From overprivileged admin roles to long-forgotten vendor tokens, these attackers are slipping through the cracks of trust and access. Here's how five retail breaches unfolded, and what they reveal about…
In recent months, major retailers like Adidas, The North Face, Dior, Victoria's Secret, Cartier, Marks & Spencer, and Co‑op have all been breached. These attacks weren't sophisticated malware or zero-day exploits. They were identity-driven, exploiting overprivileged access and unmonitored service accounts, and used the human layer through tactics like social engineering.
Attackers didn't need to break in. They logged in. They moved through SaaS apps unnoticed, often using real credentials and legitimate sessions.
And while most retailers didn't share all the technical details, the patterns are clear and recurring.
Here's a breakdown of the five recent high-profile breaches in retail:
1. Adidas: Exploiting third-party trust
Adidas confirmed a data breach caused by an attack on a third-party customer service provider. The company said customer data was exposed, including names, email addresses, and order details. No malware. No breach on their side. Just the blast radius of a vendor they trusted.
How these attacks unfold in SaaS identities:
SaaS tokens and service accounts granted to vendors often don't require MFA, don't expire, and fly under the radar. Once access is no longer needed but never revoked, they become silent entry points, perfect for supply chain compromises that map to tactics like T1195.002, giving attackers a way in without setting off alarms.
Security takeaway:
You're not just securing your users. You're securing the access that vendors leave behind, too. SaaS integrations stick around longer than the actual contracts, and attackers know exactly where to look.
2. The North Face: From password reuse to privilege abuse
The North Face confirmed a credential stuffing attack (MITRE T1110.004) where threat actors used leaked credentials (usernames and passwords) to access customer accounts. No malware, no phishing, just weak identity hygiene and no MFA. Once inside, they exfiltrated personal data, exposing a major gap in basic identity controls.
How these attacks unfold in SaaS identities:
SaaS logins without MFA are still everywhere. Once attackers get valid credentials, they can access accounts directly and quietly, without triggering endpoint protections or raising alerts.
Security takeaway:
Credential stuffing is nothing new. It was the fourth credential-based breach for The North Face since 2020. Each one is a reminder that password reuse without MFA is a wide-open door. And while plenty of orgs enforce MFA for employees, service accounts and privileged roles often go unprotected. Attackers know it, and they go where the gaps are.

3. M&S & Co-op: Breached by borrowed trust
UK retailers Marks & Spencer and Co-op were reportedly targeted by the threat group Scattered Spider, known for identity-based attacks. According to reports, they used SIM swapping and social engineering to impersonate employees and trick IT help desks into resetting passwords and MFA, effectively bypassing MFA, all without malware or phishing.
How these attacks unfold in SaaS identities:
Once attackers bypass MFA, they target overprivileged SaaS roles or dormant service accounts to move laterally within the organization's systems, harvesting sensitive data or disrupting operations along the way. Their actions blend in with legitimate user behavior (T1078), and with password resets driven by help desk impersonation (T1556.003), they quietly gain persistence and control without raising any alarms.
Security takeaway:
There's a reason identity-first attacks are spreading. They exploit what's already trusted, and often leave no malware footprint. To reduce risk, track SaaS identity behavior, including both human and non-human activity, and limit help desk privileges through isolation and escalation policies. Targeted training for support staff can also block social engineering before it happens.
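One way to track the help desk reset pattern described above is to correlate reset events with the next login. This is an added example, not from the article; the event schema, user names, device names and one-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed identity-provider audit events, oldest first.
EVENTS = [
    {"ts": "2025-05-01T09:00", "user": "j.doe", "action": "login", "device": "LAPTOP-A"},
    {"ts": "2025-05-02T09:00", "user": "m.roe", "action": "login", "device": "LAPTOP-B"},
    {"ts": "2025-05-20T14:02", "user": "j.doe", "action": "password_reset", "actor": "helpdesk-7"},
    {"ts": "2025-05-20T14:05", "user": "j.doe", "action": "mfa_reset", "actor": "helpdesk-7"},
    {"ts": "2025-05-20T14:11", "user": "j.doe", "action": "login", "device": "UNKNOWN-X"},
    {"ts": "2025-05-21T08:00", "user": "m.roe", "action": "password_reset", "actor": "helpdesk-2"},
    {"ts": "2025-05-21T08:10", "user": "m.roe", "action": "login", "device": "LAPTOP-B"},
]
RESET_ACTIONS = {"password_reset", "mfa_reset"}

def risky_resets(events, window=timedelta(hours=1)):
    """Flag logins from a never-seen device that follow a password AND MFA reset."""
    known_devices = {}   # user -> devices seen on earlier logins
    last_reset = {}      # user -> {action: (time, help desk actor)}
    alerts = []
    for ev in events:
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["action"] in RESET_ACTIONS:
            last_reset.setdefault(user, {})[ev["action"]] = (ts, ev["actor"])
        elif ev["action"] == "login":
            seen = known_devices.setdefault(user, set())
            recent = {a: v for a, v in last_reset.get(user, {}).items()
                      if ts - v[0] <= window}
            # Both factors were replaced shortly before an unfamiliar device appeared.
            if ev["device"] not in seen and set(recent) == RESET_ACTIONS:
                actors = sorted({actor for _, actor in recent.values()})
                alerts.append((user, ev["device"], actors))
            seen.add(ev["device"])
    return alerts

if __name__ == "__main__":
    for user, device, actors in risky_resets(EVENTS):
        print(f"review {user}: new device {device} after resets by {actors}")
```

The routine password reset for m.roe, followed by a login from a known device, produces no alert; recording the help desk actor gives responders the ticket trail to check for impersonation.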
4. Victoria's Secret: When SaaS admins go unchecked
Victoria's Secret delayed its earnings release after a cyber incident disrupted both e-commerce and in-store systems. While few details were disclosed, the impact aligns with scenarios involving internal disruption through SaaS systems that manage retail operations, like inventory, order processing, or analytics tools.
How these attacks unfold in SaaS identities:
The real risk isn't just compromised credentials. It's the unchecked power of overprivileged SaaS roles. When a misconfigured admin or stale token gets hijacked (T1078.004), attackers don't need malware. They can disrupt core operations, from inventory management to order processing, all within the SaaS layer. No endpoints. Just destruction (T1485) at scale.
Security takeaway:
SaaS roles are powerful and often forgotten. A single overprivileged identity with access to critical business applications can trigger chaos, making it crucial to apply stringent access controls and continuous monitoring to these high-impact identities before it's too late.
5. Cartier & Dior: The hidden cost of customer support
Cartier and Dior disclosed that attackers accessed customer information via third-party platforms used for CRM or customer service functions. These weren't infrastructure hacks; they were breaches through platforms meant to help customers, not expose them.
How these attacks unfold in SaaS identities:
Customer support platforms are often SaaS-based, with persistent tokens and API keys quietly connecting them to internal systems. These non-human identities (T1550.003) rarely rotate, often escape centralized IAM, and become easy wins for attackers targeting customer data at scale.
Security takeaway:
If your SaaS platforms touch customer data, they're part of your attack surface. And if you're not tracking how machine identities access them, you're not protecting the frontlines.
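The vendor-token problem from the Adidas section and the non-rotating machine identities described here can both be checked with a periodic inventory audit. The sketch below is an added example, not from the article; the inventory fields, identifiers, dates and thresholds are constructed assumptions.

```python
from datetime import date

TODAY = date(2025, 7, 1)  # fixed so the example is reproducible

# Constructed inventory of non-human identities (tokens, API keys, service accounts).
INVENTORY = [
    {"id": "tok-support-crm", "owner": "vendor:helpdesk-co", "expires": None,
     "last_rotated": date(2023, 11, 2), "last_used": date(2025, 6, 30),
     "contract_end": None, "scopes": ["customers:read"]},
    {"id": "svc-old-analytics", "owner": "vendor:metrics-inc", "expires": None,
     "last_rotated": date(2024, 1, 15), "last_used": date(2024, 9, 1),
     "contract_end": date(2024, 12, 31), "scopes": ["admin"]},
    {"id": "key-ci-deploy", "owner": "team:platform", "expires": date(2025, 9, 1),
     "last_rotated": date(2025, 6, 1), "last_used": date(2025, 6, 30),
     "contract_end": None, "scopes": ["deploy:write"]},
]

def audit(inventory, today=TODAY, max_key_age=90, max_idle=60):
    """Return {identity id: {"action", "findings"}}, worst offenders first."""
    report = {}
    for item in inventory:
        findings = []
        if item["expires"] is None:
            findings.append("never expires")
        if (today - item["last_rotated"]).days > max_key_age:
            findings.append("rotation overdue")
        if (today - item["last_used"]).days > max_idle:
            findings.append("dormant")
        if item["contract_end"] and item["contract_end"] < today:
            findings.append("vendor contract ended")
        if "admin" in item["scopes"]:
            findings.append("admin scope")
        if not findings:
            continue
        # Access nobody needs any more is revoked; access still in use is rotated.
        unneeded = {"dormant", "vendor contract ended"} & set(findings)
        action = "revoke" if unneeded else "rotate and set expiry"
        report[item["id"]] = {"action": action, "findings": findings}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1]["findings"])))

if __name__ == "__main__":
    for ident, result in audit(INVENTORY).items():
        print(ident, result["action"], result["findings"])
```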
Closing Thought: Your SaaS identities aren’t invisible. They’re simply unmonitored.
Your SaaS identities aren't invisible; they're just unmonitored. These breaches didn't need fancy exploits. They just needed a misplaced trust, a reused credential, an unchecked integration, or an account no one reviewed.
While security teams have locked down endpoints and hardened SaaS logins, the real gaps lie in those hidden SaaS roles, dormant tokens, and overlooked help desk overrides. If these are still flying under the radar, the breach already has a head start.
Wing Security was built for this.
Wing's multi-layered platform continuously protects your SaaS stack, discovering blind spots, hardening configurations, and detecting SaaS identity threats before they escalate.
It's one source of truth that connects the dots across apps, identities, and risks, so you can cut through the noise and stop breaches before they start.