For the first time in 19 years, exploiting software vulnerabilities has overtaken stolen credentials as the primary way attackers break into corporate networks. Verizon’s 2026 Data Breach Investigations Report (DBIR) analyzed more than 31,000 security incidents across 145 countries and delivers a clear message: the threat landscape has fundamentally shifted, and most organizations are not moving fast enough to keep up.

AI is at the center of that shift. Attackers now use AI tools to discover and weaponize known software flaws at a speed that compresses the available response window from months to hours. Security teams that once had weeks to apply a patch now have far less time before active exploitation begins.
Vulnerability Exploitation Overtakes Stolen Credentials
Software vulnerability exploitation now accounts for 31% of all confirmed data breaches. Stolen credentials, which dominated breach entry points for nearly two decades, dropped sharply to just 13% of reported incidents this year.
The gap reflects a structural change in how attackers operate. Rather than running large-scale credential stuffing campaigns or buying Microsoft 365 login credentials on dark-web markets, threat actors increasingly target unpatched software because AI makes that approach faster and more scalable.
The median time organizations took to apply patches during 2025 was 43 days. In a threat environment where exploitation can begin within hours of a flaw becoming public, a 43-day patch cycle leaves networks exposed for weeks. Only 26% of critical vulnerabilities were fully remediated across the entire year.
Ransomware Keeps Rising Despite Fewer Payments
Ransomware attacks appeared in nearly half of all breaches, rising from 44% the previous year to 48% in this report. The frequency is still climbing, but the economics are starting to shift against attackers.
69% of victims refused to pay the ransom. Organizations are getting better at recovering data from backups and restoring systems without funding criminal operations. Even so, ransomware remains the most common outcome once attackers gain a foothold, which makes the speed of initial access all the more critical to address.
Mobile Social Engineering Now Outperforms Email Phishing
The human element remained present in 62% of all breaches. But the channel attackers use to reach people has changed significantly.
Phishing simulations confirm that text messages and voice calls now achieve a 40% higher success rate than traditional email phishing. As users grow more suspicious of email-based attacks, threat actors are pivoting to mobile-centric social engineering where people are less guarded and security tools offer less coverage.
Voice phishing attacks targeting SSO accounts have already produced high-profile breaches at major enterprises. Attackers call employees directly, impersonate IT support, and talk victims into handing over session tokens or one-time codes in real time. Email security gateways provide no protection against that approach.
Phishing kits like Kali365 have also lowered the technical bar for running sophisticated phishing campaigns, making it easier for less skilled attackers to target corporate environments at scale.
Shadow AI Has Become a Data Leakage Problem
AI tool adoption at work tripled in a single year. 45% of employees now use AI tools on the job, up from 15% the previous year. That number reflects how quickly AI has embedded itself into daily work, but it also represents a security gap that most organizations have not addressed.
67% of employees who use AI at work access those platforms through unauthorized personal accounts rather than approved corporate systems. When workers paste internal documents, customer records, or proprietary data into a personal AI account, that content leaves the organization’s security boundary with no audit trail and no recall mechanism.
The DBIR now ranks shadow AI as the third most common cause of non-malicious data leakage. Unlike malware or credential theft, employees using unauthorized AI tools at work do not intend to expose data. The risk is structural and grows every time someone pastes a work document into a consumer AI chat interface.
Supply Chain Attacks Jumped 60%
Third-party involvement in breaches rose 60% year over year. Breaches with a supply chain component now account for 48% of all incidents.
Attackers recognize that enterprise perimeters are harder to breach directly. Targeting a smaller vendor with weaker security and using that access to reach a larger customer is a more efficient path. Organizations that share data, credentials, or network access with third-party partners now carry that partner’s security posture as part of their own attack surface.
AI Bots Are the Emerging Threat Surface
Beyond the current breach statistics, the DBIR flags AI bot internet crawlers as the next frontier. AI bot traffic is growing at 21% month over month. Human-led internet traffic, by comparison, grew just 0.3% over the same period.
That gap signals where future attack automation will concentrate. As AI-powered crawlers get better at mapping exposed systems, identifying vulnerable software versions, and detecting misconfigured services, the speed advantage attackers already hold will compound further.
What to Do Based on These Findings
The DBIR’s recommendations come down to fundamentals executed consistently:
- Patch faster: A 43-day median patch cycle is not acceptable in an environment where AI-assisted exploitation can begin within hours. Prioritize public-facing systems and internet-connected infrastructure.
- Cover mobile attack channels: Email security tools do not intercept SMS phishing or voice-based social engineering. Training employees to recognize mobile-specific attacks is now essential, not optional.
- Control AI tool access: Establish a list of approved AI platforms, provide corporate accounts on those platforms, and block personal AI account usage on corporate devices and networks.
- Treat third-party compromise as inevitable: Audit vendor access regularly, enforce least-privilege for external connections, and monitor outbound data flows that touch third-party systems.
- Use a VPN for remote work: A VPN encrypts your internet traffic before it leaves your device and hides your real IP address from anyone trying to intercept it. That remains a practical baseline for employees accessing corporate systems from outside the office network.
Protecting accounts at the individual level also matters. Attacks against Microsoft accounts and personal accounts cascade into corporate environments when employees reuse credentials or link personal and work authentication. Windows Credential Autofill changes and tighter controls on how apps interact with login prompts are part of Microsoft’s response to this pattern.
The 2026 DBIR makes one thing clear: attackers are acting on the assumption that AI gives them a speed advantage, and the data proves they are right more often than not. The answer is not more complexity but consistent execution of the fundamentals at a pace that matches the threat.
You can download the full 2026 DBIR from Verizon’s website.
