
SaaS supply chain compromises: A new headache for cyber insurers?
By KYND
The recent Salesloft–Drift OAuth breach is a sharp reminder that attackers don’t always need to batter down the front door – sometimes they just borrow the keys. The campaign is thought to have taken place from about August 8 to August 18, and directly impacted about 700 organisations in total. By exploiting trusted integrations, the attackers sidestepped MFA and turned OAuth tokens from the Drift–Salesforce connector into a free pass, accessing sensitive customer data, cloud credentials, and more. OAuth tokens are digital keys that let apps access your account without needing your password each time.
What makes this incident stand out isn’t just the data at stake, but the unseen risk it exposes: the very connections organisations rely on to keep business moving can double as hidden backdoors, multiplying exposures across numerous organisations. While initial reporting suggested that the stolen OAuth tokens would only compromise Salesforce instances that had integrated Salesloft Drift, it is now believed that any platform that uses Drift may potentially be compromised.
For cyber insurers, supply chain risk is increasing in depth and breadth:
Increased risk from Nth-degree vendors
Traditional vendor risk assessments aren’t able to surface Nth-degree risk. Mapping supply chains beyond the 4th party is impractical without automated scanning, and manual efforts will inevitably miss assets due to fragmented visibility up the chain. As a result, underwriters may be making decisions without full visibility of hidden dependencies deep within the supply chain.
Cross-platform integrations compound vendor risk
Systemic vendor exposure is obscured by deep supply chains, and is exacerbated by a demand for unified workflows supporting all functions in a business. Vendors engage customers with seamless integrations into as many systems as possible, but this necessarily raises the risk of a cross-vendor system compromise.
Losses go well beyond data theft
In this case, attackers also harvested AWS keys and Snowflake tokens. That kind of credential compromise can quickly escalate into cloud breaches, service outages, and ransomware incidents. For insurers, that means multiple loss vectors: not just breach response and forensics, but also contractual disputes, regulatory scrutiny, reputational damage, and business interruption.
What this really shows is that third-party access and SaaS integrations have to be treated as core portfolio risks. In the same way insurers track patching cycles or endpoint security, they now need visibility into how policyholders are managing vendor integrations and security as points of systemic exposure. If not understood and monitored, exposure builds up in the background until it hits portfolios.
Would you like to see if your portfolio is exposed?
At KYND, we equip insurers with powerful cyber risk insight into hidden exposures like these across entire books of business, helping them spot silent aggregations before they become costly claims.
Salesloft-Drift can quietly expand an organisation’s attack surface without obvious signs. KYND can detect its presence across a network and show you exactly where the exposure lies. Want to see KYND in action? Get in touch with our team to check a sample of your portfolio.