Why Is Everything Getting Hacked? The Real Reasons Behind the Rise in Cyberattacks

By Bikram Bhujel · Cybersecurity · April 2025

TL;DR: Cyberattacks are becoming more frequent and more audacious. The reasons go far beyond clever hackers finding new exploits. Weak accountability, shifting attack strategies, and an explosion in software dependencies have created an environment where breaches are almost inevitable for unprepared organizations.

Data Breaches Are No Longer the Exception. They Are the Norm.

Not a week passes without a headline about another high-profile breach. Whether it is a developer tool, a cloud hosting platform, or a third-party customer service vendor, the victims are increasingly well-known and the scale increasingly alarming. What changed?

The short answer is almost everything. The attack surface has widened. The tools hackers use have matured. And the consequences for companies that fail to protect user data remain shockingly light.

One significant shift is regulatory transparency. Since 2024, the U.S. Securities and Exchange Commission (SEC) requires publicly traded companies to disclose material cybersecurity incidents within four business days. Before this rule, breaches could be quietly buried, handled behind closed doors and never mentioned to the people whose data was stolen. This mandate alone means the public is now hearing about incidents that previously would have disappeared into corporate legal teams and PR silence.

Beyond the SEC rule, U.S. state-level breach notification laws, the European Union's GDPR, and sector-specific regulations like HIPAA for healthcare and mandatory reporting requirements for critical infrastructure operators have collectively made non-disclosure far riskier. The information was always there. Now companies are legally obligated to share it.

But more disclosure does not mean more is being done to prevent breaches from occurring in the first place. Companies are getting caught and then continuing to operate with inadequate security postures until the next incident forces another reckoning.

The Human Factor: Social Engineering Is the New Perimeter Bypass

Traditional thinking around cybersecurity focused on hardening the technical perimeter through firewalls, intrusion detection, and patch management. Hackers, rational actors that they are, responded by finding the path of least resistance, which is the people inside.

Rather than spending weeks probing a fortified network for open ports, a sophisticated attacker can achieve the same result by targeting a single employee through phishing, fake software, or a compromised personal device. These attacks are far cheaper to execute, scale easily, and exploit something no firewall can fully patch: human trust.

Real-World Case: The LastPass Breach

The 2022 LastPass breach offers a sobering illustration. A senior developer had a personal media server exposed to the internet that had not been updated in an extended period. Hackers exploited a known vulnerability in that software, gained access to the developer's home network, and worked their way inward until they reached credentials and resources tied to LastPass's internal systems. The company's hardened corporate infrastructure was never directly touched.

Real-World Case: The Vercel Incident and the Double Layer of Compromise

The Vercel breach illustrates how interconnected digital identities have become and how dangerous that interconnection can be. The chain started with a completely unrelated company, Context.ai, whose systems were compromised after an employee downloaded malware hidden in what appeared to be pirated game software.

With access to Context.ai's backend, the attackers modified the platform's Google authentication flow to silently request far greater permissions than necessary. When a separate Vercel employee later signed into Context.ai using their Google Workspace account, which was entirely routine behavior, they unknowingly handed the attackers broad access to their corporate Google environment. From there, Vercel's internal developer infrastructure became accessible, and significant data was exfiltrated.

Crucially, Vercel was never the direct target. No one phished them. No one probed their servers. They simply had an employee who used a third-party product that had been silently weaponized.

Third-Party Vendors and the Problem of Outsourced Risk

Many organizations transfer risk without realizing it when they outsource business functions, particularly customer support. The Discord breach is a direct example. A third-party customer service contractor was compromised, and because Discord had shared extensive user data with that contractor to enable their work, all of that data was now in attacker hands.

The security posture of every vendor you share data with becomes part of your own attack surface. If a low-wage customer support contractor in another country has access to your production database or user records, their security becomes your security liability.

It does not always require sophisticated techniques. In some documented cases, hackers bypass technical infiltration entirely and simply offer financial incentives to employees, particularly those who are underpaid and have access to sensitive internal systems. The math is uncomfortably straightforward. If a hacker can pay ten times someone's monthly salary in exchange for one piece of credential data or a brief access window, a percentage of people will accept that offer. Insider threat programs exist precisely because this happens.

The systemic response to this is zero-trust architecture, which treats every access request as potentially untrusted regardless of whether it originates inside or outside the network. Cloudflare gained significant attention when they successfully blocked a phishing-based attack because their employees use physical hardware security keys (YubiKeys) for authentication. Even stolen credentials alone were not enough. Without a physical key present, access was denied.

Learn more about zero-trust security frameworks from CISA.

Supply Chain Attacks: The Invisible Threat Hidden in Your Codebase

Modern software development is built on layer upon layer of dependencies. An application you build today might directly rely on 20 packages, but each of those packages pulls in dozens more. The resulting dependency tree can contain hundreds of components, most of them maintained by individuals or small teams with limited resources.

Supply chain attacks exploit exactly this complexity. Rather than attacking a target company head-on, hackers compromise a maintainer's account on a package registry such as npm, PyPI, or NuGet, and push a malicious update to a legitimate, widely used library. Developers pull that update trusting it is safe, execute it on their servers, and unknowingly trigger a script that exfiltrates credentials, environment variables, or sensitive configuration data before anyone is aware.

