> My guess is their local workstation was compromised
Honestly I don't think it was even that complicated, considering when I needed to spend money on some SaaS product the "chief accountant" (because there was no CFO) straight up sent me a photo of the corporate credit card and said "delete that when you're done".
Sure, but to be fair, credit cards really aren't that dangerous of a credential to wave around. You can cancel your card at anytime, and even dispute the charges. Its like instant key rotation, with a way to also roll back time.
Honestly I don't think it was even that complicated, considering when I needed to spend money on some SaaS product the "chief accountant" (because there was no CFO) straight up sent me a photo of the corporate credit card and said "delete that when you're done".