StepSecurity: Seven ways to manage NHIs

COMMENTARY: Invisible connections drive the modern enterprise. Today, beneath every automated workflow lies a complex web of API keys, OAuth tokens, and service accounts that let sensitive data move across apps and services.

Many organizations are dangerously exposed.

Recent high-profile breaches reveal a disturbing pattern: attackers target app-to-app access to move laterally and remain undetected. With third-party breaches surging to 30% of all incidents, recent events at GitHub and Snowflake confirm that non-human credentials are cybercriminals' new frontier.

The rise of AI usage amplifies the challenge. AI tools and agents often inherit the same API access as humans, but they operate at machine speed and scale. They process vast data and trigger complex, multi-service workflows, all while flying under the radar of legacy security monitoring.

Consider an AI productivity tool connected to Google Workspace, Salesforce, and Slack. The AI agent holds tokens granting it access to emails, customer data, and communications. If these tokens are compromised, the attacker gains a rapid, cross-application foothold across the entire SaaS and AI ecosystem, often without triggering the human-focused behavioral analytics designed to spot suspicious activity.

The security community has invested heavily in monitoring and enforcing constraints around activities based on human identities. Now it’s time we increase visibility and control over the more prevalent and insidious non-human i
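The scenario above (an AI agent holding OAuth tokens for Google Workspace, Salesforce and Slack, whose misuse slips past user-centric behavioral analytics) can be turned into a concrete detection. The Python below is an added example, not code from the commentary or from StepSecurity. It assumes a hypothetical unified audit schema (actor, app, scope, src_ip, user) and a hypothetical credential name; every event is constructed for the example. The detector keys baselines on the credential rather than on a human principal: it records which (app, scope) pairs and which source /24s each credential normally uses and its peak request rate, then flags unseen scopes, new source networks and rate bursts. A last helper shows what a per-user pipeline would even see of the same traffic.

```python
"""Per-credential baseline and anomaly detection for non-human identities.

Added example; not code from the commentary or StepSecurity. The audit
schema, credential names and all events below are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

AGENT = "oauth-client:ai-assistant-prod"   # hypothetical NHI (OAuth client id)
HUMAN = "alice@example.com"                # hypothetical human user


def _evt(ts, actor, app, scope, src_ip, user=None):
    """One normalized audit event; 'user' is None for non-human actors."""
    return {"ts": datetime.fromisoformat(ts), "actor": actor, "app": app,
            "scope": scope, "src_ip": src_ip, "user": user}


def _normal_week():
    """Constructed baseline: five days of the agent's routine, low-rate access
    from the company egress range 203.0.113.0/24 (TEST-NET-3), plus Alice."""
    events = []
    for day in range(24, 29):
        d = f"2025-11-{day}T"
        events += [
            _evt(d + "09:00:00", AGENT, "google-workspace", "gmail.readonly", "203.0.113.10"),
            _evt(d + "09:03:00", AGENT, "salesforce", "api", "203.0.113.10"),
            _evt(d + "09:05:00", AGENT, "slack", "chat:write", "203.0.113.11"),
            _evt(d + "10:00:00", f"user:{HUMAN}", "salesforce", "web", "203.0.113.20", HUMAN),
        ]
    return events


def _incident_day():
    """Constructed incident: the agent's token replayed from an outside address
    (198.51.100.7, TEST-NET-2) at machine speed, exercising scopes the token
    was granted but had never used. Alice's own traffic stays normal."""
    start = datetime.fromisoformat("2025-12-01T14:30:00")
    pattern = [("google-workspace", "drive.readonly"), ("salesforce", "api"),
               ("slack", "users:read"), ("google-workspace", "gmail.readonly")]
    events = [_evt("2025-12-01T10:00:00", f"user:{HUMAN}", "salesforce", "web", "203.0.113.20", HUMAN)]
    for i in range(40):  # 40 calls in 40 seconds, all inside one minute
        app, scope = pattern[i % 4]
        events.append({"ts": start + timedelta(seconds=i), "actor": AGENT, "app": app,
                       "scope": scope, "src_ip": "198.51.100.7", "user": None})
    return events


BASELINE_EVENTS = _normal_week()
INCIDENT_EVENTS = _incident_day()


def build_baseline(events):
    """Per-actor profile: (app, scope) pairs used, source /24s, peak events/minute."""
    profile = defaultdict(lambda: {"access": set(), "nets": set(), "peak_per_min": 0})
    per_minute = defaultdict(Counter)
    for e in events:
        p = profile[e["actor"]]
        p["access"].add((e["app"], e["scope"]))
        p["nets"].add(ip_network(f"{e['src_ip']}/24", strict=False))
        per_minute[e["actor"]][e["ts"].replace(second=0, microsecond=0)] += 1
    for actor, counts in per_minute.items():
        profile[actor]["peak_per_min"] = max(counts.values())
    return dict(profile)


def detect(events, baseline, burst_factor=5):
    """Return (actor, reason, event) for each deviation from the actor's baseline.
    The burst finding fires once per minute, when the count first exceeds
    burst_factor times the actor's historical peak."""
    findings = []
    per_minute = defaultdict(Counter)
    for e in sorted(events, key=lambda x: x["ts"]):
        p = baseline.get(e["actor"])
        if p is None:
            findings.append((e["actor"], "unknown_credential", e))
            continue
        if (e["app"], e["scope"]) not in p["access"]:
            findings.append((e["actor"], "unseen_app_scope", e))
        if not any(ip_address(e["src_ip"]) in net for net in p["nets"]):
            findings.append((e["actor"], "new_source_network", e))
        minute = e["ts"].replace(second=0, microsecond=0)
        per_minute[e["actor"]][minute] += 1
        if per_minute[e["actor"]][minute] == p["peak_per_min"] * burst_factor + 1:
            findings.append((e["actor"], "burst", e))
    return findings


def report(findings):
    """Collapse findings into {actor: Counter(reason)} for triage."""
    out = defaultdict(Counter)
    for actor, reason, _ in findings:
        out[actor][reason] += 1
    return dict(out)


def visible_to_user_analytics(events):
    """What a user-centric UEBA pipeline keeps: events with a human principal.
    The agent's token traffic carries no user, so it is dropped before scoring."""
    return [e for e in events if e["user"] is not None]


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for actor, reasons in report(detect(INCIDENT_EVENTS, base)).items():
        print(actor, dict(reasons))
    print("events a user-centric pipeline would score:",
          len(visible_to_user_analytics(INCIDENT_EVENTS)), "of", len(INCIDENT_EVENTS))
```

Run as-is, the report attributes every finding to the OAuth client: 20 calls with scopes never exercised before, 40 calls from a network the credential has never used, and one burst alert for the minute in which it issued 40 requests against a historical peak of one; the human-keyed view retains only Alice's single event. In production the baseline would come from the SaaS vendors' audit logs (Workspace admin logs, Salesforce event monitoring, Slack audit logs) joined on the OAuth client or service-account identifier, and the scope set would be compared against the scopes actually granted so that over-provisioned but idle scopes can be revoked before an attacker exercises them.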

Source: https://www.scworld.com/perspective/seven-ways-to-manage-nhis

StepSecurity cybersecurity rating report: https://www.rankiteo.com/company/step-security

{
"id": "STE1764701205",
"linkid": "step-security",
"type": "Breach",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'incident': {'affected_entities': [{'customers_affected': None,
                                     'industry': 'Technology',
                                     'location': None,
                                     'name': 'GitHub',
                                     'size': None,
                                     'type': 'Technology / Software '
                                             'Development'},
                                    {'customers_affected': None,
                                     'industry': 'Technology',
                                     'location': None,
                                     'name': 'Snowflake',
                                     'size': None,
                                     'type': 'Cloud Data Warehousing'}],
              'attack_vector': 'Compromised API keys, OAuth tokens, and '
                               'service accounts',
              'data_breach': {'data_encryption': None,
                              'data_exfiltration': 'Possible',
                              'file_types_exposed': None,
                              'number_of_records_exposed': None,
                              'personally_identifiable_information': 'Possible',
                              'sensitivity_of_data': 'High',
                              'type_of_data_compromised': ['Emails',
                                                           'Customer data',
                                                           'Communications']},
              'description': 'Attackers target app-to-app access using API '
                             'keys, OAuth tokens, and service accounts to move '
                             'laterally and remain undetected. Recent breaches '
                             'at GitHub and Snowflake highlight the growing '
                             'threat of non-human credentials being exploited. '
                             'AI tools and agents amplify the risk by '
                             'operating at machine speed with broad access to '
                             'sensitive data across SaaS and AI ecosystems.',
              'impact': {'brand_reputation_impact': 'High (due to third-party '
                                                    'breach exposure)',
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': 'Sensitive data (emails, customer '
                                             'data, communications)',
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': 'High (if PII is compromised)',
                         'legal_liabilities': None,
                         'operational_impact': 'Lateral movement across '
                                               'applications, undetected '
                                               'persistence',
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': 'Google Workspace, Salesforce, '
                                             'Slack, AI productivity tools'},
              'initial_access_broker': {'backdoors_established': None,
                                        'data_sold_on_dark_web': None,
                                        'entry_point': 'Compromised non-human '
                                                       'credentials',
                                        'high_value_targets': 'AI productivity '
                                                              'tools, SaaS '
                                                              'applications',
                                        'reconnaissance_period': None},
              'lessons_learned': 'Non-human credentials (API keys, OAuth '
                                 'tokens, service accounts) are a critical '
                                 'attack vector. Legacy security monitoring '
                                 'focused on human identities is insufficient. '
                                 'AI tools and agents amplify risks due to '
                                 'their broad access and machine-speed '
                                 'operations.',
              'motivation': 'Data exfiltration, lateral movement, persistence',
              'post_incident_analysis': {'corrective_actions': 'Implement '
                                                               'enhanced '
                                                               'monitoring for '
                                                               'non-human '
                                                               'identities, '
                                                               'enforce '
                                                               'least-privilege '
                                                               'access for AI '
                                                               'tools, segment '
                                                               'network access '
                                                               'for critical '
                                                               'applications',
                                         'root_causes': 'Insufficient '
                                                        'monitoring of '
                                                        'non-human '
                                                        'credentials, '
                                                        'over-reliance on '
                                                        'human-focused '
                                                        'behavioral analytics, '
                                                        'broad access granted '
                                                        'to AI tools and '
                                                        'agents'},
              'ransomware': {'data_encryption': None,
                             'data_exfiltration': None,
                             'ransom_demanded': None,
                             'ransom_paid': None,
                             'ransomware_strain': None},
              'recommendations': 'Increase visibility and control over '
                                 'non-human credentials. Implement monitoring '
                                 'for app-to-app access. Enhance security '
                                 'measures for AI tools and agents to prevent '
                                 'lateral movement and data exfiltration.',
              'references': [{'date_accessed': None,
                              'source': 'Third-party breach statistics',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': None,
                                        'regulations_violated': None,
                                        'regulatory_notifications': None},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': None,
                           'containment_measures': None,
                           'enhanced_monitoring': 'Increased visibility and '
                                                  'control over non-human '
                                                  'credentials',
                           'incident_response_plan_activated': None,
                           'law_enforcement_notified': None,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': None,
                           'third_party_assistance': None},
              'title': 'Non-Human Credential Exploitation in App-to-App Access',
              'type': 'Data Breach / Lateral Movement',
              'vulnerability_exploited': 'Insufficient monitoring and control '
                                         'over non-human credentials'}}