
Massive "Shadow Layer" of Organizations Targeted in Supply Chain Attacks

Security experts have revealed that the impact of third-party data breaches is more extensive than previously believed. Last year, over 433 million individuals were affected by 136 separate incidents.

Black Kite has released its seventh annual Third-Party Breach Report, which is based on verified public breach disclosures from 2025, external cyber risk telemetry, and supply chain intelligence.

The report indicates that the 136 confirmed breaches produced an average of 5.28 publicly identified downstream victims per vendor, for a total of 719 companies and 433 million individual customers impacted.

Furthermore, Black Kite noted that affected vendors reported an additional 26,000 corporate victims without specifying their names. This suggests that the total number of individuals affected downstream could be even higher.

The primary sources of these breaches were software services vendors, which were responsible for 38 incidents, representing 28% of the total. Other significant contributors included professional and technical services with 14 breaches and healthcare providers with 10.

When examining downstream corporate victims, the healthcare sector experienced the most breaches, with 258 affected entities. This was followed by the education sector, which had 140, and financial services with 101 incidents.

The report explains, “These sectors tend to combine high data sensitivity with heavy reliance on external platforms, placing them downstream in complex dependency chains.” It further emphasizes that breach impacts accumulate in data-rich sectors at the edges of the supply chain, while the risks originate upstream within a smaller group of centralized service providers.

Less Visibility, More Risk

The report also pointed out significant delays in breach detection and public disclosure. On average, vendors took 68 days to identify an intrusion, with a median detection time of 10 days.

This suggests ongoing issues with threat detection, but the delays in notifying affected parties also raise concerns about forensics and incident response. The median time to inform customers was 73 days, with an average of 117 days.

The report stated, “Let’s be clear: 73 days is not an ‘investigation period.’ In the context of active exploitation, it is an eternity.” The delay prevents downstream customers from taking necessary actions such as revoking access, resetting credentials, or securing their systems. The report concluded that “transparency delayed is risk transferred.”

The likelihood of future breaches remains high. Among the 200,000 organizations monitored by Black Kite, over half, or 54%, had at least one critical vulnerability, and 23% had corporate credentials circulating on the dark web.

Analysis of the top 50 most shared vendors among Forbes Global 2000 customers revealed several alarming statistics:

  • 70% have at least one exposure related to CISA KEV, and 84% have critical vulnerabilities.
  • 80% are exposed to phishing URLs, while 40% show signs of active targeting.
  • 62% have corporate credentials exposed in stealer logs, and 30% have had breached credentials in the past 90 days.
  • 52% have a history of breaches, with 18% experiencing an incident within the last year.

Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, emphasized the urgency of addressing these issues, stating, “Traditional third-party risk management is not keeping pace with the reality of today’s threats. Over the past year, these risks have transformed from a series of isolated accidents into a systematic crisis.”
