Real‑World Breach Stories

These are public, documented incidents where attackers exploited the same flaws SAPS fixes: password reuse, identity escalation, and MFA bypass.

Uber Breach (2022)

Cause: Password reuse + MFA fatigue attack

Attackers bought an employee’s reused password, spammed MFA notifications until the user approved one, and gained full internal access — Slack, admin panels, source code, everything.

SAPS Intervention Analysis: The stolen password would be useless because service‑level credentials cannot authenticate to the identity provider (IdP). MFA fatigue becomes irrelevant when the attacker cannot reach the IdP.

Colonial Pipeline (2021)

Cause: Single reused VPN password

Attackers used one leaked password to access Colonial’s network, forcing shutdown of fuel pipelines across the U.S. and triggering a national emergency.

SAPS Intervention Analysis: A reused password from another service cannot authenticate to the IdP, and service‑level credentials cannot access internal systems beyond their own scope.

LastPass Breach (2022–2023)

Cause: Developer account compromise → identity escalation

Attackers stole a developer’s credentials, accessed internal systems, and escalated into customer vault backups. One compromised identity led to global impact.

SAPS Intervention Analysis: The compromised developer credential would be isolated to its service. Under SAPS, service‑level credentials cannot access identity systems or escalate into other internal services.

MGM Resorts Breach (2023)

Cause: Social engineering + MFA reset

Attackers impersonated an employee, reset MFA, took over Okta, and shut down casinos, hotels, ATMs, and slot machines across Las Vegas.

SAPS Intervention Analysis: Service‑level accounts cannot trigger identity resets. SAPS prevents escalation from service access into identity control, blocking the pivot that enabled the takeover.

Okta Support Portal Breach (2023)

Cause: Session token theft

Attackers stole session tokens and accessed Okta’s customer support systems, impacting multiple enterprises.

SAPS Intervention Analysis: Stolen session tokens cannot escalate into identity access. SAPS enforces strict separation between service‑level tokens and identity‑level authority.

EA Games Breach (2021)

Cause: Stolen cookies + MFA bypass

Attackers used stolen session cookies to bypass MFA, accessed Slack, social‑engineered IT, and stole source code.

SAPS Intervention Analysis: Session hijacking cannot escalate into identity. SAPS prevents stolen cookies or tokens from being used to access identity systems or privileged internal services.

Rockstar Games Breach (2022)

Cause: Employee account compromise

Attackers breached an employee’s Slack account and accessed internal systems, leaking GTA6 development footage.

SAPS Intervention Analysis: A compromised service account (Slack) cannot pivot into identity or other internal systems. SAPS isolates each service so a breach cannot spread laterally.

AI Agent Supply‑Chain Vulnerability (2026)

Cause: Compromised open‑source package → remote code execution

Millions of AI agents were exposed when a widely used open‑source package was found to contain a critical vulnerability. Attackers could inject malicious code that AI agents executed automatically because the system trusted the package by default.

SAPS Intervention Analysis: SAPS eliminates blind trust in code execution. Under SAPS, no agent, package, or automated process can perform actions without a cryptographically bound, user‑initiated authentication event. Malicious code cannot impersonate a user, cannot authenticate, and cannot escalate. The attack chain dies at the identity boundary.
