Black Kite today announced the release of its seventh annual Third-Party Breach Report, which analyzes third-party data breaches in 2025, including how they occurred, organizational impact, and structural conditions shaping third-party cyber risk at scale. The report found 136 unique major incidents, affecting 719 companies, plus an estimated 26,000 additional impacted companies that were not officially named.
Black Kite’s report examines the supply chain’s interconnectedness and vulnerabilities by evaluating last year’s key third-party breach events and dominant trends, the cyber posture of approximately 200,000 monitored companies on the Black Kite platform, and the concentration risk among the top 50 most relied upon third parties within the Forbes Global 2000 ecosystem.
2025 Incidents and Impact
2025 saw a surge in verified incidents with 136 major events. However, what stood out is not that companies were breached, but rather, a significant “shadow layer” emerged behind aggregate disclosures. In fact, while 719 companies were publicly named as victims, approximately 26,000 additional impacted companies were affected but never officially named. At the individual level, publicly disclosed figures point to 433 million impacted people.
In 2025, we saw an average of 5.28 downstream victims per third-party breach, the highest level observed to date (2.56 in 2024, 3.09 in 2023, 4.73 in 2022, and 2.46 victims per incident in 2021). This uptick reflects a sharp increase in the scale and coordination of attacks, driven by threat actors targeting shared platforms, centralized services, and high-dependency vendors. As attackers move upstream, single compromises increasingly translate into multi-company impact.
The visibility gap is further exacerbated by a persistent “Silent Window”: while the median time to detect an intrusion was 10 days, the median delay to disclose that breach to the public was 73 days. This delay represents a massive transfer of risk from the vendor to the unsuspecting downstream customer.
Key findings include:
- Verified incidents surged to 136 events, with 719 named victim companies, and a much larger hidden layer behind aggregate disclosures
- Publicly disclosed impact reached 433 million people, while vendors reported approximately 26,000 additional affected companies without naming them
- Detection is slow, disclosure is slower, with median detection at 10 days (79 events with timeline data) and median disclosure lag of 73 days (average 117)
What the Third-Party Ecosystem Looks Like
Across a baseline of approximately 200,000 monitored organizations, randomly selected to understand the current state of the industry, the ecosystem appears healthy on paper with an average Cyber Grade of 90.27 (A). While a high average grade indicates that many organizations meet standard control expectations and compliance checklists, it does not guarantee that the ecosystem is resilient under real-world pressure. Third-party risk scales through common failure modes and dependency structures, so ecosystems can look strong in aggregate while remaining fragile in the specific places attackers repeatedly exploit.
For instance, the reality of the terrain is defined by repeatable weaknesses. Over 53% of organizations have at least one critical vulnerability, and 23% have corporate credentials circulating on the dark web. This creates “Pressure Zones,” particularly in manufacturing and professional services, where high susceptibility and weak discipline overlap. Notably, these sectors have been the top two hit by ransomware for four consecutive years. Education is another high-pressure sector. This is not driven by attack sophistication, but by chronic exposure. High credential leakage, inconsistent patch discipline, and operational constraints combine to create environments where compromise is easier to initiate and harder to contain.
On the other hand, finance presents a different pattern. Ransomware Susceptibility Index® (RSI™) scores remain materially lower because sustained governance pressure forces tighter control over identity, patching, and exposure management. Regulatory frameworks and continuous audit expectations raise the cost of negligence and shorten tolerance for unresolved weaknesses.
Key findings include:
- Across nearly 200,000 monitored organizations, the ecosystem appears healthy on paper, with an average Cyber Grade 90.27 (A), yet failure signals are widespread – 53.77% have at least one critical vulnerability, and 23.34% have corporate credentials circulating on the dark web.
- The ecosystem is not uniformly risky, with manufacturing and professional services sitting in the pressure zone with high Ransomware Susceptibility and weak patch discipline, while finance trends toward a more controlled profile.
