Ask Runable forDesign-Driven General AI AgentTry Runable For Free
Runable
Back to Blog
Cybersecurity & Data Breaches27 min read

Adidas Data Breach: Was It Really Hacked or Third-Party? [2025]

Lapsus$ hackers claim an Adidas breach, but the sportswear giant says it was a third-party partner. Here's what actually happened and why it matters. Discover i

Adidas breachLapsus$ hackersdata breach 2024third-party breachcybersecurity incident+10 more
Adidas Data Breach: Was It Really Hacked or Third-Party? [2025]
Listen to Article
0:00
0:00
0:00

Adidas Data Breach: The Third-Party Twist That Changed Everything

When cybersecurity headlines scream "Adidas Hacked," most people assume the worst. Your credit card data. Your personal information. Potentially compromised on the dark web. But here's the thing: not every breach is what it seems.

In mid-2024, the notorious Lapsus$ hacking collective made headlines claiming they'd breached Adidas and stolen 815,000 rows of sensitive data. Passwords. Email addresses. Dates of birth. Names and company information. Pretty damning stuff. The posts appeared on Breach Forums, a notorious underground marketplace where stolen data changes hands for cryptocurrency. The hackers allegedly exfiltrated "a lot of technical data" from what they described as the Adidas extranet.

But here's where the story gets interesting. Adidas pushed back, and fast. The company's response was measured, specific, and crucial: they'd actually been breached, yes, but not by Adidas directly. A third-party licensing partner had been compromised instead.

This distinction matters more than you'd think. When hackers hit a major brand's partner instead of the brand itself, it changes the entire risk profile. It shifts liability. It changes what data was actually at risk. And it reveals something important about how modern cybersecurity actually works in the real world: the weakest link in your supply chain often isn't you.

Let's break down exactly what happened, why Adidas's response was significant, and what this tells us about how major corporations protect (or fail to protect) your data.

TL; DR

  • Lapsus$ claimed an Adidas breach: The hacking group posted claims on Breach Forums alleging they'd stolen 815,000 rows of data from Adidas's extranet
  • It was actually a partner breach: Adidas clarified the breach hit a third-party licensing partner for martial arts products, not Adidas's core systems
  • Consumer data wasn't compromised: Adidas explicitly stated no e-commerce platforms, consumer data, or main IT infrastructure was affected
  • Third-party breaches are common: Supply chain attacks now account for roughly 45-60% of enterprise breaches, according to industry reports
  • Lapsus$ is still active: The group remains one of the more aggressive threat actors, with a history hitting Microsoft, Nvidia, and Samsung

Who Is Lapsus$ and Why Should You Care?

Lapsus$ didn't just appear overnight. The group first surfaced in late 2021 when they targeted the Brazilian Health Ministry's systems, looking for government data and credentials. It was a relatively unknown move at the time, but it set the tone for what would become a pattern of high-profile, aggressive breaches targeting major corporations and government entities.

What made Lapsus

differentfromotherhackingcollectiveswastheirbrazennessandtheirtargets.Unlikemanycybercriminalgroupsthatoperateintheshadows,Lapsus different from other hacking collectives was their brazenness and their targets. Unlike many cybercriminal groups that operate in the shadows, Lapsus
members were relatively public about their activities. They'd post about breaches on forums. They'd negotiate directly with targets. They'd claim responsibility loudly.

After their first major move against Brazil's Health Ministry, the group escalated quickly. They went after Microsoft in early 2022, claiming to have accessed source code and internal systems. Microsoft confirmed the intrusion but said their security systems contained the damage. Then came Nvidia, another major target. The group allegedly stole proprietary information, cryptographic keys, and employee data. Nvidia confirmed the breach but also stated that the compromised data "contained employee information."

Samsung was next. Then T-Mobile. The pattern was clear: Lapsus$ was targeting companies that were big enough to matter, valuable enough to leverage for ransom negotiations, but sometimes vulnerable enough to actually get in.

