Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector for the First Time in 19 Years
Verizon’s 2026 DBIR finds vulnerability exploitation caused 31% of breaches, surpassing credential theft at 13% for the first time. Ransomware rose to 48%, and AI is compressing attacker timelines.
Verizon’s 2026 Data Breach Investigations Report (DBIR) has landed with a finding that marks a significant shift in the threat landscape: for the first time in the report’s 19-year history, vulnerability exploitation has overtaken stolen credentials as the most common initial access vector in confirmed data breaches.
The Numbers
According to the 2026 DBIR, approximately 31% of breaches resulted from attackers exploiting unpatched vulnerabilities — up sharply from prior years. Credential abuse, long the dominant initial access method, fell to 13%. The shift reflects both the growing speed at which attackers weaponize newly disclosed CVEs and the persistently slow pace of enterprise patching.
Ransomware featured in 48% of confirmed breaches in 2025, up from 44% in the prior year — continuing the multi-year trend of ransomware as the dominant monetization path for network intrusions.
AI Is Compressing the Attack Window
One of the most striking findings is the role of AI in accelerating exploitation. The report finds that AI-assisted attacks are dramatically reducing the time between vulnerability disclosure and active exploitation, from a span historically measured in months down to hours. This compression directly undermines traditional patch management timelines: the period in which an organization can apply a patch before a vulnerability is weaponized is shrinking rapidly.
This is compounded by patching rates that are moving in the wrong direction: organizations patched only 26% of the security defects in CISA’s Known Exploited Vulnerabilities (KEV) catalog in 2025, down from 38% in 2024. The gap between the speed of exploitation and the pace of remediation is widening.
Third-Party and Supply Chain Risk Surges
Third-party supply chain breaches jumped 60% year-over-year, now representing 48% of total breaches. This figure underscores the systemic risk of vendor and partner access — and the inadequacy of perimeter-focused defenses for an enterprise whose attack surface extends through its entire supply chain.
Shadow AI: A Growing Exposure
The report highlights a new category of enterprise risk: Shadow AI. 67% of employees accessing AI services from corporate devices are using non-corporate accounts — meaning organizational data is flowing through AI systems outside corporate visibility or control. Overall AI adoption reached 45% of employees, up from 15% the prior year. The combination of rapid adoption and lack of governance creates a data exfiltration surface that most security programs have not yet addressed.
Mobile Phishing and Social Engineering
Mobile-centric phishing attacks showed a 40% higher success rate than email-based phishing, reflecting both the maturation of mobile smishing techniques and the relative immaturity of mobile endpoint security compared to desktop environments. Social engineering remains a significant component of the breach landscape alongside vulnerability exploitation.
Key Takeaways for Security Teams
The 2026 DBIR’s core message is that the patching and credential hygiene disciplines that defined the prior decade of security practice are necessary but no longer sufficient. AI-accelerated exploitation, supply chain exposure, and shadow AI risk require new controls:
- Treat CISA KEV as a minimum bar — 26% patching coverage is a failing grade; prioritize KEV remediation above all other patching work.
- Extend third-party risk management to include continuous monitoring, not just point-in-time assessments.
- Establish AI governance now — shadow AI is a data exfiltration surface, not just a productivity risk.
- Test mobile phishing defenses — a success rate 40% higher than email means your mobile users are the softest target.
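One way to act on the KEV takeaway is to measure your own KEV remediation coverage (the metric the report puts at 26%) and rank what is still open. The sketch below is an added example, not taken from the DBIR: the catalog field names follow CISA's KEV JSON feed, while the scanner export format, the placeholder CVE IDs, and the ransomware-first ordering are assumptions made for illustration.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (cveID, dueDate,
# knownRansomwareCampaignUse). The CVE IDs are placeholders, not real entries.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "dueDate": "2025-06-15", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "dueDate": "2025-09-30", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0004", "dueDate": "2025-12-01", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed scanner export: one row per (asset, CVE) finding. Hypothetical format.
FINDINGS_SAMPLE = [
    {"asset": "vpn-gw-01", "cve": "CVE-0000-0001", "status": "open"},
    {"asset": "web-02", "cve": "CVE-0000-0002", "status": "fixed"},
    {"asset": "web-03", "cve": "CVE-0000-0003", "status": "open"},
    {"asset": "db-01", "cve": "CVE-0000-0004", "status": "open"},
    {"asset": "db-01", "cve": "CVE-0000-9999", "status": "open"},  # not in KEV
]

def kev_report(kev, findings, today):
    """Return KEV remediation coverage and a prioritized list of open KEV findings."""
    catalog = {v["cveID"]: v for v in kev["vulnerabilities"]}
    in_kev = [f for f in findings if f["cve"] in catalog]
    fixed = sum(1 for f in in_kev if f["status"] == "fixed")
    coverage = fixed / len(in_kev) if in_kev else 1.0
    backlog = []
    for f in in_kev:
        if f["status"] == "fixed":
            continue
        entry = catalog[f["cve"]]
        due = date.fromisoformat(entry["dueDate"])
        backlog.append({
            "asset": f["asset"], "cve": f["cve"],
            "days_overdue": (today - due).days,  # negative means not yet due
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
        })
    # Assumed priority: ransomware-linked entries first, then the most overdue.
    backlog.sort(key=lambda b: (not b["ransomware"], -b["days_overdue"]))
    return coverage, backlog

if __name__ == "__main__":
    cov, todo = kev_report(KEV_SAMPLE, FINDINGS_SAMPLE, date(2025, 10, 1))
    print(f"KEV coverage: {cov:.0%}")
    for item in todo:
        print(item)
```

Coverage here is computed per finding (asset and CVE pair), so one unpatched host keeps a KEV entry in the backlog even when other hosts are fixed.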
The full 2026 DBIR is available at verizon.com/business/resources/reports/dbir/.



