Billions of stolen and reused credentials have just made SaaS account takeover (ATO) easier than ever. In April 2025, threat-intel firm Synthient consolidated two massive troves of previously exposed credentials, from historic combo lists to malware “stealer” logs, and later provided them to Have I Been Pwned (HIBP) for public checking. HIBP indexed them as Synthient Stealer Log Threat Data (183 million unique email addresses, each tied to the site they were used on and the captured password; added on Oct 21, 2025) and Synthient Credential Stuffing Threat Data (~2 billion unique email addresses and 1.3 billion unique passwords; added on Nov 6, 2025). This was not a new breach of Gmail or any single provider; it’s a large aggregation that materially increases password-reuse and ATO risk across cloud services.
From Synthient to Midnight Blizzard: How exposed credentials enable account takeovers
Synthient’s dump turns years of infostealer and breach debris into a weaponizable roadmap for breaking into identity providers (IdPs) and SaaS apps. The credential-stuffing corpus gives attackers billions of email and password pairs to spray against login surfaces where users have reused passwords. Meanwhile, the stealer-log corpus adds valuable site context alongside the captured passwords, often the exact SaaS or IdP URL, making targeted account takeover dramatically easier at scale. Once a single login succeeds, adversaries can mint or reuse tokens, consent to malicious OAuth apps, and fan out across connected SaaS estates; threat reports now rank these patterns among the top initial access vectors.
Microsoft’s post-incident reports provide a good example: Midnight Blizzard gained access by password spraying a legacy, non-production test tenant account that had no MFA, a weak credential set by any measure. Once that single-factor login succeeded, the actor leveraged the test account’s permissions and abused OAuth to grant itself high-privilege access (including Exchange Online “full_access_as_app”), which allowed it to read corporate mailboxes belonging to senior leaders and others.
Microsoft’s SEC filing confirms the actor “used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold,” after which emails and attachments were exfiltrated, illustrating how one weak password and missing MFA in a low-priority tenant can cascade into enterprise-wide SaaS exposure.
How do you defend SaaS apps and IdPs from credential-stuffing attacks?
To stop credential stuffing and password spraying against identity providers (IdPs) and SaaS platforms, organizations need layered identity defenses. That means enforcing phishing-resistant MFA, blocking breached or weak passwords at creation and reset, shutting off legacy/basic authentication, throttling and risk-gating login traffic, and continuously monitoring for spray patterns and post-compromise behaviors so you can auto-contain and reset fast.
- Enforce phishing-resistant MFA (FIDO2/WebAuthn, FastPass/security keys) for admins and high-risk apps; require step-up on risky sign-ins.
- Screen passwords against known-compromised lists and ban weak patterns. Favor length over complexity rules.
- Disable legacy or basic authentication and app passwords: Use conditional access (device posture, geo/ASN, impossible travel) and apply smart lockout/rate-limits on login endpoints.
- Detect sprays early: Alert on wide, low-rate failures across many users/IPs; use Entra/IdP built-ins for near-real-time password-spray detection.
- Contain success quickly: Auto-revoke sessions, reset exposed accounts, and review new OAuth consents/token grants after any suspicious login.
- Continuously re-screen user emails against public breach dumps and rotate any reused credentials discovered.
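The spray-detection bullet above (wide, low-rate failures across many users from one source, then a first success) can be reduced to a small correlation rule. The following is an added example written for this post, not code from AppOmni or any IdP; the sign-in events are constructed, and the thresholds (30-minute window, at least 5 distinct users, at most 2 failures per user) are assumptions to tune for your own tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, source IP, user, outcome):
# one IP tries roughly one password against many users, then succeeds on one.
SAMPLE_EVENTS = [
    ("2025-11-06T09:00:01", "203.0.113.7", "alice@example.com", "fail"),
    ("2025-11-06T09:00:09", "203.0.113.7", "bob@example.com", "fail"),
    ("2025-11-06T09:00:17", "203.0.113.7", "carol@example.com", "fail"),
    ("2025-11-06T09:00:25", "203.0.113.7", "dave@example.com", "fail"),
    ("2025-11-06T09:00:33", "203.0.113.7", "erin@example.com", "fail"),
    ("2025-11-06T09:00:41", "203.0.113.7", "frank@example.com", "success"),
    # An ordinary user mistyping their own password: repeated failures, one user.
    ("2025-11-06T09:05:00", "198.51.100.9", "alice@example.com", "fail"),
    ("2025-11-06T09:05:20", "198.51.100.9", "alice@example.com", "fail"),
    ("2025-11-06T09:05:40", "198.51.100.9", "alice@example.com", "success"),
]


def detect_password_spray(events, window_minutes=30, min_users=5, max_per_user=2):
    """Flag source IPs whose failures within a sliding window hit many distinct
    users with only a few attempts each (the spray shape), and record any
    success from that IP in the same window, which is the account to contain.
    Returns {ip: {"users": distinct_users_failed, "succeeded": [users]}}."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):  # ISO timestamps sort lexically
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    findings = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):  # slide the window start
            fails = defaultdict(int)
            succeeded = []
            for ts, user, outcome in evs[i:]:
                if ts - start > window:
                    break
                if outcome == "fail":
                    fails[user] += 1
                else:
                    succeeded.append(user)
            # Low-rate per user + many users = spray; a brute force against one
            # account (many failures, one user) deliberately does not match.
            targeted = [u for u, n in fails.items() if n <= max_per_user]
            if len(targeted) >= min_users:
                findings[ip] = {"users": len(fails),
                                "succeeded": sorted(set(succeeded))}
                break
    return findings
```

In production the source key would usually be ASN or a device/session fingerprint rather than a raw IP, since sprays are routinely distributed across proxies; the rule's shape stays the same.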
How can AppOmni protect against SaaS account takeover?
AppOmni helps organizations prevent, detect, and contain credential-based intrusions across their IdP and SaaS estate by continuously analyzing identity-, token-, and app-level activity, surfacing risky misconfigurations (such as legacy/basic authentication or permissive OAuth), and automating fast, low-noise response when a sprayed or reused password succeeds.
- Configuration and drift controls: Continuously check SaaS/IdP settings (MFA requirements for admins, legacy protocols disabled, conditional access intact) and catch drift.
- Detect the attack early: Correlate low-rate failures across many accounts/IPs, sudden first-time successes, new devices/ASNs, impossible travel, and anomalous session creation.
- OAuth and third-party app governance: Inventory and risk-score apps, enforce approval workflows and least-privilege scopes, and alert on new or suspicious consents.
- See the pivot, not just the login: Trace post-login behaviors (token grants, mailbox rules, OAuth consents, admin role changes) across apps to flag true account takeover.
- Identity insight and control: Continuously map human and non-human identities across IdP and SaaS, detect risky role changes and shadow admins, flag stale/orphaned accounts and SCIM/SSO drift, enforce least-privilege with JIT/access reviews, and alert on high-risk identity events.
