Identity Is Not Enough:
Why Every Major Breach Had Valid Credentials

Instructure operates two account tiers on the same production infrastructure: institutionally-managed accounts (SSO via university IdPs) and a Free-For-Teacher self-enrollment program (no institutional IdP, no verification). ShinyHunters exploited the weaker tier — self-enrolled FFT accounts that shared production tenant access — to exfiltrate 3.65TB across 8,809 institutions over a 7-day window. The second breach occurred one week after the first, using the same vector.

This is Salesforce's problem. The platform — one of the world's largest SaaS systems by data volume — was completely blind to 3.65TB leaving its infrastructure. No exfiltration monitoring. No volume threshold. No anomaly detection. A valid session moved the equivalent of hundreds of millions of records and nothing fired.

A Vercel employee signed up for Context AI (an "AI Office Suite") using their corporate Google Workspace account with "Allow All" OAuth permissions. Context AI was later compromised via Lumma Stealer malware delivered through malicious Roblox scripts — a consumer-facing attack surface that harvested corporate OAuth tokens as a secondary effect. With the Vercel employee's Google OAuth token, the attacker accessed Vercel's internal environments and unclassified environment variables.

This is the AI-era attack surface. Consumer AI tools, personal devices, over-scoped OAuth grants, and zero enforcement of corporate app policies on third-party AI apps create a new credential exfiltration vector that traditional identity governance doesn't see.

This is not a human identity breach. The target was a non-human identity — LiteLLM's PyPI publishing API token stored in its CI/CD pipeline. A poisoned version of Trivy (a security scanning tool used in the build pipeline) exfiltrated the token to attacker group TeamPCP. With valid PyPI credentials, TeamPCP published two malicious versions of litellm (1.82.7 and 1.82.8) in a 13-minute window. The malicious payload harvested SSH keys, cloud credentials (GCP, AWS, Azure), kubeconfigs, API keys, and database passwords from every machine that installed either version.

This breach illustrates why non-human identity — API tokens, service accounts, CI/CD credentials — is the largest unmonitored attack surface in modern infrastructure. No MFA applies. No rotation policy existed. The scanning tool exfiltrated the very secret it was supposed to protect.

ShinyHunters (UNC6040) returned to ADT with the same playbook as 2024 — vishing targeting the Okta help desk — but with AI-generated call scripts that made impersonation more convincing and harder to detect in real time. The attacker again obtained a valid Okta session and pivoted to Salesforce. 5.5M customer records including names, addresses, dates of birth, and partial SSNs were confirmed in Have I Been Pwned. ShinyHunters claimed 10M+ Salesforce records.

This is the third ADT breach in 18 months. The attack vector — vishing → help desk reset → valid Okta session → Salesforce data — was identical to the 2024 incident. The 2024 breach produced no process changes sufficient to stop the 2025 attack. Same company. Same attacker group. Same entry point.

This is not a human identity breach. Threat actor UNC6395 compromised Salesloft Drift's OAuth integration credentials and used valid non-human identity tokens to authenticate directly into 700+ Salesforce customer organizations — without ever touching a human credential or MFA prompt. OAuth tokens are post-authentication artifacts: they are issued after MFA completes and grant API access without re-challenging MFA for each call.

UNC6395 ran SOQL queries across all 700 tenants, harvesting user credentials, opportunity data, and customer records — and then searched within those records for embedded AWS access keys, Snowflake tokens, and other cloud credentials. Drift was removed from the Salesforce AppExchange. All active Drift OAuth tokens were revoked August 20. The Salesforce identity layer — OAuth — did exactly what it was designed to do: it trusted the token.

ShinyHunters (UNC6040) breached ADT's Okta environment using vishing — impersonating an employee to manipulate an Okta help desk reset. The valid Okta session was then used to pivot to ADT's Salesforce instance to exfiltrate customer records. This is the same playbook ShinyHunters used across Instructure, Workday, McGraw-Hill, Amtrak, and Infinite Campus — with minor variations. The pattern is consistent enough that Mandiant has documented it as UNC6040's standard operating procedure.

UNC5537 didn't exploit a vulnerability. They logged in. Infostealers (VIDAR, RISEPRO, LummaC2) had harvested Snowflake credentials from employee devices over years — some dating to 2020. UNC5537 bought the credentials on criminal marketplaces, authenticated normally through Snowflake's login page, and ran bulk SELECT queries exporting tens of millions of records. Victims included AT&T (110M records), Ticketmaster (560M records), Santander Bank, LendingTree, and 155 others.

What stopped it: Nothing. Snowflake did not enforce MFA globally at the time — it was opt-in. No alerting existed on bulk data exports from accounts that had never previously exported anything. Snowflake's event logging was a paid add-on that most affected customers hadn't enabled.

APT29 (Cozy Bear — Russian SVR, the SolarWinds group) used password spray against a legacy, non-production OAuth test tenant that had no MFA enabled. The test account had been granted dangerously elevated OAuth permissions: Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, Application.ReadWrite.All. APT29 used those permissions to create new OAuth applications, grant Exchange Online full_access_as_app, and pivot into Microsoft's corporate email — accessing accounts of senior leadership, the cybersecurity team, and legal employees. They were specifically looking for what Microsoft knew about APT29.

Microsoft filed with the SEC under new cyber disclosure rules. CISA issued a federal alert. Attack volume escalated 10× in February 2024. The entry point: a forgotten test account with no MFA that no one had decommissioned.

This breach began with a non-human identity — a Salesforce support service account whose credentials an Okta employee had saved to their personal Chrome profile, which synced to a personal device. That device was compromised. The attacker accessed Okta's customer support portal and downloaded HAR files customers had uploaded for troubleshooting. HAR files contain raw browser session data — including active session cookies and authentication tokens in plaintext. The attacker replayed those tokens against 5 Okta customers, including BeyondTrust, Cloudflare, and 1Password.

The deepest irony in modern security: the world's largest enterprise identity provider was breached via its own support service account, and the credentials to sensitive customer data were exfiltrated in a file format that customers themselves had uploaded for support purposes.

CVE-2023-4966, "CitrixBleed," allowed attackers to extract valid authenticated session tokens directly from Citrix NetScaler ADC memory — no credentials required. The attack delivered a live, authenticated session that had already passed MFA. The attacker never touched the authentication step. Comcast was attacked between October 16–19, 2023, days after Citrix published the patch but before Comcast applied it. 35.9M customer records exposed — including hashed passwords, partial SSNs, and secret Q&A responses.

In April 2026, Comcast agreed to a $117.5M class action settlement — one of the largest data breach settlements on record. The final approval hearing is scheduled for July 7, 2026. The breach itself took four days. The recovery took three years.