In today’s hyper-connected, rapidly evolving global economy, no business is an island. Extended ecosystems are now vital to agility, growth, and innovation.
These sprawling networks of suppliers, partners, manufacturers, assemblers, service providers, and other business collaborators enable faster, more distributed innovation and provide access to diverse expertise, new markets, and complementary offerings.
They also foster resilience and agility by distributing risks across many collaborators rather than concentrating them internally or on just one partner.
Add to this trends such as digitization and technologies like AI, cloud computing, and SaaS platforms, and business and IT boundaries blur even further.
From a data perspective, all this means enterprise information is scattered across third-party clouds, systems, service providers, and more.
Ecosystem partners must have secure access to data to fulfill their role, which can mean giving them access to timesensitive and confidential information ranging from product designs, bills of materials, and formulas, to product images and even detailed customer data.
The problem is that ecosystems are increasingly sources of significant data leaks. This trend is clear, as noted by recent studies.
FOR EXAMPLE:
According to the Verizon 2025 Data Breach Investigations Report (DBIR), around 30% of all data breaches now entail third-party involvement, roughly double the proportion from the previous year, and are often driven by vulnerability exploitation and supply chain compromises.
Security Scorecard’s 2025 Global Third-Party Breach Report indicates that at least 35.5% of data breaches in 2024 originated from third-party compromises (up 6.5% from the prior year), with some analyses suggesting this is likely an undercount due to underreporting.
IBM’s Cost of a Data Breach Report (2025) notes that breaches involving third parties or supply chain partners average over $4.91 million.
IBM’s Cost of a Data Breach Report (2025) also noted that supply chain compromise take the longest time to resolve—a combined 267 days. They are also hard to detect because they exploit supplier-customer trust and system-to-system communications. These trends persist despite significant investment in and reliance on secure data-sharing methods such as supplier portals, vendor management systems, and global content management systems that provide partners with access to controlled-release materials like blueprints, prototypes, or inventory data.
The problem is that these data protections fall short once content is legitimately accessed and viewed by those working at trusted, third-party organizations. They stop at the “authorized view,” leaving the post-access phase wide open to exploitation via cameras, screen captures, or simple sharing.
Let’s take a closer look at how this happens—and why it’s so easy to do.
Image-based leaks happen when someone takes a screenshot or a photo of a screen containing sensitive information. Anyone with data access and a phone—including an employee or contractor at a service provider, supplier, or vendor—can post these images on social media, news sites, or online forums like Telegram and Reddit. Suddenly, company information is exposed, businesses and their customers suffer the consequences, and no one knows who did it or how to stop future leaks
Images Are Leaked by Insiders—and the Hackers They Work With
Often, insiders leak images online because they have personal grievances, seek attention and notoriety, or want to harm a business. In other cases, insiders are financially motivated to sell their information access or are recruited and bribed by hackers to share insider information. Hackers then leak screenshots or photos of stolen information (for example, security details, credentials, documents, or hacked screens) as proof of access or to pressure victims during extortion (often in ransomware or data-theft campaigns). These leaks on sites like Telegram, in communications with victims, or to media outlets are used to demonstrate breach authenticity and instill fear to motivate compliance with demands.
Taking Action Starts with Identifying the Source of the Leak
But regardless of how images are leaked or by whom, what’s critical is finding out the actual source of the leak, and quickly, not just what was leaked. The longer leakers go unidentified, the more time they have to capture and leak more screen images externally. Traditional perimeter defenses and access controls are vital, yet they often stop at the “authorized view,” leaving the post-access phase wide open to exploitation via mobile cameras, screen captures, or simple sharing. 5 Even a single unauthorized screenshot of proprietary designs shared by a supplier, a photo of confidential specs captured during a remote manufacturing review, or an internal document leaked from a partner’s access portal can lead to:
From an ecosystem perspective, it’s also vital to gain insight into where leaks are coming from so businesses can make more informed decisions about who to work with. Over time, they can build a more secure, safe extended ecosystem that allows their organization to thrive.
Think again. Image-based leaks aren’t just a theoretical risk. These low-tech leaks are a serious and growing threat to every business in every industry—and perpetrated by both insiders and ecosystem partners. They often involve outsourced call centers or support teams in regions with lower oversight, and entail quick exfiltration via personal devices to bypass endpoint detection.
The following two examples highlight how easily these incidents occur—and why even large enterprises with the best data security are vulnerable.
