Tags: saas, secrets management, for responders

Vault export equals total blast radius: a password-manager breach

A hijacked admin session exports shared vaults, and every secret inside is now compromised. You cannot rotate them one at a time, so containment is a prioritized mass-rotation.

A SaaS password manager concentrates production secrets, so one hijacked admin session can export them all. The lesson here is blast radius: once a shared vault has been exported, you cannot rotate the secrets one at a time fast enough.

How the attack works

An admin session is used from a never-seen device, most likely via a stolen session cookie. The attacker abuses admin and SCIM capabilities to grant that account membership in additional shared vaults across engineering, infra, and finance, then bulk-reveals and exports the items, pulling cloud keys, database credentials, and SaaS API tokens out of the manager. Several exported credentials are then used to authenticate to cloud and SaaS providers, confirming the cascade has begun. In ATT&CK terms this is T1555, Credentials from Password Stores, with T1078, Valid Accounts, T1552, Unsecured Credentials, and T1530, Data from Cloud Storage, for the downstream collection.

Why it works

Admins legitimately manage vault membership and occasionally export items. The breach signal is the sequence compressed into minutes: an unfamiliar device self-granting into multiple shared vaults and then bulk-exporting. A concentration of long-lived static secrets reachable from one admin session is the root cause.
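The sequence described above is what a detection should key on, not any single action. The following is an added example written for this note, not code from the original page or from GraphLattice; the audit-log schema (fields `session`, `device`, `action`, `vault`, `target`, `count`), the event names, and the thresholds are assumptions, since real password-manager audit formats differ. It groups constructed events by session and alerts only when an unfamiliar device self-grants into several shared vaults and then bulk-pulls items inside a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines) in an assumed schema, not a real product's format.
# s-1: unknown device, three self-grants, then bulk exports within minutes -> the breach pattern.
# s-2: known device, an admin adding someone else to one vault and revealing one item -> normal work.
# s-3: known device exporting a handful of items without any membership change -> normal work.
SAMPLE_LOG = """
{"ts": "2024-05-02T10:01:00Z", "session": "s-1", "user": "alice", "device": "dev-unknown-77", "action": "login"}
{"ts": "2024-05-02T10:02:10Z", "session": "s-1", "user": "alice", "device": "dev-unknown-77", "action": "vault_member_add", "vault": "eng-prod", "target": "alice"}
{"ts": "2024-05-02T10:02:40Z", "session": "s-1", "user": "alice", "device": "dev-unknown-77", "action": "vault_member_add", "vault": "infra", "target": "alice"}
{"ts": "2024-05-02T10:03:05Z", "session": "s-1", "user": "alice", "device": "dev-unknown-77", "action": "vault_member_add", "vault": "finance", "target": "alice"}
{"ts": "2024-05-02T10:05:00Z", "session": "s-1", "user": "alice", "device": "dev-unknown-77", "action": "item_export", "vault": "eng-prod", "count": 40}
{"ts": "2024-05-02T10:07:00Z", "session": "s-1", "user": "alice", "device": "dev-unknown-77", "action": "item_export", "vault": "infra", "count": 25}
{"ts": "2024-05-02T10:09:00Z", "session": "s-1", "user": "alice", "device": "dev-unknown-77", "action": "item_export", "vault": "finance", "count": 12}
{"ts": "2024-05-02T11:00:00Z", "session": "s-2", "user": "bob", "device": "dev-laptop-03", "action": "login"}
{"ts": "2024-05-02T11:04:00Z", "session": "s-2", "user": "bob", "device": "dev-laptop-03", "action": "vault_member_add", "vault": "eng-prod", "target": "carol"}
{"ts": "2024-05-02T11:06:00Z", "session": "s-2", "user": "bob", "device": "dev-laptop-03", "action": "item_reveal", "vault": "eng-prod", "count": 1}
{"ts": "2024-05-02T13:00:00Z", "session": "s-3", "user": "alice", "device": "dev-laptop-01", "action": "login"}
{"ts": "2024-05-02T13:20:00Z", "session": "s-3", "user": "alice", "device": "dev-laptop-01", "action": "item_export", "vault": "eng-prod", "count": 5}
"""

# Constructed device inventory: devices each admin has previously used (assumed to come from the IdP or MDM).
KNOWN_DEVICES = {"alice": {"dev-laptop-01"}, "bob": {"dev-laptop-03"}}


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def detect(events, known_devices, window=timedelta(minutes=15), min_vaults=2, min_items=20):
    """Return one alert per session that matches: new device -> self-grant into
    >= min_vaults shared vaults -> reveal/export of >= min_items, all inside `window`."""
    sessions = defaultdict(list)
    for e in events:
        sessions[e["session"]].append(e)

    alerts = []
    for sid, evs in sessions.items():
        evs.sort(key=lambda e: e["ts"])
        user, device = evs[0]["user"], evs[0]["device"]
        new_device = device not in known_devices.get(user, set())

        # Membership grants where the grantee is the acting admin (self-grant).
        grants = [e for e in evs if e["action"] == "vault_member_add" and e.get("target") == user]
        self_vaults = sorted({e["vault"] for e in grants})
        pulls = [e for e in evs if e["action"] in ("item_reveal", "item_export")]
        items = sum(e.get("count", 1) for e in pulls)

        if not (new_device and len(self_vaults) >= min_vaults and pulls):
            continue
        # Order matters: the first self-grant must precede the first pull, and the
        # whole chain from first grant to last pull must fit in the window.
        if grants[0]["ts"] > pulls[0]["ts"]:
            continue
        span = pulls[-1]["ts"] - grants[0]["ts"]
        if span > window or items < min_items:
            continue

        alerts.append({
            "session": sid,
            "user": user,
            "device": device,
            "vaults": self_vaults,
            "items": items,
            "span_minutes": round(span.total_seconds() / 60, 1),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG), KNOWN_DEVICES):
        print(alert)
```

The thresholds are deliberately conservative so that a single admin adding one colleague to one vault never fires; tuning `min_vaults`, `min_items` and `window` against your own manager's baseline is the real work, and the device check should be fed from whatever system already knows an admin's devices.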

How to fix it

Revoke the admin session and lock the affected vaults, then treat every exported secret as compromised whether or not you have seen it used, and drive a prioritized mass-rotation across all downstream providers. Rotating only the secrets you observed being used leaves the rest available to the attacker later. Forensics combines the manager’s read and export log with each downstream provider’s log. For the class of attack, reduce long-lived static secrets in favor of short-lived federated credentials, scope shared-vault access tightly, require phishing-resistant MFA and session binding for admins, and alert on SCIM and admin changes.
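The two response steps above, joining the manager's export log with downstream provider logs and then ordering a rotation that still covers every exported item, can be driven from one small script. The following is an added example written for this note, not code from the original page or from GraphLattice; the export-record schema (`item_id`, `vault`, `type`, `provider`, `cred_ref`), the normalised provider-log shape, and the per-type rotation weights are assumptions, and all identifiers in it are constructed placeholders. Observed use only moves an item to the front of the queue; nothing is ever dropped from it.

```python
import json
from datetime import datetime

# Assumed rotation weights by secret type; higher rotates earlier. Constructed for this example.
TYPE_WEIGHT = {"cloud_key": 3, "db_credential": 2, "saas_token": 1}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed manager export log: one record per item pulled out of a vault during the hijacked session.
# cred_ref is whatever the downstream provider logs as the principal (key id, username, token).
EXPORT_LOG = """
{"ts": "2024-05-02T10:05:00Z", "session": "s-1", "item_id": "it-103", "vault": "eng-prod", "type": "saas_token", "provider": "github", "cred_ref": "ghp_EXAMPLE0001"}
{"ts": "2024-05-02T10:05:00Z", "session": "s-1", "item_id": "it-105", "vault": "eng-prod", "type": "cloud_key", "provider": "gcp", "cred_ref": "deploy-sa@example-project.iam.gserviceaccount.com"}
{"ts": "2024-05-02T10:07:00Z", "session": "s-1", "item_id": "it-101", "vault": "infra", "type": "cloud_key", "provider": "aws", "cred_ref": "AKIAEXAMPLE0000000001"}
{"ts": "2024-05-02T10:07:00Z", "session": "s-1", "item_id": "it-102", "vault": "infra", "type": "db_credential", "provider": "postgres", "cred_ref": "app_rw"}
{"ts": "2024-05-02T10:09:00Z", "session": "s-1", "item_id": "it-104", "vault": "finance", "type": "saas_token", "provider": "stripe", "cred_ref": "sk_live_EXAMPLE0001"}
"""

# Constructed downstream provider logs, already normalised to (ts, principal, event, src).
# The github event predates the export, so it is ordinary CI use and must not count as observed misuse.
PROVIDER_LOGS = {
    "aws": [{"ts": "2024-05-02T10:20:00Z", "principal": "AKIAEXAMPLE0000000001", "event": "GetCallerIdentity", "src": "203.0.113.5"}],
    "github": [{"ts": "2024-05-02T09:50:00Z", "principal": "ghp_EXAMPLE0001", "event": "repo.clone", "src": "198.51.100.9"}],
    "postgres": [],
    "stripe": [],
    "gcp": [],
}


def load_export(text):
    """Parse the export log (JSON lines) into dicts with a datetime in 'ts'."""
    items = []
    for line in text.strip().splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = _ts(rec["ts"])
            items.append(rec)
    return items


def observed_use(item, provider_logs):
    """Provider events for this credential that occurred at or after its export time."""
    return [
        ev for ev in provider_logs.get(item["provider"], [])
        if ev["principal"] == item["cred_ref"] and _ts(ev["ts"]) >= item["ts"]
    ]


def rotation_plan(exported, provider_logs):
    """Every exported item goes into the plan; observed-used items first, then by
    secret-type weight, then by export time. Returns the ordered rotation queue."""
    plan = []
    for item in exported:
        hits = observed_use(item, provider_logs)
        plan.append({
            "item_id": item["item_id"],
            "vault": item["vault"],
            "provider": item["provider"],
            "type": item["type"],
            "exported_at": item["ts"],
            "observed": bool(hits),
            "observed_events": hits,
        })
    plan.sort(key=lambda p: (0 if p["observed"] else 1, -TYPE_WEIGHT.get(p["type"], 0), p["exported_at"]))
    return plan


if __name__ == "__main__":
    for i, p in enumerate(rotation_plan(load_export(EXPORT_LOG), PROVIDER_LOGS), 1):
        flag = "OBSERVED" if p["observed"] else "unobserved"
        print(f"{i}. {p['item_id']} {p['provider']}/{p['type']} from {p['vault']} [{flag}]")
```

The join on `cred_ref` is the forensic step; the time filter keeps legitimate pre-export activity from inflating the "observed" set. The ordering encodes the note's point: the queue length equals the export count no matter how many items were seen in use.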

Practice it

We built this as a GraphLattice Range scenario so responders can rehearse cutting the session and mass-rotating the entire export, not just the observed secrets.