Your Company Uses Hundreds of Cloud Apps. Security Teams Can See Inside Almost None of Them.

Three real breaches show how misconfigured software-as-a-service tools leak customer records, private messages, and source code, all without anyone breaking down a single door.

ThreatVectr Newsdesk· 4 min read
A digital representation of cybersecurity shields and email icons, illustrating the concept of email security
Share

Key points

  • In 2023, Salesforce Community sites belonging to government agencies, banks, and healthcare providers exposed Social Security numbers and home addresses because administrators had set guest access permissions too broadly.
  • In April 2022, GitHub disclosed that attackers used stolen OAuth tokens (permission passes that let one app talk to another) to download private code repositories from dozens of organisations, including npm, the world's largest software package library.
  • In 2023, researchers at Wiz found that Microsoft's own AI team had left 38 terabytes of internal data, including over 30,000 private Teams messages, exposed through a single misconfigured access token for nearly two years.
  • Research published by AppOmni in 2024 found that 49 percent of Microsoft 365 organisations believed they had fewer than ten external apps connected to their accounts, when the real average was over one thousand.
  • Security teams typically have clear visibility into roughly one in ten of the cloud apps their organisation actually runs.

Most companies have spent serious money on cybersecurity. Antivirus software, round-the-clock monitoring, cloud safety checks: the works. And yet, ask a security team who currently holds administrator access inside their Salesforce account (the popular customer-management platform used by thousands of businesses), and you will often get silence.

Not negligence. Genuine blindness.

This is the SaaS blind spot. SaaS stands for Software as a Service, meaning software you rent over the internet rather than install on your own computers. Think Salesforce, Microsoft 365, GitHub, Slack, Workday. Your staff use these tools every day. Your customer records, financial reports, and source code live inside them. And the security tools most organisations rely on were simply never designed to look inside them.

How did attackers get into systems that were never technically hacked?

In each of the three cases below, nobody smashed through a firewall. The door was already open.

Salesforce, 2023. Salesforce Communities is a feature that lets companies build customer-facing websites powered by Salesforce data. Administrators can grant "guest" access to outside visitors, but if those permissions are set too generously, anyone who knows the right web address can query the underlying database directly. That is what happened. Over 150,000 companies were potentially sitting in that window, exposing Social Security numbers, bank account details, and home addresses. Salesforce confirmed the platform itself was not at fault. Administrators had misconfigured the guest settings, and nobody had gone back to check.

GitHub, 2022. When your team connects a third-party tool to GitHub (the platform where developers store and share code) it receives an OAuth token, essentially a permission pass that lets the two services talk to each other. In April 2022, attackers obtained OAuth tokens belonging to two popular developer tools, Heroku and Travis CI, both of which organisations had connected to their GitHub accounts. GitHub's own systems were untouched. The attackers walked in through the third-party tools, which had been quietly broken into, and downloaded private code repositories from dozens of companies.

Microsoft, 2023. Wiz Research discovered that a Microsoft AI research team had shared a link to a training dataset on GitHub. The link contained an Azure access token, a kind of digital key, that was configured far too broadly. Instead of opening one folder, it unlocked an entire storage account holding 38 terabytes of data, private encryption keys, passwords, and more than 30,000 internal Teams chat messages. That token had sat exposed since October 2021. Nearly two years, inside one of the world's best-resourced technology companies.

The pattern across all three is identical. A configuration set slightly too permissive, often under time pressure, never revisited.

Traditional security tools, the kind that watch servers and network traffic, are not built to inspect whether a Salesforce guest profile has too much access, or whether a GitHub OAuth token granted two years ago still needs to exist. A category of software called SSPM (SaaS Security Posture Management, meaning tools specifically designed to monitor the settings inside cloud apps) addresses this gap. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged exactly this blind spot in its Secure Cloud Business Applications guidance.

You do not need specialist software immediately to start reducing the risk. Four practical steps help right away:

  • Audit every third-party app connected to your main cloud platforms, and revoke any whose business purpose you cannot immediately explain.
  • Review guest and external sharing permissions in Salesforce and Microsoft SharePoint (Microsoft's document-sharing platform).
  • Confirm that legacy sign-in methods are switched off in Microsoft 365. These older methods bypass multi-factor authentication, the security step that asks for a second confirmation beyond a password.
  • Run a quarterly review of who holds high-level admin access in your cloud apps, not just once a year.

If your organisation's customer data, employee records, or financial information lives inside a cloud app, knowing what that app can share, and with whom, is a reasonable place to start.

© 2026 Threat Vectr