2026 Third-Party Data Breaches: The Complete List
Third-party breaches are no longer the exception. They are the pattern.
In 2026, attackers stopped targeting companies directly. They go through the vendors, contractors, and platforms that already have access — OAuth tokens, CRM integrations, billing providers, chatbots. Tools your team approved, connected, and forgot about.
The Verizon DBIR found that 48% of breaches now involve a third party. Every row in this table is proof of what that looks like in practice.
We update this list as new incidents are confirmed.
| Month | Company | Data Breached | Use of 3rd Party | 3rd-Party Company |
|---|---|---|---|---|
| January | Ledger | Personal data, names, contact information, order data, shopper order data. | Payment provider | Global-e |
| January | European Commission | Personal and reservation information, identity and contact details, passport info, names, dates of birth, addresses, emails, phone numbers, health information, and IBANs. | Rail pass provider | Eurail |
| January | Grubhub | Unknown | Chatbot provider | Salesloft Drift |
| January | Betterment | Full names, email addresses, physical addresses, phone numbers, dates of birth. | Marketing provider | Third-party vendor |
| February | Bayada Home Health Care | Names, dates of birth, diagnoses, medical/physical treatment info, health insurance plan info, prescription info, hospital admissions, disability info, Social Security numbers (subset). | Billing provider | Doctor Alliance |
| February | Advanced Homecare Management | Names, addresses, dates of birth, patients' gender, physician names, medical record numbers, clinical information, health plan numbers. | Billing provider | Doctor Alliance |
| February | National Bank of Ukraine | Names, phone numbers, email addresses, delivery addresses. | Online store contractor | Third-party vendor |
| February | Ericsson Inc. | Names, addresses, SSNs, Driver's License numbers, government-issued IDs, financial info, medical info, dates of birth. | Unknown provider | Third-party vendor |
| February | ManoMano | Customer names, email addresses, phone numbers, customer service exchanges. | Customer service provider | Unnamed subcontractor |
| February | Hims & Hers Health | Names, contact information, and other unspecified data. | Customer service provider | Zendesk |
| February | Canada Goose | Customer names, email addresses, phone numbers, billing and shipping addresses, IP addresses, order histories, partial payment card info, purchase history, device and browser info. | Payment provider | Third-party vendor |
| March | Crunchyroll | User name, login name, email address, IP address, geographic location, support ticket contents, some credit card details (last 4 digits, expiration dates). | BPO provider | Telus International |
| April | Vercel (subset) | Customer data, environment variables. | Cloud platform provider | Vercel |
| April | Mercor | Source code repositories, internal databases, cloud storage buckets, videos and verification workflows. | AI Gateway provider | LiteLLM |
| April | Rockstar Games | Limited non-material company information. | Analytics provider | Anodot |
| April | HackerOne | Social Security numbers, full names, home addresses, dates of birth, health plan participation details, information about employees' dependents. | Employee benefits provider | Navia Solutions |
| May | Vimeo | Limited non-material company information. | Analytics provider | Anodot |
| May | Zara | Limited non-material company information. | Analytics provider | Anodot |
| June | Oxford University | Full names, email addresses of students and alumni, passwords of users who logged in without SSO. | Careers platform | Group GTI Career Connect |
| June | LastPass | Customer names, email addresses, phone numbers, physical addresses, CRM records and support case data. | Market intelligence platform | Klue |
Do you know every external connection inside your environment?
Most security teams don't. Vendors, contractors, and SaaS tools accumulate access over time, and nobody tracks when it becomes a risk.
FrontierZero's free External Access Report maps every connection into your environment. The ones you authorised. And the ones you didn't.
Takes 15 minutes. No deployment. No disruption.