Attack Vector Analysis · May 2026 · 12 min read

10 Breaches. 10 Vectors. 1 Platform.

Every breach this month had a vector. Most weren't zero-days. They were trust failures: vendors, vishing, OAuth, packages. Your perimeter is now a phone call, a Python package, and a vendor's OAuth token. Here's what got hit. And the Dashr.ai control that catches it.

Sammy Basu

Founder, Dashr.ai · CISO, Careful Security

THE PATTERN

9 of 10 attacks didn't break in. They walked in.

The fix isn't another tool. It's continuous evidence on the things you already trust.

5 · Trust Boundary Failures · Vendor, partner, or open-source dependency was the entry

4 · Human-as-API · One vishing call became one malicious OAuth grant

1 · Classic + Undisclosed · Tenant flaws, ransomware, and "we won't say how"

BREACH TEARDOWNS

The Last 30 Days — Attack by Attack

BREACH 1 OF 10 · Instructure / Canvas LMS · T1190 + T1078

275M users gone. Through a free-tier backdoor.

How They Got In

Attackers exploited the Free-For-Teacher tenant program. No institutional verification, weak isolation from paid tenants. One soft entry triggered bulk export across 15,000 schools.

Impact

275 million student and faculty records exposed across 15,000 institutions

Dashr.ai Control

Continuous SaaS Posture Monitoring

Dashr.ai flags multi-tenant SaaS configurations where free or trial accounts share infrastructure with production data. If your vendor's onboarding has a "no verification needed" lane, your evidence stack should know about it.

"If it's free to sign up, it's free to breach."

BREACH 2 OF 10 · Trellix · T1213.003 + T1552

The security vendor got popped. Source code walked out.

How They Got In

Unauthorized access to internal source code repositories. Vector still undisclosed. The 2026 pattern is CI/CD secret theft and stolen developer credentials.

Impact

Unauthorized access to internal source code repositories

Dashr.ai Control

Developer Access & Secret Hygiene Tracking

Dashr.ai maps which engineers have repo access, when keys were last rotated, and which CI/CD secrets are stale. Audit-ready evidence that your code factory isn't the attacker's factory.

"If your AppSec vendor can be breached, so can you."

BREACH 3 OF 10 · Vimeo · T1199 + T1528

Never breached Vimeo. Breached Vimeo's analytics vendor.

How They Got In

ShinyHunters stole OAuth tokens from third-party analytics vendor Anodot, then used them to pivot into Vimeo's Snowflake and BigQuery cloud data warehouses. 119K users affected.

Impact

119K users exposed via third-party analytics pivot

Dashr.ai Control

Third-Party OAuth & Vendor Token Inventory

Dashr.ai keeps a live registry of every third-party app authorized into your SaaS tenants: Salesforce, Workspace, Snowflake. Scope, owner, and last-used date for each. Stale OAuth grants are the new shadow IT.

"Your vendor's breach is your breach."

BREACH 4 OF 10 · NVIDIA GeForce NOW · T1199 + T1213

NVIDIA's brand. Armenia's breach.

How They Got In

Regional Alliance partner GFN.am operated separate auth and database infrastructure under the NVIDIA brand. Partner got breached. NVIDIA's own network: untouched. The user data: gone.

Impact

Regional partner infrastructure compromised under NVIDIA brand

Dashr.ai Control

Vendor & Partner Risk Scoring

Dashr.ai scores every partner that touches your brand, customers, or data. Not just your top 10. White-label, reseller, regional licensee: same posture rigor, same evidence trail, same risk weighting.

"If they wear your logo, they carry your liability."

BREACH 5 OF 10 · Cushman & Wakefield · T1566.004 + T1528 + T1567

One phone call. 500,000 Salesforce records.

How They Got In

Vishing call social-engineered an employee into authorizing a malicious connected app in Salesforce. Bulk API export through a sanctioned OAuth grant. Email gateways, EDR, and SIEM all missed it.

Impact

500,000 Salesforce records exfiltrated via social engineering

Dashr.ai Control

Connected-App Authorization Monitoring

Dashr.ai alerts the second a new OAuth grant is added to Salesforce, M365, or Google Workspace. Risk scoring on scope and publisher. Vishing wins because no one watches the connected apps tab. Dashr does.
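The grant triage described in the Vimeo and Cushman & Wakefield teardowns (scope, owner, last-used date, publisher, new-grant alerting), as an added example that is not from the original post and not Dashr.ai's implementation. The record layout, thresholds, app names and the choice of high-risk scopes are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumptions for this sketch: thresholds, the high-risk scope set, and the
# record layout are illustrative, not any vendor's export schema.
NOW = datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
NEW_WITHIN = timedelta(hours=24)
STALE_AFTER = timedelta(days=90)
DATA_SCOPES = {"api", "full", "refresh_token"}

# Constructed grant records (hypothetical apps and owners).
GRANTS = [
    {"app": "Export Helper", "publisher_verified": False, "owner": "j.doe",
     "scopes": ["api", "refresh_token"],
     "granted": "2026-05-20T09:12:00+00:00", "last_used": "2026-05-20T09:15:00+00:00"},
    {"app": "Analytics Connector", "publisher_verified": True, "owner": None,
     "scopes": ["api"],
     "granted": "2025-03-01T00:00:00+00:00", "last_used": "2025-11-02T00:00:00+00:00"},
    {"app": "Calendar Sync", "publisher_verified": True, "owner": "it-apps",
     "scopes": ["id"],
     "granted": "2026-01-10T00:00:00+00:00", "last_used": "2026-05-19T00:00:00+00:00"},
]

def triage(grant, now=NOW):
    """Return (severity, reasons) for one OAuth grant record."""
    is_new = now - datetime.fromisoformat(grant["granted"]) <= NEW_WITHIN
    is_stale = now - datetime.fromisoformat(grant["last_used"]) > STALE_AFTER
    risky = sorted(DATA_SCOPES & set(grant["scopes"]))
    unverified = not grant["publisher_verified"]
    reasons = []
    if is_new:
        reasons.append("new grant")
    if risky:
        reasons.append("data scopes: " + ",".join(risky))
    if unverified:
        reasons.append("unverified publisher")
    if not grant["owner"]:
        reasons.append("no owner")
    if is_stale:
        reasons.append("stale")
    # Fresh grant + data-export scopes + unknown publisher: page someone now.
    if is_new and risky and unverified:
        return "urgent", reasons
    if unverified or is_stale or not grant["owner"]:
        return "review", reasons
    return "ok", reasons

def report(grants=GRANTS):
    """Map app name to severity for a whole inventory."""
    return {g["app"]: triage(g)[0] for g in grants}
```

The stale, ownerless grant is the vendor-token exposure; the fresh, unverified one with data scopes is the one a vishing call produces.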

"The help desk is the new perimeter. Drill accordingly."

BREACH 6 OF 10 · Autovista (JD Power) · T1486 (impact) · initial access TBD

Ransomware took out Europe's auto data backbone.

How They Got In

Initial access vector undisclosed. Customer organizations were told to block all inbound Autovista email and quarantine attachments. Strong tell for phishing-borne lateral movement and email account takeover.

Impact

Ransomware deployment across customer-facing email and data infrastructure

Dashr.ai Control

Email & Identity Security Evidence

Dashr.ai tracks DMARC enforcement, MFA coverage, conditional access policies, and EDR deployment. The four controls that decide whether a phish becomes a ransomware event. Continuous, not checkbox.

"Silence on the vector is its own confession."

BREACH 7 OF 10 · ChipSoft (Dutch Healthcare EHR) · T1133 (suspected) + T1486

80% of Dutch hospitals run their EHR. One vendor. Down.

How They Got In

Embargo ransomware. Vector undisclosed. Z-CERT told hospitals to immediately cut VPN connections to ChipSoft, suggesting trusted-network lateral movement was the operational vector.

Impact

80% of Dutch hospitals disrupted by ransomware on single EHR vendor

Dashr.ai Control

Critical-Vendor Concentration & BC/DR Mapping

Dashr.ai surfaces single-vendor dependencies that, if down, take you down. Concentration risk reports map directly to ISO 27001 A.5.21, SOC 2 CC9.2, and HIPAA contingency planning. Your auditor's first question, answered before they ask.

"If one vendor going down stops your business, it isn't a vendor. It's a dependency."

BREACH 8 OF 10 · City of Suffolk, VA · T1486 · initial access undisclosed

157,725 people. 2.5 TB. Disclosed 3 months later.

How They Got In

Cloak ransomware. Initial vector not publicly disclosed in breach notifications. 2026 municipal attacks have skewed toward exposed remote access, phishing, and unpatched edge appliances.

Impact

157,725 residents affected; 2.5 TB data stolen; delayed disclosure

Dashr.ai Control

Disclosure Readiness & 72-Hour IR Evidence Pack

Dashr.ai pre-stages the evidence regulators and insurers demand within 72 hours: control status snapshots, access logs, vendor list, MFA coverage. Disclosure delay is a control failure and a litigation risk.

"When you breach, the clock is the second attacker."

BREACH 9 OF 10 · St. Joseph County, IN · T1190 + T1199

2 TB out the door. Through a fax server.

How They Got In

Handala group compromised a third-party fax server, not the county's core network. Classic forgotten edge infrastructure: internet-exposed, vendor-managed, never audited.

Impact

2 TB of government data exfiltrated via compromised third-party fax infrastructure

Dashr.ai Control

Asset & Shadow-IT Inventory

Dashr.ai keeps a living inventory of every internet-exposed asset and vendor-managed system tied to your environment. The asset you forgot about is the asset they found first.

"You can't protect what you don't know you have."

BREACH 10 OF 10 · Mercor · T1195.002 + T1552 + T1071

A $10B AI company. Killed by a Python package.

How They Got In

TeamPCP poisoned the Trivy GitHub Action, stole a maintainer PAT, published malicious LiteLLM versions. Mercor's CI pulled the package. Credential-harvester scooped API keys, SSH, Kubernetes configs. Lateral movement. Tailscale VPN owned. 4TB gone.

Impact

4TB stolen; API keys, SSH, Kubernetes configs; Tailscale VPN owned

Dashr.ai Control

Software Supply Chain & SBOM Tracking

Dashr.ai tracks dependency pinning, lockfile hygiene, GitHub Actions configurations, and SBOM completeness across your repos. The companies that pinned LiteLLM with hashes were never breached. The ones that didn't, were.
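An added example (not from the original post and not Dashr.ai's implementation) of two of the checks named above: requirements that lack an exact version pin or a `--hash`, and GitHub Actions referenced by a mutable tag or branch instead of a full commit SHA. The package version, digest and `example-org` action names are constructed placeholders.

```python
import re

# Constructed sample inputs; names, versions and digests are placeholders.
DIGEST = "0" * 64
REQUIREMENTS = f"""\
litellm==1.2.3 \\
    --hash=sha256:{DIGEST}
requests>=2.31
pyyaml==6.0.1
"""
WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/other-action@main
"""

EXACT_PIN = re.compile(r"^[A-Za-z0-9._-]+(\[[^\]]*\])?\s*==\s*[^\s*;]+(?=\s|;|$)")
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")

def audit_requirements(text):
    """Return (package, problem) for requirements lacking an exact pin or a hash."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = raw.split(" #")[0].strip()
        if not line or line.startswith(("#", "-")):      # comments, pip options
            continue
        name = re.match(r"[A-Za-z0-9._-]*", line).group(0) or line
        if not EXACT_PIN.match(line):                    # ranges and wildcards fail
            findings.append((name, "no exact == pin"))
        elif "--hash=" not in line:
            findings.append((name, "pinned without --hash"))
    return findings

def audit_workflow(text):
    """Return (line_no, ref) for actions referenced by a mutable tag or branch."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        if not FULL_SHA.search(m.group(1)):
            findings.append((n, m.group(1)))
    return findings
```

At install time, `pip install --require-hashes -r requirements.txt` enforces the same property by refusing any requirement without a matching hash.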

"Your AI stack is built on someone else's open source. Verify it."

THE TAKEAWAY

Cybersecurity isn't defense. It's a competitive advantage.

Every breach this month happened because someone trusted something they couldn't see: a vendor, a token, a partner, a package. Dashr.ai turns trust into evidence.

SEE IT

Continuous monitoring across SaaS, vendors, code, and identity

PROVE IT

Audit-ready evidence mapped to SOC 2, ISO 27001, HIPAA, ISO 27701

OWN IT

One dashboard, one source of truth, one conversation with the board


Tags: breach analysis, attack vectors, supply chain security, OAuth security, vishing, ransomware, vendor risk, SaaS security