Vercel did not get hacked. Vercel's vendor got hacked, and then Vercel's customer data walked out the door. The TechCrunch writeup by Zack Whittaker is a clean anatomy of how third-party dependency chains have become the primary attack surface in enterprise software. You secure your perimeter. The breach comes from the vendor who has access to your employee credentials. The vendor's breach enables an account hijack. Your customer data is gone. The liability chain is as diffuse as the attack chain.
Consequence-Free Architecture, From Cloud to Billionaires
The structural pattern here maps precisely onto what The Atlantic's account of Jeff Bezos's private retreat describes as "consequence-free reality." At the Bezos gathering, everything is free and nothing sticks. In cloud infrastructure, every major breach is now attributable to a third party, which means no one entity absorbs the full reputational or legal weight of the failure. The architecture of modern software supply chains is the technical implementation of diffused accountability. A 2025 paper in IEEE Security and Privacy by Zahan et al. found that over 70% of significant enterprise breaches in 2024 involved a third-party or fourth-party vendor component, up from 44% in 2020. The attack surface is not growing because security is getting worse. It is growing because the dependency graph is getting deeper.
The Academic Framing Nobody Is Using
The arXiv paper on "Vulnerabilizing Data Practices" by Martinez Pandiani et al. introduces a useful conceptual shift: stop treating vulnerability as a property of individuals and start treating it as something that data practices create. Vercel's customers did not become vulnerable because of their own choices. They were vulnerabilized by an architecture they had no visibility into. This framing has direct implications for how enterprise security is priced and regulated. TurboFund's seed-stage AI investor list includes a growing cluster of cybersecurity and trust infrastructure funds, which is not a coincidence. The third-party breach problem is one of the few areas where the venture market and the regulatory zeitgeist are moving in the same direction at the same speed.