SaaS is no longer secure

A wave of security incidents is hitting major SaaS platforms. Vercel was breached after a third-party tool (contacts.ai) used by an employee was compromised, allowing attackers to access Google Workspace credentials and environment variables. The breach chain connects to Delvé, a YC-backed compliance company accused of faking SOC 2 audits. Lovable exposed user codebases, database credentials, and AI chat histories to any free account — a bug reported 48 days prior that went unaddressed. Notion has a years-old vulnerability leaking editor email addresses from public pages, reported in 2022 and still unpatched. Both Lovable and Notion were previously showcased as Delvé compliance customers. The author argues SaaS security is deteriorating as AI models make exploitation easier, predicting more breaches among the ~500 companies allegedly covered by Delvé's rubber-stamped audits.