In 2022, London police arrested seven individuals suspected of being Lapsus$ members. The group went quiet for a while after that. But they never truly disappeared. By 2023, they were back, re-emerging under new aliases and claiming new breaches. Two of the original arrestees were re-arrested later, but the collective never fully disbanded.

What's important to understand about Lapsus$ is this: they don't just steal data and disappear. They use breaches as leverage. They negotiate with companies. Sometimes they sell data on underground forums. Sometimes they use the threat of exposure to extort payments. The group operates with a level of sophistication that belies their public image as somewhat reckless.

What Exactly Did Lapsus$ Claim to Have Stolen?

Let's look at the specific claims the group made about the Adidas breach. On Breach Forums, they posted that they'd infiltrated the Adidas extranet and exfiltrated 815,000 rows of data. That's a fairly precise number, which might suggest they actually accessed some kind of database or spreadsheet.

According to their post, the data included:

  • Full names
  • Email addresses
  • Passwords (which is particularly concerning)
  • Dates of birth
  • Company information
  • "A lot of technical data" (intentionally vague on their part)

Now, here's where we need to be careful. When hackers claim data exfiltration, there are a few possibilities. One: they actually stole all that data and have access to it. Two: they stole some of it and are claiming more to sound impressive. Three: they got access to systems but didn't actually grab everything they claimed. Four: they're lying outright to generate buzz.

The 815,000 rows figure suggests a structured database, not just random files scattered across a server. If that number is accurate, it implies they accessed something like an employee directory, a customer database, or some kind of structured administrative system. The inclusion of passwords is particularly damaging because it means they had access to authentication credentials.

But here's the critical detail: Adidas said this data came from a third-party partner's systems, not from Adidas itself. That changes the nature of what was actually stolen. If the partner is a martial arts products distributor, the data might be employee information for that distributor, not consumer data for Adidas. The passwords might be for that partner's internal systems, not Adidas's e-commerce platform.

The "technical data" they claim to have stolen is frustratingly vague. It could mean API documentation. It could mean infrastructure diagrams. It could mean source code snippets. Without seeing the actual data (which we haven't), it's hard to know what legitimate security threat exists.

The Adidas Response: Why the Third-Party Distinction Matters

Adidas's response to the breach claims was prompt and, crucially, specific. When the company issued its statement, it didn't do what many breached companies do: panic, deny everything, then issue a vague statement three months later. Instead, Adidas said this: they'd been made aware of a potential data protection incident at one of their independent licensing partners and distributors for martial arts products.

That's a very specific statement. "Independent licensing partner." "Martial arts products." "Independent company with its own IT systems." Every phrase there is doing work.

By saying it was an independent company with its own IT systems, Adidas was drawing a clear line: this isn't our infrastructure. This isn't our responsibility to manage or secure directly. This is a third party we have a relationship with, and they got breached. Big difference.

Adidas was also clear about what wasn't compromised. The company stated there was "no indication" that Adidas's own IT infrastructure had been affected. No indication that e-commerce platforms were compromised. No indication that any consumer data was at risk. That's important because those are the things people actually care about.

Nobody really cares if a third-party distributor's employee directory gets stolen. People care if their credit card information, shipping addresses, or personal account data gets exposed. Adidas was making that distinction crystal clear.

The company didn't disclose the specific date of the breach, which is somewhat frustrating for transparency purposes. It also didn't fully detail what technical data was actually at risk. But the core message was solid: the breach happened elsewhere, not to us, and your consumer data is safe.

That response had measurable effects. While the Lapsus$ group continued to claim they'd hacked Adidas, the narrative shifted. Industry coverage immediately noted the third-party distinction. Security researchers acknowledged that this wasn't a breach of Adidas's core systems. The company maintained its reputation for data security even while acknowledging the partner incident.

Third-Party Breaches: The Hidden Crisis in Corporate Security

Here's something that doesn't get enough attention: third-party breaches are now the norm, not the exception. When a major company gets compromised these days, there's actually a decent chance it happened through a partner, vendor, or contractor rather than through the company's own systems.

