Ghost logins are additional login methods than can exist simultaneously to the preferred default login method (e.g. SSO). Ghost logins often lack robust authentication controls such as MFA, meaning that stolen credentials for local logins with a username and password will remain valid even if an SSO login also exists for that account. These accounts will lack MFA unless specifically adopted by the user.

This vulnerability affects the majority of SaaS apps, including Snowflake, which was recently subject to a massive malicious campaign in which accounts belonging to over 165 Snowflake customers have been compromised.