The speed matters enormously. If a poisoned package is deployed at scale before detection, the remediation effort becomes massive. Reversing an infection across thousands of environments is orders of magnitude more difficult than preventing it.

Typosquatting: Low Effort, High Return

Supply chain threats do not always require compromising a real maintainer. Attackers also register package names that closely resemble legitimate, popular libraries, differing by one character, a transposed letter, or a plausible variation. Developers who mistype a package name or copy code from an untrusted source may install malware without any indication that something is wrong.

AI-Hallucinated Packages: An Emerging and Dangerous Frontier

A newer and deeply concerning trend involves AI coding assistants hallucinating package names and confidently suggesting libraries that do not exist. Opportunistic attackers have begun registering these hallucinated names in public package registries, pre-loading them with malicious code. Any developer who follows the AI's guidance and installs the suggested package runs the attacker's malware directly on their machine. This vector is growing rapidly because AI-generated code is being adopted at scale without adequate review.

Learn how the OWASP Top 10 security risks apply to modern software projects, including dependency vulnerabilities.

Rethinking the "Update Immediately" Rule

For years, the best-practice guidance was unambiguous: apply updates the moment they are available, especially for security patches. That guidance remains correct for operating system patches addressing known vulnerabilities and zero-day exploits.

However, for package and library dependency updates pulled via automated tools, a pragmatic delay of one to two days has emerged as a reasonable counterbalancing strategy. The reasoning is straightforward. If a malicious update is pushed to a major registry, the security community typically detects it within hours. A brief waiting period allows the community to surface the threat and the package registry to pull the compromised version before your environment is exposed.

This approach is not a substitute for robust dependency scanning tools, software composition analysis, or code review. It simply adds one more low-effort layer of protection against one of the fastest-growing attack vectors in modern software development.

The Vibe Coding Problem and Why It Matters for Security

The rapid democratization of software development through AI assistants has introduced a new dimension of risk. Developers and non-developers alike can now generate functional applications quickly without deeply understanding what the code does or which packages it relies on. AI tools, trained on vast repositories of existing code, tend to reach for established packages even when a simpler, self-contained implementation would suffice.

The result is applications with unnecessarily large dependency footprints. More dependencies mean more surface area. More surface area means more potential entry points for supply chain attacks. Combine that with the hallucinated-package problem and the tendency to run AI-generated code without careful review, and the conditions for large-scale compromise become easier to assemble than ever before.

Security fluency, which means understanding what code does, why a dependency is necessary, and what trust is being extended when you install it, is no longer optional even for developers who rely heavily on AI assistance.

Frequently Asked Questions

Why are cyberattacks increasing every year?

Multiple factors are converging at once. Companies face insufficient consequences for poor security practices. Hackers have shifted to more effective human-targeting strategies. And the software ecosystem's reliance on third-party dependencies has expanded dramatically over the past decade. Regulatory changes now also require disclosure of incidents that previously would have been quietly suppressed.

What is a supply chain attack in cybersecurity?

A supply chain attack targets the libraries, packages, or services that an application depends on rather than the application itself. By compromising a widely used component, often through a hijacked maintainer account, attackers can push malicious code to thousands of developers and systems at the same time.

How did Vercel get hacked?

Vercel was compromised through a chain reaction that never directly targeted the company. An employee at Context.ai, an entirely unrelated platform, downloaded malware bundled with pirated software. Attackers used their access to alter Context.ai's Google sign-in flow and silently harvest excessive permissions. A Vercel employee who later authenticated with Context.ai via their Google Workspace account inadvertently granted the attackers access to Vercel's internal systems, all without any direct attack on Vercel itself.

What is social engineering in the context of hacking?

Social engineering exploits human psychology rather than technical weaknesses. Tactics include phishing emails, malware bundled with pirated software, fake login pages, and in some cases direct financial bribery. It is often more effective than technical exploitation because human behavior is inherently variable and far harder to patch than software.

Should I delay software updates to avoid supply chain attacks?

For OS-level security patches and zero-day fixes, update immediately. For dependency updates via package managers such as npm, pip, or NuGet, a delay of one to two days can allow the community to detect and flag malicious updates before they reach your environment. Use this approach alongside active dependency scanning, not as a replacement for it.

How can companies better protect themselves from internal threats?

A zero-trust architecture is the foundational response. The core principle is to never assume that a request is safe simply because it originates inside the network. Physical hardware keys such as YubiKeys or passkeys for employee authentication, strict third-party vendor security assessments, granular access controls, and ongoing security awareness training all work together to reduce the risk of both insider threats and externally driven employee compromise.

Cyberattacks are not primarily a technology problem. They are a systemic one. Hackers are rational, adaptive, and increasingly focused on exploiting the gaps between organizational silos, whether that is between vendors and clients, between personal and professional devices, or between trust and verification. The path forward is not a single solution. It is a culture of security that matches the sophistication of those working against it. Whether you are an IT professional, a developer, or someone who oversees vendor relationships, understanding these threat vectors is the most important first step toward meaningful protection.