Demo Request
Take a personalized product tour with a member of our team to see how we can help make your existing security teams and tools more effective within minutes.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Home
Blog
My SaaS Security Breach: Why Security Should Care About Every App

My SaaS Security Breach: Why Security Should Care About Every App

Kate Turchin
Updated
April 25, 2025
May 8, 2025
4 minutes

I’ve been marketing cybersecurity software forever  eight years. I worked at a cloud security posture management (CSPM) company before CSPM was even an acronym and I was part of the Prisma Cloud launch team at Palo Alto Networks in 2019. I’m well versed in security best practices, like least privilege access, authentication policies, and the zero trust philosophy.

Which is why I’m somewhat embarrassed to admit that at one point in my career, I was the vulnerability that led to a significant cybersecurity incident at my organization.

How It Began

I needed a developer to assist with a list of straightforward tasks for my website, which was built on Hubspot. Things like improving site speed, resizing images, and enabling browser caching. I decided I would source a developer overseas to save costs, so I posted an ad on Upwork for the role.

I hired Igor from Ukraine. Igor claimed he could finish the project quickly and efficiently. I didn’t spend much time reading reviews or shopping around. I was moving fast. I was focused on higher level initiatives and this checkbox project was merely a distraction from my important KPIs. 

Next, I invited Igor to my Hubspot instance and created a role for him. Hubspot permissions look  like this:

Perhaps it was my years of touting the principle of least privilege across Marketing docs and seminars, or just my spidey senses, but I remember thinking, “I really shouldn’t give this person Publish permissions.”

But then I remembered my goals. “If I don’t give him Publish permissions,” I thought to myself, “Then I will have to manually publish over 100 pages myself.” That would be prohibitively distracting. So I opted to give him Read, Write, and Publish permissions. After all, what could go wrong?

Things Started to Get Weird

Igor promptly finished the first milestone of the project, so I paid him out on Upwork, nearly $500.

Then things started to get weird.

“I’m unable to access the funds you sent me on Upwork,” he said in a direct message. He sent me a screenshot of an error message that he received when he tried to initiate the funds transfer. “Can you send me the funds via Payoneer?”

“I already paid you,” I told him. “Go send a message to Upwork Support and I’m sure they will help you.”

In retrospect, my mental user behavior analytics should’ve flagged this as suspicious and looked into it further. After all, why would he be unable to access the funds? I had been using Upwork for many years and never had this problem with any contractor before.

But being a busy Marketing professional juggling multiple deadlines and projects, I quickly moved on to the next thing. Igor was nothing more than an annoying fly I needed to swat out of my way so I could focus on the task at hand. “That sounds like a you problem,” I thought to myself and refocused on my initiatives.

The Attack

I woke up the next morning, sluggishly made coffee, and got online. My Slack was blowing up with messages, but nevermind that, why do I have 12 messages from Igor? Ugh, Igor, what does he want now?

“I have deleted your website on Hubspot, but lucky for you I have backed it up so if you send me $5,000 in bitcoin I will restore the site,” the first message read.

I blinked. I typed in my company domain. 

Gone. 

A site that I had spent years building and optimizing. I had invested hundreds of thousands of dollars into it, and dedicated years of my life to perfecting it. It was the lifeblood of the business; the central system that enabled Sales and allowed the team to provide for their families. It was the crown jewel of our growth strategy, the foundation that allowed the business to sustain my livelihood and that of so many other employees.

404 error. Gone.

My heart sank. My pulse quickened. 

I called my boss. I told him what happened. 

“Let’s hop on a Zoom bridge with the CIO” he said.  “Don’t worry, at least nobody died.”

Recovery and Remediation

Minutes felt like hours as we navigated Hubspot’s support system, but thankfully, Hubspot had the site backed up and was able to restore it, for the most part. However, several files had been permanently deleted and could not be restored. To this day I am so grateful that Igor did not permanently delete more files. Had he done so, it would’ve taken us several months to get the business back online and would’ve cost hundreds of thousands of dollars to rebuild. 

Plus, there are things you can never get back once you lose a site, like credibility and authority with Google that increases new business generation. This can only come from building and investing in a site for a long period of time.