The numbers back this up. Industry security reports consistently show that supply chain attacks and third-party breaches account for a significant and growing portion of major corporate security incidents. Some estimates put third-party involvement in 45-60% of enterprise breaches. Let that sink in. Nearly half of all major corporate breaches aren't even targeting the company directly. They're targeting the weakest link in the supply chain.

Why is this happening? Several factors.

First, major corporations like Adidas have security teams. They have budgets. They have compliance requirements. They have incentives to protect their own infrastructure. But third-party partners? They might be smaller companies with smaller security budgets. They might be international distributors with varying security standards. They might be single-point contractors with minimal security practices. A licensing partner for martial arts products might be a 50-person company running on infrastructure from 2015.

Second, vendors and partners have access. That's the entire point of partnerships. They need access to systems, data, credentials. That access is a security surface that's much harder to control than your own infrastructure. You can mandate security practices for your own employees. You can enforce security updates on your own systems. You can require multi-factor authentication throughout your own organization. But a partner? You can create requirements, sure. But if they don't comply, what do you do? Cut off the partnership? That might damage business relationships or disrupt supply chains.

Third, many partners aren't as security-savvy as the major companies they work with. They might not have dedicated security teams. They might not have incident response plans. They might not even know they've been breached until a hacker posts about it on an underground forum.

The Adidas situation illustrates this perfectly. A major, sophisticated company gets compromised through a partner. The partner presumably didn't have the same security infrastructure, monitoring, or response capabilities as Adidas itself. The hackers found the path of least resistance.

This is why supply chain security is now a major regulatory and business concern. Companies are starting to implement vendor security assessment programs. They're requiring partners to maintain certain security certifications. They're demanding regular security audits. But enforcement is still spotty, and many companies still treat vendor security as an afterthought.

What Data Was Actually at Risk?

Let's think carefully about what Lapsus$ actually accessed. According to their claims and Adidas's confirmation, the breach involved a third-party partner's systems, not Adidas's consumer-facing infrastructure.

So what does that mean? The 815,000 rows of data almost certainly included some combination of:

  • Employee information for the partner company
  • Partner customer data (potentially retailers or distributors buying from them)
  • Internal systems documentation
  • Credentials and access information
  • Technical data related to the partner's operations

What it almost certainly did NOT include:

  • Adidas customer payment information
  • Adidas consumer account data
  • Adidas e-commerce platform data
  • Adidas employee personal information
  • Adidas intellectual property

Now, that doesn't mean nothing was at risk. Employee data is still sensitive. Partner customer data could be valuable. Credentials could potentially be used to access other systems. Technical documentation can be valuable to competitors or other attackers.

But there's a massive difference between "hackers got access to a partner company's employee directory" and "hackers compromised Adidas's consumer database." One affects a few hundred employees. The other affects millions of customers.

Adidas's explicit statement that consumer data wasn't compromised is crucial. That's the reassurance people needed to hear. Because if Adidas had actually suffered a breach of its customer database, it would have been a major incident. Millions of people would have potentially needed to change passwords, monitor their credit cards, and consider themselves at risk of identity theft.

Instead, the breach was compartmentalized. It was serious, yes. It required investigation. It required notification to regulators. But it wasn't catastrophic for Adidas's customers or reputation.

The Extranet Distinction: Why This Specific Attack Vector Matters

Lapsus$ claimed they accessed the Adidas "extranet." That's a specific technical term, and understanding it is important to grasping what security actually failed here.

An extranet is essentially a private network that extends beyond a single organization. Unlike the general internet, which is open to everyone, an extranet restricts access to authenticated users. In Adidas's case, their extranet presumably allowed partner companies (like the martial arts products distributor) to access certain systems without going through the public internet.

This makes sense from a business perspective. You want your partners to be able to access inventory systems, order information, maybe even some level of customer data. But you don't want random people on the internet accessing that. So you create an extranet that requires authentication.

