Rows of illuminated server racks in a dark data center with blue and green indicator lights

TL;DR: Verizon's 2026 Data Breach Investigations Report analyzed 31,000 security incidents and 22,000 confirmed breaches across 145 countries. Three findings matter most: (1) vulnerability exploitation (attackers hitting unpatched software) is now the #1 way into your systems, overtaking stolen credentials for the first time in the report's 19-year history; (2) supply chain breaches jumped 60%, with nearly half of all breaches now involving a third party your organization trusted; and (3) 45% of employees are using AI tools at work, two-thirds of them through personal accounts their employer can't monitor. Your company isn't just getting breached through its own mistakes anymore. It's getting breached through its vendors' mistakes and its employees' AI experiments.

Unpatched Software Is Now the #1 Way In

For 18 years, stolen credentials topped the list. Not anymore. Vulnerability exploitation (attackers finding and hitting unpatched software) now accounts for 31% of all breaches, up from 20% last year. That's a 55% surge in a single year [1].

The reason is simple: organizations aren't patching. Only 26% of the critical vulnerabilities flagged by CISA's "Known Exploited Vulnerabilities" catalog were fully remediated by the organizations Verizon polled. That's down from 38% the year before. The median time to patch? 43 days. Up from 32 [1].

Attackers aren't waiting around. AI is accelerating exploit development. Verizon tracked 793 malicious actors using AI platforms, with a median actor querying for 15 different attack techniques. The window between a vulnerability being disclosed and an attacker weaponizing it has compressed from months to hours [2].

Credentials still matter. They show up in 39% of all breaches when you count lateral movement and privilege escalation, not just initial access [3]. But the front door has changed. If you're not patching within days, you're leaving it wide open.

Half of All Breaches Now Come Through Someone Else

Third-party involvement in breaches jumped 60% year-over-year. Nearly half (48%) of all confirmed breaches now involve a vendor, contractor, or partner that the victim organization trusted with access to their systems or data [1].

The identity hygiene among these third parties is dismal. Only 23% of third-party organizations had fully remediated MFA issues on their cloud accounts. Permission misconfigurations and weak passwords typically took eight months to resolve [1].

Think about that. Your company can run a tight ship (patch everything, enforce MFA, train every employee) and still get breached because your payroll vendor uses "admin123" and takes eight months to fix it.

This isn't theoretical. The Instructure/Canvas breach in May 2026 exposed data from 275 million student and teacher accounts because ShinyHunters hit the vendor, not the schools [4]. The New York public healthcare system breach, one of the largest of 2026, happened through an unnamed third-party vendor, exposing patient records including biometric data, Social Security numbers, and medical histories [5].

Remote monitoring and management (RMM) tool abuse increased 240% year-over-year. Traditional malware dropped 27%. Attackers are using the same legitimate tools your IT department uses. They just log in through your vendor's compromised credentials [3].

Your Employees Are Feeding Your Data to AI, and You Can't See It

This is the finding that should keep CISOs up at night. 45% of employees now use AI tools regularly on corporate devices. That's triple the 15% from last year [6].

Here's the problem: 67% of those employees access AI services through non-corporate accounts. Personal Gmail. Personal ChatGPT subscriptions. AI tools their company has never heard of, running on company hardware, processing company data [6].

Verizon analyzed 858,440 data loss prevention events involving uploads to generative AI tools. Source code was the top data type being uploaded, by a large margin. Followed by images, structured data, and research documentation [6].

Shadow AI is now the third most common non-malicious insider action in DLP data. That's a fourfold increase from last year [3]. These aren't malicious employees. They're people trying to do their jobs faster. They paste source code into ChatGPT to debug it. They upload spreadsheets to get AI-generated analysis. They feed proprietary research into tools that retain everything.

And then there are the browser extensions. The average company has more than 15% of its users running unauthorized AI browser extensions that silently collect the context of every page visited [6].

