Salesforce Siege: 4.5M Exposed

Why the "Allow" button is your new security perimeter.

David Hawks

9 February 2026


We borrow trust from our cloud providers. We borrow trust from our SaaS vendors. We borrow trust from identity providers that act as the keys to our kingdoms.

This week, that foundation wobbled.

The ShinyHunters campaign against Salesforce, which hit Google, Allianz, and others, demonstrates something uncomfortable: we have connected critical data to so many third-party conduits that we no longer know where our perimeter lies. When a threat actor bypasses your defences not by hacking a firewall but by asking an employee to authorise an OAuth token, we have to admit our architectural model is broken.

We are trying to solve structural problems with behavioural training. It is failing.

The Week's Signals

1. The Salesforce Siege

ShinyHunters orchestrated a coordinated campaign against Salesforce instances across major corporations. Google confirmed its instance was compromised in June 2025, affecting 2.55 million business contact records. Allianz Life followed—1.1 million customer records exposed through the same vector.

The method: voice phishing combined with OAuth consent grants. Attackers called employees, posed as IT, and directed them to authorise a malicious application disguised as Salesforce's Data Loader. Once the user clicked "Allow," the attackers had a persistent API token that worked regardless of password changes or MFA.

Executive takeaway: You have spent a decade teaching users to protect passwords. You failed to teach them to protect permissions. An OAuth token is a key that does not expire when credentials change. Audit third-party app integrations in Salesforce, Microsoft 365, and Google Workspace. If you lack an automated policy blocking unverified apps, you are relying on the discretion of your most tired employee.

Go deeper into OAuth consent controls.


2. The Death of the SSN

National Public Data exposed 2.7 billion records—Social Security Numbers for nearly every adult in the United States, alongside personal data for citizens of the US, Canada, and the UK.

This breach ends an era. The US financial system has treated the SSN as a secret authenticator for decades. That fiction is now unsustainable. The data is out, searchable, and cheap.

Executive takeaway: Assume Knowledge-Based Authentication is dead. If your helpdesk verifies users by asking for the last four digits of their SSN or their mother's maiden name, you are verifying that the caller has internet access. Move to FIDO2 hardware keys and biometric verification.

Go deeper into post-KBA authentication.


3. Geopolitics in the Inbox

Google's Threat Analysis Group reported that APT42, an Iranian state-sponsored actor, has targeted US presidential campaigns. This is not a smash-and-grab—it is a persistence campaign. They research targets, understand communication patterns, and insert themselves into conversations.

Executive takeaway: Your executives are targets not just for their bank access but for their influence. Protection of personal email accounts for your C-suite is now a corporate security imperative. You cannot secure corporate email while leaving the personal backdoor wide open.

Go deeper into executive account protection.


Focus on: The Shadow SaaS Kill Chain

The ShinyHunters campaign represents something more than a breach. It represents the industrialisation of "Shadow SaaS" attacks.

For a decade, the architectural advice was consistent: move to the cloud, it is more secure. And in many ways, it was true. Amazon, Google, and Salesforce can patch servers faster than your internal team. We successfully outsourced infrastructure management.

But in doing so, we shifted risk from the server to the identity. The adversary has followed.

OAuth Consent Phishing operates differently from credential theft:

  • The lure comes via telephone—a channel with zero digital filtering

  • The payload asks for permissions, not passwords

  • The result is a token that survives password changes and bypasses MFA

Traditional defences fail because the "malware" is a cloud-to-cloud permission. Endpoint protection sees nothing. Firewalls see encrypted traffic to legitimate domains.

The control pattern:

  1. Move from "block bad apps" to "allow good apps"—configure identity providers to block all third-party API connections by default

  2. Audit existing OAuth grants now—revoke apps with high-impact scopes that have not been used in months

  3. Kill the "IT calling you" trust model—implement out-of-band verification protocols
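The control pattern above, expressed as a policy check in Python. This is an added example and not code from the newsletter: it pins approved apps by OAuth client_id rather than by the display name the user saw on the consent screen (the same name a disguised app can copy), and flags high-impact scopes unused for 90 days for revocation. The client IDs, the choice of scope set, the 90-day window and the sample grants are all constructed.

```python
"""Evaluate OAuth grants against an allow-list and a stale high-impact-scope rule."""
from dataclasses import dataclass
from datetime import date, timedelta

# Step 1: default deny. Approved apps are pinned by OAuth client_id, not by the
# display name on the consent screen, which a disguised app can copy. Constructed IDs.
ALLOWED_CLIENT_IDS = {"cid-dataloader-official", "cid-payroll-sync"}
# Step 2: scopes treated as high impact (broad data access, long-lived refresh).
# Names follow Salesforce connected-app scopes; the chosen set is an assumption.
HIGH_IMPACT_SCOPES = {"full", "api", "refresh_token", "offline_access"}
STALE_AFTER = timedelta(days=90)
AUDIT_DATE = date(2026, 2, 9)  # the newsletter's date, used as "today"

@dataclass(frozen=True)
class Grant:
    app_name: str       # what the user saw when clicking "Allow"
    client_id: str      # what the identity provider actually authorised
    scopes: frozenset
    last_used: date

def evaluate(grant: Grant, today: date) -> str:
    """Return 'keep' or a 'revoke: <reason>' verdict for one grant."""
    if grant.client_id not in ALLOWED_CLIENT_IDS:
        return f"revoke: client_id {grant.client_id!r} not on allow-list"
    risky = sorted(grant.scopes & HIGH_IMPACT_SCOPES)
    if risky and today - grant.last_used > STALE_AFTER:
        return f"revoke: high-impact scopes {risky} unused for >{STALE_AFTER.days} days"
    return "keep"

def audit(grants, today: date) -> dict:
    """Map each grant's client_id to its verdict."""
    return {g.client_id: evaluate(g, today) for g in grants}

# Constructed sample grants, including a look-alike that reuses the real app's
# display name, the disguise described in the campaign above.
SAMPLE_GRANTS = [
    Grant("Salesforce Data Loader", "cid-dataloader-official",
          frozenset({"api", "refresh_token"}), date(2026, 2, 5)),
    Grant("Salesforce Data Loader", "cid-dl-lookalike",
          frozenset({"full", "refresh_token"}), date(2026, 2, 6)),
    Grant("Payroll Sync", "cid-payroll-sync",
          frozenset({"full", "offline_access"}), date(2025, 9, 1)),
]

if __name__ == "__main__":
    for cid, verdict in audit(SAMPLE_GRANTS, AUDIT_DATE).items():
        print(f"{cid:26} {verdict}")
```

The look-alike is revoked even though its display name matches the approved app exactly; the genuine Payroll Sync grant is revoked only because its broad scopes have sat idle past the window.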

Go deeper into OAuth governance.


In the Wild

RansomHub rises. Following disruption of LockBit and ALPHV, RansomHub has consolidated displaced affiliates under one banner. Higher operational security and more ruthless negotiation should be expected.

Qilin harvests credentials. The ransomware group is stealing saved passwords and session cookies from Chrome, enabling a pivot from compromised laptops into cloud infrastructure. Disable password saving in enterprise browsers.

MacStealer spreads. New malware targeting iCloud Keychain and browser cookies via fake job offers and pirated software. Developer endpoints are at particular risk.

Go deeper into active threat patterns.


AI in Practice

California's SB 1047 introduces severe liability for AI developers, mandating kill switches for large models and holding developers responsible if models cause critical harm.

The practical impact for enterprises: supply chain liability. If you build on an open-source model that later becomes non-compliant or is killed via mandatory switch, your product stops working.

Three actions:

  1. Build model agnosticism into your architecture—create abstraction layers allowing you to swap underlying models

  2. Document AI safety protocols and shutdown procedures now, before compliance becomes mandatory

  3. Assess which AI dependencies sit in the "grey zone" of smaller, offshore models

Go deeper into AI liability planning.


Poll of the Week

What is your current OAuth governance posture?

  • We allow all third-party apps by default
  • We block unverified apps but allow self-service requests
  • All third-party apps require IT approval
  • We do not know


The friction is the safety.

If your security architecture requires 100% human perfection to remain secure, you have failed as an architect. We need to stop blaming users for clicking links and start blaming systems that allow those links to execute. We need to stop blaming developers for typos and start blaming pipelines that allow secrets to be committed publicly.

Resilience is not about preventing errors. It is about absorbing them.

— David

Tomorrow: The Long Read expands on OAuth consent phishing, threat actor consolidation, and what "model agnosticism" looks like in practice.

