Five ways identity-based attacks are violating retail

From the roles of underprivileged administrators to long-forgotten vendor tokens, these attackers have slipped through the cracks of trust and access. Here’s how the five retail violations unfolded and what they revealed…

In recent months, major retailers such as Adidas, the North Face, Dior, Secrets of Victoria, Cartier, Marks & Spencer, and Copp have all been violated. These attacks were not sophisticated malware or zero-day exploits. They used identity-driven, underprivileged access, unsupervised service accounts, and used the human layer through tactics such as social engineering.

The attacker did not have to break in. They’ve logged in. They often moved SaaS apps without realizing it, using real credentials and legitimate sessions.

And while most retailers didn’t share all the technical details, the patterns are clear and repetitive.

This is a breakdown of five recent famous infringements in retail.

1. Adidas: Abuse third party trust

Adidas has identified a data breaches caused by attacks on third-party customer service providers. The company said customer data has been made public, including its name, email address and order details. There are no malware. There are no violations on their part. Only the explosion radius of the vendor they trusted.

How these attacks unfold in SaaS identity:

Vendor-granted SaaS tokens and service accounts often do not require an MFA, do not expire, and fly under the radar. When access is no longer needed but is unsubscribed, it becomes a silent entry point, and is best suited to compromise tactically mapped supply chains like T1195.002, giving attackers a way without causing alarms.

Security Takeout:

It’s not just about protecting users. We also ensure that the vendors have access to it. SaaS integration has stuck longer than the actual contract, and attackers know exactly where to look.

2. The North Face: From password reuse to abuse privileges

North Face has seen a credential packing attack (Miter T1110.004) in which threat actors access customer accounts using leaked credentials (username and password). There is no malware, phishing, weak identity hygiene, or MFA. Once inside, they expanded their personal data and revealed a major gap in basic identity control.

How these attacks unfold in SaaS identity:

SaaS logins without MFA are still everywhere. Once an attacker has valid credentials, he or she has access to the account directly and quietly. There is no need to trigger endpoint protection or raise alerts.

Security Takeout:

Qualification fillings are not new. This was the fourth qualification-based violation on the north face since 2020. Each reminds us that reusing passwords without MFA is a wide open door. And while many organizations implement MFA for employees, service accounts and privileged roles, they are often unsecured. The attackers know that and they go where there is a gap.

Do you want to go deeper? Download the Saas Identity Security Guide to learn how to actively protect all human or non-human identities across the SaaS stack.

3. M&s&co-op: Violated by borrowed trust

British retailers Marks & Spencer and cooperatives were reportedly targeted by threat group scattered spiders known for their identity-based attacks. Reports say they used SIM swapping and social engineering to impersonate employees, and tricked it, resetting their passwords and MFAs, effectively bypassing MFAs without malware or phishing.

How these attacks unfold in SaaS identity:

When an attacker bypasses the MFA, it targets the disadvantaged SaaS role or dormant service accounts to move laterally within the organization’s system, harvesting sensitive data or destroying operations along the way. Their actions blend in with legitimate user behavior (T1078) and use password resets driven by help desk spoofing (T1556.003) to quietly gain persistence and control without raising alarms.

Security Takeout:

There is a reason why identity-first attacks are spreading. They exploit what is already trusted and often leave no malware footprint. To reduce risk, track SaaS identity behavior, including both human and non-human activities, and limit help desk privileges through isolation and escalation policies. Support staff target training can also block social engineering before it happens.

4. Victoria’s Secret: When Saas Administrators are not checked

Victoria’s secret has delayed the release of revenue after a cyber incident disrupted both e-commerce and in-store systems. Although little details are disclosed, the impact is consistent with scenarios involving internal destruction through SaaS systems that manage retail operations such as inventory, order processing, and analytical tools.

How these attacks unfold in SaaS identity:

The actual risk is not just a violation of your credentials. It is an unidentified power of the role of the underprivileged saaS. If a misunderstood administrator or an old token is hijacked (T1078.004), the attacker does not need malware. From inventory management to order processing, everything can be disrupted within the SAAS tier. There are no endpoints. Massive destruction (T1485).

Security Takeout:

The role of SaaS is strong and often forgotten. A single disadvantaged identity with access to critical business applications can cause chaos, and it becomes important to apply strict access controls and continuous surveillance to these shocking identities before it’s too late.

5. Cartier & Dior: The hidden cost of customer support

Cartier and Dior revealed that the attacker accessed customer information via CRM or third-party platforms used for customer service features. These were not infrastructure hacks. They were violating them through a platform to help them, rather than revealing them.

How these attacks unfold in SaaS identity:

In many cases, customer support platforms are SaaS-based, with persistent tokens and API keys quietly connecting to the internal system. These non-human identities (T1550.003) rarely spin, and often make them an easy victory for attackers who escape centralized IAM and target customer data at scale.

Security Takeout:

When SaaS platforms touch customer data, it is part of the attack surface. And if you don’t track how your machine’s identity is accessed, you don’t protect the frontline.

Final Thought: Your SaaS identity is invisible. They are just not being monitored.

The identity of SaaS is invisible. They are just not being monitored. These violations did not require flashy exploits. They needed misplaced trust, reused credentials, unchecked integrations, or accounts that no one reviewed.

The security team locked down endpoints and strengthened SaaS logins, but the real gap lies in their hidden SaaS roles, dormant tokens, and overlooked help desk overrides. If these are still flying under the radar, the violation is already off to a head start.

Wing security was built for this.

Wing’s multi-layer platform continuously protects SaaS stacks, discovers blind spots, hardens configurations, and detects SaaS identity threats before escalating.

This is one source of truth that connects dots of apps, identity and risk, so you can stop it before you can get through the noise and start a violation.

Get a demo of wing Wing Security to see what’s hidden in the SaaS Identity layer.