How Did a Stolen OAuth Token Bypass MFA in the $2M Supply Chain Attack?
The theft of an OAuth session token enabled an MFA bypass during a $2 million supply chain attack on Vercel. Attackers used a stolen OAuth session token, taken from an infected personal device, to replay authentication and access internal systems without triggering MFA. The breach exposed about 580 employee records and featured a $2 million ransom demand linked to the exposure of customer environment variables.

Network Threat Detection notes that attackers are targeting OAuth trust chains and relying on token replay to bypass MFA. The analysis frames the breach as part of a broader pattern affecting the supply chain rather than as a single incident. It cites industry figures: a 3,750% increase in OAuth phishing and a 61% rate of organizations affected by third-party breaches, with 1,000+ SaaS environments impacted.

The sequence described by investigators shows Lumma Stealer infecting a personal device, harvesting a Google OAuth token, that token being replayed to gain access, and MFA being bypassed as a result, allowing data access and the ransom demand. Traditional defenses can fail when session tokens are compromised because MFA protects the login event, not the active token that the login produces. The report emphasizes an industry-wide shift toward protecting identity trust chains between vendors rather than relying solely on credentials.
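As an added illustration of the gap the report describes (MFA is checked at login, not on each use of the resulting session token), the following detector is example code, not something from the report or from Vercel. It assumes an auth log whose entries carry a session id, source IP and a device fingerprint, and flags any use of a token from a device or IP other than the one that completed MFA when the token was issued, which is the pattern a replayed token from a second device would produce.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class AuthEvent:
    ts: datetime
    session_id: str   # identifier of the OAuth/session token (hashed in real logs)
    user: str
    ip: str
    device: str       # device fingerprint captured at login and on each request
    event: str        # "login_mfa" (MFA completed) or "api_access" (token used)

# Constructed sample log (not real data): an MFA-backed login from a corporate
# laptop, a legitimate follow-up request, then the same token reused from a
# different host, plus a token for which no MFA login was ever recorded.
SAMPLE_EVENTS = [
    AuthEvent(datetime(2025, 1, 1, 9, 0),  "sess-A", "alice", "203.0.113.10", "laptop-corp", "login_mfa"),
    AuthEvent(datetime(2025, 1, 1, 9, 5),  "sess-A", "alice", "203.0.113.10", "laptop-corp", "api_access"),
    AuthEvent(datetime(2025, 1, 1, 11, 30), "sess-A", "alice", "198.51.100.7", "unknown-win11", "api_access"),
    AuthEvent(datetime(2025, 1, 1, 11, 31), "sess-B", "bob",   "203.0.113.20", "laptop-bob",  "api_access"),
]

def detect_token_replay(events):
    """Return (session_id, user, reason) alerts for token uses that do not match
    the device/IP bound to the token at MFA time.  Binding the token at issuance
    and refusing (and revoking) on mismatch is the corresponding mitigation."""
    bound = {}    # session_id -> (ip, device) recorded when MFA completed
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event == "login_mfa":
            bound[e.session_id] = (e.ip, e.device)
            continue
        origin = bound.get(e.session_id)
        if origin is None:
            alerts.append((e.session_id, e.user, "token used with no MFA login on record"))
        elif (e.ip, e.device) != origin:
            alerts.append((e.session_id, e.user,
                           f"token bound to {origin[1]}@{origin[0]} used from {e.device}@{e.ip}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_token_replay(SAMPLE_EVENTS):
        print(alert)
```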