Identity ≠ AI Security.
16 Breaches Where Authentication Worked Perfectly.
How RuntimeAI's Identity + Zero-Trust + Defence-in-Depth platform stops these.

An attacker hijacked TanStack's GitHub Actions runner mid-workflow and published malicious npm packages signed with TanStack's legitimate OIDC identity. Downstream npm install ran the payload, which harvested GitHub, npm, AWS, and Kubernetes service-account tokens from every victim machine — fanning the worm forward to their CI pipelines.

Why identity didn't catch it: Every signature was valid. The npm registry's trust model worked perfectly. The OIDC claim came from the real TanStack workflow — because it was the real workflow, just compromised. No password to phish. No MFA to enforce. No human in the loop to question it.

Source: Snyk writeup · Orca analysis

ShinyHunters breached Anodot — a third-party analytics SaaS — and stole the data-warehouse connector tokens Anodot held on its customers' behalf. They used those tokens to log directly into Vimeo's Snowflake and exfiltrated ~119,000 user records via routine SQL queries. Vimeo's own identity stack never saw the attacker. Snowflake's auth worked exactly as specified.

Why identity didn't catch it: The "user" was a trusted vendor's service account doing what it always does — just for the wrong party. The OAuth integration model assumes that if Anodot's token is valid, Anodot is the one using it. That assumption now ships hundreds of millions of records.

Source: SecurityAffairs · Rescana incident report

Same supply-chain path as Vimeo. ShinyHunters used Anodot's stolen connector credentials to authenticate into Rockstar Games' Snowflake and reportedly harvested ~80 million records. Two named victims so far — the actual blast radius across Anodot's customer base is almost certainly larger.

Why this matters more than the headline: One stolen NHI fans out to many downstream tenants. The breach blast radius of a compromised integration vendor is now "every customer using that integration." Salesforce/Drift was 700 tenants. Anodot is still climbing.

Source: HackRead · Bitdefender

Unknown initial vector at Anodot exposed its customers' connector credentials. Attackers used the tokens as-issued — no exploit, no MFA prompt, no anomaly. This is the root-cause incident behind the Vimeo and Rockstar disclosures above.

Why this is the textbook NHI failure: The canonical "trust the integration = trust the attacker" pattern. Most enterprises don't inventory the OAuth tokens their SaaS vendors hold on their behalf — and if you can't list them, you can't rotate them, monitor them, or revoke them on suspicion. The blast radius is the integrator's entire customer book.

Source: RH-ISAC bulletin

Lumma Stealer infected a Context.ai employee in February 2026. The attacker pivoted from the employee's laptop to Context.ai's AWS, exfiltrated OAuth refresh tokens that Vercel and other customers had granted to Context.ai, and used those tokens to log into Google Workspace at the downstream customers. Every login looked legitimate — the refresh tokens were valid and post-MFA.

The new primitive: A sanctioned third-party AI app silently becomes the attacker. The breach started on an employee laptop, propagated through AWS, and emerged at the downstream customers via OAuth grants no one had re-reviewed. "Shadow-AI OAuth scope" is the new long-tail attack surface.

Source: The Register · The Hacker News

Operators bought infostealer logs containing session cookies, then replayed those cookies through geo-matched SOCKS5 proxies to restore authenticated SSO sessions at 50 enterprises. MFA was never prompted because the session was already authenticated — they just resumed it from a location that looked like the original user's.

Why this kills the "MFA solves it" argument: MFA-protected human identity is moot once the session cookie leaves the browser. Every "MFA solves session theft" claim assumes the cookie stays on the device. It doesn't. It syncs to personal devices, ends up in HAR files, gets harvested by infostealers, and ships off to criminal marketplaces.

Source: CyberInsider · Infosecurity Magazine

Instructure operates two account tiers on the same production infrastructure: institutionally-managed accounts (SSO via university IdPs) and a Free-For-Teacher self-enrollment program (no institutional IdP, no verification). ShinyHunters exploited the weaker tier — self-enrolled FFT accounts that shared production tenant access — to exfiltrate 3.65TB across 8,809 institutions over a 7-day window. The second breach occurred one week after the first, using the same vector.

This is Salesforce's problem. The platform — one of the world's largest SaaS systems by data volume — was completely blind to 3.65TB leaving its infrastructure. No exfiltration monitoring. No volume threshold. No anomaly detection. A valid session moved the equivalent of hundreds of millions of records and nothing fired.

A Vercel employee signed up for Context AI (an "AI Office Suite") using their corporate Google Workspace account with "Allow All" OAuth permissions. Context AI was later compromised via Lumma Stealer malware delivered through malicious Roblox scripts — a consumer-facing attack surface that harvested corporate OAuth tokens as a secondary effect. With the Vercel employee's Google OAuth token, the attacker accessed Vercel's internal environments and unclassified environment variables.

This is the AI-era attack surface. Consumer AI tools, personal devices, over-scoped OAuth grants, and zero enforcement of corporate app policies on third-party AI apps create a new credential exfiltration vector that traditional identity governance doesn't see.

