Cloudflare: service accounts widen blast radius

- Cloudflare’s March 3, 2026 threat report says attackers are shifting from “breaking in” to “logging in”: abusing trusted SaaS links and stolen tokens.
- The sharpest example is GRUB1’s Salesloft breach, where one compromised API connection cascaded across hundreds of separate corporate tenants and environments.
- The bigger point is simple: service accounts and broad OAuth scopes turn one stolen credential into cross-app, cross-tenant lateral movement.

Cloud security has a new weak spot: not the firewall, not the password, but the machine identity sitting quietly between apps. Cloudflare’s 2026 threat report says attackers are getting better results by stealing tokens and abusing trusted SaaS integrations than by burning expensive zero-days. That matters because these credentials often belong to service accounts, bots, and integrations that nobody is actively watching. Once one gets stolen, the blast radius can get very large, very fast. (blog.cloudflare.com)

### What changed here?

The news is Cloudflare’s inaugural 2026 Threat Report, published March 3, 2026. Its core claim is that attackers are moving away from noisy “break in” tactics and toward “log in” tactics: stolen session tokens, trusted cloud infrastructure, and over-privileged SaaS connections that already have legitimate access. Cloudflare frames this as a shift toward high-trust exploitation, (blog.cloudflare.com) […] to reuse the permissions that organizations already granted. (blog.cloudflare.com)

### Why do service accounts matter so much?

A service account is a non-human identity: an account used by software, automation, or an integration instead of a person. The problem is that these accounts often keep long-lived credentials, don’t trigger the same user-facing security checks (MFA prompts, device posture, impossible-travel alerts), and accumulate broad permissions over time because breaking automation is painful. If an attacker steals […] (blog.cloudflare.com) […]ange login. Cloudflare’s own docs describe service tokens as credentials for automated systems, which is exactly why they need tighter scoping and rotation than many teams give them. (developers.cloudflare.com)

### Why are SaaS integrations the blast-radius problem?

Because modern SaaS tools are chained together. CRM talks to support software. Support software talks to analytics. Analytics talks to storage. Cloudflare’s report points to over-privileged SaaS integrations as the connective tissue that lets one compromise spread into many environments. T[…] (developers.cloudflare.com) […]already reach them all. (blog.cloudflare.com)

### What’s the concrete example?

Cloudflare keeps pointing back to the GRUB1 breach of Salesloft. In Cloudflare’s telling, that incident showed how a single compromised API connection could cascade into exposure across hundreds of corporate tenants. Cloudflare was itself one of the companies affected downstream in the Salesloft Drift incident, and it said the exposed Salesforce case data could include sensitive […] (blog.cloudflare.com) […]ed 104 Cloudflare API tokens in the compromised data. (blog.cloudflare.com)

### Why are stolen tokens worse than stolen passwords?

Because tokens often represent a session that is already authenticated: the password and any MFA challenge were satisfied when the session was created, so the token holder never has to face them. Cloudflare explicitly calls out stolen session tokens as a higher-efficiency path than traditional intrusion. In its report materials, it also says it blocks about 230 billion threats a day, sees bots behind 94% of login attempts, and ties a large share of ransomware initial ac[…] (blog.cloudflare.com) […]ants the thing that gets them past the login screen entirely. (cloudflare.net)

### Haven’t we seen this before at Cloudflare?

Yes, and that is part of why this warning lands. In Cloudflare’s February 1, 2024 write-up on its Thanksgiving 2023 incident, the company said the attacker used one access token and three service account credentials stolen in the Okta compromise. Cloudflare also said its Zero Trust controls limited lateral movement once the attacker got in. So this is not a theoretical lesson for them. It is one they learned the hard way. (blog.cloudflare.com)

### So what should defenders actually do?

Shrink permissions first: inventory every service account, API token and OAuth grant, and cut scopes back to what the integration actually exercises. Rotate and expire service credentials aggressively. Treat OAuth scopes and SaaS marketplace apps like privileged access, not convenience features. And monitor token use as behavior (which networks it is used from, which actions it performs, at what hours), not just as a secret that either leaked or did not leak. The catch is that most organizations still have poor visibility into SaaS-to-SaaS […] (blog.cloudflare.com 1) (blog.cloudflare.com 2)

### Bottom line?

The modern cloud attack is starting to look less like a break-in and more like a badge swipe. If service accounts keep broad, quiet, long-lived access, one stolen token can become an organizational problem instead of a single-app problem. (blog.cloudflare.com)
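The advice in “So what should defenders actually do?” (shrink scopes, rotate credentials, watch token use as behavior) is concrete enough to show as code. The following Python analyser is an added example for this article, not Cloudflare’s code and not a parser for any real Cloudflare log format: the usage log lines, token IDs, ASNs, scope names, the 90-day rotation limit and the three-event baseline are all constructed for illustration. It flags stale credentials, use of a token from a network or for an action outside its established baseline, tokens that are not in the inventory at all, and granted scopes that the integration never actually exercises (the ones to remove first).

```python
"""Treat service-credential use as behaviour, not just as a secret that did or did not leak.

Added example for this article. Not Cloudflare's code; the log format below
is invented ('<iso-timestamp> <token-id> <principal> <src-asn> <action>'),
as are all token names, ASNs, scopes and thresholds.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_TOKEN_AGE = timedelta(days=90)  # assumed rotation policy for non-human credentials
BASELINE_EVENTS = 3                 # assumed: uses seen before a token's baseline is trusted


@dataclass
class TokenProfile:
    created: datetime
    scopes: frozenset                          # permissions granted at issue time
    asns: set = field(default_factory=set)     # source networks seen so far
    actions: set = field(default_factory=set)  # API actions seen so far
    events: int = 0


def parse_line(line):
    """Parse one constructed log line into (timestamp, token_id, principal, asn, action)."""
    ts, token_id, principal, asn, action = line.split()
    return datetime.fromisoformat(ts), token_id, principal, int(asn), action


def analyse(inventory, lines, now):
    """Return a list of (token_id, reason) findings.

    inventory: token_id -> (created, scopes), as recorded when the credential was issued.
    lines:     usage log lines in time order.
    """
    findings = []
    profiles = {}

    # 1. Rotation hygiene: long-lived credentials are the quiet ones that get reused.
    for token_id, (created, scopes) in inventory.items():
        profiles[token_id] = TokenProfile(created, frozenset(scopes))
        age = now - created
        if age > MAX_TOKEN_AGE:
            findings.append((token_id, f"credential age {age.days}d exceeds {MAX_TOKEN_AGE.days}d rotation policy"))

    # 2. Behaviour: compare each use with where the token is normally used from and what it does.
    for line in lines:
        _ts, token_id, _principal, asn, action = parse_line(line)
        p = profiles.get(token_id)
        if p is None:
            findings.append((token_id, "token not in inventory"))
            continue
        if action not in p.scopes:
            # The API should refuse this; seeing it means the inventory is wrong.
            findings.append((token_id, f"action {action} outside granted scopes"))
        if p.events >= BASELINE_EVENTS:
            if asn not in p.asns:
                findings.append((token_id, f"new source ASN {asn}"))
            if action not in p.actions:
                findings.append((token_id, f"new action {action}"))
        p.asns.add(asn)
        p.actions.add(action)
        p.events += 1

    # 3. Least privilege: scopes granted but never exercised are blast radius for free.
    for token_id, p in profiles.items():
        for scope in sorted(p.scopes - p.actions):
            findings.append((token_id, f"unused scope {scope}"))
    return findings


# Constructed inventory and log lines for the demonstration.
NOW = datetime(2026, 3, 3, tzinfo=timezone.utc)
INVENTORY = {
    "tok-ci-deploy": (NOW - timedelta(days=30), {"zones.read", "dns.write"}),
    "tok-crm-sync": (NOW - timedelta(days=200), {"zones.read", "dns.write", "users.read"}),
}
LOG_LINES = [
    "2026-03-02T01:00:00+00:00 tok-ci-deploy ci-runner 13335 zones.read",
    "2026-03-02T01:05:00+00:00 tok-ci-deploy ci-runner 13335 dns.write",
    "2026-03-02T02:00:00+00:00 tok-ci-deploy ci-runner 13335 zones.read",
    "2026-03-02T03:00:00+00:00 tok-ci-deploy ci-runner 64512 dns.write",   # same action, new network
    "2026-03-02T03:01:00+00:00 tok-crm-sync crm-integration 16509 zones.read",
    "2026-03-02T03:02:00+00:00 tok-crm-sync crm-integration 16509 zones.read",
    "2026-03-02T03:03:00+00:00 tok-crm-sync crm-integration 16509 zones.read",
    "2026-03-02T03:04:00+00:00 tok-crm-sync crm-integration 16509 users.read",  # action never seen before
    "2026-03-02T03:05:00+00:00 tok-unknown unknown 64512 dns.write",            # nobody issued this one
]


def run_demo():
    return analyse(INVENTORY, LOG_LINES, NOW)


if __name__ == "__main__":
    for token_id, reason in run_demo():
        print(f"{token_id}: {reason}")
```

The baseline is deliberately crude (first N uses define “normal”); in practice the comparison would be against a rolling window and a known-good allow-list of egress networks, but the shape of the signal is the same: a stolen token looks like a known principal doing something, or coming from somewhere, it has never done before.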
