Date

  • Published on: January 21, 2026

Author

  • Distribution Strategy Group


Exposed Credentials and Unpatched Flaws Leave Distribution Industry Supply Chains Vulnerable

Exposed credentials and unpatched software vulnerabilities are leaving much of the retail and wholesale ecosystem open to cyberattacks, with criminals increasingly exploiting shared vendors to move across both sectors, according to a new report from Black Kite, a Boston-based cybersecurity company that specializes in third-party cyber risk management.

The report found that corporate email credentials appeared in criminal “stealer logs” at more than 70% of major retailers and 60% of wholesalers. More than half of critical supply chain vendors also showed evidence of exposed credentials, suggesting attackers frequently begin with valid usernames and passwords rather than exploiting network perimeters.

The analysis examined 840 large companies with more than $1 billion in annual revenue — 614 retailers and 226 wholesalers — along with 2,620 critical vendors connected to those firms. The findings show attackers increasingly treat retail and wholesale as a single, interconnected target environment linked by common IT service providers, software platforms, professional services firms, and financial vendors.

“When we think about the supply chain, we often picture logistics and warehouses, but today the real threat is the expanded digital ecosystem,” said Ferhat Dikbiyik, chief research and intelligence officer at Black Kite. “One vulnerability in a shared vendor can create systemic impact across wholesale and retail at the same time.”

Ransomware data in the report shows attackers adjusting their strategies based on company size and revenue. In retail, 17% of ransomware victims reported annual revenue exceeding $1 billion, indicating large retailers remain high-value extortion targets. In wholesale, attackers favored volume: 157 of 400 publicly disclosed wholesale ransomware victims — 40% — reported revenue between $20 million and $100 million.

The wholesale sector has moved rapidly up attackers’ priority lists, rising from 12th place in 2024 into the top tier of ransomware targets, the report said.

Threat actors increasingly rely on the same tools across both industries, including credential-stealing malware, stealer logs, and managed file transfer exploits. Ransomware groups such as Cl0p, Qilin, Akira, RansomHub, Lynx and Play were active in both sectors, underscoring the overlap in attacker activity.

The report also highlights widespread failures in basic cyber hygiene. More than half of retailers and wholesalers had at least one vulnerability listed in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog — flaws already under active exploitation. Among supply chain vendors, 42% had at least one KEV-listed vulnerability.

Critical weaknesses were common across the ecosystem. About two-thirds of retailers and more than half of wholesalers had vulnerabilities with a CVSS severity score of 8 or higher. Encryption and certificate misconfigurations were found at 60% of retailers and more than 60% of wholesalers, according to the report.

Professional and technical services firms and information services providers dominated the digital supply chain, accounting for 1,500 vendors combined and significantly expanding the attack surface beyond traditional logistics and distribution partners.

Risk indicators observed at large retailers and wholesalers were mirrored — and often amplified — across their vendors. Half of critical supply chain partners fell into moderate-to-high ransomware risk categories based on Black Kite’s Ransomware Susceptibility Index, signaling elevated likelihood of future attacks.

Black Kite said the findings show that checklist-driven, compliance-focused third-party risk management programs are no longer effective in an environment where credential theft and actively exploited vulnerabilities are widespread.

“The data shows the attacker is often already past the login page,” Dikbiyik said. “Defenders need to assume compromised credentials and focus on closing the most dangerous gaps across the entire ecosystem.”

The report is based on publicly disclosed ransomware incidents from October 2024 through October 2025, combined with Black Kite’s proprietary risk telemetry and intelligence from surface, deep and dark web sources.
