Jun 17, 2025
6 min read

Are your third-party services secure?

TL;DR

The 2025 Verizon Data Breach Investigations Report (DBIR) found that third-party involvement in data breaches doubled year over year, jumping from 15% to 30%. In this blog, we break down:

  1. Why third-party breaches are increasing
  2. What we can learn from the Snowflake incident
  3. Practical ways to assess and secure your vendor ecosystem
  4. Why MFA enforcement, token expiration, and centralized secrets management matter

The Verizon Data Breach Investigations Report (DBIR)

Last month, Verizon released its 2025 DBIR. The full report contains a wealth of information (117 pages!) that we recommend any interested parties check out for themselves. The Verizon team studied a collection of over 12,000 data breaches, the most this report has seen to date, surpassing last year’s record.

Aligned with trends in previous reports, the total number of data breaches increased dramatically again this year, mirroring the growing global reliance on digital infrastructure. This should come as no surprise to readers. Simply put, more digital infrastructure means more vulnerabilities, especially when you factor in the number of incidents caused by internal accidents rather than external threat actors.

Preventing breaches stemming from mistakes or accidents requires implementing appropriate security systems and training developers in their functions.

Making headlines in the 2025 report, though, is the significant increase in third-party involvement in data breaches. This category saw its relative frequency doubled from 15% to 30% compared with last year.

Why third-party breaches are increasing

While the increase in third-party breaches may be explained by the continued expansion of digital infrastructure, like the addition of integrated microservices, Software-as-a-Service (SaaS) components, or increased reliance upon established third parties for specific platform features, there are also other explanations. It would be an easy assumption that additional integrations increase the number of points of failure in a platform as a whole, but the folks at Verizon think there’s more going on.

Jumps of this size are often the result of specific, widespread zero-day vulnerability exploits, which cause various data breach metrics and their relative frequencies to change dramatically from year to year as new vulnerabilities are discovered and patched. The analysis team found that data from previous years had been skewed by these zero-day vulnerabilities, and so created the third-party involvement category to track their impact on the total number of breaches.

According to the report:

“The main motivator for this new metric [third-party breaches] was our discussion about vulnerabilities in software and all the impact caused by a handful of zero-days (which became genericized) in the MOVEit software vulnerability.”

Software development is moving so quickly that data collection and analysis are still in relative infancy. New metrics are created year to year to analyze and predict the future of data breaches. Tracking third-party involvement in data breaches gives new insight into the evolving threat landscape facing companies today.

What types of third-party breaches are most common?

81% of these breaches involved the Vocabulary for Event Recording and Incident Sharing (VERIS) Incident Classification Pattern (ICP) known as “System Intrusion,” which leverages stolen credentials, exploited vulnerabilities, and social engineering attacks like phishing. These attacks often come in conjunction with one another, such as installing malware through a phishing email, exploiting a system vulnerability to gain access to legitimate credentials, and then using those stolen credentials to appear as a valid actor within the system.

81% of attacks against third-party services were System Intrusions, an overwhelming majority. Your organization may have systems and safeguards against these attacks, but are your third-party services employing the same degree of security?

Their advice? “It was clear that having a security outcome component as part of the vendor selection process was more and more justified as we continued to see growth in the exploitation of vulnerabilities as one of our initial access actions.”

The Verizon team suggests security as a key component of vendor selection moving forward, and we agree. Data breaches can affect every step of the software supply chain, with service downtime, expensive fines and lawsuits, and loss of reputation and customer trust. It’s time to bring security to the front when choosing vendors. Certain data protection regulations, like the GDPR, require third-party services to maintain data protection standards to process protected data, extending legal liability to other related platforms.

If you were in any other industry and a fundamental flaw was introduced in your supply chain due to defective machinery, your organization would at the very least be sending a sternly worded letter to the supplier.

The Snowflake breach

One of the more publicized breaches of the past year, the Snowflake breach, involved accessing an account with stolen credentials. This account was not protected with multi-factor authentication (MFA) since MFA was not a mandatory feature of Snowflake at the time. The combination of its unrotated credentials, lack of MFA, and the value of the stored information made this breach almost inevitable. Realizing the vulnerability, the threat actor managed to automate the access and data exfiltration processes, leading to a major incident.

According to the report, any third-party vendor could’ve been breached in this manner, but a combination of missing MFA enforcement, credentials that never expired, and just plain bad luck brought it to Snowflake.

Demonstrate your commitment to security

We’ve got plenty of recommendations for anyone looking to up their security. Of course, we recommend using a centralized, standardized management system to control access to sensitive information, but there are more basic commitments to security that reduce risk factors.

Standardizing identity and access management (IAM) policies helps catch potential vulnerabilities and assists in setting up multi-factor authentication (MFA) or single sign-on (SSO) through an identity provider (IdP). Whatever your platform’s solution to secure identity management may be, it’s important to check that all connected third-party vendors demonstrate the same commitment to security.

Centralize your secrets management. Despite the account's inactivity, the credentials used in the Snowflake breach were still functional. Had the access token been created with a predetermined expiration date, the stolen credentials would no longer have granted access to sensitive information. Using ephemeral secrets or automating secrets revocation within a centralized management service would have solved this issue from the other side.
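The two controls above (MFA enforcement and credentials with a predetermined expiration that are revoked when idle) can be checked mechanically against a credential inventory. The audit below is an added example written for this post, not Doppler code or anything from the DBIR; the thresholds, field names, and sample inventory are constructed assumptions, and it flags exactly the conditions the Snowflake account exhibited: no MFA, no expiration, and a long-idle credential that still works.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy thresholds: assumptions for this example, not values from the report.
MAX_TOKEN_LIFETIME = timedelta(days=90)   # longest allowed validity window
MAX_IDLE = timedelta(days=30)             # unused this long -> should be revoked


@dataclass
class VendorCredential:
    vendor: str
    token_id: str
    created_at: datetime
    expires_at: Optional[datetime]    # None means the token never expires
    last_used_at: Optional[datetime]  # None means never used since creation
    mfa_enforced: bool                # does the vendor enforce MFA on this account?


def audit_credential(cred: VendorCredential, now: datetime) -> list[str]:
    """Return policy findings for one credential; an empty list means compliant."""
    findings = []
    if not cred.mfa_enforced:
        findings.append("mfa-not-enforced")
    if cred.expires_at is None:
        findings.append("no-expiration")
    elif cred.expires_at - cred.created_at > MAX_TOKEN_LIFETIME:
        findings.append("lifetime-too-long")
    elif cred.expires_at <= now:
        findings.append("expired-but-not-revoked")  # should be gone from inventory
    idle_since = cred.last_used_at or cred.created_at
    if now - idle_since > MAX_IDLE:
        findings.append("inactive-still-valid")     # the Snowflake pattern
    return findings


def audit_inventory(creds: list[VendorCredential], now: datetime) -> dict[str, list[str]]:
    """Map token_id -> findings, keeping only credentials that fail policy."""
    return {c.token_id: f for c in creds if (f := audit_credential(c, now))}


# Constructed sample inventory (not real vendors or tokens).
NOW = datetime(2025, 6, 17, tzinfo=timezone.utc)
SAMPLE = [
    VendorCredential("warehouse", "tok-001", NOW - timedelta(days=400), None, NOW - timedelta(days=200), False),
    VendorCredential("payments", "tok-002", NOW - timedelta(days=10), NOW + timedelta(days=20), NOW - timedelta(days=1), True),
    VendorCredential("email", "tok-003", NOW - timedelta(days=5), NOW + timedelta(days=360), NOW, True),
]

if __name__ == "__main__":
    for token_id, findings in audit_inventory(SAMPLE, NOW).items():
        print(token_id, findings)
```

Run against a real inventory, the findings list is the checklist to raise with each vendor: every `mfa-not-enforced` and `no-expiration` hit is a third party that does not yet share your baseline.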

Ready to try a centralized solution that integrates with identity providers, automates secrets management, and provides comprehensive logs for tracking secrets use and access? Check out Doppler’s free trial to learn more.

FAQ

A third-party data breach occurs when an external vendor, service provider, or software platform is compromised, exposing your organization's data.
