2026 Third-Party Breach Report: Managing Risk Concentration in the Era of Cascading Failures

by the Black Kite Research Group


In 2025, third-party breaches scaled because impact cascaded faster than disclosure, baseline control gaps stayed repeatable, and the most relied-upon vendors remained structurally exposed.

Third-party risk transformed from a series of isolated accidents into a systemic crisis. The story of the year is not just that more companies were breached, but that the speed of impact cascaded faster than the speed of disclosure, leaving a "shadow layer" of thousands of unnamed victims in its wake.

The data proves that cascading impact is the outcome, but concentration is the cause. The supply chain does not break at its weakest link; it breaks at its most connected one. To manage risk in 2026, we must look past the "A" grades and the breach headlines to address the structural fragility of the core.

2025 in 3 Stats:

  • 136 verified third-party breach events, with 5.28 downstream victims per vendor.
  • 719 companies were publicly named as victims, with ~26,000 additional impacted companies that were never named.
  • 73 days median disclosure delay. Even though attacks are detected in a median of 10 days, risk remains undisclosed for over two months, shifting exposure downstream to customers.

What Happened: 2025 Incidents & Impact

The number of verified incidents reached 136 major events. But the numbers on the surface only told half the story. While 719 companies were publicly named as victims, a much larger "shadow layer" emerged behind aggregate disclosures. In 2025, we tracked approximately 26,000 additional impacted companies that were affected but never officially named.

This visibility gap was widened by a persistent "Silent Window": while the median time to detect an intrusion was 10 days, the median delay to disclose that breach to the public was 73 days. In an environment where threat actors (who remained unknown or undisclosed in nearly 73% of cases) move with "industrialized" speed, this delay represents a massive transfer of risk from the vendor to the unsuspecting downstream customer.

  • 719 named victim companies: verified incidents reached 136 events, with 719 named victim companies and a much larger hidden layer behind aggregate disclosures.
  • ~26,000 additional affected companies: publicly disclosed impact reached 433M people, while vendors reported ~26,000 additional affected companies without naming them.
  • 73 days: detection is slow, disclosure is slower. Median detection was 10 days (79 events with timeline data); median disclosure lag was 73 days (average 117).
  • 72.8% of verified events: attribution often collapses. In 72.8% of verified events, the threat actor is unknown or undisclosed.

What the Ecosystem Looks Like: Baseline Risk at Scale

Beyond the headlines of specific breaches lies the terrain of the broader ecosystem, the environmental conditions that enable these incidents to scale. Across a baseline of 200,000 monitored organizations, the ecosystem appears healthy on paper with an average Cyber Grade of 90.27 (A). However, this high grade creates a false sense of security that masks deep operational rot.

The reality of the terrain is defined by repeatable weaknesses: nearly 54% of organizations show patch-management failure signals, and over 23% have active stealer log exposure. This creates "Pressure Zones," particularly in Manufacturing and Professional Services, where high susceptibility and weak discipline overlap. In these zones, breaches don't emerge in a vacuum; they expand because the basic controls required to stop them are inconsistently applied.

  • ~200,000 monitored organizations
  • 90.27 (A) average Cyber Grade
  • 53.77% have at least one critical vulnerability detected
  • 23.34% have corporate credentials circulating on the dark web

Across ~200k monitored organizations, the ecosystem looks “fine” on paper, with an average Cyber Grade 90.27 (A), yet failure signals are widespread: 53.77% have at least one critical vulnerability detected, and 23.34% have corporate credentials circulating on the dark web.

The ecosystem is not uniformly risky, but it has pressure zones where susceptibility and weak discipline overlap.

The scatter map on page 3 makes this visible: Manufacturing and Professional Services sit in the pressure zone (high Ransomware Susceptibility + weak patch discipline), while Finance trends toward a more controlled profile.

Where Concentration Lives: Top 50 Shared Vendors

The most connected vendors are not “safe by default.” They are often too central to ignore and too exposed to assume stability.

The top 50 vendors shared by the Forbes Global 2000 represent a concentrated point of failure. These central pillars of the global economy are not fortresses; they are stressed infrastructure.

They maintain a lower average cyber grade (83.9) than the ecosystem at large, and a staggering 70% of them have at least one vulnerability currently listed in the CISA KEV catalog. With 62% of these critical vendors showing corporate credentials in stealer logs, the "master keys" to the world's largest companies are already circulating on the dark web.

Top 50 Shared Vendors’ Key Risk Indicators (KRIs):

  • 70% have at least one CISA KEV exposure; 84% have critical vulnerabilities (CVSS ≥ 8).
  • 62% have corporate credentials exposed in stealer logs; 30% have breached credentials in the last 90 days.
  • show phishing URL exposure; 40% show active targeting signals.
  • have a breach history
  • had a breach in the last year
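The KRIs above only become actionable when joined to how many of your own systems depend on each vendor, because the page's thesis is that the chain breaks at its most connected link, not its weakest. The following is an added example, not Black Kite's code or platform logic. It assumes a KEV feed in the shape of CISA's public KEV JSON (a top-level "vulnerabilities" list with a "cveID" per entry); every vendor, customer and CVE record in it is a constructed placeholder, not real data.

```python
"""Concentration check across a vendor portfolio: join CISA KEV exposure,
critical-CVSS counts, stealer-log hits and breach history (the KRIs above)
to how many customers depend on each vendor, then measure blast radius.

Added example, not Black Kite's code. Assumptions: KEV_CATALOG mirrors the
top-level shape of CISA's public KEV JSON ("vulnerabilities" list, "cveID"
per entry); every vendor, customer and CVE record below is a constructed
placeholder, not real data.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed stand-in for the CISA KEV feed. Same top-level shape as the
# real JSON; the CVE IDs are placeholders, not real vulnerabilities.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0002", "knownRansomwareCampaignUse": "Unknown"},
    ]
}


@dataclass
class Vendor:
    name: str
    cves: dict             # cve_id -> CVSS base score observed on the vendor
    stealer_log_hits: int  # corporate credentials seen in stealer logs
    breached_last_year: bool


@dataclass
class Customer:
    name: str
    vendors: list          # vendor names this customer depends on


# Constructed sample portfolio (hypothetical vendors and customers).
VENDORS = {
    "VendorA": Vendor("VendorA", {"CVE-1900-0001": 9.8}, 0, False),
    "VendorB": Vendor("VendorB", {"CVE-1900-0003": 8.1}, 0, False),
    "VendorC": Vendor("VendorC", {}, 4, False),
    "VendorD": Vendor("VendorD", {"CVE-1900-0002": 7.5}, 0, True),
}
CUSTOMERS = [
    Customer("Cust1", ["VendorA", "VendorB"]),
    Customer("Cust2", ["VendorA", "VendorC"]),
    Customer("Cust3", ["VendorA", "VendorB", "VendorC"]),
    Customer("Cust4", ["VendorA"]),
    Customer("Cust5", ["VendorA", "VendorD"]),
    Customer("Cust6", ["VendorB"]),
]


def kev_ids(catalog):
    """Set of CVE IDs in a KEV-shaped catalog."""
    return {entry["cveID"] for entry in catalog["vulnerabilities"]}


def vendor_kris(vendor, kev):
    """Per-vendor KRIs in the spirit of the list above."""
    exposed = sorted(set(vendor.cves) & kev)
    return {
        "kev_exposure": bool(exposed),
        "kev_cves": exposed,
        "critical_vulns": sum(1 for s in vendor.cves.values() if s >= 8.0),
        "stealer_logs": vendor.stealer_log_hits > 0,
        "breached_last_year": vendor.breached_last_year,
    }


def shared_vendor_ranking(customers, vendors, kev):
    """Vendors ordered by dependent-customer count (most shared first),
    each row carrying its KRIs. This is the concentration view."""
    dependents = Counter(v for c in customers for v in c.vendors)
    return [
        {"vendor": name, "dependents": n, **vendor_kris(vendors[name], kev)}
        for name, n in dependents.most_common()
    ]


def portfolio_summary(rows):
    """Share of vendors failing each KRI, like the Top 50 percentages."""
    n = len(rows)

    def pct(key):
        return round(100 * sum(1 for r in rows if r[key]) / n, 1) if n else 0.0

    return {
        "vendors": n,
        "pct_kev_exposed": pct("kev_exposure"),
        "pct_stealer_logs": pct("stealer_logs"),
        "pct_breached_last_year": pct("breached_last_year"),
    }


def downstream_exposed(customers, rows, kri):
    """Blast radius: customers reachable through any vendor failing `kri`.
    One central vendor failing a KRI exposes every customer behind it."""
    flagged = {r["vendor"] for r in rows if r[kri]}
    return {c.name for c in customers if flagged & set(c.vendors)}


if __name__ == "__main__":
    rows = shared_vendor_ranking(CUSTOMERS, VENDORS, kev_ids(KEV_CATALOG))
    for r in rows:
        print(r)
    print(portfolio_summary(rows))
    print("customers behind a KEV-exposed vendor:",
          sorted(downstream_exposed(CUSTOMERS, rows, "kev_exposure")))
```

In the constructed sample, VendorA is both the most shared vendor and KEV-exposed, so one vendor puts five of six customers in the blast radius; VendorB's CVSS 8.1 issue is not in KEV and reaches three. Ranking by dependents first, then reading the KRIs, is what surfaces that difference; a grade-only view would not.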

Why this matters right now (trend + impact)

  • In 2025 we tracked 29 vulnerability-driven breach events, of which 65.5% involved zero-days.
  • Speed is the defense: Black Kite investigated 93.3% of relevant KEV-listed CVEs before or on the day of their KEV listing, delivering an average 12.6-day head start in cases where we detected first.

About This Report

This report, prepared by the Black Kite Research Group, presents a comprehensive analysis of third-party data breaches observed in 2025. It explores how these incidents occurred, their impact on organizations, and examines the structural conditions that continue to shape third-party cyber risk at scale.

The report is organized into three main sections. The first examines key third-party breach events and dominant trends observed throughout 2025. The second evaluates the cyber posture of ~200,000 monitored companies on the Black Kite platform, providing industry-level insights into systemic security strengths and weaknesses. The final section focuses on concentration risk, assessing cyber exposure among the top 50 most heavily relied upon third parties within the Forbes Global 2000 ecosystem.

Together, these sections provide a clear, data-driven view of the third-party risk landscape in 2025, highlighting both immediate threats and broader systemic challenges.

Part I

2025 Incidents

What happened, how it propagated, and why visibility failed.

Part II

Baseline Posture (at scale)

What the ecosystem looks like before a breach forces attention.

Part III

Concentration Risk

Where systemic exposure actually lives (Top 50 Shared Vendors).
