Security researchers say the blast radius of third-party data breaches is far larger than initial disclosures suggest, with more than 433 million individuals affected by 136 incidents last year.
Black Kite compiled its seventh annual Third-Party Breach Report from analysis of verified public breach disclosures in 2025, external cyber risk telemetry and supply chain intelligence.
It said the 136 verified breaches averaged 5.28 publicly named downstream victims per breached vendor, amounting to 719 companies and 433 million individual end customers.
However, Black Kite said affected vendors also reported an additional 26,000 corporate victims without naming them, so the true number of downstream individuals impacted is likely higher still.
Ground zero for these events was most often a software services vendor: that category accounted for 38 (28%) of the 136 verified breaches, followed by professional and technical services (14) and healthcare services providers (10).
In terms of downstream corporate victims, most appear to be in healthcare (258), education (140) and financial services (101).
“These sectors tend to combine high data sensitivity with heavy reliance on external platforms, placing them downstream in complex dependency chains,” the report noted. “The pattern is consistent. Breach impact accumulates in data-rich sectors at the edges of the supply chain, while risk originates upstream, within a smaller set of centralized service providers.”
Less Visibility, More Risk
The report also highlighted delays in both breach discovery and public disclosure. The median time for vendors to detect an intrusion was 10 days, while the average was 68 days, a gap that points to a long tail of intrusions that went unnoticed for months.
While detection time reflects the state of a vendor's threat detection, the delay between discovery and notification points to weaknesses in forensics and incident response. The report found that time to notify customers had a median of 73 days and an average of 117 days.
“Let’s be clear: 73 days is not an ‘investigation period’. In the context of active exploitation it is an eternity,” the report noted. “This delay denies downstream customers the chance to revoke access, reset credentials or lock down their own systems. Transparency delayed is risk transferred.”
The chances of future breaches remain high. Of the 200,000 organizations monitored by Black Kite, over half (54%) had at least one critical vulnerability and 23% were found to have corporate credentials circulating on the dark web.
An analysis of the top 50 “most shared” vendors, those used by the largest number of Forbes Global 2000 companies, found that:
- 70% have at least one CISA KEV exposure, and 84% have critical vulnerabilities
- 80% display exposure to phishing URLs, and 40% show signals of active targeting
- 62% have corporate credentials exposed in stealer logs, and 30% have breached credentials in the past 90 days
- 52% have a breach history, with 18% suffering an incident in the past year
“Traditional third-party risk management is not keeping pace with the reality of today’s threats,” argued Ferhat Dikbiyik, chief research and intelligence officer at Black Kite. “Over the past year, these risks have transformed from a series of isolated accidents into a systematic crisis.”
