The third-party incidents that mattered this month.
Each month we round up the third-party security, privacy, compliance, and risk incidents worth your attention and write up the ones that matter. The first edition went out in May 2026. The next one is on the way.
Three or four a month
We pick the three or four third-party incidents each month that are actually worth knowing about, across security, privacy, compliance, and risk. No noise.
Impact first
Each entry says who got hit and how, so you can size up your own exposure fast.
Full reports when it matters
When an incident has real lessons in it, we publish a write-up on what happened, who it reached, and what to do. Those are linked from the timeline.
A running log of third-party incidents
Newest at the top, grouped by month. Entries with a Coverbase report link to our full write-up.
June 2026
Coming soon
The next Third Party Incident Briefing is in production. Subscribe or book a demo to get it in your inbox the day it ships.
May 2026
Inaugural edition
AI gateway hands over the keys: shared LLM proxy leaks tenant credentials
A widely used AI gateway exposed downstream customers' model and cloud API keys, putting every connected tenant's data and spend at risk.
Read: When your AI gateway hands over the keys
Managed file-transfer appliance zero-day exploited in the wild
An unauthenticated remote-code-execution flaw let attackers exfiltrate data from hundreds of organizations that rely on the appliance for partner data exchange.
Customer-data platform misconfiguration exposes consumer profiles
Millions of enriched consumer records were left queryable without authentication, triggering GDPR and CCPA notification duties for the brands downstream.
Cloud region outage cascades through dependent SaaS vendors
A multi-hour control-plane failure took down vendors built on the region, exposing concentration risk and triggering SLA-credit and resilience-reporting obligations.
April 2026
Hijacked build dependency ships a credential-stealing payload
A popular package was compromised to harvest CI/CD secrets, reaching thousands of downstream applications before the malicious release was pulled.
Tier-1 payments processor enters sudden financial distress
Liquidity concerns at a critical processor forced merchants to stand up contingency rails and re-underwrite a concentrated single point of failure.
HR and benefits vendor breach exposes employee PII
Social Security numbers and health-plan data for staff across many client companies were accessed, cascading breach-notification duties to every customer.
Undisclosed sub-processor breaches data-residency terms
An unannounced offshore sub-processor violated contractual residency commitments, forcing customers to pause data flows and re-paper their DPAs.
March 2026
Identity provider token theft enables tenant account takeover
Stolen support-system tokens let attackers pivot into downstream customers' tenants, reviving hard questions about over-trusting the IdP.
Backdoor discovered in a widely used open-source library
A maliciously maintained dependency nearly shipped a remote backdoor into countless production systems before a researcher caught it.
Critical logistics SaaS acquired, sunset announced
An acquirer's end-of-life notice gave dependent shippers only months to migrate, surfacing exit-readiness and concentration gaps across supply chains.
Embedded analytics SDK caught exfiltrating location data
A third-party mobile SDK quietly collected precise geolocation, exposing every app that bundled it to regulatory scrutiny and app-store removal.