The security model for an extranet is different from the security model for a public website. An extranet typically assumes that authenticated users are somewhat trusted, so it might not require the same level of verification for every action. It might have fewer monitoring systems than a consumer-facing platform. It might be managed by a smaller team.

When Lapsus$ got into the Adidas extranet, they almost certainly did so by compromising the partner company's credentials. They likely got credentials from the partner (either through phishing, credential stuffing, or some other method), authenticated to the extranet, and then poked around to see what data they could access.

This is a common attack pattern. Find a partner, breach them, use their credentials to access the main company's systems. It's harder than a direct attack on the main company's firewall, but easier than compromising the main company directly.

What's notable is that even though Lapsus$ accessed the Adidas extranet, they apparently couldn't get deeper into Adidas's main infrastructure. The firewalls, segmentation, and access controls prevented them from moving laterally into systems that actually contained consumer data.

That's actually a sign that Adidas's security architecture worked reasonably well. Even with a compromised third-party account, the attackers couldn't penetrate to the sensitive stuff.

How Did This Breach Actually Happen? The Attack Vector

We don't have a complete forensic breakdown of how Lapsus$ initially compromised the partner company, but we can make educated guesses based on how similar breaches typically occur.

The most likely scenario: someone at the partner company received a phishing email or was targeted with credential stuffing attacks. Their login credentials were compromised. With those credentials in hand, Lapsus$ accessed the partner's systems. From there, they had legitimate access to the Adidas extranet because the partner was supposed to have that access.

Phishing is remarkably effective. Studies consistently show that even in security-aware organizations, 20-30% of phishing emails get clicked by someone. If a small partner company doesn't have robust security awareness training, that percentage could be much higher.

Alternatively, the partner might have used weak passwords, reused passwords from compromised databases, or had credentials leaked through some other breach. Lapsus$ is known for using credential stuffing attacks, where they automatically try known leaked credentials against various accounts to see if any work.

Once inside the partner's systems, Lapsus$ would have explored what they could access. They found the extranet access. They authenticated to it. They discovered the partner company's database and started exfiltrating data.

The fact that they got 815,000 rows suggests they had database-level access or SQL query capabilities. They weren't just grabbing random files. They were systematically extracting structured data.

This entire attack vector depended on compromising the partner first. The partner was the weakest link, and the hackers exploited it.

The Broader Security Implications for Adidas and Similar Companies

Even though Adidas avoided the worst-case scenario (a direct compromise of their consumer infrastructure), this breach still has implications for how they manage security going forward.

First, it highlighted supply chain risks. Adidas now has to think harder about which partners have extranet access, what data they can access, and what their security posture actually is. They probably need to be more rigorous about vetting partner security practices.

Second, it shows that even extranet systems—which are supposed to be more secure than public platforms—can be compromised. Adidas probably needs to increase monitoring of extranet activity. They might want to implement more aggressive access controls. They might want to require multi-factor authentication for partner logins.

Third, it raises questions about data retention. The partner company had 815,000 rows of data. Did they actually need all of it? Could Adidas have implemented data minimization policies that reduced what the partner could access? This is a broader trend in security: many companies hold onto data they don't actually need, which just increases the risk profile if that data gets breached.

For other large companies in similar positions, the Adidas incident is a case study in supply chain risk. It demonstrates that you need to monitor your partners' security practices continuously, not just during onboarding.

Lapsus$ After the Adidas Breach: Are They Still Active?

The question everyone asks about defunct-seeming hacking groups: are they actually gone or just laying low?

For Lapsus$, the answer is clearly the latter. The group has continued to be active despite police arrests in 2021. They claim new breaches regularly. They operate under multiple aliases. They're not as publicly visible as they were in 2022, but that's probably intentional. The heavy law enforcement attention made them less bold.

By the time of the Adidas incident, Lapsus

hadevolved.Somemembershadbeenarrested.Somehadmovedon.Butthecollectivepersisted.TheyrenowsometimesassociatedwithalargergroupcalledScatteredLapsusHunters,whichsuggeststheoriginalLapsus had evolved. Some members had been arrested. Some had moved on. But the collective persisted. They're now sometimes associated with a larger group called Scattered Lapsus Hunters, which suggests the original Lapsus
members have collaborated or merged with other threat actors.

