
Over 42,000 CRA Accounts Breached: What to Know
More than 42,000 Canadian taxpayer accounts have been breached since 2020. Learn more about the data breach class-action lawsuit involving CRA accounts.
May 20, 2026 - Blog

Across ed-tech, healthcare credentialing, associations, and B2B distribution, a common architecture has emerged:
Marketing site (often WordPress)
Customer or member portal
Learning management system (such as Moodle)
Commerce layer (subscriptions, certifications, products)
Federated identity (SSO, OIDC, SAML)
All operating across subdomains
This is not an edge case. It is the default.
These systems are:
Loosely coupled but operationally interdependent
Supporting multiple user types (admins, partners, customers, learners)
Sharing identity, sessions, and data across boundaries
From a penetration testing perspective, this is no longer a single application.
It is a distributed system with shared trust.
Each component may be individually secure.
The risk emerges in how they are connected.
Key expansion points include:
Cross-domain authentication flows
Token and session reuse across systems
API integrations between services
Role and permission mapping across platforms
Attackers do not target components in isolation. They target transitions between them.
This includes:
Moving from a low-privilege LMS account into higher-privilege portal access
Exploiting weak session boundaries across subdomains
Leveraging inconsistencies between commerce, identity, and content systems
Modern breaches increasingly involve multiple systems and identity layers.
IBM reports that the average organization uses over 100 SaaS applications, many of which are integrated into core workflows
Data shows that large organizations commonly maintain dozens of active identity integrations per environment
Verizon DBIR consistently finds that over 60% of breaches involve credential abuse or identity misuse, often across systems
In hybrid B2B/B2C platforms, this translates into:
Multiple trust relationships
Shared authentication layers
Expanded lateral movement opportunities
The complexity is not theoretical. It is operational.
In testing, these environments tend to fail at the boundaries.
SSO is often implemented inconsistently.
Common issues include:
Token validation differences between systems
Over-trusting identity assertions
Incomplete logout or session invalidation
A user authenticated in one system may gain unintended access in another.
Different systems maintain different role models.
For example:
LMS roles (student, instructor)
Portal roles (member, admin)
Commerce roles (customer tiers, subscriptions)
Mapping between these is often:
Incomplete
Over-permissive
Poorly validated
This creates opportunities for privilege escalation across systems.
Subdomain architectures introduce complexity in:
Cookie scope and sharing
Session persistence
Cross-origin controls
Misconfigurations can allow:
Session fixation
Unauthorized session reuse
Leakage between environments
APIs connect these systems.
They often:
Trust upstream identity without re-validation
Expose sensitive functionality without sufficient authorization checks
Lack consistent rate limiting or monitoring
These become high-value targets for attackers looking to bypass UI-layer controls.
As integration depth increases, so does risk.
Gartner estimates that over 70% of new enterprise applications rely on APIs and integrations as core functionality
Salt Security reports that API attacks grew by over 400% in recent years, driven by increased reliance on interconnected services
In hybrid platforms, APIs are the glue. They are also a primary attack vector.
Despite their complexity, hybrid platforms are often tested as separate components.
Typical gaps include:
Testing the WordPress site, portal, and LMS independently
Excluding federation flows from scope
Treating APIs as secondary or partially in-scope
Failing to test cross-role and cross-system scenarios
This results in:
Good coverage of individual systems
Limited understanding of how attackers move between them
Testing remains component-focused, while risk is system-level.
Effective penetration testing in these environments requires:
Mapping full user journeys across systems
Testing identity flows end-to-end (SSO, OIDC, SAML)
Validating role transitions and privilege boundaries
Exercising APIs with real user context and token manipulation
Attempting lateral movement across subdomains and services
The objective is not to test each system independently.
It is to validate the combined attack surface.
Hybrid B2B/B2C platforms are now standard across multiple industries.
They introduce:
Multiple user types
Shared identity layers
Deep system integrations
Risk is no longer isolated.
It emerges from:
Trust relationships
Data flows
Role mappings
Security assurance must reflect this reality.
When your store, portal, and LMS are connected, your attack surface is defined by those connections.
Penetration testing that focuses only on individual systems will miss how threat actors operate.
Organizations that test across identity, integration, and user roles gain a more accurate view of risk in modern, federated environments.