


Blog Details
HomeBlog Details

Software Flaws Are the Leading Cause of Data Breaches Now - Verizon Report
For nearly two decades, stolen or even guessed passwords have been the single most common way attackers slip into company systems. And, for this long time, that was basically it. But this year, it changed.
Verizon's 2026 Data Breach Investigations Report (DBIR), published in May, based on more than 22,000 confirmed data breaches in business across 145 countries, found that finding and exploiting software vulnerabilities now takes over credential theft as the leading route attackers use to get in the first place. It’s the first time in the report’s 19-year history that vulnerability exploitation is the top point.
The shift feels abrupt. Vulnerability exploitation made up 31% of breaches in this year’s report. It was 20% in last year’s report, which means that there is a 55% jump in just one year. Credential abuse, last year's leader, fell to 13%. Some analyses of the underlying dataset put the figure even higher: a summary published by CXO Digital Pulse, drawing on Verizon's analysis of more than 35,000 security incidents and over 10,000 confirmed breaches, put vulnerability exploitation's share of initial access at 36%. The exact percentage varies a bit, depending on how a given summary slices the dataset. But every version says the same thing: software vulnerabilities are the new leading cause of breaches.
The DBIR's dataset includes incidents logged between November 1, 2024, and October 31, 2025. The report is compiled from law enforcement agencies and forensic investigators along with Verizon’s own threat research team. It’s commonly treated as the industry benchmark report for how data breaches in business really unfold.
What's the Reason for this Shift in Data Breaches in US Businesses
The short explanation is that the attackers are moving faster than the companies trying to patch against them.
Verizon's researchers pointed to automation and generative AI as the main accelerant. Newly disclosed vulnerabilities are now being turned into working exploits within hours or days of becoming public, rather than the weeks or months it used to take. That compresses what used to be a reasonable patching window into something closer to a sprint that most internal IT teams aren't equipped to run.
Daniel Lawson, SVP of Global Solutions at Verizon Business, said the increasing velocity of cyber threats driven by both AI and faster vulnerability exploitation makes fundamental security practices and risk management more important than ever.
Meanwhile, the supply of weaknesses that need patching is growing way faster than most security teams can manage to patch them. In the report, it says organizations faced about 50% more “must patch” issues from CISA’s Known Exploited Vulnerabilities catalog (KEV) this year than last year. And only 26% of those high-severity vulnerabilities were actually fully remediated during the study period. These figures are down from 38% the year before. Also, the median time it took to fully patch a vulnerability stretched out to 43 days, up from 32 days.
The scale of the backlog is larger than those percentages alone suggest. According to an analysis of the report by vulnerability management firm Nucleus Security, Verizon examined more than 1 billion anonymized vulnerability detection records and found that 35% of KEV vulnerability instances were still open 28 days after being flagged. Thus, translating to roughly 184 million open vulnerability instances across the dataset. Regardless of an organization's size or maturity, 60% to 70% of KEV vulnerabilities were still unpatched a full week after disclosure.
Put plainly: there are more vulnerabilities, they're being weaponized faster, and companies are patching a smaller share of them, more slowly, than they were twelve months ago.
Where the Attacks Are Actually Landing
The report found a particularly steep rise in attacks against edge devices and VPNs. The hardware and software that sits at the perimeter of a company's network, connecting remote employees and branch offices back to core systems. Breaches involving exploitation of edge devices and VPNs jumped to 22% of all vulnerability-related breaches, up from just 3% the year before, according to an analysis of the report by security vendor Push Security. That's roughly a sevenfold increase in a single year.
Firewalls, remote management tools, cloud infrastructure components, and web applications also saw increased targeting, according to the CXO Digital Pulse summary of the findings. Developer environments, CI/CD pipelines, and software supply chains were flagged as growing areas of concern too, with vulnerabilities in open-source dependencies showing up as a common entry point. Verizon researchers described this pattern as "zero-day acceleration". This term refers to threat actors rapidly weaponizing newly disclosed vulnerabilities before organizations have time to deploy patches.
Vulnerability intelligence firm Tenable, which contributed enriched vulnerability data to this year's report, described the pattern as one where the volume of vulnerabilities keeps expanding while organizations' ability to patch them keeps falling further behind. The firm's own count: 1,526 CVEs were listed in the CISA KEV catalog as of February 2026, and 991 of those showed some exploitation activity over the prior 12 months, according to the Nucleus Security analysis. Nearly half of the vulnerabilities with detectable exploitation activity fell into a category Verizon labeled "Persistent". This category means they kept being actively exploited over an extended stretch, rather than in a single burst. Only about 20% of the vulnerabilities in that long‑lived category had even been registered in the CVE database in 2024 or 2025. So, a real meaningful chunk of what is actively harming companies right now is honestly not new at all.
The Part of the Story That's Easy to Miss
It would be pretty easy to read this year’s DBIR as a hint that identity driven incidents like phishing, stolen passwords, and credential stuffing are becoming a less severe threat. But that would be a wrong take, 100%!
The DBIR's headline number pits vulnerability exploitation (31%) against credential abuse alone (13%) as a single category. But identity-related access is actually tracked across three separate categories in the report: phishing (16%), credential abuse (13%), and pretexting, or impersonation-based social engineering (6%). Added together, those three still account for roughly a third of initial access, comparable to vulnerability exploitation itself, according to an analysis by security vendor Dataprise.
