It was the SolarWinds hack that gave internal access and potential admin rights. It's no different than if a domain controller gets compromised. The attacker has gained control of the keys to kingdom; it's an inherent risk to SSO.