The Lesson: Every SaaS App Matters for Security

I share this experience with you because I want organizations to recognize the importance of SaaS security. Hubspot may not store sensitive information, but that doesn’t mean it's not critical infrastructure absolutely essential for the business to run. 

Here at Reco, I often hear prospects say that they struggle with SaaS security because app ownership is so spread out. The Marketing department owns Hubspot, the HR department owns Workday, and so on and so forth.

But it doesn’t have to be this way. And if there’s one thing to take away from my story, it’s that it shouldn’t be that way. Security needs to be involved in all SaaS deployments. Security needs to create roles and permissions, keep tabs on configurations, monitor user behavior, and be able to respond to suspicious activity. You shouldn't rely on Kate from Marketing, or any other employee for that matter, to make the best security decisions when it comes to your SaaS apps.

How Reco Can Help

Reco could’ve helped my organization avoid a security incident like this. The Reco platform alerts on overpermissioned roles, like contractors with risky permissions, so Security can intervene before an issue happens.

Reco also could've helped my company stop Igor in his tracks with identity threat detection and response. Reco flags suspicious identity behavior, like excessive file deletion, and provides Security teams with remediation guidance so they can shut this activity down before damage is done. Correlating information about the user, location, activity, and more Reco can make educated decisions about what constitutes malicious behavior versus normal behavior.

→ Read Next: How Reco Uses Identity Analytics to Detect Advanced Threats (blog)

To learn more about Reco and how it can help you protect your SaaS from insider threats like Igor, schedule a live demo today.

Kate Turchin

ABOUT THE AUTHOR

Kate Turchin is the Director of Demand Generation at Reco.

Technical Review by:
Gal Nakash
Technical Review by:
Kate Turchin

Kate Turchin is the Director of Demand Generation at Reco.

Request a Demo
Table of Contents
Overview
Get the Latest SaaS Security Insights
Subscribe to receive updates on the latest cyber security attacks and trends in SaaS Security.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Explore Related Posts

5 minutes
SaaS Security
The Problems with Homegrown Threat Detection and Response for SaaS
Kate Turchin
May 7, 2025
Threat detection and response for SaaS apps is critical. But should you build it or buy it? Read this blog to learn why building a homegrown solution with your SIEM may be prohibitively complex, costly, and fall short of providing adequate protection.
6 minutes
SaaS Security
Heeding Pat Opet's Wakeup Call – The Need for Dynamic SaaS Security
Richard Conley
May 5, 2025
JPMorgan’s CISO Pat Opet issued a blunt warning that SaaS sprawl is “quietly enabling cyber attackers” and creating systemic vulnerabilities. He calls for new cybersecurity solutions and standards. Read this blog to understand why Dynamic SaaS Security is the answer.
4 minutes
SaaS Security
The Hidden Risks of Browser Extensions in SaaS Security
Gal Nakash
April 24, 2025
Discover why browser extensions can harm SaaS security, creating risks and blind spots, and how agentless, dynamic solutions offer safer, smarter protection.
See more featured resources

Ready for SaaS Security
that can keep up?

Request a demo
Reco is the leader in Dynamic SaaS Security — the only approach that eliminates the growing gap between what you can protect and what’s outpacing your security. Reco keeps pace with SaaS sprawl, no matter how fast it evolves, by covering the entire SaaS lifecycle — cradle to grave.
Request a demo
Memberships
Industry Recognition
Solutions By Use Case
Posture ManagementApp Discovery & GovernanceIdentity & Access GovernanceThreat Detection & ResponseData Exposure ManagementShadow App DiscoveryGenerative AI DiscoveryAgentic AI SecurityReco AI Agents
Integrations By App
All Supported ApplicationsSalesforceMicrosoft 365Google WorkspaceServiceNowWorkday
ServiceNow
soon
SlackOktaVeeva
Resources
BlogLearnIT HubCustomer StoriesWebinarsSSPM ReportCISO GuideFinancial GuideHealthcare GuideSalesforce GuideMicrosoft GuideAI Security GuideShadow AI GuideState of SaaS Security Report
Company
About Reco
Careers
Hiring
NewsroomPartnersTrust CenterContact Us
Top Content
SaaS SecurityWhat is SSPM
Memberships
Industry Recognition
AICPA for RecoReco - ISO 27001
TermsPrivacy
© 2025 Reco. All Rights Reserved.