Tag: third party risk
51 articles

Ernst & Young Exposes Client Data in Third-Party Support System Hack
Ernst & Young suffered a data breach when hackers accessed a third-party support system, downloading sensitive client documents between March 28 and April 12. The breach was detected on April 23, prompting the company to alert affected clients and notify authorities.

Lidl Data Breach Exposes Customer Info Across Europe
Lidl has warned customers in Belgium and the Netherlands that a data breach exposed their personal info, after unidentified individuals briefly accessed a file containing customer data stored with a third-party IT provider. The breach affected online customers in Germany, Belgium, and the Netherlands, but Lidl stresses that its online shop system itself was not compromised.

AdaptHealth Breach Exposes Patient Data via Social Engineering Tactics
AdaptHealth recently fell victim to a data breach, where hackers used clever social engineering tactics to trick a third-party contractor into giving them access to sensitive patient information stored in the company's cloud environment. This alarming breach put a large volume of patient data at risk, prompting AdaptHealth to disclose the incident to the Securities and Exchange Commission.

Microsoft Bolsters Teams Security with Enhanced Bot Protections
Microsoft is stepping up its Teams security game with enhanced bot protections, allowing admins to block third-party bots from joining meetings without approval. This new policy gives organizations greater control over who can access their meetings, helping to prevent malicious apps and unwanted disruptions.

Human Error Exposes Security Breaches Despite AI Advances
Despite advancements in AI, human error continues to expose security breaches, as seen in a recent Salesforce supply-chain compromise where a legacy credential was exploited. A company called Klue, which integrates with Salesforce, was compromised when attackers used OAuth tokens to access customer data.

Iranian Hackers Exploit Credentials in Cal Water Breach
Cal Water swiftly sprang into action when an Iranian-linked group, Handala, claimed to have hacked their system, activating their cybersecurity response plan and launching a thorough investigation. Thankfully, experts from Mandiant found that the breach was limited to third-party accounts, containing no evidence of a larger-scale attack.

Social Engineering Attacks Target Service Desks
Service desks have become a prime target for cyber attackers, who often find it easier to manipulate staff into divulging sensitive information than to crack the technology itself. In a string of recent incidents, hackers have successfully impersonated employees to gain access to internal systems, as seen in the 2025 UK attacks on major retailers like Marks & Spencer, Co-op, and Harrods.

LastPass Breach Exposes Customer Data in Supply Chain Hack
LastPass recently discovered a security incident at Klue, a third-party platform they use, which led to an unauthorized actor accessing some customer data through its Salesforce environment. Fortunately, customer vaults and core products remain secure, and swift action has been taken to mitigate the breach.

Icarus Hack Exposes Hundreds of Firms in Supply-Chain Breach
On June 11, a massive supply chain breach occurred when hackers exploited a weak link at Klue, a market intelligence provider used by over 250,000 companies worldwide, gaining access to sensitive data across hundreds of firms. The attackers used a compromised legacy credential to obtain OAuth tokens and infiltrate connected customer environments.

Klue Breach Exposes Cybersecurity Firms to OAuth Token Abuse
A single compromised credential led to a massive security breach at Klue, allowing an unauthorized actor to exploit OAuth tokens and gain access to sensitive customer data on third-party platforms like Salesforce. This incident highlights the growing threat of OAuth token abuse and the need for robust cybersecurity measures.

Klue OAuth Breach Expands as Icarus Hackers Claim Multiple Victims
Klue's CEO Jason Smith revealed that on June 12, unauthorized activity was detected in their integration infrastructure, prompting a thorough investigation with cybersecurity experts to understand the breach and support affected customers. The incident allowed hackers to steal OAuth tokens through a compromised legacy credential, impacting connections to third-party platforms like Salesforce.