More importantly, the DBIR notes that credential abuse shows up somewhere in the attack chain in 39% of all breaches analyzed, not just as the first move. Thus, making it the single most pervasive technique in the dataset even though it's no longer the top entry point. Stolen credentials are still how attackers move sideways through a network and maintain access once they're in. But it's the software flaw that got the door open in the first place.
Verizon's report also found that the human element, including phishing, social engineering, human error, and misuse, was a factor in 62% of all data breaches in business. That figure hasn't meaningfully declined. It's just being joined by a faster-growing problem rather than being replaced by it.
On the mobile side, the report found that social engineering conducted over text messages and voice calls is now succeeding at a rate roughly 40% higher than traditional email-based phishing. This is a sign that as employees get better at spotting suspicious emails, attackers are simply moving to a channel with fewer defenses.
AI is Showing Up on Both Sides
This year's DBIR includes a new section built in collaboration with Anthropic, examining 793 threat actor accounts that were shut down for violating acceptable use policies between March 2025 and February 2026. The findings suggest attackers are using AI mainly to scale up techniques they already had, rather than inventing new categories of attack. In the median case, a malicious actor used AI assistance across roughly 15 distinct attack techniques, and phishing-related activity accounted for about 44% of AI-assisted initial access attempts observed. Fewer than 2.5% of the technique’s researchers observed were classified as genuinely novel.
Separately, the report found that employee use of unauthorized "shadow AI" tools on corporate devices roughly tripled year over year, from around 15% to 45% of employees, according to Dataprise's summary of the findings. Of particular concern to security teams: 67% of those employees were logging into AI tools using personal accounts rather than corporate-managed ones, according to the same analysis. This creates a data exposure risk that most companies' security stacks aren't built to monitor.
The report also flagged a new and fast-growing category of internet traffic: AI bot crawlers, which grew 21% month-over-month during the study period, compared to essentially flat growth (0.3%) in human-driven web traffic. Verizon's researchers noted this as an early signal of where the next wave of attack surface may be forming, though the report stops short of describing concrete attacks tied to bot crawler traffic yet.
Third Parties are a Growing Part of the Problem
One of the report's other notable findings: breaches involving a third party now account for 48% of all data breaches in business, up 60% from the prior year's report. Rather than attacking a company directly, threat actors are increasingly going after the vendors, integrations, and cloud accounts that a company relies on, then using that trusted access to move in.
Email security firm Abnormal AI, in its own review of the DBIR data, noted that attackers are increasingly exploiting compromised vendor accounts, weak cloud identity controls, and excessive permissions to move laterally through otherwise well-defended networks. The firm's own research found that 44.2% of vendor email compromise messages that employees actually opened were engaged with in some way. This is a reminder that messages arriving through an established, trusted vendor relationship are far more likely to succeed than a cold phishing attempt.
This matters directly for the vulnerability exploitation trend, since a growing share of the internet-facing infrastructure at risk isn't owned or directly managed by the company that ultimately gets breached. It belongs to a vendor several steps removed, patched on that vendor's timeline rather than the victim's own.
How Verizon's Research Actually Helps
The report includes a striking piece of analysis on how quickly a patched vulnerability stops being a threat. Verizon researchers examined 1.4 million observations covering roughly 1,000 vulnerabilities over six years and found that the probability of a vulnerability being re-exploited drops by about half every 30, 90, and roughly 270 days since it was last observed being actively used in an attack. After about a year with no observed exploitation, a vulnerability's risk profile looks statistically similar to one that was never exploited at all.
The practical implication, according to the report: recency of real-world exploitation is a better signal for what to patch first than a vulnerability's severity score alone. A moderately rated flaw that's being actively exploited right now is a higher priority than a "critical"-rated one that hasn't seen activity in eight months. This runs counter to how a lot of smaller IT teams still triage their patch queues.
Verizon's broader recommendation across the report is a shift from static vulnerability lists toward what the security industry calls exposure management: continuously tracking which systems are internet-facing, which vulnerabilities are being actively exploited in the wild, and which of those sit closest to critical business data rather than trying to patch everything with a high CVSS score in the order it was disclosed.
Why this Matters for US Small and Mid-Size Businesses
Large enterprises have dedicated vulnerability management teams that can, in theory, keep up with a 43-day median patch cycle. Most small and mid-size businesses don't. A five-person IT team juggling help desk tickets, onboarding, and daily fires doesn't have the bandwidth to track a fast-growing CISA KEV catalog, let alone patch against it within hours of a new exploit going public.
That gap is exactly what this year's DBIR describes: not a change in what attackers want, but a change in how fast they can get it, at a moment when most organizations' patching capacity hasn't grown to match. A company doesn't need to be specifically targeted to be affected. It just needs to be running unpatched software that happens to match whatever an attacker is scanning for that week.
The report's own conclusion is fairly unglamorous: there's no single new tool that solves this. The fundamentals remain the most effective defense, even as the tools attackers use get faster. For businesses without an in-house team that can realistically run that process day to day, that's usually where a managed IT or security partner comes in. This is not to replace the fundamentals, but to make sure someone is actually watching the patch queue before it becomes a 43-day gap; an attacker only needs a few hours to walk through.
Related Reads
- What Happens to Your Data After You Share it with AI Tools
- Shielding Your Business from Password Spraying Attacks
- The Rising Threat of AI Financial Fraud in US Corporate Accounts
- The New QR Code Scam Sweeping the US
- Suspicious Login Locations? Why Your Account Shows Places You’ve Never Been
- My Gmail Was Accessed Without Any Security Alerts