Two-thirds of organizations can't fully account for where their sensitive data is [6]. So when an employee pastes your customer database into an AI chatbot running on a personal account, nobody knows. Until it shows up in a breach report.

Ransomware: Higher Volume, Lower Payouts

Ransomware accounted for 48% of all breaches in the 2026 DBIR, up from 44%. But here's a rare piece of good news: 69% of victims didn't pay [1].

The bad news: the attacks are hitting faster. Half of ransomware victims had credential or infostealer compromises within 95 days before the attack. Infostealers surface an average of 2,362 breached corporate credentials per month from organizational email domains [3]. That's the pipeline: steal credentials, sit on them, deploy ransomware weeks later.

The human element still drives 62% of breaches overall. Mobile phishing engagement rates are 40% higher than email phishing. Voice phishing (actual phone calls) outperforms email too. 41% of social engineering breaches now come through non-email channels [1].

Email security gateways catch credential phishing well enough: 80% of blocked attacks fall in that category. But they're blind to the phone call, the text message, the deepfaked voice that sounds like your CEO.

What You Can Do

The DBIR is a report for enterprise security teams, but the threats filter down to everyone. Here's what matters at every level:

If you run a company or IT team:

  • Patch within days, not weeks. 43 days median is a death sentence. Automate patching for everything you can. Prioritize CISA's Known Exploited Vulnerabilities catalog. If it's on that list, attackers are already using it.
  • Audit your vendors. Require MFA for every third-party with access to your systems. Check their security posture before renewing contracts. 48% of breaches come through third parties. Your security is only as strong as your weakest vendor.
  • Get ahead of shadow AI. Blocking AI tools entirely doesn't work. Employees route around bans. Provide approved AI tools with enterprise accounts and data guardrails. Monitor DLP events for uploads to AI services. If 45% of your workforce is already using AI, the only question is whether they're using it safely.

If you're an individual:

  • Assume your data has been breached. 22,000 confirmed breaches in one year across 145 countries. Freeze your credit. Use unique passwords for every account. Enable MFA everywhere. Not SMS, use an authenticator app or hardware key.
  • Watch for voice phishing. The DBIR shows phone-based social engineering works 40% better than email. If someone calls claiming to be your bank, IT department, or a government agency, hang up and call them back at their official number.
  • Think before you paste. If you use AI tools at work, ask yourself: would I email this data to a stranger? Because that's essentially what you're doing when you paste proprietary code or customer data into a free AI tool on a personal account.

The Bigger Picture

The 2026 DBIR paints a picture of an ecosystem eating itself. Companies outsource more work to vendors, and each vendor is another attack surface. Employees adopt AI tools faster than security teams can evaluate them. Attackers use the same AI to find and exploit vulnerabilities before patches ship.

The fundamentals haven't changed: patch your software, enforce MFA, train your people. But the attack surface has expanded so far beyond your own walls that controlling it requires controlling relationships you don't fully own.

Your vendor's security posture is your security posture. Your employees' personal AI accounts are your data leakage vectors. And the 43 days you take to patch that critical vulnerability? Attackers need hours.

22,000 breaches. 145 countries. The only question left is whether yours is in next year's report.

Sources

  1. Help Net Security: "Verizon DBIR: Vulnerability exploitation is the dominant initial access vector" (May 2026)
  2. Help Net Security: "Lessons for organizations from the Verizon 2026 DBIR" (May 2026)
  3. Push Security: "What the Verizon DBIR tells us about breaches in 2026" (May 2026)
  4. Malwarebytes: "Millions of students' personal data stolen in major education breach" (May 2026)
  5. SharkStriker: "May 2026 Data Breaches: List Major Incidents & Latest Updates" (May 2026)
  6. Kiteworks: "Verizon DBIR 2026: Shadow AI Now a Top Insider Threat" (May 2026)
  7. Verizon: 2026 Data Breach Investigations Report (May 2026)