
> We once used a third-party service ... they got hacked ... [people] blamed us for ...

From my point of view as a client, I don't care that the problem was with one of your suppliers: my relationship is with you, not them, I trusted you with my information, not them, and so forth. Unless you gave your users a choice about whether their information went to that third party then from your user's point of view it is your fault - there was nothing they could do to prevent the problem (other than not use your service).

I know it is not realistic to expect you to fully vet the security of all third parties and take full responsibility for any failures of them as no amount of due diligence will protect against every eventuality, hence I use the "unique email address" approach and take other care when handing out personal details that are less easy to fake (phone numbers, details needed for payment processing, ...), but it is also not realistic to disavow yourself of responsibility when something like that does go wrong at a supplier. You chose to trust that service, not your users. You put your users' information in a position of being out of your (and their) control.