Coinbase/TaskUs Breach (2025)
In this case, a third-party support provider based in India, TaskUs, was handling Coinbase’s customer service. Cybercriminals recruited a sizeable number of rogue support agents at TaskUs and bribed them to copy data from customer support tools—data they then used to hijack customer accounts and blackmail Coinbase with a $20 million ransom demand.
Abusing their secure and authorized access to customer support systems, the agents used their personal mobile phones to take photos of workstation screens displaying Coinbase customer support interfaces and sold them to hackers for $200 per image. One agent reportedly managed to capture up to 200 records per day from September 2024, including names, emails, addresses, partial bank details, account balances, Social Security numbers (last 4 digits), transaction histories, and more. At the time of her arrest in 2025, her device held data from over 10,000 customers.
Hackers briefly posted the photos on Telegram channels to demonstrate access and pressure Coinbase for payment. Posted visuals included support panels showing user balances, IDs, payments, emails, dates of birth, phone numbers, and transactions.
TaskUs ended up firing all 226 employees assigned to the Coinbase project. The broader breach affected ~69,000 Coinbase users, with Coinbase estimating remediation costs at up to $400 million (including reimbursements and security upgrades).
Cybersecurity: CrowdStrike Insider Incident (2025)
This incident involved an insider (described as an employee or contractor with authorized data access) who worked at CrowdStrike being paid $25,000 for screenshots of internal systems by the hacking collective known as Scattered Lapsus$ Hunters.
An insider took photos of their computer screen, capturing information such as dashboards, links to internal resources, and an Okta Single Sign-On (SSO) panel. These images were sold to the hacker collective for $25,000 and posted on their public Telegram channel in late November 2025 to fabricate claims of a full breach and harass the company.
CrowdStrike terminated the insider and referred the case to law enforcement, confirming no actual system compromise or customer data exposure.
The Big Takeaway
No doubt, these enterprises all had the best data protections in place—technologies that excel at securing data in transit and at rest. But they can’t control what happens after data is rendered on-screen.
Once an employee or staff member at a partner organization can view content on a screen, controls such as RBAC, ZTA, DLP, and endpoint protection become passive observers. Screenshots of dashboards, sensitive and confidential content, personally identifiable information, and more can move freely and invisibly across tools and devices to the open web and to hackers. This creates the exact blind spot attackers and malicious insiders rely on: a space where content moves freely, but security tools have no insight or control.
More than ever, enterprises like yours need a new data protection layer that persists after authorized partners access and view information on screens through supplier portals, vendor management systems, and global content management systems. This “post-access protection” layer is a clear gap in the DLP security stack.
In the case of insider leaks, Digimarc addresses this gap by adding persistent, covert digital identifiers to photographs and screenshots of screens containing content. These digital identifiers enable direct attribution and rapid traceability back to the source of the leak. Let’s take a closer look.
Explore Digimarc Leak Detection for Web Content
Digimarc’s Leak Detection solution adds a covert, digital security layer on top of content viewed on computers and mobile devices, including internal websites, portals, and global content management systems that companies use to share information with employees and partners. This security layer embeds persistent, user-specific information into photographs and screenshots of on-screen content (such as user information that IT uses to manage enterprise system and data access). This user-attributable information is resilient, persisting in screenshots and photos—even if they have been modified, saved into different formats, or stripped of metadata.
When a leaked image is found or surfaces online—whether on social media, news sites, forums, or dark web channels—Digimarc can retrieve the embedded information so you can trace it back to the source in your extended ecosystem. This applies to all contractors, suppliers, and partners who access controlled-release materials such as pre-launch designs, confidential specs, or proprietary media through Digimarc-protected internal websites, portals, and content management systems. Regardless of who posts the images, or where, our hidden signals are preserved, detectable, and traceable.
EXPLORE THE BENEFITS
By extending leak protection beyond your four walls, Digimarc helps you:
Regardless of who posts the images, or where, our hidden signals are preserved, detectable, and traceable—even if the file has been stripped of other metadata, modified in some way, or saved to a different format.
In today’s interconnected world, perimeter security alone isn’t enough. True resilience requires security at the content level across extended ecosystems. Digimarc delivers that layer—scalable, reliable, and proven in high-stakes environments.
Ready to close the gaps in your extended ecosystem leaking image-based content? Visit our website to learn more about Digimarc’s leak detection solutions or request a demo today.