New data from Black Kite’s seventh annual Third-Party Breach Report shows that third-party cyber incidents reached unprecedented scale in 2025, with 136 major breaches affecting 719 named companies and an estimated 26,000 additional downstream victims who were never publicly identified. The analysis found an average of 5.28 downstream victims per breach, the highest level on record, underscoring how attackers are increasingly targeting shared platforms and high-dependency vendors, turning single compromises into cascading impacts across entire supply chains.
The report also highlights persistent structural weaknesses in the third-party ecosystem despite an overall strong average Cyber Grade among nearly 200,000 monitored organizations. More than half of companies have at least one critical vulnerability, nearly a quarter have corporate credentials circulating on the dark web, and the most relied-upon vendors within the Forbes Global 2000 ecosystem show higher exposure to known exploited vulnerabilities and credential leaks. This concentration risk, coupled with slow detection and disclosure timelines that average 10 and 73 days, respectively, creates fertile ground for…