The 19th Verizon Data Breach Investigations Report (DBIR) contains worrying, if not surprising, details about how hackers are coming up with unique ways to compromise corporate networks. For DBIR 2026, Verizon security experts analysed over 31,000 real-world security incidents and 22,000 confirmed breaches across 145 countries.
They found that using artificial intelligence (AI) to fast-track malicious activities has been a raging trend throughout the coverage duration of their report’s dataset, which covers incidents from October 2024 to November 2025 and some early trends from 2026.
The death of the stolen password
It is the first time in DBIR’s 19-year history that researchers found exploiting software vulnerabilities overtaking usage of stolen credentials to become the top-most preferred way hackers gain initial access to a network.
Reportedly, this specific technique caused 31% of all breaches. Previously, hackers took months to weaponise a newly discovered software bug, whereas now, through generative AI (GenAI), they can conduct vulnerability research quickly. This means GenAI has shrunk the defensive window down to a few hours.
Another crucial finding is that while users are still learning to spot standard email phishing, scammers have moved to mobile phones, with interactive social engineering attacks becoming the norm. Research revealed that using voice calls and text messages boasts a 40% higher success rate compared to traditional email phishing. And, once inside an endpoint system, hackers use OS credential dumping, specifically LSASS memory dumping, to obtain higher permissions.
Shadow AI and laptop farms
Internal corporate habits are also causing data exfiltration risks, as the report (PDF) states that employee use of unapproved shadow AI tools tripled in a single year- from 15% to 45% of the workforce. Staff regularly upload corporate data and source code into unauthorised external models. At the same time, third-party supply chain breaches surged by 60%, meaning vendor vulnerabilities now account for 48% of all breaches.
The dataset highlighted a massive identity fraud campaign attributed to North Korean threat actors involving the use of around 15,000 stolen identities to pass technical interviews and land remote full-stack engineering and marketing jobs. They operated through regional laptop farms run by local accomplices with the intention to send earned money back home to fund state operations.
Researchers finally conclude that automated threats are rising since internet traffic from AI bot internet crawlers is increasing by 21% month-over-month. In comparison, human web traffic growth is at 0.3%. As the report concludes, “The threat landscape will keep evolving, but the fundamentals still matter most.”
Industry Experts on the 2026 Verizon Data Breach Investigations Report
Several industry leaders shared their thoughts on the findings with Hackread.com, detailing how corporate security teams must adapt to machine-speed threats.
Matthew Hartman, Chief Strategy Officer at Merlin Group, agrees that the traditional timeline for network defense has collapsed completely: “Today’s Verizon DBIR confirms what security teams are already experiencing: AI has compressed the time between vulnerability discovery and exploitation from months to hours. Companies can’t defend against that reality with periodic assessments and siloed tools.”
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, views the landmark data as an economic shift rather than a technical fluke: “The DBIR’s 19-year credential streak ending is not primarily a credential story; it is an economics story. AI is making vulnerability discovery and weaponization so fast and cheap that attackers no longer need a stolen password when a known, unpatched flaw gets them in faster.”
Ford emphasizes that “point-in-time testing cannot keep pace with machine-speed exploitation,” and that the rise of shadow AI represents a massive internal coverage gap most enterprises remain blind to.
Mika Aalto, Co-Founder and CEO at Hoxhunt, adds that building a resilient internal posture requires blending technical hygiene directly with behavioral changes: “The DBIR’s message this year is refinement, not revolution. AI is accelerating threats, but the organizations that will stay resilient are still the ones executing well on fundamentals: patching, incident response, identity management, and increasingly, security culture.“
