Hackers are still trying to trick people to exploit an organization’s systems, but more breaches now with software vulnerabilities
Stolen passwords, or credential abuse, are no longer the top way hackers breach systems, according to Verizon’s latest annual Data Breach Investigations Report (DBIR). Exploitation of software vulnerabilities now accounts for 31% of security incidents analyzed by Verizon.
Credential abuse is now down to 13% of incidents.
Verizon said “vulnerability management is an incredibly important risk mitigation process that needs to exist in virtually every organization, but the headwinds facing organizations implementing it have been discouraging, to say the least.”
“Put quite simply, there are often too many vulnerabilities and not enough time for patching all of them,” Verizon added in the report, adding that just 26% of critical vulnerabilities were fully remediated by organization in 2025. That’s lower than the prior year by 12 percentage points.
Verizon said ransomware grew to account for 48% of all breaches, up from 44% the prior year, though payments continue to decline. Nearly 70% of victims did not pay. Of those that did, the median amount was $139,875 compared with $150,000 the previous year.
In terms of using generative artificial intelligence, threat actors have certainly been dabbling with AI’s capabilities, using the technology in multiple stages of an attack—choosing targets, establishing themselves when inside, identifying vulnerabilities, developing malware, and creating tools to improve efficiency.
“The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50,” Verizon said.
Verizon researchers have seen AI-assisted code in malware and other hacking tools at a greater rate heading into 2026.
“The takeaway from our dataset is that AI’s primary impact is currently operational: automating and scaling techniques defenders already know how to detect, not yet unlocking these novel or rare attack surfaces—which means defensive postures don’t need to be reinvented today, but they do need to keep pace with faster, more adaptive execution,” wrote Verizon, following with, “But who knows? Given the rate of change in AI capabilities, this assessment might be obsolete by the time this report is finally published.”
The most important insurance news,in your inbox every business day.
Get the insurance industry’s trusted newsletter
