In recent times, prominent retailers such as Adidas, The North Face, Dior, Victoria’s Secret, Cartier, Marks & Spencer, and Co‑op have experienced significant security breaches. These incidents predominantly exploited identity vulnerabilities, including overprivileged access, unmonitored service accounts, and social engineering tactics. Attackers often utilized legitimate credentials and sessions to navigate through SaaS applications undetected. While specific technical details remain undisclosed, recurring patterns have emerged.
1. Adidas: Exploiting Third-Party Trust
Adidas confirmed a data breach resulting from an attack on a third-party customer service provider. Exposed customer data included names, email addresses, and order details. The breach did not involve malware or direct infiltration of Adidas’s systems but stemmed from vulnerabilities within a trusted vendor.
Mechanism in SaaS Identities:
SaaS tokens and service accounts granted to vendors often lack multi-factor authentication (MFA), have indefinite validity, and are frequently overlooked. When such access remains active beyond its necessity, it becomes a potential entry point for attackers, facilitating supply chain compromises without triggering alarms.
Security Implication:
Organizations must extend their security measures beyond internal users to include vendor access. SaaS integrations can persist longer than contractual agreements, necessitating vigilant monitoring and timely revocation of unnecessary access.
2. The North Face: From Password Reuse to Privilege Abuse
The North Face experienced a credential stuffing attack, where threat actors utilized leaked usernames and passwords to access customer accounts. This method bypassed malware and phishing, exploiting weak identity hygiene and the absence of MFA. The attackers exfiltrated personal data, highlighting significant gaps in basic identity controls.
Mechanism in SaaS Identities:
SaaS logins without MFA are prevalent. With valid credentials, attackers can access accounts directly and discreetly, avoiding endpoint protections and alerts.
Security Implication:
Credential stuffing remains a persistent threat. The North Face’s repeated breaches since 2020 underscore the critical need for MFA implementation. While many organizations enforce MFA for employees, service accounts and privileged roles often remain unprotected, presenting exploitable gaps.
3. Marks & Spencer and Co-op: Breached by Borrowed Trust
UK retailers Marks & Spencer and Co-op were reportedly targeted by the threat group Scattered Spider, known for identity-based attacks. The attackers employed SIM swapping and social engineering to impersonate employees, convincing IT help desks to reset passwords and MFA settings. This approach effectively bypassed MFA without the use of malware or phishing.
Mechanism in SaaS Identities:
After bypassing MFA, attackers target overprivileged SaaS roles or dormant service accounts to move laterally within the organization’s systems, harvesting sensitive data or disrupting operations.
Security Implication:
Organizations must implement robust verification processes for password and MFA resets, including multiple verification steps and employee training to recognize social engineering tactics.
4. Dior and Victoria’s Secret: Exploiting Overprivileged Access
Dior and Victoria’s Secret faced breaches where attackers exploited overprivileged access within their systems. By gaining control over accounts with extensive permissions, attackers could access sensitive data and critical systems without detection.
Mechanism in SaaS Identities:
Overprivileged accounts in SaaS environments provide attackers with broad access, facilitating data exfiltration and system manipulation.
Security Implication:
Organizations should enforce the principle of least privilege, regularly auditing and adjusting access rights to ensure users have only the permissions necessary for their roles.
5. Cartier: Unmonitored Service Accounts as Silent Entry Points
Cartier experienced a breach where attackers exploited unmonitored service accounts. These accounts, often created for specific tasks and then forgotten, can serve as undetected entry points for malicious actors.
Mechanism in SaaS Identities:
Dormant or unmonitored service accounts in SaaS platforms can be exploited by attackers to gain access without triggering security alerts.
Security Implication:
Regular audits of service accounts are essential. Organizations should disable or remove accounts that are no longer in use and monitor active accounts for unusual activity.
Conclusion
The recent breaches in the retail sector underscore the evolving nature of cyber threats, particularly identity-based attacks. Organizations must adopt comprehensive security strategies that include enforcing MFA, monitoring service accounts, implementing least privilege access, and educating employees on social engineering tactics. By addressing these vulnerabilities, retailers can enhance their defenses against identity-driven breaches.