This is not a human identity breach. The target was a non-human identity — LiteLLM's PyPI publishing API token stored in its CI/CD pipeline. A poisoned version of Trivy (a security scanning tool used in the build pipeline) exfiltrated the token to attacker group TeamPCP. With valid PyPI credentials, TeamPCP published two malicious versions of litellm (1.82.7 and 1.82.8) in a 13-minute window. The malicious payload harvested SSH keys, cloud credentials (GCP, AWS, Azure), kubeconfigs, API keys, and database passwords from every machine that installed either version.

This breach illustrates why non-human identity — API tokens, service accounts, CI/CD credentials — is the largest unmonitored attack surface in modern infrastructure. No MFA applies. No rotation policy existed. The scanning tool exfiltrated the very secret it was supposed to protect.

ShinyHunters (UNC6040) returned to ADT with the same playbook as 2024 — vishing targeting the Okta help desk — but with AI-generated call scripts that made impersonation more convincing and harder to detect in real time. The attacker again obtained a valid Okta session and pivoted to Salesforce. 5.5M customer records including names, addresses, dates of birth, and partial SSNs were confirmed in Have I Been Pwned. ShinyHunters claimed 10M+ Salesforce records.

This is the third ADT breach in 18 months. The attack vector — vishing → help desk reset → valid Okta session → Salesforce data — was identical to the 2024 incident. The 2024 breach produced no process changes sufficient to stop the 2025 attack. Same company. Same attacker group. Same entry point.

This is not a human identity breach. Threat actor UNC6395 compromised Salesloft Drift's OAuth integration credentials and used valid non-human identity tokens to authenticate directly into 700+ Salesforce customer organizations — without ever touching a human credential or MFA prompt. OAuth tokens are post-authentication artifacts: they are issued after MFA completes and grant API access without re-challenging MFA for each call.

UNC6395 ran SOQL queries across all 700 tenants, harvesting user credentials, opportunity data, and customer records — and then searched within those records for embedded AWS access keys, Snowflake tokens, and other cloud credentials. Drift was removed from the Salesforce AppExchange. All active Drift OAuth tokens were revoked August 20. The Salesforce identity layer — OAuth — did exactly what it was designed to do: it trusted the token.

ShinyHunters (UNC6040) breached ADT's Okta environment using vishing — impersonating an employee to manipulate an Okta help desk reset. The valid Okta session was then used to pivot to ADT's Salesforce instance to exfiltrate customer records. This is the same playbook ShinyHunters used across Instructure, Workday, McGraw-Hill, Amtrak, and Infinite Campus — with minor variations. The pattern is consistent enough that Mandiant has documented it as UNC6040's standard operating procedure.

UNC5537 didn't exploit a vulnerability. They logged in. Infostealers (VIDAR, RISEPRO, LummaC2) had harvested Snowflake credentials from employee devices over years — some dating to 2020. UNC5537 bought the credentials on criminal marketplaces, authenticated normally through Snowflake's login page, and ran bulk SELECT queries exporting tens of millions of records. Victims included AT&T (110M records), Ticketmaster (560M records), Santander Bank, LendingTree, and 155 others.

What stopped it: Nothing. Snowflake did not enforce MFA globally at the time — it was opt-in. No alerting existed on bulk data exports from accounts that had never previously exported anything. Snowflake's event logging was a paid add-on that most affected customers hadn't enabled.

APT29 (Cozy Bear — Russian SVR, the SolarWinds group) used password spray against a legacy, non-production OAuth test tenant that had no MFA enabled. The test account had been granted dangerously elevated OAuth permissions: Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, Application.ReadWrite.All. APT29 used those permissions to create new OAuth applications, grant Exchange Online full_access_as_app, and pivot into Microsoft's corporate email — accessing accounts of senior leadership, the cybersecurity team, and legal employees. They were specifically looking for what Microsoft knew about APT29.

Microsoft filed with the SEC under new cyber disclosure rules. CISA issued a federal alert. Attack volume escalated 10× in February 2024. The entry point: a forgotten test account with no MFA that no one had decommissioned.

This breach began with a non-human identity — a Salesforce support service account whose credentials an Okta employee had saved to their personal Chrome profile, which synced to a personal device. That device was compromised. The attacker accessed Okta's customer support portal and downloaded HAR files customers had uploaded for troubleshooting. HAR files contain raw browser session data — including active session cookies and authentication tokens in plaintext. The attacker replayed those tokens against 5 Okta customers, including BeyondTrust, Cloudflare, and 1Password.

The deepest irony in modern security: the world's largest enterprise identity provider was breached via its own support service account, and the credentials to sensitive customer data were exfiltrated in a file format that customers themselves had uploaded for support purposes.

CVE-2023-4966, "CitrixBleed," allowed attackers to extract valid authenticated session tokens directly from Citrix NetScaler ADC memory — no credentials required. The attack delivered a live, authenticated session that had already passed MFA. The attacker never touched the authentication step. Comcast was attacked between October 16–19, 2023, days after Citrix published the patch but before Comcast applied it. 35.9M customer records exposed — including hashed passwords, partial SSNs, and secret Q&A responses.

In April 2026, Comcast agreed to a $117.5M class action settlement — one of the largest data breach settlements on record. The final approval hearing is scheduled for July 7, 2026. The breach itself took four days. The recovery took three years.