SaaS Misconfigurations Are the New S3 Bucket Leaks: A Growing Cloud Security Threat
- Swarnali Ghosh
- Aug 6
SWARNALI GHOSH | DATE: AUGUST 04, 2025

Introduction
Cloud security has always been a cat-and-mouse game between defenders and attackers. In the past, misconfigured Amazon S3 buckets have been the primary culprits behind massive data leaks, exposing sensitive corporate and customer information. However, as organizations increasingly adopt Software-as-a-Service (SaaS) applications, a new threat has emerged: SaaS misconfigurations.
These misconfigurations are now leading to data breaches, compliance violations, and unauthorized access at an alarming rate. Unlike traditional infrastructure, SaaS platforms—such as Microsoft 365, Google Workspace, Slack, and Salesforce—are often managed by non-IT personnel, increasing the risk of security oversights. This article explores why SaaS misconfigurations are becoming the new S3 bucket leaks, how they happen, real-world examples, and best practices to prevent them.
The Legacy of S3 Bucket Leaks
The years 2017–2019 saw notable exposures of sensitive data through publicly misconfigured Amazon S3 buckets: voter records, API keys, customer documents, and more were left open to the internet because of human error or weak policies, even though AWS had warned about the risks for years. Organizations such as Accenture, Verizon, and even U.S. government contractors suffered serious reputational and financial damage simply because their admins had left S3 buckets with “public-read” ACLs or without encryption. These S3 data exposure events acted as early warnings, leading cloud providers to introduce features like "Block Public Access" settings and enhanced auditing capabilities. More importantly, they marked a turning point in cybersecurity awareness, highlighting how simple configuration errors could evolve into major public incidents.
Enter SaaS Misconfigurations: A New Frontier

Today’s SaaS misconfiguration isn’t about forgetting to block an S3 bucket—it's about granting overly broad permissions, leaving default settings in place, or misrouting APIs within SaaS services like Microsoft 365, Salesforce, Google Workspace, Slack, and GitHub.
CrowdStrike defines SaaS misconfiguration as “incorrect or insecure configuration of SaaS apps that can expose sensitive data, grant unintended access, violate compliance, or enable breaches”. This ranges from file-sharing links set to “public” by default, to lax admin console settings, disabled MFA, and APIs mapping data incorrectly between systems.
Why SaaS Misconfigurations Are the Next Big Security Risk
The Shift from IaaS to SaaS Security Challenges: In the early days of cloud adoption, Infrastructure-as-a-Service (IaaS) security risks—like exposed S3 buckets—dominated headlines. Companies learned to lock down storage permissions, but now, SaaS applications have taken center stage.
Unlike IaaS, where security is more centralized, SaaS platforms are often managed by multiple departments (HR, Marketing, Sales), leading to inconsistent security policies. A Salesforce admin might inadvertently expose customer data, or a Microsoft 365 user could share sensitive files publicly without realizing the risk.
The Complexity of SaaS Permissions: SaaS applications offer granular sharing controls, but this flexibility can backfire. Common misconfigurations include:
Overly permissive sharing settings (e.g., "Anyone with the link" access in Google Drive).
Incorrectly configured OAuth apps that have excessive permissions.
Guest access abuse in collaboration tools like Microsoft Teams or Slack.
A 2023 report by Adaptive Shield found that 63% of organizations had at least one critical SaaS misconfiguration, with Microsoft 365 and Google Workspace being the most commonly misconfigured platforms.
Shadow IT and Unmanaged SaaS Sprawl: Many employees use unauthorized SaaS apps (Shadow IT) without IT oversight. A McKinsey study revealed that the average enterprise uses over 200 SaaS applications, with only 50% being managed by IT. Unmonitored SaaS apps increase the attack surface, making it easier for attackers to exploit weak configurations.
Anatomy: Five Most Common SaaS Misconfigurations
Permissions sprawl & excessive access: Too many users, teams, or service accounts are granted admin or edit rights, violating least-privilege principles.

Disabled or absent multi-factor authentication (MFA): Accounts that rely on single-factor logins are easier to compromise, and the blast radius is especially high for mail or file-app admin accounts.
Misconfigured sharing or API endpoints: In the Microsoft Power Apps incident, more than 1,000 apps were left viewable online, exposing 38 million records, including PII, because shared APIs defaulted to public unless locked down manually.
API misrouting across SaaS->SaaS or SaaS->on-prem: LinkedIn analysis by cybersecurity experts shows insecure OAuth2 flows and wildcard permissions can redirect data to unintended parties, even without stolen credentials.
Failure to enable logging or anomaly detection: Many SaaS platforms ship with audit tools turned off, meaning suspicious access or data exfiltration goes unflagged until post-incident.
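The five classes above can each be expressed as a check over an exported settings snapshot. The following is an added example, not code from the original article or from any vendor; the snapshot schema, check names, and admin-ratio threshold are assumptions made for illustration.

```python
# Added example: the snapshot schema and threshold below are hypothetical.
SNAPSHOT = {  # constructed sample of one tenant's exported settings
    "users": [
        {"name": "alice", "role": "admin", "mfa": True},
        {"name": "bob", "role": "admin", "mfa": False},
        {"name": "carol", "role": "admin", "mfa": True},
        {"name": "dave", "role": "member", "mfa": False},
    ],
    "shares": [
        {"item": "q3-forecast.xlsx", "visibility": "org"},
        {"item": "customer-export.csv", "visibility": "anyone_with_link"},
    ],
    "integrations": [
        {"app": "crm-sync", "scopes": ["contacts.read"]},
        {"app": "legacy-etl", "scopes": ["*"]},
    ],
    "audit_logging": False,
}
MAX_ADMIN_RATIO = 0.25  # assumed policy: at most a quarter of users are admins

def audit(snap):
    """Return sorted (check_id, detail) findings, one check per class above."""
    findings = []
    users = snap["users"]
    admins = [u for u in users if u["role"] == "admin"]
    # 1. Permissions sprawl
    if users and len(admins) / len(users) > MAX_ADMIN_RATIO:
        findings.append(("excessive-admins", f"{len(admins)}/{len(users)} users are admins"))
    # 2. Missing MFA; admins are reported separately (larger blast radius)
    for u in users:
        if not u["mfa"]:
            check = "admin-no-mfa" if u["role"] == "admin" else "user-no-mfa"
            findings.append((check, u["name"]))
    # 3. Public sharing
    for s in snap["shares"]:
        if s["visibility"] == "anyone_with_link":
            findings.append(("public-share", s["item"]))
    # 4. Wildcard permissions on SaaS-to-SaaS integrations
    for i in snap["integrations"]:
        if any(sc == "*" or sc.endswith(".*") for sc in i["scopes"]):
            findings.append(("wildcard-scope", i["app"]))
    # 5. Audit logging disabled (a missing key counts as disabled)
    if not snap.get("audit_logging", False):
        findings.append(("audit-logging-off", "tenant"))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in audit(SNAPSHOT):
        print(f"{check:18} {detail}")
```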
Root Causes: Why These Occur So Often
User convenience over security: Functionality is enabled quickly without reevaluating default access settings.
Shared‑responsibility confusion: Business units think security is built in “because it’s SaaS,” while IT assumes security is someone else’s domain.
Poor user interface (UI) clarity: Labels like “organization,” “public link,” or “internal only” get misinterpreted; for example, the Salesforce admin UI caused several PII leaks for community pages due to ambiguous language.
Lack of centralized governance: Hundreds of SaaS tools are in use, but only 5–7 are under the security team's oversight; the rest are purchased.
Consequences: At Scale, Not Just Embarrassment
Mass data exposure at scale: 38M records in Power Apps can trigger regulatory fines (GDPR, HIPAA, CPRA).

Targeted phishing / lateral movement: Exposed directories, tenant lists, or backup keys (as in the Commvault breach) reveal footholds into SaaS ecosystems.
Brand risk and customer distrust: Once customers learn their app/data is “public by default,” trust erodes. Unlike S3 buckets (typically backend infrastructure), SaaS UIs are often user-facing.
Why Current Gartner-Like Tools Aren’t Enough
Static vulnerability scanning (e.g., on-prem or container scanning) doesn’t cover SaaS config drift caused by role changes or license activations.
Visibility tools built into SaaS apps (e.g., Google Workspace, Microsoft 365) often lack enforcement controls or drift alerts.
AppOmni reports reveal that only 13% of organizations actually use SaaS Security Posture Management (SSPM) tools, which are purpose-built to continuously detect IPs and apply guardrails.
Real-World Examples of SaaS Misconfigurations Leading to Breaches
Microsoft 365 Misconfiguration Exposes US Defence Data (2022): A misconfigured Microsoft 365 SharePoint instance led to the exposure of sensitive US military documents, including contracts and personnel details. The files were accessible via public links without authentication.
Slack Workspace Leaks Employee and Customer Data (2023): A publicly accessible Slack workspace allowed unauthorized users to join and scrape internal communications, customer support tickets, and API keys. The company only realized the breach after a security researcher reported it.
Google Drive Exposes Healthcare Records (2021): A healthcare provider stored patient records in Google Drive with public sharing enabled, exposing thousands of medical files. The incident led to regulatory fines under HIPAA.
How Attackers Exploit SaaS Misconfigurations
Cybercriminals are increasingly targeting SaaS apps due to their widespread use and weak default settings. Common attack methods include:
Automated Scanning for Publicly Exposed Data: Attackers use tools like GrayhatWarfare (formerly for S3 buckets) and GitHub dorking to find open SaaS documents, calendars, and databases.
Phishing via OAuth Apps: Malicious OAuth apps request excessive permissions (e.g., "Read all emails" in Microsoft 365). After gaining authorization, threat actors proceed to steal sensitive information or initiate ransomware attacks.
Insider Threats via Overprivileged Users: Employees with unnecessary admin rights can accidentally (or maliciously) expose data. A Salesforce admin might share a customer database externally without proper restrictions.
Best Practices to Prevent SaaS Misconfigurations
Implement SaaS Security Posture Management (SSPM):
Tools like Adaptive Shield, Obsidian Security, and AppOmni continuously monitor SaaS settings for misconfigurations.
Enforce Least Privilege Access:
Regularly audit user permissions in SaaS apps.
Remove unnecessary admin roles.
Use role-based access control (RBAC).
Monitor and Restrict OAuth Apps:
Review third-party app permissions monthly.
Block high-risk OAuth scopes (e.g., full mailbox access).
Educate Employees on SaaS Security:
Train staff on secure file-sharing practices.
Implement Data Loss Prevention (DLP) policies to block sensitive data exposure.
Conduct Regular SaaS Security Audits:
Use automated scanners to detect public-facing documents.
Perform penetration testing on critical SaaS apps.
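For the "Monitor and Restrict OAuth Apps" practice above, a monthly review can be scripted over an export of third-party grants. This is an added example, not code from the original article; the inventory fields, the 90-day staleness policy, and the revoke/review/keep rule are assumptions, while the scope strings are existing Microsoft Graph and Google permission names.

```python
# Added example: inventory fields and policy values below are hypothetical.
from datetime import date

HIGH_RISK = {  # scopes that grant mailbox-wide or tenant-wide data access
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.ReadWrite.All", "Directory.ReadWrite.All",
    "https://mail.google.com/",
}
STALE_DAYS = 90  # assumed policy: grants unused for 90 days count as stale

GRANTS = [  # constructed sample inventory
    {"app": "calendar-helper", "scopes": ["User.Read", "Calendars.Read"],
     "org_wide": False, "verified": True, "last_used": date(2025, 7, 30)},
    {"app": "mail-merge-pro",
     "scopes": ["User.Read", "Mail.ReadWrite", "offline_access"],
     "org_wide": True, "verified": False, "last_used": date(2025, 7, 28)},
    {"app": "old-backup-tool", "scopes": ["Files.ReadWrite.All"],
     "org_wide": True, "verified": True, "last_used": date(2025, 1, 10)},
]

def review(grant, today):
    """Return (recommended_action, reasons) for one OAuth grant."""
    risky = sorted(set(grant["scopes"]) & HIGH_RISK)
    reasons = [f"high-risk scope {s}" for s in risky]
    if risky and grant["org_wide"]:
        reasons.append("consented for all users")
    if not grant["verified"]:
        reasons.append("unverified publisher")
    stale = (today - grant["last_used"]).days > STALE_DAYS
    if stale:
        reasons.append("stale grant")
    # High-risk access combined with a second warning sign is recommended
    # for revocation; any single warning sign goes to manual review.
    if risky and (stale or not grant["verified"]):
        action = "revoke"
    elif reasons:
        action = "review"
    else:
        action = "keep"
    return action, reasons

def monthly_report(grants, today):
    """Map each app name to its (action, reasons) pair."""
    return {g["app"]: review(g, today) for g in grants}
```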
What Has Changed—and What Hasn’t?

Richer default security tools: Tools like Block Public Access for buckets or SSPM dashboards exist, but people still leave them disabled or misinterpret them.
Threat actors are automated: Just as automated scanners once scraped public S3 buckets, now bots scour SaaS tenants looking for open file links, API endpoints, or stale OAuth tokens.
Attack vectors have expanded: A single misconfigured SaaS API can yield more access than a public S3 bucket ever could. Many files, mailboxes, backup sets, shared contacts, or AI model datasets may all be affected at once.
In short, the actor mindset is the same—scan, find misconfiguration, download—but the tools and speed have changed significantly.
Conclusion: SaaS Security Can No Longer Be Ignored
While S3 bucket leaks remain a concern, SaaS misconfigurations are now a leading cause of cloud breaches. With remote work and SaaS adoption accelerating, organizations must shift their security focus to identity management, access controls, and continuous monitoring.
By adopting SaaS Security Posture Management (SSPM) tools, enforcing least privilege access, and educating employees, businesses can mitigate these risks before attackers exploit them. The era of "set it and forget it" SaaS deployments is over—proactive security is the only way forward. The phrase “S3 bucket leak” once conjured images of someone leaving a data folder open on Amazon’s cloud. Today, “SaaS misconfiguration” is that evolving threat—often quieter, more complex, and potentially more damaging. Like S3 leaks before it, this problem isn’t going away. It can only be managed through a proactive security posture, automation, governance, and disciplined processes across the entire SaaS estate.
You no longer need to scan buckets by hand. Instead, search for apps with “public data links enabled,” one-click admin consoles accessible outside secure zones, or APIs emitting sensitive PII to broad audiences. If your organization has heard “S3 buckets” as a risk in the past, it’s time to extend that caution to the hundreds of cloud apps your team depends on.
Citations/References
Venkat, A. (2023, June 6). Cloud misconfiguration causes massive data breach at Toyota Motor. CSO Online. https://www.csoonline.com/article/575483/cloud-misconfiguration-causes-massive-data-breach-at-toyota-motor.html
AppOmni reports major SaaS security preparedness gaps amidst surge in breaches. (n.d.). Security Info Watch. https://www.securityinfowatch.com/cybersecurity/press-release/55303404/appomni-appomni-reports-major-saas-security-preparedness-gaps-amidst-surge-in-breaches
Office for Civil Rights. (2025, July 23). Resolution agreements. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
Secure Blink. (n.d.). Lowe’s Market Hack: Misconfigured AWS S3 bucket leads to data breach. Secure Blink. https://www.secureblink.com/cyber-security-news/lowe-s-market-hack-misconfigured-aws-s3-bucket-leads-to-data-breach
Loehr, T. (2024, April 3). How to prevent AWS S3 bucket misconfigurations. Cycode. https://cycode.com/blog/how-to-prevent-aws-s3-bucket-misconfigurations/
Kobialka, D. (2023, September 11). AWS S3 Cloud Data Leak by Securitas: CSPM Opportunity for MSSPs. MSSP Alert. https://www.msspalert.com/news/amazon-s3-cloud-data-leak-securitas-exposes-nearly-1-5m-files