TL;DR
- Stolen credentials appear in 39% of all breaches and remain the primary method attackers use to move laterally, escalate privileges, and monetize access after initial entry.
- 73% of ransomware victims experienced an infostealer infection or credential leak within the year before their attack, with 50% occurring within 95 days of the ransomware incident.
- Third-party involvement in breaches jumped 60% year over year to 48% of all breaches, with most incidents traced to authentication failures like missing multi-factor authentication (MFA) rather than technical exploits.
- Mobile-centric phishing attacks via SMS and voice have a 40% higher success rate than traditional email phishing, and phishing-as-a-service (PhaaS) platforms are making these attacks easier to launch.
- MFA protects only the login event while session tokens and OAuth credentials allow attackers to bypass authentication entirely, as demonstrated by multiple 2025 incidents including CitrixBleed 2 and Device Code Authentication phishing.
- AI-assisted attacks primarily scale and automate existing techniques rather than create novel attack methods, with 44% of AI-assisted initial access techniques being phishing-related.
Every year, the Verizon Data Breach Investigations Report lands with the weight of hard truth. The 2026 edition – its 19th – is the biggest yet: more than 31,000 incidents and 22,000 confirmed breaches across 145 countries. It’s a lot to parse.
At SpyCloud, we cut through the volume (of this report and of darknet data) to surface the findings that matter most for security teams focused on identity threats, ransomware prevention, and stopping attackers before they turn stolen access into a full-blown attack.
Here’s what stood out:
- 39% of all breaches involve stolen credentials, the primary method for lateral movement
- 73% of ransomware victims had a prior infostealer infection or credential leak
- 48% of all breaches involve a third party (a 60% YoY increase)
- Mobile-centric attacks have a 40% higher success rate than email phishing
About the 2026 Verizon Data Breach Investigations Report (DBIR)
The 2026 report analyzes data from November 2024 through October 2025, with forward-looking commentary on AI-augmented threats observed through early 2026. The dataset covers more than 22,000 confirmed breaches – the most the report has ever examined in a single edition. As Verizon notes, that’s not a celebration; it reflects the scale of a threat landscape that keeps growing.
Who's behind the breaches?
The actor breakdown is familiar: external threat actors dominate, responsible for the vast majority of breaches. Internal actors appeared in 12% of breaches this year – down from 18% in 2025, but still enough to require attention.
What’s notable is why insider incidents are so damaging when they do occur. Employees have legitimate access, know the environment, and are harder to detect in real time. The most common motive for insider misuse this year was convenience (60%), followed by financial gain (33%). “Convenience misuse” – like emailing company files to a personal account to work from home – is a growing and often underdetected category that expands data exposure before security teams have the context to act on it.
For external actors, financial motivation still drives the overwhelming majority of breaches, with espionage-motivated attacks (12%) concentrated in System Intrusion, the pattern that accounts for ransomware and nation-state campaigns alike.
Credentials are still the connective tissue of every breach
The initial access headline this year belongs to vulnerability exploitation, which rose to 31% – a 55% increase over last year – officially unseating credential abuse at the top of the chart for the first time. But here’s the nuance the DBIR is careful to make: that’s only first contact.
When you look at credential abuse across the entire attack chain – not just initial access – it still appears in 39% of all breaches. Attackers gain a foothold through an unpatched vulnerability, then immediately pivot to credential dumping, password harvesting, and privilege escalation. Stolen credentials are how they move laterally, escalate privileges, and ultimately monetize access.
A few data points make this concrete:
- In System Intrusion breaches, ‘Use of stolen credentials’ and ‘Exploit vulnerabilities’ are tied at 39% each – making them complementary attack paths.
- In Basic Web Application Attacks, stolen credentials remain the top action, sourced from phishing, infostealers, or prior breach data bought on criminal markets.
- 4% of Active Directory (AD) user accounts are using passwords that have already been compromised elsewhere – and users are more than four times more likely to use an already-compromised password than a technically "weak" one.
- 6% of AD accounts are reusing passwords, giving attackers exactly what they bank on when cracking harvested hashes.
Source: Verizon 2026 Data Breach Investigations Report
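As an added illustration of the distinction the DBIR draws between a technically "weak" password and an already-compromised one (example code written for this post, not from Verizon or SpyCloud): a Python checker that applies a conventional complexity rule alongside a lookup against an exposure corpus, using the k-anonymity range-query pattern in which the client sends only the first five hex characters of a SHA-1 hash and compares suffixes locally. The exposure corpus, the four directory accounts, and the use of SHA-1 (as a stand-in for the NT hashes an AD audit would actually compare) are all constructed assumptions.

```python
from __future__ import annotations

import hashlib
import re
from collections import Counter

# Constructed stand-in for a corpus of already-exposed passwords (in practice a
# breach or infostealer feed). Stored as SHA-1 hex so the checker never holds plaintext.
_CONSTRUCTED_EXPOSED = ["Summer2024!", "P@ssw0rd123", "Welcome1!", "Company2025$"]
EXPOSED_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_EXPOSED}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> set[str]:
    """Server side of a k-anonymity range query: given the first 5 hex characters of a
    hash, return the suffixes of every exposed hash sharing that prefix. The full hash
    never leaves the client, so the lookup service learns nothing usable."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in EXPOSED_HASHES if h.startswith(prefix)}


def is_exposed_hash(digest: str) -> bool:
    """Client side: fetch the bucket for our prefix and compare suffixes locally."""
    return digest[5:] in range_lookup(digest[:5])


def is_technically_weak(password: str) -> bool:
    """A typical complexity policy: at least 12 characters and three of four classes."""
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return len(password) < 12 or classes < 3


def evaluate(password: str) -> dict[str, bool]:
    """A password can pass every complexity rule and still be exposed; both must be checked."""
    return {"weak": is_technically_weak(password), "exposed": is_exposed_hash(sha1_hex(password))}


def audit_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """accounts maps account name -> password hash. Flags accounts whose hash is in the
    exposure corpus and accounts sharing a hash with another account (password reuse)."""
    exposed = [name for name, digest in accounts.items() if is_exposed_hash(digest)]
    occurrences = Counter(accounts.values())
    reused = [name for name, digest in accounts.items() if occurrences[digest] > 1]
    return {"exposed": sorted(exposed), "reused": sorted(reused)}


# Constructed directory extract: four accounts, two of which share a password.
CONSTRUCTED_ACCOUNTS = {
    "alice": sha1_hex("Summer2024!"),      # exposed
    "bob": sha1_hex("Tr0ub4dor&3xyz"),     # reused with carol
    "carol": sha1_hex("Tr0ub4dor&3xyz"),
    "dave": sha1_hex("Welcome1!"),         # exposed
}

if __name__ == "__main__":
    print(evaluate("Company2025$"))        # passes complexity, but already exposed
    print(audit_accounts(CONSTRUCTED_ACCOUNTS))
```

The point the audit makes is the one in the list above: "Company2025$" satisfies a 12-character, three-class policy and would never be flagged as weak, yet it is already in the exposure corpus, while the reuse check catches accounts that share a hash even when neither password is known to be exposed.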
This aligns closely with what SpyCloud observes in recaptured darknet data. Our 2026 Identity Exposure Report found 5.3 billion credential pairs circulating in criminal underground sources last year, with 4 in 10 corporate users having reused an exposed password. A single exposed password rarely travels alone – it’s captured alongside session cookies, application tokens, and PII that make downstream attacks far more effective.
The infostealer-to-ransomware pipeline: Now with data
SpyCloud has been documenting the connection between infostealer infections and downstream ransomware attacks for years. The 2026 DBIR now has the data to prove it at scale.
Verizon analyzed a wider collection of ransomware victims to determine how many had infostealer infections or credential leaks in the period before the attack. The results are striking:
- 73% of ransomware victims had an associated infostealer infection or credential leak event in the year prior to the attack.
- Of those, 50% experienced that credential event within 95 days of the ransomware attack.
- Small organizations in the dataset had a median of 7 credential leak events per year. Larger organizations faced a median of 20.
Source: Verizon 2026 Data Breach Investigations Report
The mechanism matters here. By outsourcing initial access to infostealers and initial access brokers (IABs), ransomware operators focus exclusively on lateral movement, privilege escalation, and payload delivery. IABs sell that access on criminal markets – non-privileged account access for around $700, admin access for around $1,300 – with VPN credentials making up 44% of IAB offerings. Admin accounts command nearly double the price specifically because they bypass the privilege escalation step entirely.
The 95-day window is the critical insight for defenders. For the majority of ransomware victims, there was a detectable warning signal in advance – infostealer-sourced credentials circulating on criminal infrastructure – before the ransomware struck. SpyCloud’s own research reinforces the scale of the problem: in 2025, we recaptured data from 13.2 million infostealer infections, exposing an average of 50 credentials per infection. Notably, 40% of those infections occurred on endpoints with EDR or antivirus tools installed – meaning traditional endpoint defenses aren’t closing the window on their own. That 95-day window is where post-infection remediation is vital.
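To show how a security team might operationalize the 95-day window described above, here is an added Python triage routine (written for this post; it is not SpyCloud's product logic or code from the DBIR). It takes a feed of credential exposure events, drops anything outside the one-year lookback the report used, flags events inside the 95-day precursor window, and maps the artifacts exfiltrated in each event to the remediation steps that actually close it. The event feed, the field names, and the reference date are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# DBIR figures quoted in this post: half of ransomware victims had a credential event
# within 95 days of the attack; the lookback used was one year.
PRECURSOR_WINDOW_DAYS = 95
LOOKBACK_DAYS = 365


@dataclass(frozen=True)
class ExposureEvent:
    user: str
    kind: str              # "infostealer" or "leak"
    observed: date         # when the record was recaptured / first seen
    artifacts: frozenset   # subset of {"password", "cookie", "token"}


def remediation_actions(event: ExposureEvent) -> list[str]:
    """Map what was exfiltrated to the actions that close the exposure.
    A password reset alone leaves stolen cookies and tokens usable."""
    actions = ["reset_password"]
    if event.artifacts & {"cookie", "token"}:
        actions.append("revoke_sessions_and_tokens")
    if event.kind == "infostealer":
        actions.append("contain_and_clean_endpoint")
    return actions


def triage(events: list[ExposureEvent], today: date) -> list[dict]:
    """Order exposures so those inside the 95-day precursor window come first,
    most recent first; drop anything outside the one-year lookback."""
    rows = []
    for ev in events:
        age = (today - ev.observed).days
        if age < 0 or age > LOOKBACK_DAYS:
            continue
        rows.append({
            "user": ev.user,
            "kind": ev.kind,
            "age_days": age,
            "in_window": age <= PRECURSOR_WINDOW_DAYS,
            "actions": remediation_actions(ev),
        })
    rows.sort(key=lambda r: (not r["in_window"], r["age_days"]))
    return rows


# Constructed feed (not real recaptured data) and a constructed reference date.
CONSTRUCTED_EVENTS = [
    ExposureEvent("alice", "infostealer", date(2025, 12, 20), frozenset({"password", "cookie"})),
    ExposureEvent("bob", "leak", date(2025, 9, 1), frozenset({"password"})),
    ExposureEvent("carol", "infostealer", date(2025, 10, 20), frozenset({"password", "token"})),
    ExposureEvent("dave", "leak", date(2024, 6, 1), frozenset({"password"})),  # outside lookback
]
REFERENCE_DATE = date(2026, 1, 15)

if __name__ == "__main__":
    for row in triage(CONSTRUCTED_EVENTS, today=REFERENCE_DATE):
        print(row)
```

Run against the constructed feed, alice (26 days) and carol (87 days) land inside the window and are queued first, bob (136 days) is retained but deprioritized, and dave's two-year-old leak is dropped from the working set. The infostealer events carry endpoint and session-revocation actions because those infections exfiltrate cookies and tokens, not just passwords.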
Ransomware keeps growing – but resilience is building
Ransomware appeared in 48% of all breaches – up from 44% last year and the highest figure in DBIR history. System Intrusion, the pattern dominated by ransomware, now accounts for 60% of all breaches, up from 53% the year prior.
But the monetization picture tells a more nuanced story.
The median ransom payment dropped to $139,875, continuing a downward trend from $150,000 the year before. 69% of ransomware victims did not pay – up from 65% in 2025 – and that rate is rising even among victims with encrypted assets.
The DBIR’s conclusion is that the ransomware market is in slow decline – margin compression from improved victim resilience and attacker competition alike. The “not paid” trend is a signal that defensive investments are working. Addressing the infostealer pipeline upstream of ransomware is a direct contributor to that resilience.
Third-party risk: A 60% jump that demands a different approach
Third-party involvement in breaches grew 60% year over year, reaching 48% of all breaches – after having already doubled the year before. That trajectory is no longer a trend to monitor; it’s a structural feature of the threat landscape.
The DBIR traces the root causes clearly. The majority of high-profile cloud-based, third-party incidents in 2025 came down to insecure authentication – missing or misconfigured MFA, improper credential rotation – and lack of least-privilege enforcement.
The numbers back it up: Only 23% of third-party organizations fully remediated missing or misconfigured MFA on cloud accounts. 37% of organizations had an admin account with MFA disabled on an infrastructure-as-a-service (IaaS) offering. For weak passwords and permission misconfigurations in third-party cloud environments, the time to resolve 50% of findings was almost 8 months.
Third-party risk is identity risk. The credentials, service accounts, and session tokens that flow between organizations and their vendors represent an attack surface that’s only as secure as the weakest link in the chain. SpyCloud’s Supply Chain Threat Protection monitors that surface continuously, surfacing exposed credentials and infostealer-sourced data tied to your vendor ecosystem before attackers can use it.
Phishing is getting harder to catch
Phishing remains the most common social attack vector – but it’s evolving in ways that make traditional email-focused defenses increasingly insufficient.
- 41% of Social Engineering breaches involve vectors beyond email – phones, social media, and voice.
- Mobile-centric phishing (SMS and voice) has a median click rate 40% higher than traditional email phishing simulations.
- Large organizations face a median of 48 SMS-based phishing attempts per year targeting corporate mobile devices – roughly one every 8 days.
- Pretexting – synchronous, voice-based attacks where an attacker actively impersonates IT help desk, HR, or leadership – has emerged as a significant ransomware initial access vector, appearing in 6% of all breaches.
SpyCloud recaptured 28.6 million phished identity records last year – and nearly half of those victims were corporate users. Modern phishing datasets increasingly contain more than just credentials; many include session cookies, authentication tokens, and MFA workflow data, allowing attackers to assume authenticated sessions without triggering traditional alerts. Our 2025 Identity Threat Report found phishing became the leading entry point for ransomware delivery in 2025, jumping 10 points year over year. PhaaS platforms like Tycoon 2FA, FlowerStorm, and Darcula – which use adversary-in-the-middle (AiTM) techniques to steal MFA tokens and session cookies – are only making these attacks more accessible.
Whatever the delivery mechanism, phishing’s ultimate output is the same: stolen credentials and session tokens that fuel every downstream attack we’ve discussed throughout this post.
MFA is.not.enough. Full stop.
Authentication bypass is the new frontier. One of the most important threads running through the 2026 DBIR is a pattern documented across the full year-in-review. Authentication bypass, via session tokens, OAuth credentials, and identity-layer attacks, is making MFA increasingly insufficient on its own.
The 2025 incidents lay it out clearly:
- January: Chrome extension hijacking (2.6M users impacted)
- July: CitrixBleed 2 (CVE-2025-5777) session token leaks
- August: Compromised Salesloft Drift OAuth tokens used for Salesforce pivots
The DBIR also notes that service accounts and machine identities are a growing priority target, with the report calling these out as the assets “most likely to be leveraged in our potential agentic AI future.”
MFA protects the login event. It does nothing to protect the authenticated session that follows it. Last year we recaptured 8.6 billion stolen session cookies circulating in criminal underground sources. Those cookies represent live, post-authentication access that bypasses every MFA control an organization has in place. That’s exactly what Session Identity Protection is built to address – recapturing stolen session objects from criminal infrastructure and invalidating them before attackers can use them.
AI: Real, documented, and already scaling
The DBIR took a harder look at AI-assisted attacks this year, partnering with Anthropic to analyze data from 793 threat actors who received enforcement action for violating acceptable use policies between March 2025 and February 2026.
The findings reframe the AI threat in useful terms.
In the median case, threat actors used AI assistance across 15 distinct MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) techniques. In extreme cases, actors queried for 40 to 50 techniques – using AI as a co-developer across the full attack chain. 44% of AI-assisted initial access techniques were phishing-related, and 32% were related to vulnerability exploitation. The median AI-assisted technique already had 55 existing known malware tools performing the same function. Fewer than 2.5% of AI-assisted techniques were classified as genuinely rare or novel.
The DBIR’s honest conclusion is that AI’s primary current impact is operational – automating and scaling techniques defenders already know how to detect, not unlocking novel attack surfaces. That said, the democratization effect matters. Less-sophisticated actors are now executing campaigns that previously required real expertise, and the baseline of what can be achieved at low cost keeps rising.
On the defensive side, there’s a growing blind spot: 67% of employees are accessing AI services on corporate devices through non-corporate accounts, and 45% are now regular AI users on corporate devices – up from just 15% last year. Shadow AI is now the third most common non-malicious insider DLP event, a fourfold increase year over year. More than 15% of corporate users have unauthorized AI browser extensions installed – extensions that often silently collect browsing context, including sessions on internal systems. That’s essentially equivalent to an infostealer installed with user consent.
SpyCloud’s own research found 6.2 million credentials and authentication tokens for AI tools circulating in criminal underground sources in 2025. As AI tools become more deeply embedded in enterprise workflows, the credentials and tokens that authenticate into them become increasingly high-value targets.
Key takeaways for security teams
This year’s Verizon DBIR tells a consistent story beneath all the individual statistics: identity is the throughline of every major threat pattern.
Vulnerability exploitation gets attackers through the door. Stolen credentials move them through the house. Infostealers feed the ransomware pipeline with a three-month head start. Third-party authentication failures become your breach. Session tokens and OAuth credentials let attackers stay long after MFA has fired. And AI is making all of it faster and more accessible to a broader range of threat actors.
Here are some practical priorities the data points to for all security teams:
- Treat infostealer exposure as a ransomware precursor. The 95-day window is actionable intelligence. If your employees' credentials are in infostealer logs, the clock is running.
- Post-infection remediation goes beyond password resets. Infostealers capture credentials, session cookies, authentication tokens, and device fingerprints. Resetting a password doesn't invalidate an active session. Full remediation requires addressing everything that was exfiltrated.
- Monitor your vendor ecosystem as if it were your own environment. Third-party breaches are at 48% and still climbing. The authentication failures at your vendors are your exposure.
- MFA is necessary but not sufficient. Authentication bypass via session tokens, OAuth credentials, and Device Code phishing are all documented, active techniques. Protecting the login event is not the same as protecting what comes after it.
- Phishing defenses need to reach beyond email. Voice, SMS, and social media are now documented attack surfaces with measurably higher success rates, and PhaaS platforms are lowering the barrier to launch them at scale.
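The two takeaways above about sessions ("MFA protects the login event" and "Resetting a password doesn't invalidate an active session") come down to how a session store is built. The following is an added Python model written for this post (not SpyCloud's or any real application's code): a deliberately naive store in which MFA gates login and a password reset touches only the password record, beside a hardened store in which each account carries a credential generation that is bumped on reset, so every session issued before remediation is rejected. The account names, passwords, and the replay scenario are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class NaiveSessions:
    """Before: a session is a random id mapped to a user. MFA is checked at login only,
    and the reset path touches the password record and nothing else."""

    def __init__(self) -> None:
        self.users: dict = {}
        self.sessions: dict = {}

    def create_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "hash": _hash_password(password, salt)}

    def login(self, user: str, password: str, mfa_passed: bool) -> str | None:
        rec = self.users.get(user)
        if rec is None or not mfa_passed:
            return None
        if not hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"])):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self.sessions

    def reset_password(self, user: str, new_password: str) -> None:
        self.create_user(user, new_password)  # sessions untouched: a stolen cookie still works


class HardenedSessions(NaiveSessions):
    """After: each user carries a credential generation and every session records the
    generation it was issued under. Remediation bumps the generation, so any session or
    token issued before it (including ones an infostealer exfiltrated) is rejected."""

    def create_user(self, user: str, password: str) -> None:
        gen = self.users.get(user, {}).get("gen", 0)  # preserve generation across resets
        super().create_user(user, password)
        self.users[user]["gen"] = gen

    def login(self, user: str, password: str, mfa_passed: bool) -> str | None:
        sid = super().login(user, password, mfa_passed)
        if sid is not None:
            self.sessions[sid] = (user, self.users[user]["gen"])
        return sid

    def is_valid(self, sid: str) -> bool:
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        user, gen = entry
        return gen == self.users[user]["gen"]

    def reset_password(self, user: str, new_password: str) -> None:
        super().reset_password(user, new_password)
        self.users[user]["gen"] += 1  # everything issued before this moment is now stale
        self.sessions = {s: v for s, v in self.sessions.items() if v[0] != user}


def replay_after_reset(store_cls) -> bool:
    """Constructed scenario: user logs in with MFA, the cookie is exfiltrated, the password
    is reset, and the old cookie is presented again. Returns whether it is still accepted."""
    store = store_cls()
    store.create_user("alice", "correct horse battery staple")
    stolen = store.login("alice", "correct horse battery staple", mfa_passed=True)
    store.reset_password("alice", "new password after remediation")
    return store.is_valid(stolen)


if __name__ == "__main__":
    print("naive store still accepts stolen cookie:", replay_after_reset(NaiveSessions))
    print("hardened store still accepts stolen cookie:", replay_after_reset(HardenedSessions))
```

The generation counter is the important design choice: it invalidates every session, refresh token, or API token tied to the old generation in one step, without needing to enumerate where each copy went, which is exactly what post-infection remediation requires when the infostealer log held more than a password.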
SpyCloud recaptures stolen data – cookies, session tokens, credentials, and identity artifacts – directly from criminal infrastructure and infostealer logs, successful phishes, combolists and breaches, and turns it into automated remediation before attackers have the chance to use it.
SpyCloud helps enterprises worldwide protect billions of accounts and stop identity-driven attacks before they start. To see insights on your organization’s exposed data, check your exposure now.
FAQs
SpyCloud continuously recaptures breach data, infostealer logs, and phished records from criminal underground sources and automatically surfaces exposed credentials tied to your employee or customer population – giving security teams actionable intelligence before attackers can use it.
The Verizon Data Breach Investigations Report is one of the most comprehensive annual analyses of confirmed breach data available, drawing on tens of thousands of incidents across more than 100 countries. For enterprise security teams, it provides empirically grounded benchmarking on how attackers are gaining access, what industries are most targeted, and which defensive investments are – and aren’t – paying off.
According to the 2026 Verizon DBIR, the median ransomware payment dropped to $139,875 – down from $150,000 the prior year – with 69% of victims opting not to pay. The report attributes improving victim resilience partly to more mature incident response capabilities and, critically, to addressing identity-based attack precursors like infostealer infections earlier in the attack lifecycle.
The DBIR’s finding that 73% of ransomware victims had an infostealer infection or credential leak event in the year prior to their attack – with 50% occurring within 95 days – transforms what previously looked like background noise into a measurable early warning signal. For security teams, this validates treating infostealer exposure as a ransomware precursor and prioritizing post-infection remediation that goes beyond password resets to address all exfiltrated identity artifacts.