For almost 20 years, stolen credentials have been the most common route for attackers into organizations, according to the Verizon Data Breach Investigations Report (DBIR). But that's no longer the case. According to the newly published 2026 report, exploitation of vulnerabilities has overtaken credential theft as the leading vector for hackers to gain their initial access — accounting for 31% of all security breaches. And what's the likely reason? AI is helping attackers find and weaponize known flaws far faster than defenders can patch them. The uncomfortable truth is that the window between a vulnerability being disclosed and it being actively exploited has shrunk from months to hours. Verizon's report further claims that only around a quarter of disclosed vulnerabilities ever get fully patched, and on average it takes 43 days to fix half of them — a timeline that is slipping, not improving. Anyone hoping that simply patching their systems faster is a workable strategy is going to be sorely disappointed. The sheer volume of problems is making that impossible. But this is far from the only headline from this year's Verizon DBIR. Phishing Targeting Mobile Devices Clued-up workers are becoming increasingly wise to the risk of malicious emails arriving in their inboxes, and so attackers have switched channels. Increasingly, social engineering attacks like fraudulent SMS messages and voice calls are launching successful attacks at a rate 40% higher than traditional email phishing. Employees are far less likely to scrutinize a sender's number on a small screen than they are to double-check the veracity of an email on their desktop. Cyber-criminals know that users are often most distracted when on their mobile phones, and are exploiting the weakness with success. Shadow AI Is the New Shadow IT For years companies have known that unsanctioned web applications and software-as-a-service tools were a security headache, but Verizon has found that frequent use of AI tools by employees has surged from 15% to 45% in a single year. 75% of those using AI in the workplace are doing so by accessing unsanctioned services, mostly through personal accounts. This use of "Shadow AI" is now the third most common source of non-malicious data leakage, according to the report. And the risks are real. Because every time an employee pastes a contract, a customer list, or source code into a chatbot accessed via their personal account, the data effectively leaves the organization. The Supply Chain Keeps Getting Longer Breaches involving a third party are up 60% compared to the previous year, and now make up 48% of all breaches. Organizations are increasingly relying on external vendors, contractors, and service providers. Cyber-criminals are wise to the fact that the weakest link which will provide access to a company's systems or data might be a different vendor entirely. Ransomware Is Proving Less Profitable It's not all bad news. Although ransomware is now involved in approximately 48% of confirmed data breaches, fewer of its victims are paying their extortionists. The proportion of organizations refusing to pay has risen from 65% to 69% according to the report, and the average ransom payment continues to fall. Conclusion What is clear from the advice contained within the DBIR is that you can do a lot to defend your company simply by getting the fundamentals right. Reduce your attack surface, understand what parts of your business are at risk and reduce your exposure, don't bolt AI into your systems but instead integrate it carefully and securely, take vulnerability management seriously and keep yourself briefed on the latest threats. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra. Cybercrime Intelligence Shouldn't Be Siloed Fortra® experts are dedicated to protecting organizations and the public by delivering the latest insights, data, and defenses to strengthen security against emerging cyber threats. READ OUR RESEARCH Graham Cluley Cybercrime Researcher and Blogger View Profile RELATED CONTENT BLOG Verizon 2025 DBIR Highlights: Third-Party Threats Double and System Intrusion Is 81% to Blame BLOG The Verizon 2024 DBIR Reveals Record-High Confirmed Data Breaches GUIDE 7 Best Practices for Vulnerability Assessment & Management BLOG 50 Examples of Ransomware Attacks and Their Impacts Image