My SaaS Security Breach: Why Security Should Care About Every App


I’ve been marketing cybersecurity software for over eight years. I worked at a cloud security posture management (CSPM) company before CSPM was even an acronym, and I was part of the Prisma Cloud launch team at Palo Alto Networks in 2019. I’m well versed in security best practices, like least privilege access, authentication policies, and the zero trust philosophy.
Which is why I’m somewhat embarrassed to admit that at one point in my career, I was the vulnerability that led to a significant cybersecurity incident at my organization.
How It Began
I needed a developer to assist with a list of straightforward tasks for my website, which was built on Hubspot. Things like improving site speed, resizing images, and enabling browser caching. I decided I would source a developer overseas to save costs, so I posted an ad on Upwork for the role.
I hired Igor from Ukraine. Igor claimed he could finish the project quickly and efficiently. I didn’t spend much time reading reviews or shopping around. I was moving fast. I was focused on higher level initiatives and this checkbox project was merely a distraction from my important KPIs.
Next, I invited Igor to my Hubspot instance and created a role for him. Hubspot permissions look like this:

Perhaps it was my years of touting the principle of least privilege across Marketing docs and seminars, or just my spidey senses, but I remember thinking, “I really shouldn’t give this person Publish permissions.”
But then I remembered my goals. “If I don’t give him Publish permissions,” I thought to myself, “Then I will have to manually publish over 100 pages myself.” That would be prohibitively distracting. So I opted to give him Read, Write, and Publish permissions. After all, what could go wrong?
Things Started to Get Weird
Igor promptly finished the first milestone of the project, so I paid him out on Upwork, nearly $500.
Then things started to get weird.
“I’m unable to access the funds you sent me on Upwork,” he said in a direct message. He sent me a screenshot of an error message that he received when he tried to initiate the funds transfer. “Can you send me the funds via Payoneer?”
“I already paid you,” I told him. “Go send a message to Upwork Support and I’m sure they will help you.”
In retrospect, my mental user behavior analytics should’ve flagged this as suspicious and looked into it further. After all, why would he be unable to access the funds? I had been using Upwork for many years and never had this problem with any contractor before.
But being a busy Marketing professional juggling multiple deadlines and projects, I quickly moved on to the next thing. Igor was nothing more than an annoying fly I needed to swat out of my way so I could focus on the task at hand. “That sounds like a you problem,” I thought to myself and refocused on my initiatives.
The Attack
I woke up the next morning, sluggishly made coffee, and got online. My Slack was blowing up with messages, but never mind that, why do I have 12 messages from Igor? Ugh, Igor, what does he want now?
“I have deleted your website on Hubspot, but lucky for you I have backed it up so if you send me $5,000 in bitcoin I will restore the site,” the first message read.
I blinked. I typed in my company domain.
Gone.
A site that I had spent years building and optimizing. I had invested hundreds of thousands of dollars into it, and dedicated years of my life to perfecting it. It was the lifeblood of the business; the central system that enabled Sales and allowed the team to provide for their families. It was the crown jewel of our growth strategy, the foundation that allowed the business to sustain my livelihood and that of so many other employees.
404 error. Gone.
My heart sank. My pulse quickened.
I called my boss. I told him what happened.
“Let’s hop on a Zoom bridge with the CIO” he said. “Don’t worry, at least nobody died.”
Recovery and Remediation
Minutes felt like hours as we navigated Hubspot’s support system, but thankfully, Hubspot had the site backed up and was able to restore it, for the most part. However, several files had been permanently deleted and could not be restored. To this day I am so grateful that Igor did not permanently delete more files. Had he done so, it would’ve taken us several months to get the business back online and would’ve cost hundreds of thousands of dollars to rebuild.
Plus, there are things you can never get back once you lose a site, like credibility and authority with Google that increases new business generation. This can only come from building and investing in a site for a long period of time.
The Lesson: Every SaaS App Matters for Security
I share this experience with you because I want organizations to recognize the importance of SaaS security. Hubspot may not store sensitive information, but that doesn't mean it isn't critical infrastructure, absolutely essential for the business to run.
Here at Reco, I often hear prospects say that they struggle with SaaS security because app ownership is so spread out. The Marketing department owns Hubspot, the HR department owns Workday, and so on and so forth.
But it doesn’t have to be this way. And if there’s one thing to take away from my story, it’s that it shouldn’t be that way. Security needs to be involved in all SaaS deployments. Security needs to create roles and permissions, keep tabs on configurations, monitor user behavior, and be able to respond to suspicious activity. You shouldn't rely on Kate from Marketing, or any other employee for that matter, to make the best security decisions when it comes to your SaaS apps.
How Reco Can Help
Reco could’ve helped my organization avoid a security incident like this. The Reco platform alerts on overpermissioned roles, like contractors with risky permissions, so Security can intervene before an issue happens.
Reco also could've helped my company stop Igor in his tracks with identity threat detection and response. Reco flags suspicious identity behavior, like excessive file deletion, and provides Security teams with remediation guidance so they can shut this activity down before damage is done. By correlating information about the user, location, activity, and more, Reco can make educated decisions about what constitutes malicious behavior versus normal behavior.
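To make the two controls described in this post concrete (a pre-incident check for external accounts holding Publish rights, and a behavioral detection for a burst of deletions by one identity), here is an added example. It is not Reco's code, nor HubSpot's API; the role grants and audit events are constructed sample data in a hypothetical format, and the threshold and window values are assumptions a team would tune for its own environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample role grants (hypothetical format, not HubSpot's real permission model).
SAMPLE_GRANTS = [
    {"user": "marketer-kate", "type": "employee", "permissions": {"read", "write", "publish"}},
    {"user": "contractor-igor", "type": "external", "permissions": {"read", "write", "publish"}},
    {"user": "contractor-ana", "type": "external", "permissions": {"read", "write"}},
]

# Constructed sample CMS audit events (hypothetical format), sorted later by timestamp.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:00:00Z", "user": "contractor-igor", "role": "external", "action": "page.update", "object": "/pricing"},
    {"ts": "2024-03-01T02:10:00Z", "user": "contractor-igor", "role": "external", "action": "page.delete", "object": "/pricing"},
    {"ts": "2024-03-01T02:11:00Z", "user": "contractor-igor", "role": "external", "action": "page.delete", "object": "/about"},
    {"ts": "2024-03-01T02:12:00Z", "user": "contractor-igor", "role": "external", "action": "page.delete", "object": "/blog"},
    {"ts": "2024-03-01T02:13:00Z", "user": "contractor-igor", "role": "external", "action": "page.delete", "object": "/contact"},
    {"ts": "2024-03-01T02:14:00Z", "user": "contractor-igor", "role": "external", "action": "page.delete", "object": "/careers"},
    {"ts": "2024-03-01T02:15:00Z", "user": "contractor-igor", "role": "external", "action": "page.delete", "object": "/demo"},
    {"ts": "2024-03-01T02:16:00Z", "user": "contractor-igor", "role": "external", "action": "page.delete", "object": "/"},
    {"ts": "2024-03-01T09:00:00Z", "user": "marketer-kate", "role": "employee", "action": "page.update", "object": "/blog/post-1"},
    {"ts": "2024-03-01T09:05:00Z", "user": "marketer-kate", "role": "employee", "action": "page.delete", "object": "/blog/draft-2"},
]

# Assumed tuning values: five deletes inside ten minutes is abnormal for routine site maintenance.
DELETE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def risky_roles(grants):
    """Pre-incident check: external accounts that hold Publish on production content.

    This is the least-privilege review that would have flagged the contractor's role
    before any work started.
    """
    return [g["user"] for g in grants if g["type"] == "external" and "publish" in g["permissions"]]


def detect_mass_deletion(events, threshold=DELETE_THRESHOLD, window=WINDOW):
    """Behavioral detection: alert once per user who performs `threshold` or more
    delete actions within a sliding time `window`.

    Returns a list of alert dicts carrying the context a responder needs
    (who, what role, how many deletes, and the time span), so the alert can be
    correlated with other signals before revoking access.
    """
    recent_deletes = defaultdict(deque)   # user -> timestamps of deletes inside the window
    alerts = []
    already_alerted = set()
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["action"] != "page.delete":
            continue
        ts = parse_ts(ev["ts"])
        q = recent_deletes[ev["user"]]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["user"] not in already_alerted:
            already_alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "role": ev["role"],
                "deletes_in_window": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    print("External accounts with Publish:", risky_roles(SAMPLE_GRANTS))
    for alert in detect_mass_deletion(SAMPLE_EVENTS):
        print("ALERT mass deletion:", alert)
```

In this constructed data the role check flags the contractor before any damage, and the detector fires at the contractor's fifth delete (the alert is raised as the window fills, not after the fact), while the employee's single deletion of a draft never reaches the threshold. The alert deliberately carries the role and time span so a responder can decide quickly whether to revoke the session and begin restoring from backup.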
To learn more about Reco and how it can help you protect your SaaS from insider threats like Igor, schedule a live demo today.
