From overprivileged admin roles to long-forgotten vendor tokens, these attackers are slipping via the cracks of belief and entry. Here is how 5 retail breaches unfolded, and what they reveal about…
In latest months, main retailers like Adidas, The North Face, Dior, Victoria’s Secret, Cartier, Marks & Spencer, and Co‑op have all been breached. These assaults weren’t subtle malware or zero-day exploits. They had been identity-driven, exploiting overprivileged entry and unmonitored service accounts, and used the human layer via techniques like social engineering.
Attackers did not want to interrupt in. They logged in. They moved via SaaS apps unnoticed, typically utilizing actual credentials and legit classes.
And whereas most retailers did not share all of the technical particulars, the patterns are clear and recurring.
Here is a breakdown of the 5 latest high-profile breaches in retail:
1. Adidas: Exploiting third-party belief
Adidas confirmed a knowledge breach brought on by an assault on a third-party customer support supplier. The corporate mentioned buyer information was uncovered, together with names, electronic mail addresses, and order particulars. No malware. No breach on their facet. Simply the blast radius of a vendor they trusted.
How these assaults unfold in SaaS identities:
SaaS tokens and repair accounts granted to distributors typically do not require MFA, do not expire, and fly underneath the radar. As soon as entry is not wanted however by no means revoked, they grow to be silent entry factors, excellent for provide chain compromises that map to techniques like T1195.002, giving attackers a manner in with out setting off alarms.
Safety takeaway:
You are not simply securing your customers. You are securing the entry that distributors depart behind, too. SaaS integrations stick round longer than the precise contracts, and attackers know precisely the place to look.
2. The North Face: From password reuse to privilege abuse
The North Face confirmed a credential stuffing assault (MITRE T1110.004) the place risk actors used leaked credentials (usernames and passwords) to entry buyer accounts. No malware, no phishing, simply weak id hygiene and no MFA. As soon as inside, they exfiltrated private information, exposing a serious hole in primary id controls.
How these assaults unfold in SaaS identities:
SaaS logins with out MFA are nonetheless in all places. As soon as attackers get legitimate credentials, they’ll entry accounts straight and quietly, no want triggering endpoint protections or elevating alerts.
Safety takeaway:
Credential stuffing is nothing new. It was the fourth credential-based breach for The North Face since 2020. Each is a reminder that password reuse with out MFA is a wide-open door. And whereas loads of orgs implement MFA for workers, service accounts, and privileged roles, many occasions they go unprotected. Attackers understand it, they usually go the place the gaps are.
Need to go deeper? Obtain the ‘SaaS Id Safety Information‘ to discover ways to proactively safe each id, human or non-human, throughout your SaaS stack.
3. M&S & Co-op: Breached by borrowed belief
UK retailers Marks & Spencer and Co-op had been reportedly focused by the risk group Scattered Spider, identified for identity-based assaults. Based on experiences, they used SIM swapping and social engineering to impersonate staff and trick IT assist desks into resetting passwords and MFA, successfully bypassing MFA, all with out malware or phishing.
How these assaults unfold in SaaS identities:
As soon as attackers bypass MFA, they aim overprivileged SaaS roles or dormant service accounts to maneuver laterally inside the group’s methods, harvesting delicate information or disrupting operations alongside the way in which. Their actions mix in with official consumer conduct (T1078), and with password resets pushed by assist desk impersonation (T1556.003), they quietly achieve persistence and management with out elevating any alarms.
Safety takeaway:
There is a cause identity-first assaults are spreading. They exploit what’s already trusted, and sometimes depart no malware footprint. To cut back threat, monitor SaaS id conduct, together with each human and non-human exercise, and restrict assist desk privileges via isolation and escalation insurance policies. Focused coaching for assist employees may also block social engineering earlier than it occurs.
4. Victoria’s Secret: When SaaS admins go unchecked
Victoria’s Secret delayed its earnings launch after a cyber incident disrupted each e-commerce and in-store methods. Whereas few particulars had been disclosed, the influence aligns with situations involving inside disruption via SaaS methods that handle retail operations, like stock, order processing, or analytics instruments.
How these assaults unfold in SaaS identities:
The true threat is not simply compromised credentials. It is the unchecked energy of overprivileged SaaS roles. When a misconfigured admin or stale token will get hijacked (T1078.004), attackers do not want malware. They will disrupt core operations, from stock administration to order processing, all inside the SaaS layer. No endpoints. Simply destruction (T1485) at scale.
Safety takeaway:
SaaS roles are highly effective and sometimes forgotten. A single overprivileged id with entry to crucial enterprise purposes can set off chaos, making it essential to use stringent entry controls and steady monitoring to those high-impact identities earlier than it is too late.
5. Cartier & Dior: The hidden price of buyer assist
Cartier and Dior disclosed that attackers accessed buyer info through third-party platforms used for CRM or customer support features. These weren’t infrastructure hacks; they had been breaches via platforms meant to assist clients, not expose them.
How these assaults unfold in SaaS identities:
Buyer assist platforms are sometimes SaaS-based, with persistent tokens and API keys quietly connecting them to inside methods. These non-human identities (T1550.003) not often rotate, typically escape centralized IAM, and grow to be simple wins for attackers concentrating on buyer information at scale.
Safety takeaway:
In case your SaaS platforms contact buyer information, they’re a part of your assault floor. And if you happen to’re not monitoring how machine identities entry them, you are not defending the frontlines.
Closing Thought: Your SaaS identities aren’t invisible. They’re simply unmonitored.
Your SaaS identities aren’t invisible; they’re simply unmonitored. These breaches did not want fancy exploits. They only wanted a misplaced belief, a reused credential, an unchecked integration, or an account nobody reviewed.
Whereas safety groups have locked down endpoints and hardened SaaS logins, the actual gaps lie in these hidden SaaS roles, dormant tokens, and ignored assist desk overrides. If these are nonetheless flying underneath the radar, the breach already has a head begin.
Wing Safety was constructed for this.
Wing’s multi-layered platform constantly protects your SaaS stack, discovering blind spots, hardening configurations, and detecting SaaS id threats earlier than they escalate.
It is one supply of reality that connects the dots throughout apps, identities, and dangers, so you may reduce via the noise and cease breaches earlier than they begin.
👉 Get a demo of Wing Safety to see what’s hiding in your SaaS id layer.