Texas Data Breach Exposes 3 Million Driver's Licenses
A massive data breach has hit Texas, exposing the driver's license information of over 3 million hunting and fishing license customers, leaving them vulnerable to identity theft and other cyber threats. The breach occurred through a third-party license system used by the Texas Parks and Wildlife Department.

Nintendo Data Breach Exposes Employee Survey Information
Nintendo of America recently experienced a data breach through a third-party survey service, exposing limited employee survey information, but fortunately, no customer or financial data was compromised. The company is working to resolve the issue and has confirmed that its own systems remain secure.

Account Takeovers Rise as Complexity Exposes Identity Vulnerabilities
As attackers increasingly target identities rather than infrastructure, account takeovers are on the rise - and with 22% of breaches involving credential abuse, it's clear that traditional username-and-password security just isn't cutting it. The explosion of identities across cloud services, SaaS apps, and remote environments has created a perfect storm of vulnerability.

Kodak Breach Exposes Sensitive Data After ShinyHunters Hack
Kodak recently suffered a data breach at the hands of hackers known as ShinyHunters, who gained temporary access to sensitive company data. The company has launched a swift investigation with external cybersecurity experts and is working closely with law enforcement to mitigate the impact.

Breach Notice Error Fuels Patient Skepticism
A simple mistake on breach notices sent by third-party vendor Xsolis sparked skepticism among patients when the letters misnamed Rochester Regional Health as "Rochester Regional Medical Center", leading many to dismiss them as scams. This misstep undermined trust and raised questions about the effectiveness of the breach notification process.

Oxford University Exposes Student Data in Career Website Breach
Oxford University recently suffered a data breach on its career support website, exposing sensitive student information, including full names, email addresses, and encrypted passwords. This incident marks the university's second disclosed data breach of the year, raising concerns about the security of third-party platforms.

SoFi Hong Kong Breach Exposes Customer Data at Third-Party Vendor
SoFi Hong Kong recently discovered a data breach at a third-party vendor that exposed customer information, with unauthorized access detected on April 30, 2026. The company's investigation is ongoing, but it confirmed the breach originated from a vendor, not its internal systems.

NYC Health Breach Exposes 1.8M Patients' Sensitive Data
A massive data breach at NYC Health + Hospitals has exposed the sensitive information of 1.8 million patients, highlighting the alarming vulnerability of personal data in the healthcare system. This incident serves as a stark reminder of the devastating consequences of a breach, especially when it comes to biometric data that can never be truly reset.

Data Breaches Surge, Exposing Sensitive Info at AI Startups, Agencies
Data breaches are surging, with AI startups and agencies exposed, as seen in the alarming theft of 10 petabytes from a Chinese supercomputer and 4 terabytes from AI startup Mercor due to a supply-chain vulnerability. These incidents highlight the hidden risks of connecting data to AI models, creating sensitive blind spots that leave large data sets vulnerable to compromise.

Vimeo Breach Exposes 119,000 Email Addresses
A data breach at Vimeo has compromised the email addresses of over 119,000 users, with hackers also accessing some metadata and technical data from a third-party analytics vendor. Fortunately, no video content, login credentials, or payment card information was stolen.

Vimeo Breach Exposes User Data After Anodot Hack
Vimeo users, be aware: a recent data breach at analytics company Anodot exposed some of your personal info, including video titles, metadata, and in some cases, email addresses. Fortunately, uploaded video content, account credentials, and payment card info remain safe.

Vercel Breach Exposes Customer Data Theft via AI Tool Compromise
A single compromised AI tool has led to a massive breach at Vercel, exposing customer data and raising serious questions about trust and security. An attacker exploited a third-party AI tool used by an employee to steal sensitive credentials and OAuth tokens, gaining access to multiple services and customer data.

Vercel Breach Traced to Compromised AI Tool
A recent Vercel breach highlights a growing concern: what happens when AI tools, meant to boost efficiency, become the weakest link in our security chain? The breach was traced back to a third-party AI tool used by an employee, blurring the lines between human error and machine vulnerability.