Verizon Just Changed the Answer. For 19 Years, Stolen Credentials Were the #1 Breach Entry Point. Not Anymore.

Breaking Research Threat Intelligence
May 2026  ·  8 min read

The 2026 Verizon Data Breach Investigations Report dropped this week — the 19th edition, analyzing 22,000 confirmed breaches across 145 countries. For the first time in the report's history, unpatched software vulnerabilities have overtaken stolen credentials as the leading way attackers get in. Here's what that means for every small business.


Every year in May, Verizon publishes the Data Breach Investigations Report — the most widely cited primary source in cybersecurity, built from real breach data contributed by law enforcement agencies, incident response firms, and security organizations worldwide. This year's 19th edition analyzed over 31,000 security incidents and more than 22,000 confirmed data breaches across 145 countries. It is the largest dataset in the report's history.

The headline finding will surprise anyone who's been following this series: for the first time in 19 years of DBIR data, exploiting unpatched software vulnerabilities — not stolen credentials — is now the #1 way attackers get into organizations. Vulnerability exploitation accounted for 31% of breaches. Credential abuse dropped to 13%.

Before you close your password manager, read the nuance: the DBIR notes that a methodology change — reclassifying "pretexting" as a new initial access category — moved some incidents out of the credential column. On an apples-to-apples basis, identity-related access (phishing plus credential abuse) totals roughly 32% — essentially tied with vulnerability exploitation at 31%. Credentials haven't stopped mattering. But something genuinely significant has shifted — and it changes what small businesses need to be doing right now.

  • 31% of all breaches now start with unpatched vulnerability exploitation, the #1 entry point for the first time in 19 years (Verizon DBIR 2026, p.10)
  • 43 days median time to fully patch a critical vulnerability in 2025, up from 32 days: getting slower, not faster (Verizon DBIR 2026)
  • 96% of ransomware victims were SMBs; unpatched devices and limited recovery capabilities make small businesses the primary target (Verizon DBIR 2026 / GiaSpace analysis)

The DBIR's message this year: "The foundational principles of security and strong risk management remain the most effective defense." AI is accelerating attacks. The patch window has shrunk from months to hours. And the answer is still the same fundamentals — applied faster and more consistently than most SMBs currently manage.

The five findings that change what you should be doing

1. Unpatched vulnerabilities just became your biggest open door

31% of all breaches · #1 entry point

For 18 consecutive years, the DBIR's answer to "how do attackers get in?" was stolen credentials. In 2026 that changed. Exploitation of unpatched software vulnerabilities is now the leading initial access vector. The driver is AI: threat actors are using generative AI to accelerate vulnerability research, target selection, and exploit development, compressing the window between a CVE being disclosed and it being weaponized from months to hours.

The median patching time increased from 32 days in 2024 to 43 days in 2025 — organizations are getting slower at patching at exactly the moment when the exploitation window is getting shorter. Organizations patched only 26% of flaws in CISA's Known Exploited Vulnerabilities catalog last year, down from 38% in 2024. And the volume of critical flaws organizations needed to patch was 50% higher than the year before.

What this means for your business: Every day a known critical CVE on an internet-facing system goes unpatched is a day an attacker's automated scanner could find and exploit it. Critical patches should be applied within 48–72 hours of release, not 43 days. If you don't know what CVEs are on your public-facing services, finding out is the most urgent security action you can take today.
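
The two numbers above (the 72-hour target and the share of KEV entries actually patched) are easy to track once you have an asset inventory. The following script is an added example written for this post, not code from Verizon or from the DBIR; the catalog entries, the CVE IDs (placeholders, not real CVEs), the inventory and the "as of" timestamp are all constructed, and the record shape only mimics the fields a CISA KEV entry carries. It pairs each host with the catalog entries that apply to its product, flags unpatched internet-facing exposures older than the SLA, and reports the fraction of applicable KEV entries already remediated.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed, hypothetical catalog entries shaped like CISA KEV records
# (cveID, vendorProject, product, dateAdded). The IDs are placeholders, not real CVEs.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVPN", "product": "Gateway", "dateAdded": "2026-05-01"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleMail", "product": "Webmail", "dateAdded": "2026-05-04"},
    {"cveID": "CVE-0000-00003", "vendorProject": "ExampleOffice", "product": "Suite", "dateAdded": "2026-04-10"},
]

# Constructed "now"; in practice use datetime.now(timezone.utc).
AS_OF = datetime(2026, 5, 8, 12, 0, tzinfo=timezone.utc)


@dataclass
class Asset:
    hostname: str
    vendor: str
    product: str
    internet_facing: bool
    patched_cves: frozenset  # CVE IDs already remediated on this host


# Constructed inventory; a real one comes from a vulnerability scanner or asset database.
INVENTORY = [
    Asset("vpn-edge-01", "ExampleVPN", "Gateway", True, frozenset()),
    Asset("mail-01", "ExampleMail", "Webmail", True, frozenset({"CVE-0000-00002"})),
    Asset("desk-07", "ExampleOffice", "Suite", False, frozenset()),
]


def _added(entry):
    """KEV dateAdded is a plain date; treat it as midnight UTC."""
    return datetime.strptime(entry["dateAdded"], "%Y-%m-%d").replace(tzinfo=timezone.utc)


def exposures(inventory, kev):
    """Yield (asset, entry) for every catalog entry that applies to an asset's vendor/product."""
    for asset in inventory:
        for entry in kev:
            if (entry["vendorProject"], entry["product"]) == (asset.vendor, asset.product):
                yield asset, entry


def overdue(inventory, kev, now, sla_hours=72):
    """Unpatched KEV entries on internet-facing hosts older than the SLA, worst first.

    Returns a list of (hostname, cveID, hours_since_added)."""
    out = []
    for asset, entry in exposures(inventory, kev):
        if not asset.internet_facing or entry["cveID"] in asset.patched_cves:
            continue
        age = now - _added(entry)
        if age > timedelta(hours=sla_hours):
            out.append((asset.hostname, entry["cveID"], int(age.total_seconds() // 3600)))
    return sorted(out, key=lambda row: -row[2])


def kev_coverage(inventory, kev):
    """Fraction of applicable (asset, KEV entry) pairs that are already patched."""
    pairs = list(exposures(inventory, kev))
    if not pairs:
        return 1.0
    done = sum(1 for asset, entry in pairs if entry["cveID"] in asset.patched_cves)
    return done / len(pairs)


if __name__ == "__main__":
    for host, cve, hours in overdue(INVENTORY, KEV_SAMPLE, AS_OF):
        print(f"OVERDUE {host} {cve} ({hours}h past catalog add)")
    print(f"KEV coverage: {kev_coverage(INVENTORY, KEV_SAMPLE):.0%}")
```

Run daily against your real inventory and the live KEV feed, and the overdue list is the queue to work first; the coverage figure is the same measure the DBIR reports as 26% across organizations, so it tells you whether you are ahead of or behind that average.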

2. 96% of ransomware victims were small businesses

Ransomware in 48% of all breaches

Ransomware was involved in 48% of all confirmed breaches in 2025 — up from 44% the year before. The SMB-specific finding commands every small business owner's attention: 96% of ransomware victims were small and medium-sized businesses. Not because large enterprises have solved ransomware, but because SMBs present the combination of unpatched devices, limited recovery capabilities, and smaller security teams that makes them the most operationally vulnerable targets.

There is a sliver of good news: median ransom payments dropped below $140,000, and only 31% of victims paid — down from 50% two years ago. Attackers are making up in volume what they're losing in payment rates. The math hasn't changed in SMBs' favor.

What this means for your business: Ransomware's primary entry points in 2026 are exactly the vulnerabilities this series has covered: unpatched systems, stolen credentials, and exposed remote access services. Closing these three gaps doesn't require a security team. It requires the same checks from the 30-minute audit, run this week not next quarter.

3. Third-party breaches jumped 60%: nearly half of all breaches involve a vendor

48% of breaches · up 60% year-over-year

Breaches involving an organization's supply chain — a vendor, cloud provider, managed service provider, SaaS platform, or outsourced IT partner — increased by 60% and now account for 48% of all breaches. Nearly half. An attacker compromises a vendor that has privileged access to your systems. Your defenses are irrelevant because the attacker isn't coming through your perimeter — they're coming through a trusted connection you authorized.

The CISA GitHub leak we covered recently is a direct example: a contractor's credentials exposed government infrastructure because the access had been granted and was never adequately monitored. Replace "government infrastructure" with "your CRM" and the story is the same.

What this means for your business: Every vendor, contractor, or SaaS tool with access to your systems is a potential breach entry point you don't control. The offboarding audit in this series, which checks for stale vendor accounts and excess access, directly addresses this. Third-party access that was granted and never revoked is now statistically among the most likely sources of your next breach.
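
The vendor access review described above comes down to a few questions asked of every third-party account: is the contract still live, has the account been used recently, and is it privileged? The script below is an added example for this post, not the page's own audit procedure or any vendor's tool; the account records, dates and thresholds are constructed, and a real run would pull the same fields from your identity provider (user list with last sign-in) and from whoever tracks vendor contracts.

```python
from datetime import date, timedelta

# Constructed "today" for a reproducible run; use date.today() in practice.
TODAY = date(2026, 5, 8)

# Constructed, hypothetical identity records. kind is "vendor" or "employee";
# contract_end is None for open-ended arrangements; last_login None means never used.
ACCOUNTS = [
    {"user": "acme-support", "owner": "Acme MSP", "kind": "vendor", "enabled": True,
     "privileged": True, "last_login": date(2026, 1, 12), "contract_end": date(2026, 3, 31)},
    {"user": "crm-integration", "owner": "CRM SaaS", "kind": "vendor", "enabled": True,
     "privileged": False, "last_login": date(2026, 5, 6), "contract_end": None},
    {"user": "print-vendor", "owner": "PrintCo", "kind": "vendor", "enabled": True,
     "privileged": False, "last_login": None, "contract_end": None},
    {"user": "jdoe", "owner": "staff", "kind": "employee", "enabled": True,
     "privileged": False, "last_login": date(2026, 5, 7), "contract_end": None},
]


def audit_third_party_access(accounts, today, stale_days=90):
    """Return {user: [reasons]} for enabled vendor accounts that need review or revocation.

    Employee accounts are out of scope here (they belong to the offboarding audit);
    disabled accounts are skipped because access is already revoked."""
    findings = {}
    stale_before = today - timedelta(days=stale_days)
    for acct in accounts:
        if acct["kind"] != "vendor" or not acct["enabled"]:
            continue
        reasons = []
        if acct["contract_end"] is not None and acct["contract_end"] < today:
            reasons.append("contract ended %s but account still enabled" % acct["contract_end"])
        if acct["last_login"] is None:
            reasons.append("never logged in: access granted but unused")
        elif acct["last_login"] < stale_before:
            reasons.append("no login since %s (more than %d days)" % (acct["last_login"], stale_days))
        if reasons and acct["privileged"]:
            # Privileged plus stale or expired is the worst combination; surface it explicitly.
            reasons.append("account is privileged: treat as highest priority")
        if reasons:
            findings[acct["user"]] = reasons
    return findings


def review_order(findings, accounts):
    """Users to act on, privileged accounts first, then by number of reasons."""
    priv = {a["user"]: a["privileged"] for a in accounts}
    return sorted(findings, key=lambda u: (not priv[u], -len(findings[u])))


if __name__ == "__main__":
    result = audit_third_party_access(ACCOUNTS, TODAY)
    for user in review_order(result, ACCOUNTS):
        print(user)
        for reason in result[user]:
            print("  -", reason)
```

The 90-day threshold is an assumption chosen for the example; pick whatever your access policy states, and treat "contract ended, account still enabled" as an immediate revoke rather than a review item.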

4. Shadow AI tripled: employees are using AI tools IT doesn't know about

Shadow AI use up 3x · 45% of employees

Employee use of unapproved "shadow AI" tools tripled to 45% of employees in 2025. When employees paste client data, financial information, proprietary documents, or internal communications into an AI tool that IT hasn't reviewed, that data leaves your control. You don't know where it goes, how it's stored, or who can access it.

The DBIR also documents a 40% increase in mobile social engineering success rates — attackers are shifting from email phishing to SMS and voice attacks because employees are 40% more likely to click a mobile threat than an email one. Your employees have gotten better at spotting phishing emails. Their phones are now the softer target.

What this means for your business: If 45% of employees are using unapproved AI tools, the question isn't whether it's happening at your business, it's whether you've addressed it. A clear acceptable use policy naming approved AI tools and explicitly prohibiting pasting client or financial data into unapproved services closes most of the exposure.

5. Humans are still in 62% of breaches, but the attack vector has shifted

62% human element · mobile now primary target

The human element remains a factor in 62% of all breaches. But the DBIR documents an important shift: voice and SMS phishing now produce a 40% higher click rate than traditional email phishing. Employees have gotten meaningfully better at spotting suspicious emails. Attackers have moved to the channel where defenses are weakest — the phone in your employees' pockets.

MFA prompt bombing — flooding an employee's phone with authentication requests until they approve one to make it stop — appeared in 14% of incidents. That's the same attack documented in the MFA bypass post in this series. The DBIR confirms it's not theoretical. It's in 14% of real incidents.

What this means for your business: Security awareness training focused exclusively on email phishing is training for last year's attack. If your team hasn't been educated on SMS phishing, voice phishing, and MFA prompt bombing specifically, they're unprepared for the attacks the 2026 DBIR says are actually happening.
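
MFA prompt bombing leaves a distinctive trace in authentication logs: a burst of push challenges to one user in a short window, often ending with an approval. The detector below is an added example written for this post, not Verizon's or any identity provider's code; the log lines and their `mfa push user=... result=...` format are constructed for illustration, and real products log the same events under different field names. It parses the lines, slides a time window over each user's push events, and flags users who exceed a threshold, noting whether the burst was eventually approved.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log in a simple hypothetical format: alice receives a burst of
# pushes and finally approves one; bob has two normal logins hours apart; carol gets
# a burst she keeps denying.
SAMPLE_LOG = """\
2026-05-07T09:14:02Z mfa push user=alice result=denied
2026-05-07T09:14:35Z mfa push user=alice result=denied
2026-05-07T09:15:10Z mfa push user=alice result=timeout
2026-05-07T09:15:48Z mfa push user=alice result=denied
2026-05-07T09:16:20Z mfa push user=alice result=approved
2026-05-07T09:30:00Z mfa push user=bob result=approved
2026-05-07T13:02:11Z mfa push user=bob result=approved
2026-05-07T13:40:00Z mfa push user=carol result=denied
2026-05-07T13:41:00Z mfa push user=carol result=denied
2026-05-07T13:42:00Z mfa push user=carol result=denied
"""

LINE = re.compile(r"^(\S+) mfa push user=(\S+) result=(\S+)$")


def parse(log_text):
    """Return a time-sorted list of (timestamp, user, result); unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def detect_push_fatigue(events, window_minutes=5, threshold=3):
    """Flag users with >= threshold push challenges inside any sliding window.

    Returns {user: {"pushes": max pushes seen in one window,
                    "approved_after_burst": True if a flagged window ends in an approval}}."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most window_minutes.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                prior = alerts.get(user, {"pushes": 0, "approved_after_burst": False})
                alerts[user] = {
                    "pushes": max(prior["pushes"], count),
                    "approved_after_burst": prior["approved_after_burst"] or evs[end][1] == "approved",
                }
    return alerts


def alerts_for_sample():
    """Convenience wrapper used by the demo run and the checks below."""
    return detect_push_fatigue(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for user, info in alerts_for_sample().items():
        tag = "APPROVED AFTER BURST" if info["approved_after_burst"] else "burst denied"
        print(f"{user}: {info['pushes']} pushes in window ({tag})")
```

An approved push at the end of a burst is the case to treat as a likely compromised session (revoke tokens, reset the factor, talk to the user); a denied burst still means someone holds that user's password and the credential should be rotated. Number-matching or push-with-code MFA removes the "tap approve to make it stop" failure mode entirely.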

The 2026 DBIR analyzed 22,000 confirmed breaches, nearly double last year's 12,195. Not because the world suddenly became less secure, but because reporting has improved. The real number of SMB breaches is almost certainly significantly higher than what's counted. The ones that never make the DBIR are the ones where nobody knew it happened, which, at an average detection time of 292 days for credential breaches, is a significant portion of the total.

The honest summary — what changed and what didn't

The 2026 DBIR is not a signal that credentials no longer matter. It's a signal that the attack surface has expanded and the priority list has shifted:

  • Unpatched vulnerabilities are now the #1 entry point. If you have known critical CVEs on internet-facing systems, addressing them is more urgent than any other single action.
  • Credentials are still the #2 entry point when identity-related access is counted properly. Everything in the credential security series still applies.
  • Third-party access is now nearly as likely a breach source as your own systems. Vendor access reviews and stale account audits are no longer optional hygiene.
  • Your employees' phones are now more vulnerable than their email. Mobile social engineering, SMS phishing, and MFA prompt bombing are the techniques growing fastest.
  • AI is accelerating everything on the attacker's side. The patch window has shrunk to hours. The fundamentals haven't changed — they just need to be applied faster.

The DBIR's closing message: organizations that focus on fundamentals (patching, MFA, credential monitoring, access control, and incident response) still dramatically outperform those that don't, regardless of how sophisticated the attacks become. The businesses that stay out of next year's report aren't the ones with the biggest security budgets. They're the ones that applied the basics consistently before the attack clock started.

See how your business scores against the threats the 2026 DBIR documented. Veriti Spottr's beta is free.

Veriti Spottr Team AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
