Verizon DBIR 2026: vulnerability exploitation has overtaken stolen credentials as the top breach vector for the first time in the report's 19-year history - the real question

Started by StoneCold, May 21, 2026, 10:51 AM


StoneCold

The 2026 Data Breach Investigations Report, covering incidents from November 2024 to October 2025, analysed more than 31,000 security incidents and 22,000 confirmed breaches, nearly double last year's 12,195. The headline finding: vulnerability exploitation accounted for 31 percent of breaches, beating stolen credentials at 13 percent for the first time in the report's existence.

AI is the driver. Threat actors are using AI to compress the window between vulnerability disclosure and active exploitation from months to hours. The median time for organisations to fully patch increased to 43 days in 2025, up from 32 days. Only 26 percent of KEV catalog vulnerabilities were patched last year. Shadow AI use by employees tripled to 45 percent. Third-party supply chain breaches jumped 60 percent and now account for 48 percent of total breaches.

Breach entry point, 2026 DBIR finds | About Verizon

BigDog26

The 43-day median patching time versus the hours-to-exploit window created by AI is the number that keeps security teams awake. The gap between the two is now structural and growing.
It's not a bug, it's a feature

Ellie22

Credential theft dropping to 13 percent is not because organisations are managing credentials better. It is because exploiting unpatched vulnerabilities is faster and more reliable now. Phishing still works; it is just no longer the favourite route.
My team is always one signing away

Cheugy

Shadow AI use tripling to 45 percent of employees is the one that should terrify CISOs. Every employee using an unapproved AI tool is a potential data exfiltration channel that is not in any security architecture document.
Football is life. Everything else is just details.

Ridge

Supply chain breaches at 48 percent of the total is the structural change nobody has solved. You can harden your own perimeter and be compromised through a vendor you have never heard of.
sudo make me a sandwich

Plateau65

22,000 confirmed breaches from 31,000 incidents analysed is a confirmation rate that should make anyone uncomfortable. That is not a few bad actors; that is a sustained, industrial-scale operation.
Measure twice, post once

Isaac80

The KEV catalog patching rate dropping from 38 percent to 26 percent is the most alarming single number in the report. That catalog exists specifically because those vulnerabilities are being actively exploited. Less than a third are getting patched.
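The two numbers this thread keeps returning to, the KEV patch rate and the median time to patch, are things a defender can measure against their own estate rather than only read in the report. The script below is an added example, not from the DBIR or from any poster: it takes a KEV-style catalog feed (the `vulnerabilities` / `cveID` / `dateAdded` layout is the shape of the CISA KEV JSON, but the entries here are constructed placeholders, not real catalog records) and an internal patch inventory, and computes the patched fraction, the median days from catalog addition to full remediation, and which entries breach a remediation SLA. The 30-day SLA and the inventory mapping are assumptions chosen for illustration.

```python
"""Patch-exposure metrics against a KEV-style catalog (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from statistics import median

# Constructed sample catalog in the shape of a KEV JSON feed.
# The CVE ids below are placeholders, not real catalog entries.
CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2025-03-01"},
        {"cveID": "CVE-0000-0002", "dateAdded": "2025-04-10"},
        {"cveID": "CVE-0000-0003", "dateAdded": "2025-05-05"},
        {"cveID": "CVE-0000-0004", "dateAdded": "2025-06-01"},
        {"cveID": "CVE-0000-0005", "dateAdded": "2025-08-15"},
    ]
}

# Constructed internal inventory (assumed format): CVE id -> ISO date the
# fix was fully deployed across the estate, or None if it is still open.
INVENTORY = {
    "CVE-0000-0001": "2025-03-31",
    "CVE-0000-0002": "2025-05-23",
    "CVE-0000-0003": "2025-07-04",
    "CVE-0000-0004": None,
    "CVE-0000-0005": None,
}

SLA_DAYS = 30  # assumed remediation target for actively exploited CVEs


@dataclass
class ExposureReport:
    total: int
    patched: int
    patch_rate: float                     # fraction of catalog entries remediated
    median_days_to_patch: float | None    # over remediated entries only
    open_exposure_days: dict[str, int] = field(default_factory=dict)
    over_sla: list[str] = field(default_factory=list)


def exposure_report(catalog: dict, inventory: dict[str, str | None],
                    as_of: date, sla_days: int = SLA_DAYS) -> ExposureReport:
    """Compare every catalog entry with the inventory and summarise exposure.

    An entry missing from the inventory is treated as open: a KEV entry the
    estate has not even tracked is the worst case, not a gap to ignore.
    """
    entries = catalog["vulnerabilities"]
    days_to_patch: list[int] = []
    open_exposure: dict[str, int] = {}
    over_sla: list[str] = []

    for entry in entries:
        cve = entry["cveID"]
        added = date.fromisoformat(entry["dateAdded"])
        fixed = inventory.get(cve)
        if fixed is None:
            exposed = (as_of - added).days
            open_exposure[cve] = exposed
            if exposed > sla_days:
                over_sla.append(cve)
            continue
        elapsed = (date.fromisoformat(fixed) - added).days
        days_to_patch.append(elapsed)
        if elapsed > sla_days:
            over_sla.append(cve)

    patched = len(days_to_patch)
    return ExposureReport(
        total=len(entries),
        patched=patched,
        patch_rate=patched / len(entries) if entries else 0.0,
        median_days_to_patch=median(days_to_patch) if days_to_patch else None,
        open_exposure_days=open_exposure,
        over_sla=over_sla,
    )


if __name__ == "__main__":
    report = exposure_report(CATALOG, INVENTORY, as_of=date(2025, 10, 31))
    print(f"patched {report.patched}/{report.total} "
          f"({report.patch_rate:.0%}), median {report.median_days_to_patch} days")
    for cve, days in report.open_exposure_days.items():
        print(f"  still open: {cve} exposed {days} days")
    print("over SLA:", ", ".join(report.over_sla))
```

Run against a real inventory export, the interesting output is not the patch rate itself but the `open_exposure_days` list, which is the set of actively exploited CVEs still sitting inside the window the posters above are describing.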

QueueDay

The AI acceleration of exploitation is a ratchet that only goes one direction. The report notes defenders can use AI too, but the attack surface is so much larger than the defence surface that the asymmetry is structural.

Fox

Nineteen years of DBIR and credentials were always the top vector. The fact that exploitation has now overtaken it marks a genuine phase transition in the threat landscape, not just an annual fluctuation.

Brittle Ronan

The mobile social engineering increase of 40 percent is the trend that does not get enough attention. As email phishing awareness improves, attackers pivot to SMS and voice. The education has not kept up with the shift.
