The breach didn’t happen inside the company at all. It happened inside a tool they’d signed up for two years earlier, used twice, and never cancelled, and it still had a full export of their customer list.

Death by a thousand logins

Like most small businesses, this e-commerce shop had accumulated dozens of SaaS accounts, email tools, analytics, a chatbot, a survey app. Each one had been granted access to customer data at some point. Nobody kept a list. When one of those vendors was breached, the attackers got a tidy CSV of names, emails, and order history.

Why small businesses are the soft target

You inherit the security posture of every vendor you connect to. A big company has a team to vet them. A 12-person shop has a founder who clicked “Authorize” on a Tuesday. Attackers know the data is the same, and the side door is wide open.

The 30-minute fix

• Inventory every SaaS tool and what data it can see.
• Revoke anything you don’t actively use, most have a one-click “remove access.”
• Prefer vendors who can show you a security posture, not just a logo.

The tools you forgot about are exactly the ones an attacker is counting on you to forget.