What's changed is their targeting pattern. Early on, they were very public about breaches. Now, they're more selective. They target companies where they think they can leverage the breach for maximum impact. They negotiate quietly before making things public. They're a bit more sophisticated and a bit less theatrical.

The Adidas incident fits this pattern. A claim on Breach Forums, but not massive publicity. They waited for Adidas's response before pushing the narrative further. It's more calculated than their 2022 tactics.

Lapsus$ remains one of the more active threat actors out there. They're not the only group targeting major corporations, but they're certainly in the top tier in terms of profile and impact.

Legal and Regulatory Implications: What Happens Now?

When a breach happens—even a third-party breach—there are legal implications. Regulatory requirements kick in. Notification laws apply. Adidas presumably had to notify relevant regulatory bodies about the incident, depending on where the partner company operated and where the affected individuals lived.

In Europe, GDPR requirements would apply. Any personal data of EU residents that was compromised requires notification to regulators and potentially to affected individuals. That's a significant legal obligation, even if it's technically a partner's breach.

In the United States, data breach notification laws vary by state, but many require notification if personal data was compromised. Some states have specific timelines for notification. Some require notification to state attorneys general.

Adidas's response to these requirements likely involved:

  1. Formal investigation into what data was actually accessed
  2. Notification to relevant regulatory authorities
  3. Notification to affected individuals (employees of the partner, potentially)
  4. Preservation of evidence for potential law enforcement investigation
  5. Consultation with legal teams about liability and indemnification clauses with the partner

The last point is interesting from a business perspective. If the partner company was negligent in their security practices, Adidas might have legal grounds to claim damages or demand indemnification. The specific terms of the partnership agreement would matter here.

From a regulatory perspective, this incident might also trigger audits or compliance reviews. Regulators might ask Adidas to demonstrate that they're taking supply chain security seriously. That could lead to new requirements or restrictions on how Adidas can manage partner relationships.

Lessons for Consumers: What Should You Do?

If you're an Adidas customer, the risk here is actually minimal. Adidas's statement that consumer data wasn't compromised is presumably accurate. Your account information, payment information, and personal data associated with Adidas purchases are presumably safe.

That said, it's always good practice to:

  1. Monitor your accounts for unusual activity
  2. Change your Adidas password if you haven't changed it in a while
  3. Check your credit card statements for unauthorized charges
  4. Consider enabling two-factor authentication on your Adidas account if they offer it

More broadly, incidents like this are reminders that your data is only as secure as the weakest link in every company's supply chain that has access to it. You can't control which vendors your favorite companies work with or how secure those vendors are.

The best you can do is choose companies that seem to take security seriously, enable all available security features on your accounts, and monitor your financial information regularly.

Industry Response: How Other Companies Are Learning From This

When a major breach happens, other companies pay attention. The Adidas incident has likely informed how other large corporations think about third-party risk management.

Some larger companies are now implementing vendor risk platforms—software systems that track which vendors have access to what data, require regular security assessments, and monitor for breaches involving vendors in their ecosystem.

Others are implementing zero-trust security models that don't distinguish between "internal" and "partner" access. Everything requires authentication and authorization, regardless of source.

Still others are implementing data access logging and anomaly detection for partner logins specifically. If a partner account suddenly starts accessing unusual data volumes or unusual systems, alerts fire immediately.

These are all responses to incidents like the Adidas breach. The incident revealed a pattern (partner compromise leading to extranet breach), and now the industry is building defenses against that pattern.

The Timeline: What Happened When?

