They Didn’t Hack You — They Hacked Your Vendor, Then You | Stack of Truths


They Didn’t Hack You — They Hacked Your Vendor, Then You

May 19, 2026 — 7 min read — Pedro Jose

Your firewall is perfect. Your passwords are long. Your MFA is unbreakable.

None of it matters. Because the attacker didn’t come through you. They came through your email provider. Your CRM. Your cloud host. The little SaaS tool your marketing team signed up for last year and forgot about.

SolarWinds. MOVEit. Okta. Every major breach this decade started with a third party. Your security is only as strong as your weakest supplier, and you haven’t checked theirs.

⚡ THE HARD TRUTH

You can have perfect security and still get destroyed by a vendor you trusted. The attacker doesn’t break your door. They walk through your partner’s open window.

The Greatest Hits of Supply Chain Carnage

🔷 SolarWinds (2020)
Russian attackers inserted a backdoor into Orion software updates. 18,000 customers installed the backdoor themselves. FireEye, Microsoft, Intel, Cisco — all breached through a single software update.
🔷 MOVEit (2023)
Cl0p ransomware gang exploited a zero-day in Progress Software’s MOVEit file transfer tool. 2,600+ organizations exposed. 80+ million individuals’ data stolen. All because one vendor had a SQL injection bug.
🔷 Okta (2022 & 2024)
Attackers compromised a third-party customer support engineer’s laptop. Accessed Okta’s internal systems. Then pivoted to Okta’s customers — Cloudflare, 1Password, BeyondTrust. Your identity provider became the attacker’s identity provider.
🔷 Change Healthcare (2024)
A subsidiary with no MFA. One compromised credential. The entire US healthcare payment system shut down for weeks. 1 in 3 Americans’ data exposed. All because a vendor ignored basic security.
📌 THE PATTERN

🔹 Attacker compromises a vendor (often through phishing, unpatched software, or weak credentials)
🔹 Attacker moves laterally inside vendor’s network
🔹 Attacker steals access to customer environments (API keys, session tokens, admin creds)
🔹 Attacker enters your network — using keys you gave them

You didn’t get hacked. Your vendor did. Then you.

Your Vendor List Is Your Attack Surface

Let’s play a game. Open your corporate credit card statement. Count every SaaS subscription. Slack, Zoom, Atlassian, Salesforce, HubSpot, Zendesk, Auth0, Twilio, Mailchimp, GitHub, Stripe, PagerDuty, DataDog, Monday.com, Asana, Notion, Figma — the list never ends.

Each of those vendors holds some piece of your data. Each of them has access to your environment. Each of them has their own security posture — which you have never audited.

🧠 THE SCARY PART

You don’t know their security. You don’t know their subprocessors. You don’t know if they require MFA for their employees. You don’t know if they segregate customer data. You don’t know if they were breached last week.

But you trust them anyway. Because convenience > security. Until it isn’t.

What You Can Actually Do About It

1. Inventory every vendor with access to your data or systems

You can’t secure what you don’t track. Start with finance (who gets paid), then SSO logs (who has access), then your cloud audit trails.

2. Ask the hard questions

  • Do you have SOC2 Type II? Can I see the latest report?
  • Do you require MFA for all employees?
  • Do you segment customer data? How?
  • Do you have a bug bounty program?
  • When was your last penetration test?
  • Do you share my data with subcontractors? Which ones?

If they can’t answer these in writing, you have a problem.

3. Enforce least privilege for vendor integrations

Does your Slack integration really need admin rights? Does your GitHub action need write access to production? Does your CRM need to read your entire customer database?

```bash
# Example: audit OAuth tokens in GitHub
gh auth status
gh api /orgs/YOUR_ORG/installations

# Check Slack token scopes
# Manual audit in Slack -> Manage Apps

# AWS IAM: review third-party roles
aws iam list-roles | grep -i "thirdparty\|vendor"
```
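Grepping role names only catches vendors who named themselves. As an added example (not code from the original post), this Python script reads the JSON that `aws iam list-roles --output json` prints and lists every role that an account other than your own is allowed to assume, flagging wildcard principals and trust statements with no `sts:ExternalId` condition; the embedded roles and account ids are constructed, and your own account id is assumed to be `111111111111`.

```python
import json

# Constructed sample in the shape of `aws iam list-roles --output json`
# (account ids and names are made up): a vendor role with an ExternalId,
# a legacy vendor role without one, and an in-house service role.
SAMPLE_LIST_ROLES = json.dumps({"Roles": [
    {"RoleName": "vendor-monitoring-ro", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Condition": {"StringEquals": {"sts:ExternalId": "constructed-id"}}}]}},
    {"RoleName": "legacy-crm-sync", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::333333333333:root", "*"]}}]}},
    {"RoleName": "app-server", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "ec2.amazonaws.com"}}]}},
]})

def account_of(principal):
    """12-digit account id named by an AWS principal ('*' stays '*')."""
    # ARNs look like arn:aws:iam::123456789012:root; bare ids also occur.
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_vendor_trust(list_roles_json, own_account):
    """One (role, account, has_external_id) finding per external principal
    allowed to assume a role.  '*' means anyone can assume it; a missing
    sts:ExternalId condition leaves a vendor role open to confused deputy."""
    findings = []
    for role in json.loads(list_roles_json)["Roles"]:
        for stmt in role["AssumeRolePolicyDocument"].get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            principals = stmt.get("Principal", {})
            aws = ["*"] if principals == "*" else principals.get("AWS", [])
            aws = [aws] if isinstance(aws, str) else aws
            has_ext = any("sts:ExternalId" in v
                          for v in stmt.get("Condition", {}).values()
                          if isinstance(v, dict))
            for acct in (account_of(p) for p in aws):
                if acct != own_account:  # only cross-account (vendor) trust
                    findings.append((role["RoleName"], acct, has_ext))
    return findings

if __name__ == "__main__":
    for role, acct, ext in audit_vendor_trust(SAMPLE_LIST_ROLES, "111111111111"):
        flag = "OK" if ext and acct != "*" else "REVIEW"
        print(f"{flag:6} {role:22} account={acct} external_id={ext}")
```

Replace the sample with the real CLI output and your account id; every REVIEW line is a trust relationship you handed to someone else and should be able to name.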

4. Assume breach — segment your vendor access

Put vendor integrations in a separate network segment. Monitor them like you’d monitor an external attacker. If a vendor gets hacked, you want them to only access the decoy, not the crown jewels.

5. Get a third-party risk assessment (yes, that’s a pentest for your vendors)

A proper penetration test doesn’t stop at your firewall. It maps your entire supply chain — the vendors, their APIs, their OAuth integrations, and the blast radius if they fall.

🔐 WHAT A SUPPLY CHAIN PENTEST LOOKS LIKE

• Inventory all third-party integrations (20-50 tools)
• Review OAuth token permissions and age
• Test vendor API boundaries (what can actually be accessed?)
• Simulate a vendor breach: can you pivot from a compromised vendor API key into production?
• Map the blast radius: if X gets hacked, what does the attacker get?

You’re not testing your security. You’re testing the security you outsourced.

The 2026 Shift: Regulators Are Coming for Your Supply Chain

NIS2 in Europe. SEC rules in the US. New cyber disclosure laws in Australia. All of them require you to manage third-party risk.

SolarWinds’s stock dropped 40% after the breach. The CEO resigned. They’re still paying legal fees. And you’re still using software from companies you’ve never audited.

⚠️ THE ONE THING YOU CAN DO TOMORROW

Pick your top 5 most critical vendors (email, cloud host, CRM, identity provider, support desk).

Send them a security questionnaire. Ask for their SOC2. Ask for their last pentest date.

If they can’t produce it — start looking for alternatives. Your business depends on it.

The Bottom Line

SolarWinds. MOVEit. Okta. Change Healthcare. Every major breach of the last five years followed the same playbook: the attacker hacked a vendor, not the final target.

You can spend millions on your own security. It won’t matter if your email provider has a 22-year-old intern who disables MFA on the master admin account.

Your security is only as strong as your weakest supplier. And you haven’t checked theirs.

A supply chain penetration test is not a luxury. It’s the only way to know if your vendors are securing your data — or just holding it for the next attacker.

🦞🔐

Stop trusting. Start testing.

Full AI agent pentest: €3,000. AI Red Team: €5,000. Supply chain risk assessment: custom quote.

📩 DM @StackOfTruths on X

Free 15-min consultation. No hard sell. Just honest answers about your vendor risk.

