Verizon DBIR: Vulnerability Exploitation Surpasses Stolen Credentials as Top Breach Entry Point

Verizon’s latest DBIR highlights how vulnerability exploitation, credential exposure and expanding AI usage are reshaping enterprise cybersecurity priorities.
Vulnerability exploitation overtook stolen credentials as the leading initial access vector in cyber breaches for the first time in the history of Verizon’s annual Data Breach Investigations Report (DBIR), according to findings released Tuesday by Verizon.
The 2026 edition of the DBIR found vulnerability exploitation accounted for 31% of breaches, reflecting the growing speed at which threat actors weaponize newly disclosed flaws. Verizon said artificial intelligence (AI) is accelerating the exploitation cycle, compressing timelines from months to hours in some cases.
The report also highlighted increases in mobile-focused social engineering attacks, third-party breach exposure and the rise of “shadow AI” use inside organizations.
Still, some cybersecurity experts cautioned against interpreting the findings as evidence that credential abuse has become a secondary concern.
In prepared media comments, Enzoic CEO Mike Greene argued that while vulnerabilities may now lead as the primary initial access vector, compromised credentials continue to play a major role throughout broader attack chains.
“The headline will be that vulnerabilities overtook credentials, but that's a dangerous misread,” Greene said. “Credential abuse still accounts for 39% of all breaches.”
Greene pointed to additional DBIR findings that he said illustrate what he described as a growing “credential paradox” in enterprise security programs. According to Greene, the report found users are four times more likely to be using previously compromised passwords than weak passwords that fail standard complexity requirements.
“We've been fighting the wrong password battle for nearly a decade,” Greene said. “Companies are winning the complexity battle but losing the exposure war.”
The DBIR found less than 1% of Active Directory accounts failed password complexity checks, while 4% were using passwords that had already appeared in known credential exposures, according to the report analysis cited by Greene.
Verizon’s report additionally found ransomware attacks remain closely tied to credential compromise activity. Greene noted that 73% of ransomware victims identified in the DBIR had experienced a credential leak within the prior year, with roughly half occurring within 95 days of the ransomware incident.
Beyond credential risks, Verizon reported that third-party involvement in breaches increased 60% year over year and now appears in 48% of all breaches examined in the report.
AI usage raises data exposure risks
The company also warned organizations about the operational and security implications of growing employee use of unauthorized AI tools. Verizon said frequent employee use of AI applications rose from 15% to 45% over the past year, increasing the likelihood of sensitive information exposure through unsanctioned platforms.
Daniel Lawson, senior vice president of global solutions for Verizon Business, stated the report underscores the continued importance of cybersecurity fundamentals despite the rapid evolution of attack techniques.
“The DBIR reinforces that these fundamentals still hold as organizations strive for resilience,” Lawson said in an announcement.
The report includes recommendations for security leaders focused on vulnerability management, layered defenses, software patching strategies and stronger controls around identity security and AI usage.
About the Author
Rodney Bosch
Editor-in-Chief/SecurityInfoWatch.com
Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications.