While Adidas didn't disclose the specific date of the breach, we can piece together a rough timeline:

  • Unknown date: Partner company is breached, credentials are compromised
  • Unknown date: Lapsus$ accesses partner systems, exfiltrates data
  • Unknown date: Lapsus$ claims on Breach Forums that they have Adidas data
  • Shortly after claim: Adidas becomes aware of the claim, begins investigation
  • Within days: Adidas issues public statement that it was a third-party partner breach, not Adidas
  • Following period: Investigation continues, regulatory notifications presumably issued

The lack of specific dates is frustrating for transparency, but it's fairly standard. Companies don't always disclose exact breach dates because that information can help other attackers understand what detection methods caught the original attacker.

Comparing This to Other Recent Breaches

How does the Adidas incident compare to other recent supply chain breaches?

It's actually less severe than many. The Solar Winds breach affected U.S. government agencies and major corporations through compromised software updates. The Kaseya breach was similar. The Target breach in 2013 originated through a compromised HVAC vendor and eventually exposed millions of customer payment cards.

The Adidas incident is more contained. Third-party data compromised, but not consumer data. Partner systems breached, but not Adidas's core infrastructure. It's a reminder that supply chain breaches exist on a spectrum, and Adidas's incident is on the less severe end.

It's also a reminder that quick, accurate public communication matters. Companies that respond clearly and specifically to breach claims (like Adidas did) maintain more credibility than companies that deny everything or issue vague statements.

What Happens to the Stolen Data?

Once Lapsus$ stole the 815,000 rows of data from the partner company, what happened to it?

Several possibilities:

  1. Ransom: Lapsus$ might have approached the partner or Adidas with a ransom demand, offering to delete the data in exchange for payment
  2. Sale: They might have sold it on underground forums to other cybercriminals
  3. Leverage: They might be holding it for leverage in other negotiations
  4. Publication: They might eventually publish it to prove they actually stole it
  5. Combination: They might be doing all of the above

Lapsus$ has historically used data as leverage rather than immediately publishing it. They negotiate. They demand payment. If negotiations fail, then they threaten to publish. This approach often makes them more money than direct sales would.

Without knowing the specific negotiation history, we can't say exactly what happened. But the data is presumably either deleted, held by Lapsus

forleverage,orownedbywhoeverLapsus for leverage, or owned by whoever Lapsus
sold it to.

For the individuals whose data was in that 815,000 rows, the risk profile depends on what actually happened to the data. If it was deleted or held privately for extortion, the exposure is limited. If it was sold on the dark web, it could end up in the hands of identity thieves, spammers, or other miscreants.

The Future of Supply Chain Security

Incidents like this have probably accelerated the adoption of supply chain security practices across the industry. Companies are realizing that third-party risk is not a nice-to-have security focus—it's essential.

We'll likely see:

  1. More rigorous vendor assessments: Companies asking vendors harder questions about security practices
  2. Continuous monitoring: Moving beyond annual audits to ongoing monitoring of vendor security posture
  3. Data minimization: Partners getting access only to the absolute minimum data they need
  4. Contractual requirements: Clearer security requirements in partnership agreements
  5. Incident planning: Better coordination with vendors on breach response procedures

Adidas has probably already started implementing more aggressive vendor security practices. Other companies in their position should too.

Key Takeaways: Why This Matters

The Adidas-Lapsus$ incident matters for several reasons:

First, it demonstrates that major corporations can be breached through partners even when they have strong security practices themselves. The attack vector bypassed Adidas's own defenses by going through someone else's.

Second, it shows that companies need to be transparent and specific when responding to breach claims. Adidas's clear statement that it was a third-party partner and that consumer data wasn't affected actually protected their reputation.

Third, it's a real-world example of why supply chain security is becoming a major concern in enterprise security. You're only as secure as your least-secure partner.

Fourth, it confirms that groups like Lapsus$ remain active threats despite law enforcement efforts. The threat actor ecosystem is resilient and adaptive.

Finally, it's a reminder that data breaches are becoming normalized. Major companies get breached fairly regularly now. What matters is what was actually compromised and how the company responds.

FAQ

Was Adidas actually hacked directly?

