Analysis: Blast Radius For Third-Party Breaches Bigger Than Reported
Security Boulevard, Friday, March 6th, 2026
An analysis of 136 unique major breaches involving third-parties affecting 710 companies, published this week by Black Kite, finds approximately 26,000 additional organizations were impacted, affecting as many as 433 million individuals.
Ferhat Dikbiyik, chief research and intelligence officer for Black Kite, said the analysis shines a spotlight on the fact that the actual blast radius of a breach is much broader than generally appreciated given how interconnected most organizations actually are.
On average, the report finds there were 5.28 downstream victims per third-party breach, mainly because threat actors target shared platforms, centralized services, and organizations that have high dependencies on multiple vendors, noted Dikbiyik. As workflows become more integrated, the overall size of the blast radios of any given breach continues to expand, he added.