The Concentration Risk Crisis: Top 50 Shared Vendors
The top 50 vendors shared by the Forbes Global 2000 represent not only a concentrated point of failure, but also, threat actors know they are the “master keys” to some of the world’s largest organizations, so they are hunting them aggressively.
Of utmost concern is that these vendors maintain a lower average Cyber Grade (83.9, B) than the ecosystem at large, and a staggering 70% of them have at least one vulnerability currently listed in the CISA KEV catalog. With 62% of them showing corporate credentials in stealer logs, this sensitive information is already circulating on the dark web.
Key findings include:
- 70% have at least one CISA KEV exposure, and 84% have critical vulnerabilities(CVSS ≥ 8)
- 80% show phishing URL exposure, and 40% show active targeting signals
- 62% have corporate credentials exposed in stealer logs, and 30% have breached credentials in the last 90 days
- 52% have a breach history, with 18% in the last year
To read the report, visit https://content.blackkite.com/ebook/2026-third-party-breach-report/.
Methodology
The findings in this report are the result of a multi-source, intelligence-led investigation conducted by the Black Kite Research Group. Black Kite combined verified public breach disclosures with the company’s external cyber risk telemetry and supply chain intelligence to analyze how third-party data breaches emerged, propagated, and concentrated across the ecosystem throughout 2025. The report covers third-party data breach events disclosed between January 1, 2025, and December 31, 2025. The breach dataset is limited to verified, publicly disclosed incidents and is designed to reflect what can be substantiated from reliable reporting and primary disclosures.
CloudSEK Uncovers Fake “Red Alert” App Campaign Exploiting Conflict-Driven Panic
Posted in Commentary with tags CloudSEK on March 3, 2026 by itnerdCloudSEK has uncovered a malicious mobile campaign spreading a fake version of Israel’s “Red Alert” emergency warning app, the legitimate alert platform operated by Israel’s Home Front Command, through spoofed SMS messages.
According to CloudSEK’s latest threat intelligence report, the trojanized Android application is designed to appear trustworthy while enabling the theft of SMS data, contact lists, and precise location information from infected devices.
The campaign emerges against the backdrop of the ongoing Israel-Iran conflict, where demand for real-time public safety information has sharply increased. CloudSEK’s researchers found that threat actors are exploiting this urgency by luring users to sideload a malicious APK outside the Google Play Store, while presenting it as an emergency update or warning application. )
According to the report, the malware mimics the user interface of the legitimate Red Alert application closely enough to reduce suspicion and can even continue delivering alert-style functionality to maintain its disguise.
The key difference appears during installation and onboarding: while the authentic app operates with basic notification access, the fake version aggressively requests high-risk permissions, including access to contacts, SMS, and location.
CloudSEK’s technical analysis found that the malicious app uses signature spoofing, installer spoofing, reflection, and multi-stage payload loading to conceal its true behaviour and bypass basic integrity checks. Once active, the malware begins harvesting data in the background and exfiltrating it to attacker-controlled infrastructure. The report identifies api[.]ra-backup[.]com/analytics/submit.php as an exfiltration endpoint and lists several associated IP addresses tied to the campaign’s infrastructure.
CloudSEK warns that this campaign carries implications beyond conventional mobile malware. In an active conflict environment, real-time location tracking and SMS interception can create serious physical security, surveillance, and intelligence-gathering risks. The report notes that location data could potentially be misused to map shelter activity, movement patterns, or concentrations of individuals during periods of heightened military escalation.
The report also underscores a larger pattern: threat actors are increasingly weaponising real-world crises and trusted institutions to distribute malware at scale. By impersonating a life-saving emergency app during a volatile geopolitical situation, the attackers behind this campaign have demonstrated how cyber operations can feed directly off civilian anxiety and information dependency.
CloudSEK has advised immediate caution around app downloads delivered through links in SMS messages, particularly in conflict-related or emergency contexts. The company recommends that users install critical public-safety applications only through official app stores and that organisations block the listed indicators of compromise and monitor for suspicious sideloaded Android packages.
For More Information, Read The Full Report Here
Leave a comment »