Third-Party Access: The Attack Path Hidden in Your Vendor List

TLDR: Your vendor list is a map of potential entry points into your network. Third-party access is one of the most commonly exploited and least audited attack surfaces in mid-market organizations, and the numbers are getting worse, not better.


Introduction

The attacker did not need to break down a digital door. They walked through one that was already open.

In November 2013, attackers entered Target’s corporate network using credentials stolen from Fazio Mechanical Services, an HVAC contractor with remote access to a Target vendor portal used for electronic billing, contract submission and project management. There was no perimeter breach and no zero-day exploit. The attackers used legitimate credentials belonging to a small subcontractor, moved laterally through the network, and planted malware on point-of-sale systems across the country. Between November 27 and December 15, 2013, payment card data for roughly 40 million customers was stolen. Target’s reported costs exceeded $200 million.

That was over a decade ago. The attack pattern is still working.

According to the 2025 Verizon Data Breach Investigations Report, breaches involving third parties doubled year-over-year, now accounting for 30% of all confirmed breaches, up from 15% the prior year. The infrastructure gets more complex, the vendor lists grow longer, and the access reviews stay annual at best. Meanwhile, attackers spend those months looking for the path of least resistance.


Why Vendors Get Trusted Too Much, Too Fast

Vendor access typically gets provisioned under pressure. A project kicks off, a deadline looms, an MSP needs to get into the environment to troubleshoot. Someone on the IT team creates credentials, grants access, and moves on to the next fire. That access rarely gets revisited.

The operational logic is understandable. Onboarding a vendor is often treated as a one-time event. The agreement gets signed, the credentials go out, the vendor does their work, and everyone moves on. What does not happen, routinely or systematically, is a check six months later asking whether that vendor still needs the same level of access, or whether they still need access at all.

The business relationship may have changed. The project may have ended. The vendor may have been acquired, lost key personnel, or experienced their own security incident. None of that shows up in your access management system unless someone is actively looking.

This is not a criticism of IT teams. It is a structural problem. Access provisioning is visible; access review is not, and the urgency of daily operations consistently beats the non-urgency of hygiene.


What Attackers Actually Do With It

From an attacker’s standpoint, third-party access is attractive for a specific set of reasons. Vendor credentials are often less scrutinized than employee credentials. The accounts may be older, less likely to have updated authentication requirements, and connected to parts of the network the vendor needed access to years ago but no one remembers to revisit. They also tend to carry implicit trust, and activity from a known vendor account looks legitimate right up until it does not.

The 2020 SolarWinds compromise illustrated this at scale. Attackers compromised SolarWinds’ build environment, inserted malicious code into routine Orion software updates, and rode those signed updates into the networks of thousands of customers, including U.S. federal agencies. The tampered updates went undetected for roughly nine months. CISA, the FBI, NSA and ODNI jointly assessed the campaign as Russian in origin, and the U.S. government later formally attributed it to Russia’s Foreign Intelligence Service (SVR). For the downstream victims, the initial access vector was not a phished employee or an exposed credential. It was a trusted, signed software update mechanism that no one thought to distrust.

In the Okta breach disclosed in October 2023, attackers used a stolen credential to access Okta’s customer support case management system, harvested session tokens from HTTP Archive (HAR) files that customers had uploaded for troubleshooting, and replayed those tokens to bypass login screens and multi-factor authentication. Okta’s investigation found that 134 customers had support files accessed, with unauthorized activity spanning September 28 to October 17, 2023, and that session tokens from five of them were subsequently used. Three customers (1Password, BeyondTrust, and Cloudflare) publicly confirmed the impact. Detection and scoping were complicated because HAR file downloads generated a different log event type than the one investigators initially searched, creating gaps in the forensic record.

These are not obscure scenarios. They are case studies that appear in security conferences and academic curricula precisely because the pattern is so reproducible.


The Inventory Problem

Before an organization can manage third-party access risk, it has to know what access exists. Most organizations do not have a clean answer to that question.

This is less about negligence and more about how access accumulates over time. A vendor relationship that starts with one account expands to three when the project scales. A contractor who needed database read access during an implementation still has it two years later. An MSP that supported a legacy application retains credentials after the application was decommissioned. Nobody revoked it because nobody was tracking it.

The result is access sprawl: a population of accounts with varying levels of access, accumulated over years, that nobody has mapped comprehensively. An attacker with a single valid vendor credential can use that starting point to understand the network, identify adjacent systems, and move laterally in ways that look like normal vendor activity.

The inventory problem has to be solved before anything else. You cannot revoke access you do not know exists, and you cannot detect anomalies without a baseline of what is normal.


What Good Looks Like

Getting control of third-party access does not require a large security budget. It requires process discipline and the right questions asked on a consistent cadence.

Periodic access reviews, conducted at least quarterly, ask whether each vendor account still needs the access it has, whether the scope of that access still matches the current relationship, and whether the vendor relationship is still active at all. These reviews catch the accounts that fall through the cracks between onboarding and termination.

Just-in-time access provisioning changes the default from “always on” to “access on request, for a defined duration.” A vendor who needs to perform maintenance gets a time-limited credential for that specific task. When the task is complete, the access expires. There is no standing access to compromise.

Least privilege enforcement ensures that vendor accounts can only reach what they actually need to do their work. Network and identity segmentation between vendor access and sensitive internal systems limits how far an attacker can move with a single compromised credential. The Target breach is the clearest illustration of what happens when that segmentation does not exist: an HVAC contractor’s credentials for a vendor portal ended up reaching payment processing infrastructure.

Logging and alerting on vendor account activity creates the visibility needed to detect anomalous behavior before it escalates. Knowing when a vendor account logged in, from where, and what it accessed is the baseline for any meaningful detection capability.
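As an added example (not code from the original post), here is what that baseline-and-deviation check looks like in practice: each vendor account gets a baseline recorded at onboarding (where it connects from, what it may reach, when it may work, and until when), and every event is scored against it. The log line format, the account names, the networks, the maintenance window and the contract date are all constructed for the illustration; a real deployment would read the same fields from VPN, identity-provider or jump-host logs.

```python
"""Baseline-and-deviation checks for vendor account activity.

Added example, not code from the original post. The log format, the
accounts, the networks and the maintenance window are all constructed.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from ipaddress import ip_address, ip_network

# Constructed log line format (assumption): space-separated key=value pairs.
LOG_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class VendorBaseline:
    """What 'normal' looks like for one vendor account, set at onboarding."""
    account: str
    allowed_sources: tuple        # CIDRs the vendor is contracted to connect from
    in_scope_targets: frozenset   # systems the engagement actually covers
    window: tuple                 # (start_hour, end_hour) of the agreed maintenance window
    contract_end: date            # after this date any activity is a finding


def parse_event(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ev = dict(LOG_RE.findall(line))
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def check_event(ev, baseline):
    """Return the deviations for one event; an empty list means it matched the baseline."""
    findings = []
    src = ip_address(ev["src"])
    if not any(src in ip_network(cidr) for cidr in baseline.allowed_sources):
        findings.append("unexpected_source")
    if ev["target"] not in baseline.in_scope_targets:
        findings.append("out_of_scope_target")
    start, end = baseline.window
    if not start <= ev["ts"].hour < end:
        findings.append("outside_window")
    if ev["ts"].date() > baseline.contract_end:
        findings.append("after_contract_end")
    return findings


def review_log(lines, baselines):
    """Run every event against its account's baseline.

    Returns (account, timestamp, findings) for each deviating event. An event
    from an account with no baseline is reported too: that is the inventory
    gap the article describes, and it cannot be judged normal or abnormal.
    """
    results = []
    for line in lines:
        ev = parse_event(line)
        baseline = baselines.get(ev["user"])
        if baseline is None:
            results.append((ev["user"], ev["ts"], ["no_baseline"]))
            continue
        findings = check_event(ev, baseline)
        if findings:
            results.append((ev["user"], ev["ts"], findings))
    return results


# Constructed baseline: an HVAC vendor allowed into two portals, in business
# hours, from its own network, until the end of its contract.
BASELINES = {
    "svc-hvac-vendor": VendorBaseline(
        account="svc-hvac-vendor",
        allowed_sources=("203.0.113.0/24",),
        in_scope_targets=frozenset({"bms-portal", "billing-portal"}),
        window=(8, 18),
        contract_end=date(2024, 6, 30),
    ),
}

# Constructed log lines: one normal, one with three deviations, one after the
# contract ended, and one from an account nobody inventoried.
SAMPLE_LOG = [
    "ts=2024-03-04T10:13:00 user=svc-hvac-vendor src=203.0.113.7 target=billing-portal action=login result=success",
    "ts=2024-03-04T02:41:00 user=svc-hvac-vendor src=198.51.100.23 target=pos-db-01 action=login result=success",
    "ts=2024-07-02T09:00:00 user=svc-hvac-vendor src=203.0.113.7 target=billing-portal action=login result=success",
    "ts=2024-03-05T11:00:00 user=svc-legacy-msp src=192.0.2.9 target=app-old-01 action=login result=success",
]

if __name__ == "__main__":
    for account, ts, findings in review_log(SAMPLE_LOG, BASELINES):
        print(f"{ts:%Y-%m-%d %H:%M} {account}: {', '.join(findings)}")
```

The second line is the Target-shaped event: a known vendor account, a successful login, and nothing wrong with it unless you already know where that vendor is supposed to connect from and what it is supposed to touch. Without the baseline, every one of those four lines looks like normal vendor activity.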


Actionable Business Takeaways

These are not hypothetical recommendations. They are the first questions an offensive assessment asks when looking for accessible entry points in your environment.

Build a vendor access inventory. Pull every account in your systems that belongs to a third party, including service accounts, VPN profiles, API keys and SaaS integrations, not just named user logins, and map what each can reach. If you cannot complete this list in a reasonable amount of time, that gap is itself a finding.

Set an access review cadence. Quarterly is a reasonable starting point for most mid-market organizations. The review should produce documented decisions: access retained, access modified, or access revoked. Not a spreadsheet that gets filed until the next audit.

Apply segmentation between vendor access and critical systems. Vendor accounts should reach the systems they support and nothing else. If a vendor’s credentials could theoretically reach your customer data, financial systems, or operational technology, that is a segmentation failure worth addressing now.

Establish offboarding triggers for vendor relationships. When a contract ends, access should end with it. That sounds obvious; in practice, it rarely happens automatically. Build the trigger into the contract termination process, not as an afterthought.

Test your assumptions. Know what you have configured and verify that it works as intended. An access control policy that looks correct on paper but has never been validated is not a control. It is a belief.
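The review cadence, the offboarding trigger, the segmentation check and the “test your assumptions” step above, together with the just-in-time and least-privilege points from the previous section, reduce to a small set of rules that can run against the inventory every quarter and produce the documented decisions the review is supposed to yield. The following is an added example, not code from the original post; the account records, the sensitive-system list, the 90-day dormancy threshold and the post-revocation directory snapshot are all constructed.

```python
"""Quarterly vendor access review as a repeatable, documented decision.

Added example, not code from the original post. The inventory records, the
sensitive-system list, the dormancy threshold and the directory snapshot
are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 90  # assumption: a vendor account unused for a quarter is presumed unneeded
SENSITIVE = frozenset({"cardholder-db", "erp-finance", "scada-hmi"})  # constructed crown jewels


@dataclass(frozen=True)
class VendorAccount:
    name: str
    vendor: str
    contract_end: date
    last_login: Optional[date]   # None = never used
    reach: frozenset             # systems its groups, roles or firewall rules can reach
    expires_at: Optional[date]   # None = standing access with no expiry


@dataclass(frozen=True)
class Decision:
    account: str
    action: str                  # "retain", "modify" or "revoke"
    reasons: tuple               # the documented justification; never empty for modify/revoke


def review_account(acct, today):
    """Apply the review questions to one account and record a decision."""
    reasons = []
    # Offboarding trigger: when the contract ends, the access ends with it.
    if acct.contract_end < today:
        reasons.append(f"contract ended {acct.contract_end}")
    # Dormancy: nobody has used it in a quarter, so nobody needs it.
    if acct.last_login is None or (today - acct.last_login).days >= DORMANT_DAYS:
        reasons.append(f"no login in {DORMANT_DAYS}+ days")
    if reasons:
        return Decision(acct.name, "revoke", tuple(reasons))
    # Segmentation: a vendor account must not be able to reach critical systems.
    overreach = sorted(acct.reach & SENSITIVE)
    if overreach:
        reasons.append("reaches sensitive systems: " + ", ".join(overreach))
    # Just-in-time: standing access should become a time-limited grant.
    if acct.expires_at is None:
        reasons.append("standing access; convert to time-limited grant")
    return Decision(acct.name, "modify" if reasons else "retain", tuple(reasons))


def run_review(accounts, today):
    return [review_account(a, today) for a in accounts]


def verify_revocations(decisions, directory):
    """Test the assumption that 'revoke' actually happened.

    `directory` is a snapshot of account state (constructed here). Returns the
    accounts that were decided 'revoke' but are still enabled: each one is a
    control that exists on paper only.
    """
    return sorted(
        d.account for d in decisions
        if d.action == "revoke" and directory.get(d.account, {}).get("enabled", False)
    )


TODAY = date(2024, 4, 1)  # constructed review date

ACCOUNTS = [  # constructed inventory
    VendorAccount("svc-hvac-vendor", "Example HVAC Co", date(2024, 12, 31), date(2024, 3, 28),
                  frozenset({"bms-portal", "billing-portal"}), date(2024, 4, 30)),
    VendorAccount("svc-legacy-msp", "Example MSP", date(2022, 6, 30), date(2023, 1, 15),
                  frozenset({"app-old-01", "erp-finance"}), None),
    VendorAccount("svc-erp-consult", "Example ERP Partners", date(2024, 9, 30), date(2024, 3, 30),
                  frozenset({"erp-finance"}), None),
    VendorAccount("svc-backup-vendor", "Example Backup Ltd", date(2024, 9, 30), None,
                  frozenset({"backup-01"}), date(2024, 6, 30)),
]

DIRECTORY = {  # constructed directory snapshot taken after the revocations were "applied"
    "svc-hvac-vendor": {"enabled": True},
    "svc-legacy-msp": {"enabled": True},   # ticket closed, account never actually disabled
    "svc-erp-consult": {"enabled": True},
    "svc-backup-vendor": {"enabled": False},
}

if __name__ == "__main__":
    decisions = run_review(ACCOUNTS, TODAY)
    for d in decisions:
        print(f"{d.account:<18} {d.action:<7} {'; '.join(d.reasons)}")
    print("still enabled despite revoke:", verify_revocations(decisions, DIRECTORY))
```

Two design choices matter here. First, every non-retain decision carries its reasons, so the output is the documented record the review is meant to produce rather than a spreadsheet of names. Second, `verify_revocations` is the step most reviews skip: it compares the decision to the directory after the fact, and in the constructed snapshot the legacy MSP account that was decided “revoke” is still enabled, which is exactly the paper-only control the last takeaway warns about.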


Closing

The vendor list your organization maintains for business purposes is also a list that attackers evaluate when mapping potential entry points. Each entry represents a trust relationship, and every trust relationship has a credential, an access path, and a history of whether that access has ever been reviewed.

The organizations that manage this well are not necessarily the ones with the most sophisticated tooling. They are the ones who treat vendor access as an ongoing security question, not a one-time provisioning event. That discipline, applied consistently, closes a lot of doors attackers are counting on finding open.


References

  1. Krebs, Brian. “Target Hackers Broke in Via HVAC Company.” KrebsOnSecurity, February 2014. https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
  2. Huntress. “Target Data Breach: What Happened, Impact, and Lessons.” November 2025. https://www.huntress.com/threat-library/data-breach/target-data-breach
  3. Breachsense. “Target Data Breach Case Study: Causes and Lessons Learned.” April 2026. https://www.breachsense.com/blog/target-data-breach/
  4. CISA. “Supply Chain Compromise.” January 2021. https://www.cisa.gov/news-events/alerts/2021/01/07/supply-chain-compromise
  5. Zscaler. “What Is the SolarWinds Cyberattack?” https://www.zscaler.com/resources/security-terms-glossary/what-is-the-solarwinds-cyberattack
  6. HIPAA Journal. “Okta Third-Party Vendor Incident and Breach of Customer Support System.” November 2023. https://www.hipaajournal.com/okta-third-party-vendor-incident-and-breach-of-customer-support-system/
  7. Verizon / Beyond Identity. “Verizon DBIR 2025: Access is Still the Point of Failure.” https://www.beyondidentity.com/resource/verizon-dbir-2025-access-is-still-the-point-of-failure