Healthcare disruption without direct breach.
Belgian hospitals impacted via third-party provider compromise
β’ Patient portals offline
β’ Data access disrupted
β’ Vendor risk exposed
Third-party attack surface is expanding fast.
How are you mitigating vendor-based threats? π
Follow @technadu
Taboola Exploits Banking Sessions to Route Users to Temu Tracking Endpoint
Imagine a single line of code secretly redirecting people logged into their bank accounts to a commercial tracking site - that's what happened when a bank unknowingly approved a Taboola pixel that sent users to a Temu tracking endpoint. This sneaky exploit slipped past security controls, leaving both the bank andβ¦
#ThirdpartyRisk #SupplyChain #SessionHijacking #TrackingExploit #BankingSecurity
Healthcare Sector Tackles Third-Party AI Security Gaps with New Guidance
The healthcare sector is taking a major step towards securing its AI-powered tools with new guidance from the Health Sector Coordinating Council (HSCC) that helps tackle the growing threat of third-party AI security gaps. This playbook is a timely response to the explosion of AI-related cyber risks from vendors, andβ¦
#ThirdpartyRisk #ArtificialIntelligence #Healthcare #AiSecurity #VendorCyberRisk
McGraw Hill Breach Exposed by Salesforce Setup Flaw
A configuration error in Salesforce, a widely used customer relationship management platform, led to a data breach at McGraw Hill, exposing customer data and raising questions about vendor services and data stewardship. The incident highlights the importance of proper setup and management of third-party services to protect sensitiveβ¦
#DataBreach #Salesforce #ThirdpartyRisk #EducationSector #ConfigurationError
π Cyber Tip: Know your vendorsβ cybersecurity posture. Third party risk is real.
A weak partner can become your breach point. Vet security practices and require accountability.
Meta paused work with a $10B AI data vendor after hackers poisoned an open-source Python library called LiteLLM and walked out with four terabytes of data. So, that's bad. And the worst part? The stolen data might include the actual training methodologies that Meta, OpenAI, Anthropic, and Google paid billions to develop. Think about what that means. You can't protect your crown jewels if they're sitting inside a vendor who's connected to your three biggest competitors, all sharing the same open-source tools, all exposed by the same 40-minute window on PyPI before anyone noticed.
π― The attack chain here is worth understanding: hackers compromised a security scanner called Trivy, used that access to get credentials for a LiteLLM maintainer, then published two malicious package versions that lasted less than an hour before removal. Forty minutes. That's all it took.
πΌ Mercor is not some sloppy startup. It's 22-year-old founders, $500M annualized revenue, and clients at the very top of the AI industry. Sophistication doesn't protect you from a poisoned dependency you never thought to audit.
π The question I'd be asking right now if I were a CISO at any of these labs isn't "were we breached." It's "how many vendors in our training pipeline are running LiteLLM, and did we even know?"
Most companies audit their own software. Almost nobody audits the software their vendors use to build the data they're buying.
https://thenextweb.com/news/meta-mercor-breach-ai-training-secrets-risk
#Cybersecurity #AIRisk #SupplyChainSecurity spc #security #privacy #cloud #infosec #ThirdPartyRisk
Hims & Hers breach via third-party vendor π¨
Social engineering β support system access β customer data exposed
Vendor risk = growing attack surface
Supply chain strike? π¨
Crunchyroll breach claims β 100GB data
Third-party access = entry point
Short dwell time, massive exfil
Are vendors your weakest link? π
Follow TechNadu
#Infosec #DataBreach #ThirdPartyRisk
Third-party ecosystems are structurally exposed.
Black Kiteβs 2026 report reframes supply chain cyber risk from βweakest linkβ theory to concentration dynamics.
Key systemic indicators:
β’ 5.28 downstream victims per breach (2025 average)
β’ 10-day median detection vs. 73-day median disclosure
β’ 53%+ organizations with at least one critical vulnerability
β’ 23%+ with corporate credentials exposed
Top 50 shared vendors:
β 70% KEV exposure
β 84% CVSS β₯ 8
β 62% stealer-log credential presence
β 52% breach history
Shared infrastructure nodes are now strategic attack surfaces.
Security teams must shift toward:
Dependency mapping
Concentration analytics
Active intelligence monitoring
Exposure propagation modeling
Is your organization modeling systemic fragility β or auditing in isolation?
Engage below.
Follow TechNadu for advanced infosec, vendor risk, and threat intelligence coverage.
#Infosec #ThirdPartyRisk #VendorSecurity #ThreatIntelligence #CISAKEV #CyberExposure #Ransomware #SupplyChainSecurity #SecurityEngineering #CyberResilience #RiskAnalytics
Third-party breach, 38M impacted, European e-commerce sector.
ManoMano disclosed unauthorized access linked to a subcontracted customer support provider. Exposed data reportedly includes PII and support communications.
Authorities notified: CNIL, ANSSI.
Passwords not reportedly accessed.
Subcontractor access revoked.
Key risk vectors:
β SaaS support platforms
β Vendor access governance
β Over-retention of ticketing data
β Centralized customer communication logs
β Supply chain attack surface expansion
This case reinforces that vendor monitoring must go beyond contractual clauses β continuous assessment, least privilege enforcement, data minimization strategies.
How mature is your third-party risk telemetry?
Engage below.
Follow @technadu for high-signal infosec reporting.
Repost to amplify awareness across the security community.
#Infosec #ThirdPartyRisk #VendorSecurity #SupplyChainSecurity #DataBreach #GDPRCompliance #EcommerceSecurity #CyberRiskManagement #SecurityOperations #GRC
TechNadu
Analyst207
Zevonix
Brian Greenberg 