
Over 42,000 CRA Accounts Breached: What to Know
More than 42,000 Canadian taxpayer accounts have been breached since 2020. Learn more about the data breach class-action lawsuit involving CRA accounts.
May 20, 2026 - Blog
Authored By Firas Fatnassi

When most people think about account takeover, they think about stolen credentials, phishing, password spraying, or SQL injections. Those attack paths still matter, but during real-world assessments, a different class of account takeover emerge.
In modern SaaS applications, especially multi-tenant platforms, account takeover often happens without stealing a password at all. Instead, attackers abuse how applications create, verify, reuse, delegate, and bind identity.
A user may authenticate correctly, password policies may be strong, the login form may be secure. Yet a threat actor may still be able to make the application believe they are another user.
This article is the first in the “When Identity Becomes the Attack Surface” series, exploring real-world identity boundary failures observed during offensive security testing across modern SaaS and multi-tenant applications.
Authentication answers one question:
Who is logging in?
Identity architecture has to answer something much harder:
What is this identity actually allowed to become, inherit, influence, or control?
And during real-world assessments, that ’s usually where testing begins:
When does an identifier become trusted?
Who actually owns this identity?
Where is this identity scoped, and where does that scope end?
Can this identity move across tenants, sessions, or devices?
Who is allowed to delegate, recover, or impersonate it?
Can one authentication method silently authorize another?
An application may correctly verify that a user is logged in, but incorrectly decide what that user is allowed to access. In a multi-tenant environment, that mistake can lead to cross-customer exposure, unauthorized access, or full account takeover.
Multi-tenant platforms are designed to serve multiple customers through a shared application. Each customer may have its own workspace, organization, portal, or tenant.
This creates a complex identity model. A single person may belong to multiple tenants. A tenant administrator may invite users. A support team may impersonate users. A user may authenticate through password login, social login, SSO, CLI tooling, or connected integrations.
Behind the scenes, the application must keep multiple concepts separate:

Account takeover vulnerabilities happen when these concepts are confused.
Cases have been observed where tenant administrators unintentionally influenced global user identities, social login providers were trusted without validating whether the underlying email was ever verified, and device or CLI sessions were bound simply because a logged-in browser opened a link.
Identity boundary failures become especially dangerous when a single identity system is trusted across multiple platforms, because one broken trust boundary can extend far beyond a single application.
A single flaw may allow an attacker to move across tenants, assume legitimate identities, influence authentication state, or extend access beyond intended boundaries.
If a platform cannot reliably separate identities, tenants, and sessions, the impact can extend beyond one user account. It can become cross-tenant data exposure.
Identity vulnerabilities are often difficult to identify through automated scanning.
Most security tools are designed to detect:
Known vulnerabilities
Misconfigurations
Exposed services
Outdated software
Injection flaws
Identity boundary failures rarely fit those categories.
Instead, they require contextual understanding of:
Business logic
Tenant architecture
Authorization models
Trust relationships
User lifecycle management
This is why manual adversarial testing remains so valuable.
Understanding how an application thinks about identity often reveals risks that automated tools cannot easily identify.
The vulnerability may not exist in the code itself; it may exist in the assumptions the application makes about trust.
Across numerous assessments, it is often found that the application's login and registration flows are implemented securely. The real issue usually appears in the features built around them.
When one of those workflows becomes slightly over-permissive or behaves more openly than intended, it can create a chain of trust failures that ultimately makes even a secure authentication flow irrelevant. Attackers do not always break authentication.
More often, they manipulate features that were intentionally built by design like invitation workflows, impersonation tools, account recovery flows, device authorization, or delegated access. The real risk appears when those features are used in ways the developers never expected. If those edge cases were never considered those same features can become the entry point to account takeover.
As SaaS ecosystems continue growing, identity is becoming the new perimeter.
Users now move continuously between:
Browsers
Mobile applications
Cloud services
Identity providers
Third-party integrations
APIs
Devices
Organizations
Every transition requires trust.
Every trust decision creates potential risk.
The challenge for defenders is no longer simply verifying that a user can log in.
The challenge is ensuring that identity remains correctly scoped, authorized, and constrained across every workflow that follows.
Modern SaaS applications are built around identity: users move between tenants, devices, integrations, browsers, and authentication providers every day. Every transition creates another opportunity for trust to be misplaced.
The most dangerous account takeover vulnerabilities are no longer always found in passwords, login forms, or authentication protocols.
Increasingly, they emerge from the business logic that determines how identities are created, linked, delegated, recovered, and trusted.
As applications become more interconnected and identity systems become more complex, security teams must look beyond authentication alone.
Because when identity becomes the attack surface, an attacker doesn't need to break in: instead, they only need the application to trust the wrong thing.