// 2 CVE · 1 EXPLOIT IN THE LAST 24H
Kaseya's 2026 SaaS Security Report reveals that guest accounts make up 69% of monitored SaaS identities across 50,000+ SMBs, while MFA is disabled for 56% of end-user accounts. Attackers are exploiting these gaps with AI-assisted enumeration and persistent OAuth tokens.

On , Kaseya released its 2026 SaaS Security Report, based on an analysis of 27.6 billion security events across more than 50,000 small and midsize business customer environments. The data shows an attack surface expanding through legitimate identities: guest accounts outnumber licensed users 2:1, multi-factor authentication is disabled for the majority of accounts, and OAuth tokens persist independently of credential lifecycles.

Key Takeaways
  • Guest accounts represent 69% of monitored SaaS accounts in the Kaseya sample, with 4.3 million guest identities versus 1.9 million licensed users.
  • 56% of monitored end-user accounts had MFA disabled or inactive; only 27% of SMB organizations enforced organization-wide MFA policies.
  • OAuth-connected applications retain persistent permissions even after password resets, as documented in the report.
  • Service principals (non-human identities) generated 20% of critical security alerts in 2025, against a backdrop of 278 million medium-to-high severity alerts.

The Facts: Guest Account Proliferation and Disabled MFA

Of the 6.2 million end-user accounts analyzed in the Kaseya sample, 4.3 million are guest identities compared to 1.9 million licensed users. This 2:1 ratio reflects the widespread use of platforms like Microsoft 365 and Google Workspace to collaborate with vendors, consultants, and business partners.

The increase is quantified at 1.9 million additional guest accounts year-over-year, per the Kaseya sample. In 45% of Microsoft 365 cases, shared files were sent outside the organization, with orphaned sharing links.

The report also documents a fracture between awareness and implementation: 56% of monitored end-user accounts had MFA disabled or inactive, and only 27% of SMB organizations enforced organization-wide MFA policies.

Analysis: Why the Perimeter Is No Longer Where You Defend

[Editorial analysis section]

Legacy defenses — firewalls, VPNs, geolocation blocking — do not track external SaaS identities. When 44% of unauthorized logins from outside North America originate from trusted infrastructure and outsourcing hubs (India 14%, Philippines 10%), geography-based controls show structural limits in the analyzed sample.

Risk amplifies with attacker use of AI. According to Kaseya, AI-assisted account enumeration makes targeting guest accounts with weak or absent MFA more efficient.

Unit 42 (Palo Alto Networks) data provides technical context: 65% of intrusions use identity-based initial access, and 99% of cloud identities have excessive permissions. As Sam Rubin, SVP Consulting and Threat Intelligence at Unit 42, stated: "They are not breaking in; they are logging in".

"They are not breaking in; they are logging in"

— Sam Rubin, SVP Consulting and Threat Intelligence, Unit 42 (Palo Alto Networks)

OAuth and Service Principals: Persistence Beyond Credentials

A specific mechanism involves third-party integrations connected via OAuth. According to the Kaseya report, these applications use persistent tokens instead of user credentials, maintaining access to data even after password resets.

In 2025, 20% of critical security alerts originated from service principal logins. These non-human identities do not follow human user onboarding and offboarding cycles. The report does not specify the volume of active OAuth tokens in the sample.

This dynamic aligns with Unit 42 documentation: OAuth misuse and token theft are vectors in identity-based attacks.

Alert Fatigue: Volume and Visibility

In the analyzed sample, 278 million medium-to-high severity alerts accumulated in 2025, with 98.9% of events classified as low severity. This distribution concentrates security team attention on a minority of high-priority signals.

Jim Lippie, Kaseya's chief product officer, observed that "today's AI-emboldened threat actors see one interconnected attack environment, whereas most organizations defend their infrastructure in pieces". He added that "the most resilient organizations will be those that embrace continuous monitoring, identity governance and automated response as foundational requirements".

What to Do Now

Specific actions documented in the report include:

  • Guest account inventory: Identifying the 4.3 million guest identities in the sample requires systematic mapping; organizations must extend this practice to their own SaaS environments.
  • MFA enforcement: The 27% organization-wide enforcement figure indicates most SMBs have not completed rollout; activation on SaaS identity providers is the step documented in the report.
  • OAuth permission review: The report flags persistent tokens as a known gap; periodic verification of connected integrations is the corresponding action for the documented mechanism.
  • Service principal monitoring: The 20% of critical alerts from non-human identities requires dedicated visibility, separate from human user monitoring.

Sample Limitations and Methodological Context

The data presented derives from a vendor self-reported report: Kaseya analyzed 27.6 billion events in 50,000+ customer environments, not a randomized or independent sample. Percentages refer to this specific sample. It is unclear whether the 69% guest account figure refers to all monitored accounts or only those with active guest access. The geographic distribution of the 50,000 environments is not specified.

Primary sources are the Kaseya report and articles covering it (Help Net Security, CyberRiskLeaders). Unit 42 data provides technical context on identity-based attacks but is not part of the same Kaseya sample.

Information is based on the Kaseya 2026 report and articles reporting on it. Data is specific to the vendor sample and does not derive from multiple independent investigations.

Information has been verified against cited sources and is current as of publication.

Sources


Sources and references
  1. kaseya.com
  2. helpnetsecurity.com
  3. cyberriskleaders.com
  4. welivesecurity.com
  5. securityweek.com