
The SaaS Snowball: How Supply Chain Breaches Are Buried Risks for Every Enterprise

  • Writer: David Long
  • Sep 22
  • 6 min read
Image: The SaaS snowball: small risks gather speed until they bury productivity, trust, and supply chains.

Introduction: When Small SaaS Risks Become Avalanches


A single misconfiguration.

A careless OAuth permission.

A vendor compromise.


On their own, they look manageable. But in SaaS, small problems rarely stay small. Like a snowball rolling downhill, risk gathers momentum. It accelerates. It picks up debris. And before long, it becomes a force that can flatten productivity, erode trust, and paralyse entire supply chains.

This year’s breaches prove the snowball effect is not theoretical. It’s happening right now, and it’s reshaping how CIOs and CISOs must think about SaaS resilience.


Case Study 1: Salesloft → Drift → Salesforce


Image: From a single GitHub compromise at Salesloft, Drift tokens became the path into Salesforce - leaving hundreds of organisations exposed.

Between March and June 2025, attackers compromised Salesloft GitHub repositories and stole OAuth and refresh tokens linked to Drift integrations.

With those tokens in hand, they accessed hundreds of Salesforce customer environments, exfiltrating sensitive records, contacts, and even cloud secrets like AWS and Snowflake credentials.

More than 700 organisations were impacted. And here’s the critical detail: Salesforce itself was not breached. Its core platform remained secure. What failed was the web of trust that connected these SaaS applications.

This is the SaaS snowball in motion:


  • One vendor compromised.

  • A token reused.

  • Downstream integrations abused.

  • Hundreds of enterprises buried in the fallout.


Case Study 2: Airline Systems Grounded


Image: When Collins Aerospace’s MUSE system was compromised, the ripple effect grounded flights and paralysed supply chains across Europe.

In September 2025, a cyberattack struck Collins Aerospace’s MUSE system - the check-in and baggage drop software used by airlines worldwide.

The result was chaos. At Heathrow, Brussels, and Berlin airports, flights were delayed, operations reverted to manual, and thousands of passengers were stranded.

The airlines themselves weren’t hacked. Nor were the airports. But a single vendor dependency became the weak link, and the impact rippled across continents.

This is the snowball in action:


  • One vendor compromised.

  • Critical systems disrupted.

  • Entire supply chains frozen.


Case Study 3: OAuth Abuse & Misconfigurations


Image: One compromised OAuth token can cascade across your SaaS ecosystem - exposing data in Google Workspace, Microsoft 365, Salesforce, Jira, and beyond.

Not every snowball starts with a vendor breach. Sometimes it begins inside the organisation itself.

The ShinyHunters campaign (UNC6040) exploited a mix of social engineering and OAuth abuse to gain access to Salesforce environments. Attackers used fake versions of common tools, such as Data Loader, to trick users into handing over credentials. Once inside, they abused over-permissive tokens and misconfigured integrations to exfiltrate sensitive data.

The lesson? SaaS missteps are just as dangerous as external compromises:


  • OAuth tokens that aren’t rotated or scoped properly become skeleton keys.

  • Misconfigurations create unintended back doors.

  • Shadow integrations expand the attack surface without ever being approved.


What looked like user error quickly cascaded into systemic compromise.


Earlier Incidents: OAuth Abuse, Misconfigurations, Shadow Integrations


Image: One Key. Every Door. A single OAuth token acts as a master key that unlocks Microsoft 365, Google Workspace, Salesforce, and Dynamics 365 alike.

The Salesloft/Drift/Salesforce breach wasn’t the first warning shot. A string of earlier attacks already revealed how OAuth tokens and SaaS misconfigurations create open doors for attackers:

  • Token Theft & Abuse - Groups like ShinyHunters (UNC6040) used social engineering and fake Salesforce tools (such as counterfeit Data Loader apps) to steal OAuth tokens. With those in hand, they quietly extracted sensitive customer data without ever “breaking in” through the front door.

  • Shadow Integrations - Many organisations discovered too late that employees had granted third-party apps deep access into core systems. These integrations - often invisible to IT - create hidden tunnels for attackers to exploit.

  • Misconfigurations - Overly broad permissions, stale tokens that were never rotated, and failure to enforce least-privilege policies have been repeatedly cited as the root cause of SaaS data exposure. In cloud-first environments, configuration mistakes can be just as dangerous as zero-day exploits.


The lesson is clear: it’s not always a breach in the SaaS vendor itself. Often, it’s the unseen trust relationships - the tokens, permissions, and “shadow IT” integrations - that open the door.


Supply Chain Blind Spots and Third-Party Failures

Even if your SaaS vendor has airtight security, their partners, repositories, or downstream integrations might not. That’s where risk multiplies.

  • GitHub Compromises - Attackers often target code repositories where credentials, API tokens, or integration secrets may be exposed. A weak spot in a partner’s development workflow can cascade into your SaaS environment.

  • Vendor’s Vendor Problem - Salesforce may be secure. Google Workspace may be secure. But what about the smaller SaaS tools connected through OAuth, APIs, or plug-ins? When one of them is compromised, the blast radius expands straight into your core business systems.

  • Lack of Visibility - Few organisations maintain a complete inventory of SaaS-to-SaaS connections. This “shadow web” of integrations grows faster than IT teams can track, leaving security teams blind to who or what has permission to read, write, or delete data.


The reality: your SaaS ecosystem is only as strong as its weakest integration. Attackers know this, and they actively exploit it.


Incident Response and Recovery Gaps

Knowing the risks is one thing. Responding when they’re exploited is another. Too many organisations still stumble at the moment of truth:


  • Slow Detection - OAuth tokens and API abuse can run for weeks before alarms are raised. By then, exfiltration has already occurred.

  • Late Revocation - Tokens and permissions aren’t revoked promptly, leaving attackers with continued access during “response.”

  • Over-Permissive Scopes - Even if a token is cut, the damage is amplified because it granted more access than it ever should have.

  • Logs Without Insight - Security logs often exist but lack the depth to reveal what was accessed, changed, or stolen.


The result? Security teams can’t answer the most critical question: what data was touched, and can we recover it intact?
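One way to close the “logs without insight” gap and answer that question, as an added example rather than anything from the original post or the vendors it names: reduce API audit events to per-integration daily volume, the objects each integration touched and the addresses it came from, then alert when an integration (or one not in the inventory at all) exceeds its usual volume. The log format, the events and the baselines below are assumptions constructed for the example; a real run would parse your platform’s own event-log export.

```python
"""Reduce SaaS API audit events to what IR needs: which integration touched
which objects, how many rows, and whether that exceeds its normal volume.
Added example, not from the original post or any vendor it names; the log
format, events and baselines are constructed for illustration."""
from collections import defaultdict

# Constructed audit lines: time,client_id,user,event,object,rows,src_ip
AUDIT_LOG = """\
2025-09-01T09:12:00Z,crm-sync,svc-sync,Query,Contact,450,203.0.113.10
2025-09-01T09:40:00Z,crm-sync,svc-sync,Query,Account,120,203.0.113.10
2025-09-02T03:05:00Z,chat-widget,svc-chat,Query,Contact,48000,198.51.100.77
2025-09-02T03:07:00Z,chat-widget,svc-chat,Query,Case,31000,198.51.100.77
2025-09-02T03:09:00Z,chat-widget,svc-chat,Query,Opportunity,9000,198.51.100.77
2025-09-02T10:00:00Z,crm-sync,svc-sync,Query,Contact,500,203.0.113.10
"""
# Constructed per-client daily baselines (rows each integration normally reads).
BASELINE_ROWS = {"crm-sync": 2000, "chat-widget": 500}


def parse_events(text):
    """Parse the CSV-style log into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 7:
            continue
        t, client, _user, _event, obj, rows, ip = parts
        events.append({"day": t[:10], "client": client, "object": obj,
                       "rows": int(rows), "ip": ip})
    return events


def summarize(events):
    """Aggregate per (client, day): total rows, objects touched, source IPs."""
    summary = defaultdict(lambda: {"rows": 0, "objects": set(), "ips": set()})
    for e in events:
        s = summary[(e["client"], e["day"])]
        s["rows"] += e["rows"]
        s["objects"].add(e["object"])
        s["ips"].add(e["ip"])
    return summary


def flag_bulk_access(summary, baselines, factor=10):
    """Alert when a client/day exceeds factor x its baseline. A client with no
    baseline is unknown to the inventory, so any volume from it is flagged."""
    alerts = []
    for (client, day), s in sorted(summary.items()):
        if s["rows"] > baselines.get(client, 0) * factor:
            alerts.append({"client": client, "day": day, "rows": s["rows"],
                           "objects": sorted(s["objects"]), "ips": sorted(s["ips"])})
    return alerts
```

On the constructed log, `flag_bulk_access(summarize(parse_events(AUDIT_LOG)), BASELINE_ROWS)` raises a single alert: the chat integration read 88,000 rows of Contact, Case and Opportunity data on 2025-09-02 from one address, which is exactly the “what was touched” answer the response team needs.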

This is where resilience isn’t just about preventing incidents - it’s about proving you can restore what matters, fast and independently, when prevention fails.


Lessons Learned: What Organisations Need to Do

To stop the snowball, organisations need to act pre-emptively, not just wait for disaster. Here are tactical lessons drawn from recent breaches:

  • Risk area: OAuth & API Token Abuse
    What went wrong: Stolen tokens gave attackers access across orgs; tokens deeply permissive.
    Key mitigation / preventative action: Audit all third-party apps & integrations; limit scopes; enforce least privilege; rotate credentials regularly.

  • Risk area: Visibility of Integrations
    What went wrong: Shadow / unmonitored integrations; lack of awareness of who has access to what.
    Key mitigation / preventative action: Build a SaaS inventory; map out connections; employ tools that discover third-party access; monitor unusual app-to-app behaviour.

  • Risk area: Misconfigurations
    What went wrong: Overly broad permissions, mis-set sharing, misconfigured policies that allow lateral movement.
    Key mitigation / preventative action: Harden configuration baselines; regular audits; enforce least privilege; use policy as code or guardrails.

  • Risk area: Vendor / Supply Chain Oversight
    What went wrong: Blind trust in vendor claims; missing supply chain audits; vendor’s vendor becomes the vector.
    Key mitigation / preventative action: Include contractual SLAs for security, require disclosures, perform periodic risk assessments / third-party audits.

  • Risk area: Incident Preparedness
    What went wrong: Slow token revocation, unclear response chains, missing backup/recovery plans.
    Key mitigation / preventative action: Have recovery points (immutable, off-platform), run playbooks for token/key compromise, ensure backup data is separate and rapidly accessible.

  • Risk area: Trust & Governance
    What went wrong: Overreliance on SaaS vendor security; assumption that “cloud = safe”.
    Key mitigation / preventative action: Raise awareness at leadership; include SaaS supply chain risk in GRC (Governance, Risk, Compliance); treat SaaS integrations as first-class risk assets.

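The audit that both the Earlier Incidents list and the first three rows above call for (unapproved shadow integrations, scopes beyond what was approved, skeleton-key scopes, tokens never rotated), as an added example that is not code from the original post or from any vendor it names. The policy, app names, scopes and grant dates are constructed; a real run would pull grant records from each platform’s connected-app or OAuth-grant API.

```python
"""Audit an inventory of SaaS-to-SaaS OAuth grants against a simple policy.
Added example, not code from the original post or from any vendor it names;
policy, app names, scopes and dates are constructed for illustration."""
from datetime import date

# Constructed policy: approved integrations and the scopes each may hold.
APPROVED_APPS = {
    "crm-sync": {"read:contacts"},
    "helpdesk-bridge": {"read:tickets", "write:tickets"},
}
# Scopes that turn a token into a skeleton key regardless of which app holds it.
HIGH_RISK_SCOPES = {"full_access", "refresh_token", "admin:org"}
MAX_TOKEN_AGE_DAYS = 90          # rotation policy (constructed value)
AS_OF = date(2025, 9, 22)        # audit date (constructed)

# Constructed inventory: one record per grant discovered across tenants.
GRANTS = [
    {"app": "crm-sync", "scopes": {"read:contacts"}, "issued": date(2025, 8, 1)},
    {"app": "helpdesk-bridge", "scopes": {"read:tickets", "write:tickets", "full_access"},
     "issued": date(2025, 3, 2)},
    {"app": "lead-enricher", "scopes": {"read:contacts", "refresh_token"},
     "issued": date(2025, 9, 10)},
]


def audit_grant(grant, today):
    """Return the findings for one grant; an empty list means it is compliant."""
    findings = []
    approved_scopes = APPROVED_APPS.get(grant["app"])
    if approved_scopes is None:
        findings.append("shadow-integration")      # nobody approved this app
    else:
        excess = grant["scopes"] - approved_scopes  # more than it was granted
        if excess:
            findings.append("over-permissive:" + ",".join(sorted(excess)))
    if grant["scopes"] & HIGH_RISK_SCOPES:
        findings.append("high-risk-scope")
    age = (today - grant["issued"]).days
    if age > MAX_TOKEN_AGE_DAYS:
        findings.append(f"stale-token:{age}d")
    return findings


def audit_inventory(grants, today):
    """Map app name -> findings, keeping only the grants that need action."""
    report = {}
    for g in grants:
        findings = audit_grant(g, today)
        if findings:
            report[g["app"]] = findings
    return report
```

`audit_inventory(GRANTS, AS_OF)` flags helpdesk-bridge for an unapproved full_access scope and a 204-day-old token, and lead-enricher as an integration nobody approved that holds a refresh token; crm-sync passes.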

How FullBackup Helps You Stop the Snowball


Every breach in this year’s headlines reinforces the same truth: resilience cannot depend on the SaaS vendor alone. Their job is to keep the platform online. Your job is to ensure the data inside it survives - no matter what.

That’s why FullBackup, as an Elite Keepit Reseller, helps organisations deploy Keepit, the global leader in SaaS backup and recovery, to stop the snowball before it buries them:


  • Immutable Recovery - Every backup point is locked and tamper-proof. Attackers can’t encrypt it, delete it, or quietly rewrite history.

  • Independent Storage - Kept outside your SaaS vendor’s infrastructure. If Microsoft 365, Salesforce, or Google Workspace fail, your recovery is untouched.

  • Accessible When Production Is Down - Even if your identity layer is compromised or a vendor outage stalls operations, clean recovery points remain instantly available.

  • Compliance and Audit-Ready - Built for CPS 230, Essential Eight, and global sovereignty mandates, so you can prove resilience to regulators and auditors alike.


When prevention fails, and recent breaches show it will, recovery is what keeps the business alive.


Don’t wait for the snowball to hit. Test how fast you can bounce back with a Keepit pilot.


Conclusion: The Snowball Is Already Rolling

The SaaS snowball isn’t coming - it’s already here. Recent breaches prove how fast small cracks cascade into systemic failures, freezing operations and damaging trust.

CIOs and CISOs can no longer treat SaaS resilience as an IT housekeeping task. It’s a board-level priority. And the only way to stop the snowball is with immutable, independent, and accessible recovery that lives outside vendor blast radii.

With Keepit, you can prove resilience before the snowball flattens something you care about.

👉 Book your pilot and see how quickly you can recover when it matters most.
