
Verizon DBIR Reveals Third-Parties Involved in 30% of Breaches
Verizon’s 2025 Data Breach Investigations Report reveals third-party breaches are on the rise, and we’re not surprised!

Verizon’s 2025 Data Breach Investigations Report (DBIR) puts a spotlight on the third-party risk security teams face every day. As the report puts it:

“For this year, we found third-party involvement of some sort in 30% of all breaches we analyzed, up from roughly 15% last year.”
— Verizon 2025 Data Breach Investigations Report

That’s double the rate from last year. It’s a clear sign that third-party risk is moving from the sidelines to the center of cybersecurity strategy.

At Vorlon, we saw this shift coming. For years, we’ve focused on the everyday realities of SaaS integrations, API tokens, and vendor connections that most security teams can’t easily track or control. Vorlon’s SaaS ecosystem security platform was built to help organizations manage the real risks that now show up in the DBIR’s numbers.

We give you the visibility and control to respond quickly and with confidence. That’s how you stay ahead of the third-party problem, no matter what the statistics say.

The third-party problem is more than a vendor checklist

The “third-party problem” goes far deeper than vendor selection or onboarding questionnaires. Today, every organization runs on a complex SaaS ecosystem—CRM, billing, HR, DevOps, marketing, analytics, and more—all interconnected, all exchanging sensitive data, often automatically.

The DBIR puts it plainly:

“On the more hands-off side of third-party relationships, we find a proliferation of specialized software as a service (SaaS) providers supporting specific industries and automating some of their critical processes. And although those can be beneficial from a cost-reduction and business efficiency analysis, they bring the Venn diagram overlap of cybersecurity risk and operational risk uncomfortably close to a single circle.”
— Verizon 2025 Data Breach Investigations Report

These suppliers are operational lifelines. A single over-permissioned OAuth token, a dormant API key in a public repo, or an outdated integration can quietly expand your attack surface in ways traditional security tools weren’t designed to see.

Why traditional tools aren’t enough

Legacy approaches like SaaS Security Posture Management (SSPM), Third-Party Risk Management (TPRM), and even SIEMs can help with configuration and policy, but they struggle with the dynamic, fast-moving nature of SaaS ecosystems. Here’s why:

  • SSPM checks settings, but not behavior. It can’t tell you when a third-party token is suddenly used for something new, or by someone new.
  • TPRM relies on point-in-time assessments, not real-time monitoring. Most breaches don’t wait for your next vendor review.
  • SIEM only works with logs you actually have. Many SaaS apps don’t give you the detail or context you need, or charge extra for those logs.
  • Shared responsibility doesn’t mean shared visibility. Most organizations can’t see what their vendors are doing with access, or if that access has changed.

As the DBIR notes, “third parties not only act as custodians to customers’ data, but they also underpin critical parts of organizations’ operations.” The overlap of cybersecurity risk and operational risk has never been tighter.

Real incidents, real lessons

These trends aren’t hypothetical. At Vorlon, we’ve analyzed multiple third-party incidents in the past year that mirror the DBIR’s findings:

Each of these attacks started as a “trusted” connection, integration, or credential—until it wasn’t.

Secrets, tokens, and the 94-day exposure window

The DBIR also highlights a quietly alarming stat:

“The median time to remediate discovered leaked secrets on a GitHub repository is 94 days.”
— Verizon 2025 DBIR

Three months is a long time for a credential to remain exposed, especially when that secret might provide access to production databases, customer records, or critical infrastructure. The DBIR found:

  • JWTs made up 66% of web app secrets found
  • GitLab tokens represented 50% of all leaked CI/CD secrets
  • 43% of cloud infrastructure secrets were Google Cloud API keys

These are real-world entry points often missed by traditional controls.

The Vorlon approach: Context-driven, ecosystem-wide visibility

The DBIR is legendary for its rigor and reach, but even it acknowledges what’s missing: “managing credentials will likely be harder in an environment you don’t control.” That’s the SaaS ecosystem today—sprawling, fast-changing, and full of invisible, machine-to-machine interactions.

Vorlon’s DataMatrix™ technology was built for this challenge. We create a live, algorithmic model of your SaaS ecosystem by:

  • Continuously mapping data flows, tokens, secrets, and permissions
  • Monitoring SaaS-to-SaaS, User-to-SaaS, and third-party API behavior in real time
  • Detecting drift, dormant tokens, permission changes, and anomalous activity—across all your apps and integrations
  • Enabling fast, context-rich remediation (revoke, rotate, or alert) with confidence

As more breaches start with a legitimate vendor, integration, or token rather than a direct attack, you need to know what’s happening across your SaaS ecosystem in real time. That’s where Vorlon makes the difference: We help you spot risky third-party activity, so you can act with confidence, no matter how the threat evolves.

The real risk is what you’re not seeing

This year’s DBIR makes it clear that third-party risk is now a core theme for organizations of every size and sector:

“Possibly the most obvious and noteworthy among them is the role that third-party relationships play in how and why breaches occur.”
— Verizon 2025 Data Breach Investigations Report

As third-party breach incidents increase, the most dangerous risks are the ones that don’t fit neatly into a log file, a vendor questionnaire, or a compliance checkbox.

That’s why Vorlon exists: to give you the context, clarity, and confidence to protect your SaaS ecosystem as it really operates.

If your third-party risk program ends at onboarding, it’s time to upgrade.

If your visibility ends at your firewall, it’s time to expand your view.

Ready to see your SaaS ecosystem as it really is?



About the author

Amir Khayat, CEO

Amir Khayat is the CEO and co-founder of Vorlon. Amir has over 17 years of cybersecurity experience, including software development, and GTM roles. Amir served in the Israeli Defense Forces as a commander and combat soldier at the Paratrooper’s Elite Operations Unit. He graduated from Reichman University, Herzliya, Israel (IDC) with a BA in Computer Science, and he holds an MBA from the Hebrew University of Jerusalem. Amir lives in the Bay Area with his wife and three children.