No, Adidas's core systems were not directly hacked. Instead, a third-party company that had a partnership with Adidas was compromised. That partner company had access to Adidas's extranet, and attackers used compromised partner credentials to access the extranet. However, Adidas explicitly stated that their own IT infrastructure, e-commerce platforms, and consumer data were not affected by the breach.

What is an extranet and why is it a security risk?

An extranet is a private network that extends access beyond a single organization to authenticated partners or vendors. It's less secure than internal networks but more controlled than the public internet. Extranets are a security risk because partner credentials can be compromised, and once an attacker has legitimate credentials, they can access systems they're not supposed to. Companies using extranets need to monitor partner access carefully and implement additional security controls.

What data did Lapsus$ steal from Adidas's partner?

According to Lapsus$'s claims, they stole 815,000 rows of data including full names, email addresses, passwords, dates of birth, company information, and technical data. However, this data belonged to the third-party partner, not to Adidas. The exact nature of the technical data remains unclear, but it likely included infrastructure documentation or system configuration information rather than Adidas consumer data.

Should Adidas customers be concerned about their data?

Adidas explicitly stated that consumer data, e-commerce platforms, and core IT infrastructure were not affected by the breach. Therefore, Adidas customers don't need to be concerned about their personal account information or payment data being compromised. However, customers can proactively monitor their accounts and change passwords as a general security practice.

Who is Lapsus$ and are they still active?

Lapsus$ is a hacking collective that emerged in late 2021 and has claimed breaches of major companies including Microsoft, Nvidia, and Samsung. London police arrested seven suspected members in 2022, and two were re-arrested later. The group remains active as of 2024-2025, though they've become less publicly visible and more selective in their targets. They sometimes operate as part of a larger collective called Scattered Lapsus Hunters.

How can companies prevent third-party breaches?

Companies can prevent third-party breaches by implementing vendor security assessment programs, requiring partners to maintain security certifications, conducting regular security audits of partners, limiting partner access to only necessary data, implementing strong authentication for partner accounts (including multi-factor authentication), and monitoring partner account activity for unusual access patterns. Data minimization is also key—partners should only access the minimum data they actually need.

What are the legal implications of a third-party breach?

Even if a third-party is breached, the company that shared data with them often has legal and regulatory obligations. Under GDPR in Europe and various state laws in the U.S., companies must notify regulators and affected individuals if personal data is compromised, regardless of whether the breach was direct or through a partner. Companies should also review partnership agreements for indemnification clauses that might allow them to recover damages from negligent partners.

How can I protect my data when using large companies with complex supply chains?

You can protect your data by enabling all available security features (like two-factor authentication), using unique, strong passwords for each company's platform, monitoring your accounts for unusual activity, checking credit card statements regularly, and choosing to do business with companies that appear to take security seriously. You cannot directly control a company's vendor security practices, but you can choose companies based on their apparent security posture and incident response track record.

What is credential stuffing and how does it work?

Credential stuffing is an automated attack where hackers take known leaked username and password combinations (from other breaches) and automatically try them against various services to see if they work. If someone reuses the same password across multiple accounts, credential stuffing attacks can compromise them. You protect yourself by using unique passwords for each service and enabling multi-factor authentication wherever possible.

Why don't companies disclose exact breach dates?

Companies often don't disclose exact breach dates because that information can help other attackers understand what triggered detection or what security gaps existed at that time. Additionally, companies might not know the exact date if the breach went undetected for months. Regulatory requirements typically require disclosure of breach dates only to regulators and affected individuals, not necessarily to the public.

Cut Costs with Runable

Cost savings are based on average monthly price per user for each app.

Which apps do you use?

Apps to replace

ChatGPTChatGPT
$20 / month
LovableLovable
$25 / month
Gamma AIGamma AI
$25 / month
HiggsFieldHiggsField
$49 / month
Leonardo AILeonardo AI
$12 / month
TOTAL$131 / month

Runable price = $9 / month

Saves $122 / month

Runable can save upto $1464 per year compared to the non-enterprise price of your apps.

Start saving with Runable todayContact us for any pricing questions