. Verizon’s 2025 Data Breach Investigations Report showed that third-party involvement in breaches doubled year over year. The perimeter did not disappear, but mattered less as attackers targeted the trust relationships between cloud applications.

‍

‍

This report examines six incidents that shaped how AI and SaaS security risks evolved throughout 2025.

‍

1. Salesloft/Drift | OAuth Token Abuse

‍

Impact: 700+ organizations potentially compromised, including large enterprise customers

‍

In August, threat actor UNC6395 used stolen OAuth tokens from Drift's Salesforce integration to access customer environments. They did not exploit a vulnerability. They used legitimate third-party access that looked routine and slipped past user-focused monitoring.

‍

Attack chain:

‍
Compromised GitHub account → Drift's AWS environment → Extracted OAuth tokens → Custom Python scripts queried customer Salesforce instances → Exfiltrated contacts, opportunities, AWS keys, Snowflake tokens.

‍

One integration became a doorway into everything connected to it. By September, Salesforce temporarily removed Drift from AppExchange and reinstated it weeks later with updated OAuth requirements.

‍

What most teams miss: Security teams track employee access obsessively, yet the non-human identities that sit between sanctioned SaaS apps often run unmonitored. These app-to-app connections rely on long-lived tokens and broad permissions, and traditional tools were never built to map or evaluate sanctioned SaaS communicating with other sanctioned SaaS.

‍

Most organizations cannot quickly determine which third-party apps have active access to their CRM, HR, or finance systems. If that answer takes more than a few minutes, the environment is governed by assumption rather than control.

‍

The insight: OAuth misuse is becoming a preferred entry method. Treat tokens as privileged credentials. Monitor non-human identities continuously. Audit third-party permissions on a regular schedule.

‍

2. PowerSchool | SaaS Credential Compromise

‍

Impact: 62.4 million students, 9.5 million teachers, 6,505 school districts

‍

The breach began in late 2024, but the ransom payment, sentencing, and renewed extortion attempts pushed its full impact into 2025. A 19-year-old attacker used compromised credentials to access PowerSchool’s customer support portal. No sophisticated exploit was involved. The portal lacked an MFA.

‍

The exposed data included SSNs, medical records, special education information, and even restraining order details dating back to the 1960s. PowerSchool paid $2.85 million in ransom, according to Department of Justice filings. Despite the payment, extortion attempts against individual districts resumed in May 2025.

‍

What most teams miss: Organizations invest heavily in securing public-facing systems, while internal tools with broad data access often run on weaker controls. Support and admin portals routinely become the softest entry point, even though they guard the most sensitive information.

‍

Zero trust is often discussed as a philosophy or theory, yet a support portal protecting the records of more than 60 million children with nothing more than a single password is not zero trust. It makes zero sense.

‍

The insight: The breach did not begin with malware. It began with a trusted administrative session that should have required more than a password.

‍

3. Microsoft Copilot EchoLeak | Prompt Injection

‍

Impact: CVE-2025-32711, CVSS 9.3 (Critical), patched June 2025

‍

EchoLeak introduced a new vulnerability class: a zero-click prompt injection flaw that enabled data exfiltration without any user interaction. Microsoft addressed the issue before evidence of mass exploitation emerged.

‍

How it worked: Attacker sends email with hidden instructions → Copilot ingests malicious prompt → AI extracts sensitive data (OneDrive, SharePoint, Teams) → Data exfiltrated via trusted Microsoft domains → Zero clicks required.

‍

No one noticed. No alert surfaced. The activity moved through approved channels with no visibility at the application or identity layers.

‍

The insight: Granting AI assistants broad access creates pathways that traditional controls cannot see. Limit the AI assistant's scope and enforce strict boundaries around automated data retrieval.

‍

4. Deepfake Fraud | AI-Powered Social Engineering

‍

Impact: Estimated $200 million in Q1 2025, with more than 160 reported incidents.

‍

Voice cloning now requires only three to five seconds of sample audio, and human detection accuracy for high-quality deepfakes remains at just 24.5%. In 2025, a voice clone of the Italian Defense Minister extracted nearly €1 million, and multiple financial institutions were targeted with synchronized impersonations.

‍

We built verification on the belief that seeing and hearing someone proves identity. That assumption died in 2025.

‍

The insight: Trusted communication channels are now attack vectors. Implement code words, callback verification, and mandatory secondary approval.

‍

5. Shadow AI | Unmonitored Data Exposure

‍

Impact: 20% of organizations suffered shadow AI breaches, with costs averaging $670,000 more than traditional incidents.

