Axis Insurance Services Blog

Latest Social Security Breach Reveals Growing Concerns About Third-Party Vendors

Written by Drew Smith | Jan 13, 2026 2:43:56 PM

It seems like every day, another breach makes the headlines. Valuable data is at constant risk from malicious actors. Recent hacks, however, have revealed that these actors have begun shifting targets to vendors that aren’t directly associated with the company, prompting many to question how much they can rely on third parties to oversee data.

The breach involved 700Credit. Their business focuses on credit checks for car, RV, and marine dealerships, with over 18,000 dealerships using their platform to verify customers' credit scores before the vehicle sale process begins. (1) This means they hold a lot of data, such as credit cards, bank accounts, and Social Security numbers. When they revealed that they had been hacked in October, after three months of compromise, the damage amounted to more than 5.5 million Social Security numbers and numerous bank accounts.

The forensic investigation into this breach determined that it originated not from 700Credit's internal servers but from a third-party data-handling service. The threat actor identified a vulnerable API (application programming interface) from that vendor and was able to exfiltrate data because the API failed to validate consumer reference IDs against the original requester.
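The flaw described above, a lookup that never checks the consumer reference ID against the original requester, is shown here beside a corrected version. This is an added illustration, not code from 700Credit or its vendor; the record layout, function names, and the denied-lookup threshold are assumptions, and the sample data is constructed.

```python
from collections import Counter

# Constructed sample data: each consumer record is keyed by a reference ID and
# tagged with the dealer account that originally requested the credit check.
RECORDS = {
    "REF-1001": {"requester": "dealer-A", "name": "Sample Person One", "ssn": "000-00-0001"},
    "REF-1002": {"requester": "dealer-B", "name": "Sample Person Two", "ssn": "000-00-0002"},
    "REF-1003": {"requester": "dealer-B", "name": "Sample Person Three", "ssn": "000-00-0003"},
}


class NotFound(Exception):
    """Raised for both missing and unauthorized reference IDs."""


def get_record_vulnerable(caller_id, reference_id):
    # Flawed: the caller is authenticated, but the reference ID is never
    # compared with the account that created it, so any caller can read any record.
    record = RECORDS.get(reference_id)
    if record is None:
        raise NotFound(reference_id)
    return record


def get_record_hardened(caller_id, reference_id, audit_log):
    record = RECORDS.get(reference_id)
    # Corrected: the record is returned only to its original requester.
    # "Missing" and "not yours" produce the same error, so a response never
    # confirms that another account's reference ID exists.
    if record is None or record["requester"] != caller_id:
        audit_log.append({"caller": caller_id, "reference_id": reference_id, "result": "denied"})
        raise NotFound(reference_id)
    return record


def flag_repeated_denials(audit_log, threshold=3):
    # Assumed detection rule: a caller with `threshold` or more denied lookups
    # is asking for records it did not create and should be reviewed.
    denied = Counter(e["caller"] for e in audit_log if e["result"] == "denied")
    return sorted(caller for caller, count in denied.items() if count >= threshold)
```

Logging the denied lookups matters as much as the check itself: it is what lets the API owner notice cross-account requests early instead of months later.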

The data types that have been exposed include:

  • Full name
  • Physical address
  • Date of birth
  • Social Security Number (SSN) (2)

The vendor did not report the breach on its end, and the incident escalated into a massive breach. From the time the breach started until 700Credit found out about it and reported it to the relevant authorities, they estimate 20 percent of their data had been stolen, roughly 5.5 million records across their entire network.

This attack highlights a growing issue in cybersecurity. Hackers are incredibly smart, so if they know their target will be on guard against anything it hasn’t vetted, they simply look for a workaround. In this case, the workaround is the third-party vendor, which may not have as much security as the main target. These vendors wouldn’t have the same safeguards as larger names.

Perhaps the two most visible recent examples of third-party breaches were Salesforce and UnitedHealthcare. Salesforce was compromised earlier in 2025. Hackers were able to take advantage of trust in Salesforce-approved apps via phishing. “By disguising themselves as IT support personnel on the phone, hackers belonging to the group ‘ShinyHunters’ successfully tricked the employees at several multinational corporations into handing over the data within their own Salesforce platforms. The attacks underscore the vulnerability that all businesses, large or small, face in preventing cyberattacks that begin with basic social engineering scams.” (3) Over 1 billion records across multiple companies were compromised.

In the case of UnitedHealthcare, its 2024 data breach not only affected multiple pharmacies but also temporarily took the network offline, making international news. The target wasn’t UnitedHealthcare itself, but one of its systems that manages processing. Change Healthcare, the program in question, was acquired by UnitedHealthcare to streamline its insurance payment processing.

“A few months after the incident, on May 1, the CEO of UnitedHealth Group, Andrew Witty, was summoned to testify before Congress. From that testimony, the general public finally learned how the attack on the company unfolded.

According to Witty, the attack began on February 12. The attackers used compromised credentials to gain access to the Change Healthcare Citrix portal, which was used for remote desktop connections. Two-factor authentication should have stopped them but… it wasn’t enabled. Thus, attackers were able to gain entry simply by using the compromised credentials.

After gaining initial access, they began to move laterally and harvest data. The attackers clearly managed to collect a substantial amount of valuable data within the following nine days. In any case, on February 21, they deployed ransomware — initiating the encryption of Change Healthcare’s systems.

Faced with this situation, UnitedHealth decided to disconnect Change Healthcare data centers from the network to contain the ransomware attack.” (4)

In effect, these third parties are being compromised as another way to attack the real targets. Attackers know that the low-hanging fruit is companies that might not have the safety protocols in place to prevent these hacks.

Third-party vendors can be a blessing and a curse. They can take on the burden of managing the massive amounts of data some companies oversee. But without proper vetting, companies might not realize their vendors lack adequate security protocols. Hackers know people are evolving to counter their attempts, so they simply shift their attack vectors, with devastating results. When dealing with vendors, be sure to verify the security protocols they have in place before you allow them to store your information.