A company’s computer system is like a building with many locked doors. Credentials, such as keys and passwords, allow access. When these credentials are compromised, criminals can get in easily and cause problems quickly. This risk is now common in wholesale, retail, and their vendors. Black Kite’s 2026 Wholesale & Retail Report links this danger to leaked credentials, vendor exposure, and ransomware threats.
A Shared Supply Chain, A Shared Blast Radius
Black Kite describes retail and wholesale as closely connected targets. The report warns that the network of vendors is now “the new critical risk,” making the threat both immediate and widespread.
Ferhat Dikbiyik, Black Kite’s Chief Research & Intelligence Officer, put it bluntly. “The bottom line is that wholesale and retail’s greatest risk is their shared supply chain,” he said. He warned that “just one vulnerability in a common vendor can create systemic impact.”
The report also flags “the unexpected volume of digital partners.” It says digital partners now outnumber physical providers. That shift widens the attack surface.
Stolen Keys Already Sit In The Open
Black Kite’s report warns that more than 70% of major retailers have exposed credentials. Nearly 60% of wholesalers and 52% of supply chain companies face the same problem.
The report connects these exposures to stealer logs, where corporate email credentials are often found. It highlights the urgency by stating, “The internal defense has already failed.”
This concern matters for cyber insurance teams, as credential theft shortens the path to network compromise and raises the odds of repeat intrusions.
The report’s findings stress that credential theft is the leading access vector, linking stealer logs and leaked passwords to rapid entry.
Ransomware Plays Two Games Across The Sectors
Black Kite looked at 636 public ransomware cases in retail and wholesale. It found two main attack strategies, which the report calls “Volume Game” and “Big Game Hunting.”
Retail skews toward larger extortion targets. The report highlights that 17% of retail ransomware victims posted revenue over $1B.
Wholesale shows a different pattern. The report says 39% of wholesale ransomware victims fell in the $20M–$100M range. Attackers chase faster, repeatable payouts there.
Black Kite also reports a sharp increase in attacks on wholesale companies. Wholesale moved from 12th place in 2024 to 5th in 2025 among ransomware targets.
Known Exploited Flaws Amplify The Vendor Threat
The report drills into CISA’s Known Exploited Vulnerabilities list. It focuses on flaws under active attack.
In a sample of 2,620 critical supply chain vendors, Black Kite found major KEV exposure. The report says 46% had at least one KEV-listed vulnerability. It counted 165 unique KEV vulnerabilities across the ecosystem.
Black Kite then ties KEVs to ransomware tradecraft. It reports that 24 of those KEVs have been used in ransomware campaigns, and that 141 are exploited in attacks without a public ransomware attribution.
The sector-level numbers look similar. Black Kite found 53% of surveyed wholesale firms carried at least one KEV. It found 57% of surveyed retailers carried at least one KEV.
The report urgently repeats a warning: “The risk is not theoretical; it’s being actively exploited today.”
A Ransomware Forecast For The Vendor Ecosystem
Black Kite uses its Ransomware Susceptibility Index to estimate future risk. It applies the index to the vendor pool.
The result looks uncomfortable for underwriters. The report says, “Nearly half of vendors are high-risk targets.” It adds that 45% of critical vendors fall into RSI 0.4 to 1.0.
This matters because vendors are critical to operations. A single vendor outage immediately halts ordering, payments, and fulfillment. Business interruption risk surges.
What Defenders And Insurers Should Watch Next
Black Kite urges tighter third-party cyber risk programs. It argues that “checklist compliance” no longer keeps pace with the speed of attackers. It calls for “real-time threat identification across the ecosystem.”
The report also pushes targeted patching. It stresses KEV-listed vulnerabilities with remote code execution risk. It links those flaws to modern ransomware intrusion chains.
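The KEV-driven prioritisation the report calls for (count which vendors carry a KEV-listed flaw, how many distinct KEVs appear across the pool, and which of those have a known ransomware link) can be checked against your own vendor inventory. The script below is an added example, not Black Kite's code or the report's method. It mirrors the field names of CISA's public KEV JSON feed (`cveID`, `knownRansomwareCampaignUse`, `dueDate`), but every CVE id, vendor, product and date in it is a constructed placeholder, and the vendor inventory is an assumed attestation list rather than real data.

```python
"""Rank third-party vendors by CISA KEV exposure (added example, constructed data)."""
import json
from datetime import date

# Constructed KEV-style feed. Field names match the real CISA feed; the
# records themselves are placeholders (CVE-0000-* is not a valid CVE id).
KEV_FEED_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-0000-10001", "vendorProject": "ExampleVendorA", "product": "Gateway",
     "knownRansomwareCampaignUse": "Known", "dateAdded": "2025-01-15", "dueDate": "2025-02-05"},
    {"cveID": "CVE-0000-20002", "vendorProject": "ExampleVendorB", "product": "Portal",
     "knownRansomwareCampaignUse": "Unknown", "dateAdded": "2025-05-11", "dueDate": "2025-06-01"},
    {"cveID": "CVE-0000-40004", "vendorProject": "ExampleVendorC", "product": "Agent",
     "knownRansomwareCampaignUse": "Known", "dateAdded": "2025-06-20", "dueDate": "2025-07-11"}
  ]
}
"""

# Constructed inventory: vendor -> CVEs the vendor has attested are still unpatched.
VENDOR_INVENTORY = {
    "supplier-payments": ["CVE-0000-10001", "CVE-0000-20002"],
    "supplier-logistics": ["CVE-0000-30003"],   # unpatched, but not KEV-listed
    "supplier-pos": [],
    "supplier-edi": ["CVE-0000-10001"],          # shared flaw with supplier-payments
}

ASSESSMENT_DATE = date(2025, 7, 1)  # assumed "today" for overdue calculations


def load_kev(feed_json):
    """Index a KEV feed by CVE id."""
    data = json.loads(feed_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def assess_vendors(inventory, kev, today):
    """Return (per-vendor findings, ecosystem stats).

    Each vendor's findings are sorted so that KEVs with known ransomware use
    come first, then by how many days past CISA's due date they are.
    """
    findings = {}
    unique = set()
    for vendor, cves in inventory.items():
        hits = []
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not under known active exploitation: lower priority
            unique.add(cve)
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "cve": cve,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "overdue_days": max(0, (today - due).days),
            })
        hits.sort(key=lambda h: (not h["ransomware"], -h["overdue_days"]))
        findings[vendor] = hits

    exposed = sum(1 for hits in findings.values() if hits)
    stats = {
        "vendors": len(inventory),
        "vendors_with_kev": exposed,
        "pct_with_kev": round(100 * exposed / len(inventory)),
        "unique_kevs": len(unique),
        "ransomware_kevs": sum(
            1 for c in unique if kev[c]["knownRansomwareCampaignUse"] == "Known"
        ),
    }
    return findings, stats


def run_example(today=ASSESSMENT_DATE):
    """Run the assessment over the constructed data."""
    return assess_vendors(VENDOR_INVENTORY, load_kev(KEV_FEED_JSON), today)


if __name__ == "__main__":
    findings, stats = run_example()
    print(json.dumps(stats, indent=2))
    for vendor, hits in findings.items():
        for h in hits:
            flag = "RANSOMWARE" if h["ransomware"] else "exploited"
            print(f"{vendor}: {h['cve']} [{flag}] overdue {h['overdue_days']}d")
```

The same KEV appearing under two vendors (here `supplier-payments` and `supplier-edi`) is the "shared supply chain" case the report describes: one flaw, several entry points. Overdue days against CISA's `dueDate` give a concrete figure to put in a vendor patch-SLA conversation.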
For organizations, that means faster credential controls and vendor scrutiny. It means stronger MFA coverage, plus monitoring for stealer-log exposure. It means contract pressure for KEV patch SLAs.
What the report says about retail and wholesale cybersecurity
The report states that retail and wholesale face a single urgent threat. Attackers look for the easiest way in and move quickly through shared vendors. Black Kite says the whole ecosystem needs to respond with unified and immediate defense plans.