‍

IBM’s 2025 Cost of a Data Breach Report introduced shadow AI as a material breach vector:

‍

‍

Shadow AI breaches also took longer to detect, averaging 247 days compared to 241, and disproportionately affected customer PII at 65% and intellectual property at 40%.

‍

What most teams miss: This is not malware, and it is not phishing. It is an OAuth-connected, workplace-integrated AI moving laterally without triggering alerts. Employees are not trying to expose the organization. The models they use simply do not know what should be obvious.

‍

97% of organizations that experienced AI-related breaches lacked basic access controls. We are giving AI the keys to the kingdom and acting surprised when something walks out with the crown jewels.

‍

The insight: AI adoption has outpaced security maturity. Deploy enterprise AI with DLP integration, and assume that at least 20% of your organization is already using unauthorized tools.

‍

6. GTG-1002 | AI-Orchestrated Cyber Espionage

‍

Impact: Approximately 30 organizations targeted, including tech companies, financial institutions, and government agencies

‍

Anthropic’s November 2025 report detailed how Chinese state-sponsored actors manipulated Claude Code to automate the majority of their intrusion activity. The model handled between 80-90% of each operation, though researchers note the autonomy claims should be interpreted cautiously.

‍

AI handled: Reconnaissance, exploit development, credential harvesting, lateral movement, and data extraction - leaving only four to six human decision points across an entire campaign.

‍

The insight: Offensive operations have moved into semi-autonomous execution. Any modern defense strategy must assume adversaries already operate with AI systems that execute the bulk of their workload independently.

‍

2025 Statistics

‍

‍

What 2025 Taught Us

‍

The breach patterns of 2025 shared a common theme: attackers exploited trust rather than vulnerabilities.

• SaaS-to-SaaS lateral movement bypassed endpoint security entirely.
• AI tools functioned simultaneously as an attack surface and an attack facilitator.
• Non-human identities remained invisible while human access was monitored to exhaustion.

‍

The organizations that avoided major incidents were not the ones with the largest budgets. They were the ones with real visibility into how their SaaS applications behaved and which connections they maintained.

‍

The full picture appears in the visualization below, which includes our curated set of 16 significant AI and SaaS breaches from 2025, organized by attack category. It captures additional incidents beyond the six highlighted in this report.

‍

‍

Across all 16 incidents, one pattern stood out: the most dangerous attacks did not break in. They logged in.

‍

The 5-Minute SaaS OAuth Audit

‍

If these questions cannot be confidently answered for your top five SaaS apps, the risk of a Drift-style breach is already present.

‍

‍

References

1. Verizon, "2025 Data Breach Investigations Report," April 2025. https://www.verizon.com/business/resources/reports/dbir/
   
   
2. IBM Security, "Cost of a Data Breach Report 2025," July 2025. https://www.ibm.com/reports/data-breach
   
   
3. Google Cloud/Mandiant, "Widespread Data Theft Targets Salesforce Instances via Salesloft Drift," August 2025. https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
   
   
4. Cloud Security Alliance, "The Salesloft Drift OAuth Supply-Chain Attack," September 2025. https://cloudsecurityalliance.org/blog/2025/09/25/the-salesloft-drift-oauth-supply-chain-attack
   
   
5. Dark Reading, "Researchers Detail Zero-Click Copilot Exploit 'EchoLeak'," June 12, 2025. https://www.darkreading.com/application-security/researchers-detail-zero-click-copilot-exploit-echoleak
   
   
6. Variety, "Deepfake-Enabled Fraud Has Already Caused $200 Million in Financial Losses in 2025," April 18, 2025. https://variety.com/2025/digital/news/deepfake-fraud-caused-200-million-losses-1236372068/
   
   
7. Security Magazine, "Deepfake-enabled fraud caused more than $200 million in losses," April 21, 2025. https://www.securitymagazine.com/articles/101559-deepfake-enabled-fraud-caused-more-than-200-million-in-losses
   
   
8. Anthropic, "Disrupting the first reported AI-orchestrated cyber espionage campaign," November 13, 2025. https://www.anthropic.com/news/disrupting-AI-espionage
   
   
9. Anthropic, GTG-1002 Technical Report (PDF), November 2025. https://assets.anthropic.com/m/ec212e6566a0d47/original/Disrupting-the-first-reported-AI-orchestrated-cyber-espionage-campaign.pdf
   
   
10. The Register, "Chinese spies used Claude to break into critical orgs," November 13, 2025. https://www.theregister.com/2025/11/13/chinese_spies_claude_attacks
    ‍
11. OWASP, "Top 10 for LLM Applications 2025." https://owasp.org/www-project-top-10-for-large-language-model-applications/