A kill-chain teardown of 8 of the most consequential breaches in recent memory — and the SOC 2 controls that would have stopped every single one.

Introduction

Between 2023 and 2025, a series of breaches in the SaaS and cloud ecosystem rewrote the rules of what it means to be a "secure" company. Ticketmaster lost 560 million customer records through a Snowflake account. Cl0p exploited a single SQL injection flaw in MOVEit Transfer and compromised over 963 organizations. North Korea drained $1.46 billion from Bybit by manipulating a multisig signing interface. Okta's own support system became the entry point for attacks on 1Password, Cloudflare, and BeyondTrust. AT&T lost call metadata for nearly every US wireless customer through a Snowflake tenant that had no MFA. Citrix Bleed allowed session tokens to be siphoned out of device memory through a single malformed HTTP request. A legacy test account at Microsoft was compromised by Russian state hackers using a password spray, leading to source code exfiltration. And Cloudflare's entire Atlassian suite was accessed using credentials stolen from Okta's support system — credentials that were never rotated after the breach.

What connects all eight of these incidents is not sophisticated zero-day research. It's not exotic malware. It's the same three failures, repeated at scale:

  1. Identity controls that weren't enforced — MFA absent on service accounts, password-only authentication on critical infrastructure, session tokens stored insecurely.
  2. Third-party trust that wasn't validated — vendor credentials not rotated after breaches, integrations with admin-level access to SaaS apps, HAR files uploaded to support portals with active session tokens inside them.
  3. Dormant credentials that were never cleaned up — legacy test accounts, old integrations, service tokens for products no longer in use.

This article is a kill-chain teardown of all eight incidents, with MITRE ATT&CK mapping, SOC 2 Trust Services Criteria (TSC) control analysis, and the 30-day remediation that would have prevented each breach. It closes with a 90-day SaaS hardening roadmap and a free SOC 2 toolkit download so you can audit your own controls before an attacker does it for you.

Case Study 1: Snowflake / Ticketmaster — Service Account MFA Gap

TL;DR: UNC5537, the actor behind the ShinyHunters sales listings, breached roughly 165 Snowflake customer accounts using credentials stolen by infostealer malware, some of them years old. None of the compromised accounts had MFA, and none was protected by a Snowflake network policy. Ticketmaster: 560 million records exposed. Total impact: an estimated $2–3 billion in collective breach costs.

Timeline

Date | Event
April 14, 2024 | First unauthorized access to AT&T's Snowflake tenant
April 25, 2024 | AT&T data exfiltration completed
May 28, 2024 | ShinyHunters advertises 560M Ticketmaster records for sale on Breach Forums
May 31, 2024 | Live Nation/Ticketmaster confirms breach via SEC Form 8-K
June 5, 2024 | TechCrunch reports 500+ Snowflake customer credentials publicly exposed
June 2024 | Snowflake announces it will move toward requiring MFA on all customer accounts; admin-side MFA enforcement ships the following month

MITRE ATT&CK Mapping

Failed SOC 2 Controls

What a 30-Day Fix Would Have Looked Like

Enforce MFA on every human Snowflake user, and move service accounts off passwords to key-pair or OAuth authentication (MFA does not apply to them). Rotate credentials for any account that was ever used from a device with a known infostealer infection, on the assumption the secret is already for sale. Apply Snowflake network policies that allowlist corporate and pipeline egress IPs, at minimum for ACCOUNTADMIN and other privileged roles. Audit service accounts and rotate any credential found in browser-stored password managers or committed to source control. Watch LOGIN_HISTORY for logins from unfamiliar client applications such as DBeaver or unexpected Python connectors, the access pattern Mandiant described in this campaign.
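As an added example (not code from the original article or from Snowflake), the policy above expressed as a check over user records. The field names mirror the columns of Snowflake's SHOW USERS output; the records, the 90-day dormancy threshold and the finding messages are constructed for the example. It also covers the dormant-account problem from Cases 7 and 8, since the same pass over the user list answers both questions.

```python
from datetime import datetime, timedelta, timezone

# Constructed records shaped like the columns that Snowflake's SHOW USERS (or
# SNOWFLAKE.ACCOUNT_USAGE.USERS) returns; every value below is made up.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
USERS = [
    {"name": "ALICE", "type": "PERSON", "has_password": True, "has_rsa_public_key": False,
     "ext_authn_duo": True, "disabled": False, "last_success_login": NOW - timedelta(days=1)},
    {"name": "BOB", "type": "PERSON", "has_password": True, "has_rsa_public_key": False,
     "ext_authn_duo": False, "disabled": False, "last_success_login": NOW - timedelta(days=3)},
    {"name": "ETL_SVC", "type": "LEGACY_SERVICE", "has_password": True, "has_rsa_public_key": False,
     "ext_authn_duo": False, "disabled": False, "last_success_login": NOW - timedelta(hours=2)},
    {"name": "BI_SVC", "type": "SERVICE", "has_password": False, "has_rsa_public_key": True,
     "ext_authn_duo": False, "disabled": False, "last_success_login": NOW - timedelta(days=2)},
    {"name": "OLD_CONTRACTOR", "type": "PERSON", "has_password": True, "has_rsa_public_key": False,
     "ext_authn_duo": False, "disabled": False, "last_success_login": NOW - timedelta(days=400)},
    {"name": "MIGRATION_TEST", "type": "PERSON", "has_password": True, "has_rsa_public_key": False,
     "ext_authn_duo": False, "disabled": False, "last_success_login": None},
]

DORMANT_AFTER = timedelta(days=90)  # policy threshold, an assumption for this example

NO_MFA = "human user authenticates with a password and has no MFA enrolled"
SVC_PASSWORD = "service account authenticates with a password (should be key-pair or OAuth)"
SVC_NO_KEY = "service account has no RSA public key configured"
DORMANT = "dormant: no successful login in the last 90 days"


def audit_user(user, now=NOW):
    """Return the policy findings for one user record (empty list = compliant)."""
    findings = []
    if user["disabled"]:
        return findings            # a disabled account cannot be used; nothing to report
    if user["type"] == "PERSON":
        # ext_authn_duo is Snowflake's flag for an enrolled MFA (Duo) factor
        if user["has_password"] and not user["ext_authn_duo"]:
            findings.append(NO_MFA)
    else:                          # SERVICE / LEGACY_SERVICE
        if user["has_password"]:
            findings.append(SVC_PASSWORD)
        if not user["has_rsa_public_key"]:
            findings.append(SVC_NO_KEY)
    last = user["last_success_login"]
    if last is None or now - last > DORMANT_AFTER:
        findings.append(DORMANT)
    return findings


def audit(users, now=NOW):
    """Map user name -> findings for every non-compliant user."""
    report = {}
    for user in users:
        findings = audit_user(user, now)
        if findings:
            report[user["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(USERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

In a real tenant the input comes from SHOW USERS or the SNOWFLAKE.ACCOUNT_USAGE.USERS view, and a finding on a service account should be followed by a network-policy check, which this script does not attempt.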

Cost of Breach vs. Prevention

Ticketmaster breach cost estimated at $400–600 million. The Snowflake customer campaign collectively cost organizations over $2 billion. Prevention cost for a mid-size organization: MFA enforcement, credential rotation, and automated monitoring — $15,000–$40,000.

Case Study 2: MOVEit Transfer — SQL Injection Chain

TL;DR: Cl0p exploited a critical SQL injection zero-day (CVE-2023-34362) in Progress Software's MOVEit Transfer. Over 963 organizations compromised. 58+ million individuals affected. Cl0p made an estimated $75–100 million in ransom payments. Zero ransomware deployed — pure data extortion.

Timeline

Date | Event
May 27, 2023 | Cl0p begins mass exploitation of CVE-2023-34362 (Memorial Day weekend)
May 31, 2023 | Progress Software discloses the vulnerability and releases a patch
June 2, 2023 | CVE-2023-34362 published
June 4, 2023 | Microsoft attributes the attacks to Lace Tempest (Cl0p)
June 9, 2023 | Second SQL injection vulnerability (CVE-2023-35036) disclosed and patched
June 14, 2023 | Cl0p begins publishing victim names on its leak site
June 15–16, 2023 | Third vulnerability (CVE-2023-35708) disclosed and patched
July 5–6, 2023 | Three more flaws patched: two SQL injections (CVE-2023-36934, CVE-2023-36932) and one unhandled-exception bug (CVE-2023-36933)

MITRE ATT&CK Mapping

Failed SOC 2 Controls

What a 30-Day Fix Would Have Looked Like

Because CVE-2023-34362 was exploited as a zero-day, no patch SLA would have stopped the first wave; the controls that mattered were exposure and blast radius. Keep MOVEit (and any managed file-transfer appliance) off the open internet or behind an allowlisting proxy, so a planted web shell cannot be reached from outside. On disclosure, block HTTP/HTTPS (ports 80 and 443) to the MOVEit servers as Progress advised, apply the vendor patch within 72 hours, and put a WAF with SQL injection rules in front of the product as a compensating control, not a substitute. Rotate the Azure Blob storage keys and service-account credentials the product holds, since a web shell can read its configuration. Then review IIS and MOVEit event logs back to May 27 for unexpected .aspx files in the web root and for bulk file downloads by accounts that do not normally pull data.
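An added example, not MOVEit's code (that product is ASP.NET and the flaw was never published in source form): the bug class beside its fix, on an in-memory SQLite table with constructed rows. The lookup functions and the two payloads are the example's own.

```python
import sqlite3

# In-memory user store standing in for a file-transfer product's database.
# Constructed sample data; nothing here is MOVEit's schema or code.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT, api_key TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.test", "k-1111"),
        ("bob", "bob@example.test", "k-2222"),
        ("svc_transfer", "svc@example.test", "k-3333"),
    ])
    return db


def lookup_vulnerable(db, username):
    """The bug class: untrusted input is spliced into the SQL text itself."""
    sql = "SELECT username, api_key FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, username):
    """The fix: the input is bound as data, so it can never change the query's grammar."""
    return db.execute(
        "SELECT username, api_key FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two constructed payloads: the first turns the WHERE clause into a tautology,
# the second appends a UNION that reads schema metadata (the reconnaissance step
# that precedes bulk data theft). The trailing -- comments out the closing quote.
TAUTOLOGY = "nobody' OR '1'='1"
UNION_SCHEMA = "nobody' UNION SELECT name, sql FROM sqlite_master--"


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, TAUTOLOGY))       # every user and every API key
    print(lookup_vulnerable(db, UNION_SCHEMA))    # the CREATE TABLE statement
    print(lookup_parameterized(db, TAUTOLOGY))    # []
    print(lookup_parameterized(db, "alice"))      # [('alice', 'k-1111')]
```

A WAF rule can block the two payloads shown and still miss the third one an attacker writes; the parameterized version has no payload to miss, which is why the fix belongs in the code and the WAF stays a compensating control.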

Cost of Breach vs. Prevention

The MOVEit campaign cost organizations $3–4 billion in aggregate. Prevention: WAF + 72-hour patch SLA + vendor advisory subscription — $10,000–$30,000/year.

Case Study 3: Bybit — $1.46 Billion Multisig Signing UI Compromise

TL;DR: North Korea's Lazarus Group (the TraderTraitor cluster) compromised Bybit's Ethereum multisig cold wallet by modifying the JavaScript that Safe{Wallet} served from its AWS S3 bucket. The tampered front end showed Bybit's signers a routine transfer while feeding their hardware wallets a different transaction: a delegatecall that swapped the Safe's implementation contract for attacker-controlled code, handing over control of the wallet. 401,347 ETH (about $1.46 billion) stolen. No Bybit key was stolen and no smart contract was exploited; the signing UI, the thing the signers trusted to tell them what they were signing, was compromised.

Timeline

Date | Event
February 4, 2025 | Attackers compromise a Safe{Wallet} developer's workstation via a malicious Docker project
February 19, 2025 | Malicious JavaScript injected into the app.safe.global bundle hosted in Safe's AWS S3 bucket
February 21, 2025 | Bybit initiates a routine cold-to-warm ETH transfer; the tampered UI executes the attack and the injected code is removed minutes later
February 21–22, 2025 | Funds swapped on DEXs and layered through 53 wallets before being bridged out of Ethereum
February 26, 2025 | FBI attributes the theft to North Korea's "TraderTraitor" operation
72 hours post-breach | Bybit restores full ETH reserves via emergency loans and deposits

MITRE ATT&CK Mapping

Failed SOC 2 Controls

What a 30-Day Fix Would Have Looked Like

Treat the hardware wallet's own display as the only authoritative signing surface, which means the device must decode the Safe transaction (target, value, operation) rather than show an opaque hash the signer cannot check. Run every cold-wallet transaction through an independent simulation that decodes the raw calldata and shows the signers what it does, flagging delegatecall operations and targets outside an allowlist. Require out-of-band review (a second channel, a second team) for cold-wallet operations before the final signature, and keep signing devices air-gapped from the browser that composes the transaction.
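An added example, not Bybit's or Safe's code: a standalone decoder for Safe's execTransaction calldata plus the policy checks a signing station would run on the bytes it is about to sign. The 0x6a761202 selector and the argument layout are the function's published ABI; the addresses, payloads, allowlist and finding messages are constructed for the example. It works on the raw ABI encoding rather than through a library so it can run on an air-gapped machine with nothing installed.

```python
# Independent decoder for Safe{Wallet}'s execTransaction(...) calldata, the kind of
# check that shows signers what they are really approving instead of trusting the
# web front end. 0x6a761202 is the well-known selector of that function; every
# address, payload and allowlist below is constructed for this example.

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1
WORD = 32
ZERO_ADDRESS = "0x" + "00" * 20


def _uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


def _addr(word: bytes) -> str:
    return "0x" + word[12:].hex()          # address = low 20 bytes of a 32-byte word


def _dyn_bytes(body: bytes, offset: int) -> bytes:
    length = _uint(body[offset:offset + WORD])
    return body[offset + WORD:offset + WORD + length]


def decode_exec_transaction(calldata: bytes) -> dict:
    """Parse the head words of execTransaction and resolve the dynamic `data` field."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    body = calldata[4:]
    w = [body[i:i + WORD] for i in range(0, 10 * WORD, WORD)]
    return {
        "to": _addr(w[0]),
        "value": _uint(w[1]),
        "data": _dyn_bytes(body, _uint(w[2])),
        "operation": _uint(w[3]),           # 0 = CALL, 1 = DELEGATECALL
        # w[4..7] = safeTxGas, baseGas, gasPrice, gasToken
        "refundReceiver": _addr(w[8]),
        # w[9] = offset of the signatures blob
    }


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Build calldata the way a wallet front end does (gas fields zero, empty signatures)."""
    def pad(b: bytes) -> bytes:
        return b + b"\x00" * (-len(b) % WORD)

    def word(n: int) -> bytes:
        return n.to_bytes(WORD, "big")

    data_tail = word(len(data)) + pad(data)
    head = [
        bytes(12) + bytes.fromhex(to[2:]),   # to
        word(value),                         # value (wei)
        word(10 * WORD),                     # offset of data (right after 10 head words)
        word(operation),
        word(0), word(0), word(0),           # safeTxGas, baseGas, gasPrice
        bytes(WORD), bytes(WORD),            # gasToken, refundReceiver (zero address)
        word(10 * WORD + len(data_tail)),    # offset of signatures
    ]
    return EXEC_TRANSACTION_SELECTOR + b"".join(head) + data_tail + word(0)


def review(calldata: bytes, allowed_targets) -> list:
    """Policy checks a signing station should run on the raw bytes before approval."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("DELEGATECALL: target code runs inside the Safe and can rewrite "
                        "its storage, including the implementation (singleton) slot")
    if tx["to"].lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx['to']} is not an allowlisted destination")
    if tx["refundReceiver"] != ZERO_ADDRESS:
        findings.append("non-zero refundReceiver: gas refund diverted to a third party")
    return findings


# Constructed addresses: a known warm wallet and an attacker contract.
WARM_WALLET = "0x" + "11" * 20
ATTACKER = "0x" + "ab" * 20
ALLOWLIST = {WARM_WALLET}

ROUTINE_TRANSFER = encode_exec_transaction(WARM_WALLET, 10**18, b"", CALL)
HOSTILE_UPGRADE = encode_exec_transaction(
    ATTACKER, 0, bytes.fromhex("deadbeef") + bytes(32), DELEGATECALL)

if __name__ == "__main__":
    for label, calldata in (("routine", ROUTINE_TRANSFER), ("hostile", HOSTILE_UPGRADE)):
        tx = decode_exec_transaction(calldata)
        print(label, tx["to"], tx["value"], "op", tx["operation"], "data", tx["data"].hex())
        print("  findings:", review(calldata, ALLOWLIST) or "none")
```

The point of running this on the signing device rather than in the browser is the Bybit lesson: the front end rendered a routine transfer while handing the hardware wallet a delegatecall. Anything decoded by the same JavaScript that composed the transaction shares its trust boundary.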

Cost of Breach vs. Prevention

Bybit lost $1.46 billion in a single transaction. Prevention cost: hardware wallet signing with independent validation + MPC key management — $100,000–$500,000 for institutional implementation.

Case Study 4: Okta Support System — Session Token Harvesting

TL;DR: Attackers signed in to Okta's customer support case management system with a service account whose credentials an Okta employee had saved in a personal Google profile on a company laptop. From support cases they downloaded HAR files that customers had uploaded for troubleshooting, many of which still contained live session cookies. HAR files belonging to 134 Okta customers were accessed; in five of those cases, including 1Password, BeyondTrust and Cloudflare, the session tokens were replayed to hijack the customer's Okta admin session.

Timeline

Date | Event
September 28, 2023 | Earliest unauthorized access to the support system; 1Password detects suspicious activity on its Okta tenant the next day
September 28 – October 17, 2023 | Attacker downloads HAR files from support cases and extracts session tokens
October 2, 2023 | BeyondTrust detects an unauthorized admin session and reports it to Okta
October 18, 2023 | Cloudflare detects malicious activity on its Okta tenant
October 19, 2023 | Okta confirms the breach to BeyondTrust
October 20, 2023 | Okta publicly discloses the breach

MITRE ATT&CK Mapping

Failed SOC 2 Controls

What a 30-Day Fix Would Have Looked Like

Rotate all Okta service account credentials and keep them in a vault rather than in any browser profile. Block sign-in to personal Google (and other consumer) profiles on corporate browsers, since profile sync is how a password saved on a managed laptop ends up in a personal account. Bind admin session tokens to the originating network or ASN so a replayed token from elsewhere fails (Okta shipped this for admin sessions after the incident). Audit who and what can read attachments in the support case management system. Strip cookies, Authorization headers and tokens from HAR files before they are uploaded to any vendor, and have vendors delete attachments when a case closes.
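An added example (not Okta's or Cloudflare's tooling): a HAR sanitizer for the upload control above. HAR is JSON (HAR 1.2), so the scrubber walks log.entries and redacts headers, cookies, query parameters and token-like fields in request and response bodies. The sample capture, the secret strings and the header and parameter name lists are constructed for the example.

```python
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# HAR 1.2 is JSON: log.entries[].request/response, each with headers, cookies,
# and (request) queryString/postData or (response) content. Sample is constructed.
REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-api-key", "x-csrf-token"}
SENSITIVE_PARAM = re.compile(
    r"token|session|sid|password|passwd|secret|api[_-]?key|code|state|nonce", re.I)
# "...token": "value"  ->  "...token": "[REDACTED]"  inside JSON bodies
JSON_SECRET = re.compile(
    r'("[^"]*(?:token|session|secret|password|cookie)[^"]*"\s*:\s*")[^"]*(")', re.I)


def _scrub_pairs(pairs, is_sensitive):
    for pair in pairs:
        if is_sensitive(pair.get("name", "")):
            pair["value"] = REDACTED


def _scrub_text(text):
    return JSON_SECRET.sub(lambda m: m.group(1) + REDACTED + m.group(2), text)


def _scrub_url(url):
    parts = urlsplit(url)
    query = [(k, REDACTED if SENSITIVE_PARAM.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="[]")))


def sanitize_har(har: dict) -> dict:
    """Return a copy of the HAR with credentials and session material removed."""
    har = copy.deepcopy(har)
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        for msg in (req, resp):
            _scrub_pairs(msg.get("headers", []), lambda n: n.lower() in SENSITIVE_HEADERS)
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED      # every cookie: session IDs hide under odd names
        req["url"] = _scrub_url(req.get("url", ""))
        _scrub_pairs(req.get("queryString", []), SENSITIVE_PARAM.search)
        post = req.get("postData")
        if post:
            _scrub_pairs(post.get("params", []), SENSITIVE_PARAM.search)
            if "text" in post:
                post["text"] = _scrub_text(post["text"])
        content = resp.get("content", {})
        if "text" in content:
            content["text"] = _scrub_text(content["text"])
    return har


def leaks(har: dict, secrets) -> list:
    """Which of the known secret strings still appear anywhere in the HAR."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


# Constructed capture of a login flow; SECRETS are the strings an attacker would
# lift out of a real one.
SECRETS = ["sid=AAABBBCCC", "AAABBBCCC", "Bearer eyJ.fake.token", "sess-12345", "tok-98765"]
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://idp.example.test/api/v1/authn?state=tok-98765&client=web",
        "headers": [{"name": "Cookie", "value": "sid=AAABBBCCC"},
                    {"name": "Authorization", "value": "Bearer eyJ.fake.token"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "AAABBBCCC"}],
        "queryString": [{"name": "state", "value": "tok-98765"},
                        {"name": "client", "value": "web"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"username": "alice", "sessionToken": "sess-12345"}'},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=AAABBBCCC; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "AAABBBCCC"}],
        "content": {"mimeType": "application/json",
                    "text": '{"status": "SUCCESS", "sessionToken": "sess-12345"}'},
    },
}]}}

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=1))
    print("still leaking:", leaks(clean, SECRETS))
```

The name-based heuristics are the weak spot: a session value stored under an unusual key survives them, so the leaks() check against the specific strings you know are in a capture is the part worth keeping. Cloudflare published an open-source HAR sanitizer after this incident; whichever scrubber is used, it belongs in the support-upload path, not in the hands of whoever is filing the ticket.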

Cost of Breach vs. Prevention

Okta's share price fell about 11% on the day of disclosure, followed by regulatory scrutiny and a class action lawsuit. Downstream, 1Password, BeyondTrust and Cloudflare each spent weeks in forensic response. Prevention: HAR sanitization + service account vaulting + personal profile blocking on managed browsers, $5,000–$20,000.

Case Study 5: AT&T — 110 Million Call Records via Snowflake

TL;DR: As part of the same Snowflake campaign, AT&T's Snowflake tenant was accessed using stolen credentials. No MFA. 109–110 million customer records exfiltrated: call and text metadata covering May–October 2022. The DOJ asked AT&T to delay public disclosure twice due to national security concerns. AT&T reportedly paid hackers approximately $370,000 in Bitcoin to delete the stolen data.

Timeline

Date | Event
May 1 – October 31, 2022 | Call and text records created (the data window of the breach, plus a small number of records from January 2, 2023)
April 14–25, 2024 | Attackers access and exfiltrate AT&T's Snowflake tenant
April 19, 2024 | AT&T learns of the breach via a security researcher
July 12, 2024 | AT&T files an 8-K with the SEC and publicly discloses the breach, after two DOJ-requested delays
October 2024 | Connor Riley Moucka arrested in Canada
January 2026 | $177 million settlement approved

MITRE ATT&CK Mapping

Failed SOC 2 Controls

What a 30-Day Fix Would Have Looked Like

Same as Case Study 1: MFA for every human user, key-pair or OAuth authentication for service accounts, and network policies on the Snowflake tenant. In addition, treat call detail records as sensitive personal data: encrypt them at the column level, log and review every bulk read, and alert on export volumes far above the workload's baseline, which is what an exfiltration of 110 million records looks like in a query log.

Cost of Breach vs. Prevention

$177 million settlement. DOJ national security delays. Same failure as Case Study 1.

Case Study 6: Citrix Bleed — Session Token Memory Leak

TL;DR: CVE-2023-4966 (Citrix Bleed) allowed unauthenticated attackers to read session tokens out of NetScaler ADC and Gateway appliance memory with a single malformed HTTP request. Replaying a token yields a fully authenticated session, so MFA is bypassed without the attacker ever seeing a password. Over 1,200 organizations were notified by CISA as running vulnerable, unpatched instances. Boeing, Comcast/Xfinity (nearly 36M customers), and government contractors were confirmed as victims.

Timeline

Date | Event
July 18, 2023 | Citrix discloses CVE-2023-3519, a separate, actively exploited NetScaler RCE (not Citrix Bleed)
Late August 2023 | Exploitation of CVE-2023-4966 begins, per Mandiant's later analysis
October 10, 2023 | Citrix publishes the advisory and patches for CVE-2023-4966
October 17, 2023 | Mandiant reports in-the-wild exploitation and warns that patching alone does not evict attackers holding stolen sessions
Late October – November 2023 | LockBit 3.0 affiliates use Citrix Bleed to access Boeing; Boeing data published on the LockBit leak site in November 2023
June 2025 | Citrix Bleed 2 (CVE-2025-5777) disclosed

MITRE ATT&CK Mapping

Failed SOC 2 Controls

What a 30-Day Fix Would Have Looked Like

Patch CVSS 9+ vulnerabilities on internet-facing appliances within 72 hours. Because a stolen token stays valid across a patch, terminate all active and persistent sessions (ICA, RDP, PCoIP and AAA) on the appliance immediately after patching, as the Citrix advisory instructs, and treat any session that survived as suspect. Restrict NetScaler management interfaces to known IP ranges, and hunt in the appliance's and the identity provider's logs for sessions whose source IP changed mid-session, the signature of a replayed token.

Cost of Breach vs. Prevention

Boeing confirmed data published on LockBit leak site. Comcast/Xfinity: 36M customers disclosed. Prevention: automated vulnerability scanning with 72-hour SLA + session termination on patch — $8,000–$25,000/year.

Case Study 7: Microsoft Midnight Blizzard — Dormant Test Account

TL;DR: Russian state-sponsored Midnight Blizzard (Nobelium, APT29) used a password spray against a legacy, non-production test tenant account at Microsoft. No MFA. From that foothold the actor abused a legacy test OAuth application that still had elevated access to the corporate environment to read the mailboxes of senior leadership and of cybersecurity and legal staff. Using information found in those mailboxes, Midnight Blizzard later accessed some of Microsoft's source code repositories and internal systems.

Timeline

Date | Event
Late November 2023 | Midnight Blizzard begins a low-and-slow password spray from residential proxy infrastructure
November–December 2023 | Legacy test tenant account compromised; a legacy OAuth application is granted Exchange Online full_access_as_app and used to read corporate mailboxes
January 12, 2024 | Microsoft security team detects the intrusion
January 19, 2024 | Microsoft publicly discloses the breach (SEC Form 8-K)
February 2024 | Password spray volume rises to roughly 10x the January volume
March 8, 2024 | Microsoft confirms access to some source code repositories and internal systems

MITRE ATT&CK Mapping

Failed SOC 2 Controls

What a 30-Day Fix Would Have Looked Like

Enforce MFA on all accounts, including test tenants and development environments; a test tenant with a path into production is production. Deploy conditional access policies for sensitive resources. Inventory legacy OAuth applications and revoke any with elevated permissions (Exchange full_access_as_app, for example) that no current workflow needs. Monitor for password spray: many distinct usernames, few attempts each, from residential proxy IP ranges, and page on the first success that follows such a pattern.
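An added example (not Microsoft's detection logic): the password-spray monitor from the fix above, run over constructed sign-in events. The log shape, thresholds and account names are assumptions for the example. The detector keys on the spray's shape, many accounts with few attempts each from one source, and reports any success that follows, which is the Midnight Blizzard pattern of a single unprotected legacy account falling after a wide spray.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real telemetry), shaped like an identity
# provider's sign-in log: time, user, source IP, result. The spray from
# 203.0.113.7 touches eight accounts once each and lands on a legacy test
# account that has no MFA; 198.51.100.5 is one user mistyping a password;
# 192.0.2.9 is a small probe below the alert threshold.
EVENTS = """\
2023-11-20T02:00:01Z,alice@corp.example,203.0.113.7,failure
2023-11-20T02:00:09Z,bob@corp.example,203.0.113.7,failure
2023-11-20T02:00:17Z,carol@corp.example,203.0.113.7,failure
2023-11-20T02:00:25Z,dave@corp.example,203.0.113.7,failure
2023-11-20T02:00:33Z,erin@corp.example,203.0.113.7,failure
2023-11-20T02:00:41Z,frank@corp.example,203.0.113.7,failure
2023-11-20T02:00:49Z,grace@corp.example,203.0.113.7,failure
2023-11-20T02:00:57Z,legacy-test@corp.example,203.0.113.7,failure
2023-11-20T02:31:10Z,legacy-test@corp.example,203.0.113.7,success
2023-11-20T09:00:00Z,alice@corp.example,198.51.100.5,failure
2023-11-20T09:00:20Z,alice@corp.example,198.51.100.5,failure
2023-11-20T09:00:45Z,alice@corp.example,198.51.100.5,success
2023-11-20T14:00:00Z,heidi@corp.example,192.0.2.9,failure
2023-11-20T14:00:30Z,ivan@corp.example,192.0.2.9,failure
2023-11-20T14:01:00Z,judy@corp.example,192.0.2.9,failure
""".splitlines()


def parse(line):
    ts, user, ip, result = line.split(",")
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "result": result}


def detect_spray(lines, window=timedelta(minutes=60), min_users=5, max_per_user=3):
    """One alert per source IP that fails against >= min_users distinct accounts
    inside `window`, with at most max_per_user failures each (the spray shape:
    wide and shallow, unlike a brute force that hammers one account)."""
    by_ip = defaultdict(list)
    for ev in map(parse, lines):
        by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            per_user = Counter(e["user"] for e in in_window if e["result"] == "failure")
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append({
                    "ip": ip,
                    "start": start["time"],
                    "users_targeted": len(per_user),
                    # a success from the spraying IP after the failures is the
                    # compromised account, and the reason the alert is a P1
                    "compromised": sorted({e["user"] for e in in_window
                                           if e["result"] == "success"}),
                })
                break                   # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_spray(EVENTS):
        print(f"{a['ip']}: {a['users_targeted']} accounts sprayed from {a['start']:%H:%M}, "
              f"compromised={a['compromised'] or 'none'}")
```

Residential proxy sprays spread attempts across many source IPs, so a production version also groups by user agent, ASN or a TLS fingerprint (JA3/JA4) and counts per account across days, since those actors try one or two passwords per account per day to stay under per-IP thresholds like this one.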

Cost of Breach vs. Prevention

Microsoft declined to quantify direct costs. The company confirmed that some source code repositories and internal systems were accessed but did not say which; its security investments in response are ongoing.

Case Study 8: Cloudflare — Third-Party Credential Exposure

TL;DR: Following the Okta breach, a nation-state threat actor used four credentials stolen from that breach, one Moveworks service token and three service account credentials (Smartsheet, Bitbucket, and an AWS environment), to access Cloudflare's self-hosted Atlassian suite (Jira, Confluence, Bitbucket). Cloudflare had rotated the credentials it believed the Okta breach exposed but skipped these four because they were believed to be unused. The instance held roughly 14,099 Confluence pages, about 2 million Jira tickets and 11,904 Bitbucket repositories; the attacker searched the wiki and tickets, viewed 120 repositories and downloaded 76 of them. Persistence was established by creating a new Atlassian user account that looked like a regular Cloudflare employee.

Timeline

Date | Event
October 18, 2023 | Cloudflare's Okta tenant is compromised via the Okta support system; one Moveworks service token and three service account credentials are exposed
November 14, 2023 | Attacker begins reconnaissance against Cloudflare's Atlassian instance
November 15, 2023 | Attacker accesses Jira and Confluence
November 22, 2023 | Attacker creates a rogue Atlassian user for persistence and accesses Bitbucket
November 23, 2023 | Cloudflare detects the intrusion (Thanksgiving Day)
November 24, 2023 | Attacker access removed
January 5, 2024 | "Code Red" remediation complete: more than 5,000 credentials rotated, 4,893 systems triaged, every machine reimaged

MITRE ATT&CK Mapping

Failed SOC 2 Controls

What a 30-Day Fix Would Have Looked Like

Rotate every credential a vendor breach notification could plausibly cover, immediately and with no "believed unused" exception; an unused credential costs nothing to rotate and everything to miss. Inventory service accounts and their permissions, and remove the ability of service accounts to create users or install plugins in Atlassian and similar tools. Restrict Bitbucket and other source-control access to known IP ranges or a zero-trust proxy, and alert on repository reads by accounts that do not normally commit.

Cost of Breach vs. Prevention

Cloudflare's response: 5,000 credentials rotated, 4,893 systems triaged, full network reimaged. Estimated $5–15 million in emergency response alone.

The Pattern Across All 8: Three Failures, Infinite Variations

The MITRE ATT&CK mapping across all eight case studies converges on three primary techniques:

1. Identity Failures: T1078 (Valid Accounts), usually T1078.004 (Cloud Accounts), is the initial access or persistence technique in six of the eight cases. MFA absent on Snowflake (Cases 1, 5). Session tokens harvested from HAR files (Case 4). Session tokens siphoned from NetScaler memory (Case 6). Legacy test account without MFA (Case 7). Stolen Okta credentials never rotated (Case 8). The two exceptions make the same point from the other side: MOVEit (Case 2) was T1190 Exploit Public-Facing Application and Bybit (Case 3) was T1195.002 Compromise Software Supply Chain, and in both the attacker needed no credential at all.

2. Third-Party Risk: CC9.2 (vendor and business partner risk) failures appear in Cases 1, 4, 5, and 8. Snowflake customers misread the shared responsibility model and left MFA and network policies undone on their side of it. Okta's support system retained HAR files with live session tokens. Cloudflare did not rotate credentials after a vendor breach notification.

3. Dormant Credentials — Cases 7 and 8 directly illustrate the danger of abandoned or legacy accounts. Microsoft's test tenant account sat unmaintained, without MFA. Cloudflare's Moveworks token and Smartsheet account were "believed unused" but were still valid.

SOC 2 Type II Control Checklist

SOC 2 TSC | Control | Self-assessment
CC6.1 | MFA enforced on all user accounts (including service accounts, test accounts, and non-production environments) | [ ]
CC6.1 | IP allowlisting or conditional access on all privileged/cloud accounts | [ ]
CC6.1 | Automated monitoring of authentication attempts with alerting for password spray patterns | [ ]
CC6.2 | Service account credentials stored in a credential vault, not in personal accounts or code | [ ]
CC6.2 | MFA required for service accounts via workload identity federation | [ ]
CC6.6 | Transaction verification occurs through an independent, out-of-band channel | [ ]
CC6.7 | Session token binding to network location; re-authentication on network change | [ ]
CC6.8 | Cryptographic keys protected against unauthorized modification; HSMs for production keys | [ ]
CC7.1 | Automated vulnerability scanning with 72-hour SLA for critical CVEs | [ ]
CC7.1 | Vendor patch testing pipeline that can deploy patches within 72 hours | [ ]
CC7.2 | Change management integration with vulnerability remediation for actively exploited CVEs | [ ]
CC8.1 | Formal change management process with rapid-track procedures for critical security patches | [ ]
CC9.2 | Vendor breach notification response process with mandatory credential rotation | [ ]
CC9.2 | Quarterly audit of service account permissions; least privilege enforced | [ ]
CC9.2 | Third-party access reviews: all vendor integrations reviewed for overprivileged access | [ ]

90-Day SaaS Hardening Roadmap

Days 1–30: Identity Foundation

Days 31–60: Monitoring and Response

Days 61–90: Architecture Hardening

Download the Free SOC 2 Toolkit

Everything in this article — the MITRE ATT&CK mapping, the SOC 2 control checklist, the 90-day roadmap, and the 8-case study reference library — is compiled in our free SOC 2 Readiness Toolkit. It includes a pre-built controls matrix, vendor risk assessment template, credential audit checklist, and 30-day implementation guide.

Download the Free SOC 2 Toolkit →

Book an Executive Security Briefing

CISO, CTO, or founder at a SaaS company? Get a 30-minute tailored briefing on your specific threat surface — SaaS vendor stack, identity posture, and third-party risk exposure — at no cost.

Schedule Your Briefing →

FAQ

Q: What is the most common initial access vector across these 8 breaches?

A: Stolen or reused credentials, specifically service accounts, test accounts and SaaS accounts without MFA. Six of the eight cases start that way. The other two, MOVEit and Bybit, started with a zero-day exploit and a supply-chain compromise of a signing front end, neither of which needed a credential at all.

Q: Does having MFA prevent all of these attacks?

A: Not entirely. Citrix Bleed (Case 6) and the Okta HAR files (Case 4) show that a session token issued after a successful MFA login can be stolen and replayed without ever touching the second factor. Bybit (Case 3) shows that even hardware-backed signing fails when the signer is shown a false description of the transaction, and MOVEit (Case 2) needed no credential at all. MFA still removes the credential-stuffing and password-spray class entirely (Cases 1, 5, 7) and raises the cost of everything else; what it needs alongside it is short session lifetimes, token binding and re-authentication for sensitive actions.

Q: How does the shared responsibility model affect SOC 2 compliance for SaaS companies?

A: A vendor's SOC 2 report attests to the vendor's controls over the platform and lists complementary user entity controls, the things the customer is expected to do on its side. The customer's own SOC 2 scope has to cover its configuration and access management of that platform: MFA, network policies, credential rotation, vendor-breach response. Neither report covers the gap between the two unless someone maps them, which is where the Snowflake customers in Cases 1 and 5 were exposed.

Q: What is the single most impactful control to implement first?

A: MFA on every account that can reach data, including service accounts (via key-pair, OAuth or workload identity where MFA does not apply), test tenants, and development environments. It is the root cause in six of the eight cases; for the remaining two (MOVEit, Bybit) the first control is removing the appliance from the open internet and independently verifying what is being signed.

Q: How do I manage third-party risk for a large SaaS vendor stack?

A: Start with a vendor inventory: every SaaS tool that holds credentials or API access to your systems. Classify by privilege level. Implement a vendor breach notification response process with mandatory credential rotation measured in hours, not weeks, and with no "believed unused" exception, which is the gap that caught Cloudflare.

Q: How does a nation-state attack differ from a criminal ransomware attack?

A: Nation-state actors typically operate with more patience, better tradecraft, and strategic rather than financial motivation. Criminal ransomware groups move faster, use automation, and focus on volume.

Sources

All figures current as of June 13, 2026. Source attribution listed above.