Data Breaches Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector Verizon’s 2026 DBIR finds vulnerability exploitation has overtaken credential abuse as the leading breach vector, as AI accelerates attacks, patching delays worsen, and ransomware and third-party compromises continue to surge. By Ionut Arghire | May 19, 2026 (8:04 PM ET) Flipboard Reddit Whatsapp Whatsapp Email Vulnerability exploitation was the most common access vector for data breaches in 2025, the latest installment of Verizon’s annual Data Breach Investigations Report (DBIR) shows. The number of analyzed security incidents has increased to 31,000. Of these, more than 22,000 were confirmed breaches, nearly double compared to last year’s 12,195 confirmed breaches. Approximately 31% of the breaches were the result of unpatched vulnerabilities being exploited. Credential abuse, which was the top entry point in last year’s DBIR , accounted for 13% of the breaches. According to Verizon’s researchers, threat actors are leveraging AI to accelerate vulnerability exploitation, and the window for defense has decreased from months to hours. “The rapid weaponization of known vulnerabilities by AI can create a capacity crisis for security teams, underscoring the urgent need to prioritize fundamental security and risk management practices,” Verizon says. The Verizon 2026 DBIR (PDF) also shows that organizations continue to struggle with vulnerability remediation. The median time for full patching increased to 43 days in 2025, up from 32 days in the previous year. Advertisement. Scroll to continue reading. According to the report, organizations patched only 26% of the security defects in CISA’s Known Exploited Vulnerabilities (KEV) catalog last year, a drop from 38% in 2024. The number of critical flaws (defined in the report as bugs included in the KEV list) that organizations had to patch was 50% higher in the median case compared to the previous year’s dataset. “The findings in Verizon’s 2026 DBIR are striking because it reinforces something we have been saying for years: exploitation is now the leading breach vector, and organizations are still simply not fixing flaws fast enough,” said Veracode co-founder and chief security evangelist Chris Wysopal. Per Verizon’s new report, ransomware was involved in 48% of the confirmed breaches in 2025, up from 44% in the previous year, while ransom payments decreased, with the median amount paid dropping below $140,000. Only 31% of ransomware victims paid, the report shows. An increased reliance on third-party software and services has expanded organizations’ attack surface and led to a 60% increase in breaches with third-party involvement last year, reaching 48% of the total. “Looking at remediation over time in third-party cloud exposure, only 23% of third-party organizations fully remediated missing or improperly secured multifactor authentication (MFA) on their cloud accounts, with 50% of all findings being resolved within a month,” the DBIR reads. Verizon’s report also shows that threat actors are increasingly relying on gen-AI for targeting, initial access, and malware and tool development. “The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50. Most AI-assisted development of malware and tooling was associated with well-known and defined attack techniques, with a median of 55 existing known malware examples performing the same functions,” the report reads. Per the Verizon 2026 DBIR, 62% of breaches involved a human element, social engineering accounted for 16% of breaches, and the median rate of success was 40% higher in mobile-centric phishing attacks than via email. Shadow AI , or the unauthorized use of gen-AI services, the report also shows, continues to plague enterprises, as 67% of users are accessing AI services from corporate devices using non-corporate accounts. Overall, 45% of employees are regular AI users, up from 15% last year. “While the datapoints are clear, the takeaway for the industry is resounding. Security teams can’t rely solely on downstream remediation. As attackers increasingly target common coding weaknesses, organizations need to prioritize finding and fixing vulnerabilities during development—not months, or even a year, down the line when the burden of time, cost, and risk is multiplied. This is even more important as GenAI continues to change the code vulnerability calculus,” Wysopal said. Related: Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks Related: Unpatched ChromaDB Vulnerability Can Lead to Server Takeover Related: Cyber Resilience Is the New Business Continuity Plan Related: PoC Released for DirtyDecrypt Linux Kernel Vulnerability Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire ‘Claw Chain’ OpenClaw Flaws Allow Sandbox Escape, Backdoor Delivery Researcher Drops MiniPlasma Windows Exploit for Unpatched 2020 CVE First Shai-Hulud Worm Clones Emerge Exploitation of Critical NGINX Vulnerability Begins PoC Code Published for Critical NGINX Vulnerability OpenAI Hit by TanStack Supply Chain Attack TeamPCP Ups the Game, Releases Shai-Hulud Worm’s Source Code Chrome 148 Update Patches Critical Vulnerabilities Latest News Drupal to Patch Highly Critical Vulnerability at Risk of Quick Exploitation Microsoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’ Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks Unpatched ChromaDB Vulnerability Can Lead to Server Takeover B1ack’s Stash Marketplace Gives Away 4.6 Million Stolen Credit Cards Cyber Resilience is the New Business Continuity Plan 201 Arrested in Crackdown on Cybercrime in Middle East, North Africa PoC Released for DirtyDecrypt Linux Kernel Vulnerability Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Third-Party Risk in Practice June 4, 2026 Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Tim Byrd has been appointed Chief Information Security Officer at First Citizens Bank. IRONSCALES has named Steve McKenzie as Chief Operating Officer. Silvio Pappalardo has joined AuthMind as Chief Revenue Officer. More People On The Move Expert Insights Cyber Resilience is the New Business Continuity Plan The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin) Enhancing Data Center Security Without Sacrificing Performance For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael) Is the SOC Obsolete, and We Just Haven’t Admitted It Yet? Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au) The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email