The third-party incidents that mattered this month.
Each month we round up the third-party security, privacy, compliance, and risk incidents worth your attention and write up the ones that matter. The first edition went out in May 2026. The next one is on the way.
Three or four a month
We pick the three or four third-party incidents each month that are actually worth knowing about, across security, privacy, compliance, and risk. No noise.
Impact first
Each entry says who got hit and how, so you can size up your own exposure fast.
Full reports when it matters
When an incident has real lessons in it, we publish a write-up on what happened, who it reached, and what to do. Those are linked from the timeline.
A running log of third-party incidents
Newest at the top, grouped by month. Entries with a Coverbase report link to our full write-up.
July 2026
Sales-enablement SaaS integration abused to raid customer Salesforce orgs
A compromised legacy credential at a competitive-intelligence integration vendor let attackers steal OAuth tokens and pull CRM data from roughly 200 downstream tenants, several of them security vendors themselves.
State licensing vendor breach exposes millions of residents' IDs
Unauthorized access to the system a state agency uses to sell recreational licenses exposed driver's license and passport numbers for more than three million residents, triggering a mandated credit-monitoring offer.
Ransomware hits a Tier-1 electronics manufacturer, spilling client trade secrets
A 630GB leak from a contract manufacturer's systems included proprietary engineering and manufacturing documents from multiple OEM clients, exposing how deep supply-chain concentration risk reaches into IP protection.
Regulator finalizes a decade-long consent decree over vendor PII access failures
A ten-year enforcement order followed findings that a student-data platform never contractually restricted how its vendors could access more than 10 million students' personal information.
June 2026
Latest reportThe platform beneath your vendors: GitHub breach traces nth-party exposure
A poisoned VS Code extension compromised a GitHub employee laptop and helped expose 3,800 internal repositories for sale, showing how supply-chain risk now sits below the vendor surface.
Read: The Platform Beneath Your VendorsPackage registry namespace hijacked to ship trojanized releases
A compromised employee GitHub account pushed malicious versions of more than 30 packages with valid build provenance, reaching roughly 80,000 weekly downloads before the releases were pulled.
Workflow platform patches a reported flaw only after customers are hit
A bug-bounty report sat unfixed for six weeks while attackers probed customer instances, raising disclosure-timeline questions and breach-notification duties for affected tenants.
Hyperscaler login outage locks tenants out of their own cloud
A near eight-hour identity failure cut off console, CLI, and API access, leaving customers unable to manage their own resources or reach support for the duration.
May 2026
Inaugural editionAI gateway hands over the keys: shared LLM proxy leaks tenant credentials
A widely used AI gateway exposed downstream customers' model and cloud API keys, putting every connected tenant's data and spend at risk.
Read: When your AI gateway hands over the keysManaged file-transfer appliance zero-day exploited in the wild
An unauthenticated remote-code-execution flaw let attackers exfiltrate data from hundreds of organizations that rely on the appliance for partner data exchange.
Customer-data platform misconfiguration exposes consumer profiles
Millions of enriched consumer records were left queryable without authentication, triggering GDPR and CCPA notification duties for the brands downstream.
Cloud region outage cascades through dependent SaaS vendors
A multi-hour control-plane failure took down vendors built on the region, exposing concentration risk and triggering SLA-credit and resilience-reporting obligations.
April 2026
Hijacked build dependency ships a credential-stealing payload
A popular package was compromised to harvest CI/CD secrets, reaching thousands of downstream applications before the malicious release was pulled.
Tier-1 payments processor enters sudden financial distress
Liquidity concerns at a critical processor forced merchants to stand up contingency rails and re-underwrite a concentrated single point of failure.
HR and benefits vendor breach exposes employee PII
Social Security numbers and health-plan data for staff across many client companies were accessed, cascading breach-notification duties to every customer.
Undisclosed sub-processor breaches data-residency terms
An unannounced offshore sub-processor violated contractual residency commitments, forcing customers to pause data flows and re-paper their DPAs.
March 2026
Identity provider token theft enables tenant account takeover
Stolen support-system tokens let attackers pivot into downstream customers' tenants, reviving hard questions about over-trusting the IdP.
Backdoor discovered in a widely used open-source library
A maliciously maintained dependency nearly shipped a remote backdoor into countless production systems before a researcher caught it.
Critical logistics SaaS acquired, sunset announced
An acquirer's end-of-life notice gave dependent shippers only months to migrate, surfacing exit-readiness and concentration gaps across supply chains.
Embedded analytics SDK caught exfiltrating location data
A third-party mobile SDK quietly collected precise geolocation, exposing every app that bundled it to regulatory scrutiny and app-store removal.