Supply Chain Breaches Surge 60% To Hit Half Of All Incidents

Verizon’s latest report finds third-party-involved breaches reached 48% of the total this year, after already doubling in the previous edition, with Salesloft Drift cited as a textbook case.

Published on May 21, 2026

Breaches involving a third party grew another 60% over the past year and now account for nearly half of all confirmed breaches, according to Verizon’s 2026 Data Breach Investigations Report (DBIR).

That figure now stands at 48%, up from 30% in the previous year’s dataset. The growth follows a doubling between the 2024 and 2025 reports.

That trajectory makes “supply chain” less a discrete attack category than a default condition of modern incidents. The 22,000+ breaches in this year’s DBIR were drawn from 145 countries.

Verizon’s framing splits third-party exposure into three archetypes: a vendor in your software supply chain, a vendor hosting your data, or a vendor connected into your environment. Breaches now routinely involve two of those at once, and increasingly all three.

The report cites the Salesloft Drift campaign as a recent example. Attackers compromised the OAuth tokens of the Salesloft Drift application, then used those tokens to exfiltrate customer data straight from the Salesforce platform. One initial access vector, two vendor environments, one breach.

Recent Cases Make the Numbers Concrete

The trend has played out repeatedly in the months since Verizon’s data window closed.

Google Threat Intelligence Group flagged the cyber crime actor TeamPCP for poisoning the GitHub repositories behind Trivy, Checkmarx, LiteLLM, and BerriAI, harvesting AWS keys and GitHub tokens from those build pipelines, and later selling the access to ransomware crews.

Days later, the same crew compromised a GitHub employee’s workstation through a poisoned VS Code extension and exfiltrated roughly 3,800 internal repositories.

Both cases sit cleanly inside Verizon’s archetypes. The DBIR’s data quantifies the broader pattern those incidents fit into.

Cloud Hygiene Is the Hard Part

The operational story underneath the headline number is one of slow remediation. Only 23% of third-party organizations fully fix missing or improperly configured multi-factor authentication (MFA) on their cloud accounts, with half of all findings closed within a month.

For weak passwords and excessive permissions, the median time to resolve half of findings stretches to nearly eight months.

Additionally, 37% of organizations said they had at least one admin account with MFA disabled on an Infrastructure-as-a-Service (IaaS) offering, per a separate slice of point-in-time cloud exposure data.

The Verizon team’s takeaway is direct. “A strong starting point is to focus on the authentication and authorization layers,” the report says, calling out service and machine accounts in particular as the ones most likely to be leveraged in an agentic AI future.

Excessive privileges in cloud environments cut across all three flavors of cloud delivery (IaaS, PaaS, SaaS), and the difficulty of meaningfully enforcing least privilege in IaaS environments at business velocity is part of why the eight-month tail exists.