
Verizon's 2026 DBIR: Vulnerability Exploits Now Top Breach Cause

Huma Shazia | 5 June 2026 at 8:07 pm | 7 min read

Key Takeaways

Source: BleepingComputer
  • Vulnerability exploitation now accounts for 31% of breaches, a 55% increase year-over-year, overtaking stolen credentials as the top initial access vector.
  • 67% of users access AI services through personal accounts on corporate devices, with 23% of sensitive AI uploads bypassing corporate DLP policies entirely.
  • 63% of Microsoft-themed phishing sites evade detection by traditional tools, highlighting a critical visibility gap in browser-layer threats.

Verizon's 2026 Data Breach Investigations Report marks a turning point: for the first time in the report's 19-year history, vulnerability exploitation has overtaken stolen credentials as the leading cause of initial access in breaches. Vulnerability exploits now account for 31% of all breaches, a 55% jump from the previous year.

The shift signals that attackers are finding it more effective to exploit unpatched software than to phish credentials. The median time-to-patch for critical vulnerabilities has stretched to 43 days, giving attackers a comfortable window to scan for and exploit known flaws.

Shadow AI Is Now a Top Three Insider Risk

Shadow AI usage jumped into the top three non-malicious insider actions in DLP datasets, a fourfold increase from last year. The DBIR found that 67% of users access AI services on corporate devices through personal, non-corporate accounts. 45% of employees are now regular AI users.

The problem is not malicious intent. Employees paste internal documents or source code into ChatGPT because it's faster than waiting for IT to approve a governed alternative. Over half of AI prompt inputs go to personal accounts, and 23% of sensitive uploads transit through personal or unverified accounts, completely outside corporate DLP policy or logging.

Figure 9 from the Verizon 2026 DBIR showing the rise of shadow AI usage in enterprise environments.

Keep Aware, a contributor to the 2026 DBIR, provided browser telemetry that revealed the scale of this gap. Their data shows 15% of corporate users have unauthorized, data-exfiltrating AI browser extensions installed. These extensions operate entirely inside the browser, invisible to network and endpoint tools.

Credential Abuse Shifts to the Browser

The DBIR found that 39% of breaches still involve credential abuse. Keep Aware's attack data from 2025 puts browser-based credential theft as the number one browser-based attack, accounting for 41% of observed threat activity. The convergence is clear: credential theft is happening inside the browser, where traditional tooling has limited visibility.

Keep Aware's analysis found that 63% of Microsoft-themed phishing sites were not flagged by any vendor blocklist or endpoint tool. Session hijacking and malicious extensions operate at the browser layer, below the detection threshold of network and endpoint security.

The browser has effectively become the primary operating system for the modern workforce, and attackers have finally shifted their center of gravity to match.

— Keep Aware Security Researcher

A lead analyst for the 2026 DBIR put it bluntly: "We are seeing a profound convergence: network and endpoint tools are blind to the sophisticated session hijacking and malicious extensions operating inside the browser environment."

The Patching Crisis

The 43-day median time-to-patch reflects a broader slowdown in security maintenance. Hacker News discussions focused heavily on the patching crisis, with many practitioners questioning whether it's realistic to reduce that window in complex enterprise environments with legacy infrastructure and limited security staff.

The report does not break down why patching has slowed, but the implication is clear: attackers are moving faster than defenders. Vulnerability exploitation works because patches arrive too late.
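To compare your own estate against the 43-day figure, the sketch below computes median time-to-patch for critical findings. It is an added example, not code or methodology from the DBIR; the record layout, the `VULN-*` placeholders, the dates and the choice to count still-open findings at their current age are all assumptions made here.

```python
from datetime import date
from statistics import median

BENCHMARK_DAYS = 43          # median time-to-patch quoted in the article
AS_OF = date(2026, 4, 1)     # constructed reporting date

# Constructed critical findings (not real data):
# (asset, placeholder id, date detected, date patched or None if still open)
FINDINGS = [
    ("web-01",     "VULN-A", date(2026, 1, 5),  date(2026, 1, 19)),
    ("web-02",     "VULN-A", date(2026, 1, 5),  date(2026, 3, 1)),
    ("db-01",      "VULN-B", date(2026, 2, 10), date(2026, 2, 20)),
    ("vpn-01",     "VULN-C", date(2026, 2, 1),  None),
    ("legacy-erp", "VULN-D", date(2025, 12, 1), None),
]

def patch_latency_report(findings, as_of, benchmark=BENCHMARK_DAYS):
    """Median days-to-patch, with and without still-open findings."""
    closed, exposure, overdue_open = [], [], []
    for asset, vuln, detected, patched in findings:
        if patched is not None:
            days = (patched - detected).days
            closed.append(days)
        else:
            # Open finding: its age so far is a lower bound on its final
            # time-to-patch, so the resulting median is a lower bound too.
            days = (as_of - detected).days
            if days > benchmark:
                overdue_open.append((asset, vuln, days))
        exposure.append(days)
    return {
        # Closed-only medians look good when the hard systems never close.
        "median_closed_only": median(closed) if closed else None,
        "median_with_open": median(exposure) if exposure else None,
        "overdue_open": sorted(overdue_open, key=lambda r: -r[2]),
    }

if __name__ == "__main__":
    for key, value in patch_latency_report(FINDINGS, AS_OF).items():
        print(key, value)
```

On this sample the closed-only median sits well under the benchmark while the median that includes open findings exceeds it, which is the gap a ticket-closure dashboard hides.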

Infostealer-to-Ransomware Pipeline

On Reddit's r/cybersecurity, practitioners highlighted the "infostealer-to-ransomware" pipeline as the most difficult vector to defend against without robust session management. Browser-based credential theft feeds directly into ransomware campaigns, because stolen session tokens grant attackers authenticated access without triggering MFA.

This attack chain is invisible to traditional tools that monitor network traffic or endpoint behavior. The credential theft happens in the browser. The session token is valid. The attacker looks like a legitimate user.
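Because a replayed token is valid, the signal defenders can act on is context drift: the same session appearing from a client that never completed MFA. The following is an added detection sketch, not taken from the DBIR or Keep Aware; the log schema, field names and event labels are assumptions, and the records are constructed.

```python
import ipaddress
import json

# Constructed access-log sample (not real data), one JSON record per line.
SAMPLE_LOG = """\
{"ts":"09:00","session":"s-aaa","user":"alice","ip":"198.51.100.10","ua":"Chrome/Windows","event":"login_mfa"}
{"ts":"09:05","session":"s-aaa","user":"alice","ip":"198.51.100.10","ua":"Chrome/Windows","event":"request"}
{"ts":"09:10","session":"s-bbb","user":"bob","ip":"192.0.2.20","ua":"Edge/Windows","event":"login_mfa"}
{"ts":"09:12","session":"s-bbb","user":"bob","ip":"192.0.2.45","ua":"Edge/Windows","event":"request"}
{"ts":"09:30","session":"s-aaa","user":"alice","ip":"203.0.113.77","ua":"Firefox/Linux","event":"request"}
{"ts":"09:31","session":"s-aaa","user":"alice","ip":"198.51.100.10","ua":"Chrome/Windows","event":"request"}
{"ts":"09:40","session":"s-bbb","user":"bob","ip":"203.0.113.9","ua":"Edge/Windows","event":"request"}
{"ts":"09:45","session":"s-ccc","user":"carol","ip":"192.0.2.99","ua":"Safari/macOS","event":"request"}
"""

def client_network(ip):
    """Coarse network for an address: /24 for IPv4, /48 for IPv6."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_replayed_sessions(log_text):
    """Flag session use from a context other than the one that authenticated."""
    bound = {}       # session id -> (network, user agent) bound at MFA login
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sid = rec["session"]
        ctx = (client_network(rec["ip"]), rec["ua"])
        # Bind on MFA login, or on first sighting if the login predates the log.
        if rec["event"] == "login_mfa" or sid not in bound:
            bound[sid] = ctx
            continue
        net_changed = ctx[0] != bound[sid][0]
        ua_changed = ctx[1] != bound[sid][1]
        if not (net_changed or ua_changed):
            continue
        # Both changed: likely a different machine. One changed: roaming or update.
        severity = "high" if net_changed and ua_changed else "review"
        findings.append({"session": sid, "user": rec["user"], "ts": rec["ts"],
                         "ip": rec["ip"], "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_LOG):
        print(finding)
```

A "high" finding is a natural trigger for revoking the session and forcing re-authentication; "review" covers ordinary roaming, which is why the check compares networks rather than exact addresses.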

Logicity's Take

What This Means for Security Teams

The convergence between DBIR data and Keep Aware's browser telemetry points to a clear gap: if you don't have visibility into what's happening inside the browser, you're blind to the initial access vectors that now drive the majority of breaches.

Security teams need to answer three questions: How long does it take us to patch critical vulnerabilities? What AI tools are employees using on personal accounts? What credential theft activity is happening in the browser that our current tools can't see?

The report does not prescribe solutions, but the diagnosis is unambiguous: attackers are living in the browser, and traditional security architecture was not built to see them there.

Frequently Asked Questions

Why did vulnerability exploitation overtake credential theft in the 2026 DBIR?

The median time to patch critical vulnerabilities has stretched to 43 days, giving attackers a comfortable window to scan for and exploit known flaws. Attackers are finding it more efficient to exploit unpatched software than to phish credentials, especially as MFA adoption has risen.

What is shadow AI and why is it a security risk?

Shadow AI refers to employees using AI tools like ChatGPT through personal accounts on corporate devices, outside IT's visibility or control. The DBIR found 67% of users do this, and 23% of sensitive uploads bypass corporate DLP policies entirely, creating an unmonitored data loss channel.

Why can't traditional security tools detect browser-based credential theft?

Browser-based attacks like session hijacking and malicious extensions operate at the browser layer, below the detection threshold of network and endpoint tools. Keep Aware found that 63% of Microsoft-themed phishing sites evade vendor blocklists and endpoint detection.

How are infostealers linked to ransomware attacks?

Infostealers harvest browser session tokens, which give attackers authenticated access without triggering MFA. These stolen sessions feed directly into ransomware campaigns, allowing attackers to move laterally and deploy ransomware while appearing to be legitimate users.

What should security teams do about the 43-day median patch time?

Organizations need to prioritize patch management resources, automate where possible, and implement compensating controls like network segmentation and exploit detection for systems that can't be patched quickly. The DBIR data suggests that slow patching is now the top exploitable weakness attackers rely on.

Huma Shazia

Senior AI & Tech Writer
