
The 2026 DBIR says the quiet part loud: fundamentals still win

by Dave Lewis

June 11, 2026 - 7 min



Every year, the Verizon Data Breach Investigations Report (DBIR) is one of the most hotly-anticipated and widely-read documents in security. And every year includes some surprising stats and reshuffles the top few threat vectors. But longtime readers will notice that the 2026 DBIR features some advice that ought to be familiar to everyone by now: get the basics right. The report’s authors even say that the overarching theme this year is “keeping a strong foundation in the face of change.”

So what does a strong foundation look like? It looks like patching faster, reducing credential reuse, tightening third-party access, and making it harder for attackers to turn one weak login into a company-wide mess. Glamorous? No. Effective? Yes.

Exploits, credentials, and AI: The stories that stood out in the 2026 DBIR

This year’s DBIR analyzes more than 31,000 incidents, including more than 22,000 confirmed breaches across 145 countries. It’s not light reading, unless your idea of a beach read includes ransomware economics, exploit chains, and the occasional donut chart. But diving deep into these topics is worthwhile, because the numbers show both change and stubborn repetition. 

Vulnerability exploitation is surging

In terms of eye-popping statistics, the big story this year is the explosion of vulnerability exploitation, which is now the leading initial access vector for breaches, far exceeding phishing and credential abuse. Only 26% of critical vulnerabilities in the CISA Known Exploited Vulnerabilities catalog were fully remediated in 2025, down from 38% the prior year. Median time to full remediation rose to 43 days, a huge jump from last year’s 32 days. Maybe the scariest part of this whole scenario is that these are pre-Mythos numbers, and security experts are still bracing for an AI-powered hurricane of vulnerabilities.

The report’s authors attribute this escalation to the sheer volume of vulnerabilities organizations had to face, finding that there were roughly 50% more critical vulnerabilities to patch than the year before. But while we can speculate about why there are suddenly so many more vulnerabilities to patch, what’s indisputable is that organizations need to be investing more resources in their patch management efforts. It might be a Sisyphean task, but that doesn’t mean it’s not worth doing.
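The two KEV figures quoted above (share fully remediated, median days to remediation) are easy to track for your own estate. The script below is an added example, not code from 1Password or the DBIR: it takes entries in the shape of CISA’s published KEV JSON feed (the field names cveID, dateAdded and dueDate are assumed from that feed) joined with a locally recorded remediation date, and reports the remediated percentage, the median days from catalog entry to fix, which open items are past CISA’s due date, and which were closed late. The sample records and CVE IDs are constructed placeholders.

```python
"""KEV remediation metrics, computed the way the DBIR reports them."""
from datetime import datetime
from statistics import median

# Constructed sample: KEV entries as CISA publishes them (cveID, dateAdded,
# dueDate), plus a locally tracked "remediated" date; None means still open.
# The CVE IDs are placeholders, not real catalog entries.
SAMPLE_KEV = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "remediated": "2025-02-09"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2025-02-01", "dueDate": "2025-02-22", "remediated": "2025-02-11"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2025-03-05", "dueDate": "2025-03-26", "remediated": None},
    {"cveID": "CVE-0000-0004", "dateAdded": "2025-04-12", "dueDate": "2025-05-03", "remediated": "2025-06-20"},
]


def _day(text):
    """Parse the ISO date strings the feed uses into date objects."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def remediation_summary(entries, as_of):
    """Summarize KEV remediation status as of the given ISO date string.

    Returns a dict with:
      remediated_pct  share of entries with a remediation date
      median_days     median days from dateAdded to remediation (closed items)
      overdue         open entries whose CISA dueDate has already passed
      closed_late     entries fixed after their dueDate
    """
    today = _day(as_of)
    closed_days, overdue, closed_late = [], [], []
    for entry in entries:
        added, due = _day(entry["dateAdded"]), _day(entry["dueDate"])
        fixed = _day(entry["remediated"]) if entry["remediated"] else None
        if fixed is None:
            if today > due:
                overdue.append(entry["cveID"])
            continue
        closed_days.append((fixed - added).days)
        if fixed > due:
            closed_late.append(entry["cveID"])
    return {
        "remediated_pct": (100.0 * len(closed_days) / len(entries)) if entries else 0.0,
        "median_days": median(closed_days) if closed_days else None,
        "overdue": overdue,
        "closed_late": closed_late,
    }


if __name__ == "__main__":
    summary = remediation_summary(SAMPLE_KEV, "2025-07-01")
    print(f"remediated: {summary['remediated_pct']:.0f}%")
    print(f"median days to fix: {summary['median_days']}")
    print(f"open and past due: {summary['overdue']}")
    print(f"closed after due date: {summary['closed_late']}")
```

Swap SAMPLE_KEV for the real feed joined with your ticketing data and run it monthly; a remediated share that stays near the report’s 26% or a median creeping toward 43 days is the signal to put more people on patching, not less.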

Diminishing returns for ransomware

Ransomware remains a dominant pressure point, appearing in 48% of breaches. However, there is some good news: 69% of ransomware victims in the DBIR dataset did not pay, and median payments continued to decline. That suggests resilience work is having an impact. Tested backups, segmentation, access controls, and incident response planning are not exciting cocktail conversations, but they sure beat explaining why the finance share was encrypted by someone named DarkSomething_1997.

Weak links in the supply chain

Third-party risk spiked in this year’s report, and breaches involving third parties rose to 48% of total breaches, a 60% increase from the prior dataset. The report points to familiar causes in cloud and SaaS environments: missing or improperly secured MFA, weak passwords, poor credential rotation, and excessive permissions. This is where security programs often discover that their real perimeter includes vendors, contractors, SaaS apps, service accounts, OAuth tokens, and at least one integration nobody remembers approving.

The report cautions organizations to rein in permissions, writing “...a strong starting point is to focus on the authentication and authorization layers, as those are usually the ones that end up on an organization’s end of the responsibility matrix of cloud environments.” The authors also warn, “We should pay special attention to service and machine accounts, as those will likely be the ones leveraged in our potential agentic AI future.”

Credentials and the “human element”

Even in our ever more automated work environment, the human element is still at the center of many breach stories. It appeared in 62% of breaches, while Social Engineering represented 16% of all breaches. This year, the report separated traditional phishing attacks (which they define as using asynchronous communication like emails) from “pretexting,” where attackers are communicating with victims in real time. Email phishing is still common, but mobile-centric tactics are gaining traction. In simulations, voice and text-based attacks had a median success rate 40% higher than email simulations. Attackers have learned that people make decisions while multitasking, commuting, or staring at a phone between meetings. Corporate security training needs to catch up to this new reality.

And what about passwords? This year credential abuse fell to 13% as the first observed entry point. So at last, we here at 1Password can hang up our spurs and call it a day. Just kidding. While passwords may not be the leading initial attack vector, credential abuse appears in 39% of breaches when measured across the full attack chain, which means attackers have not exactly thrown passwords into the sea. They still love them. Too much, frankly.

The AI of the storm

Naturally, both we and the DBIR would be remiss not to make AI a focal point. The DBIR shows threat actors using GenAI for targeting, initial access, malware development, and tooling. But perhaps the most troubling AI-related risks are coming from inside the house. The 2026 DBIR finds that Shadow AI is rampant: 67% use non-corporate accounts to access AI services on their corporate devices. Worse still, source code was the most common data type submitted to external GenAI tools in the report’s DLP dataset. It seems inevitable that those chickens will come home to roost, possibly in next year’s DBIR.

How 1Password addresses the risks in the DBIR

The DBIR is focused on surfacing the security risks facing organizations. 1Password is focused on addressing those risks across our entire customer spectrum.

For consumers and families, 1Password reduces the blast radius of the credential problems attackers keep exploiting. Watchtower flags breaches, weak passwords, duplicate items, and other security issues in saved items, with checks for reused and weak passwords performed locally on the device. 1Password also supports passkeys across devices, helping people move important accounts away from phishable passwords. Its security model combines the account password with a 128-bit Secret Key to protect account data.

For enterprises, 1Password Unified Access addresses the access sprawl behind many modern breaches. Unified Access governs credentials across humans, AI agents, and machines. It brings together discovery, security, and auditability, with endpoint discovery, centralized credential storage, runtime credential delivery, and unified attribution. Meanwhile, 1Password SaaS Manager lets organizations discover, manage, and optimize spend on their SaaS applications, including the ones outside SSO. That’s a big deal, given that the DBIR recommends deactivating dormant accounts no less than four times.

For developers, 1Password helps remove secrets from places they should never live. The 1Password CLI can load secrets into scripts so credentials stay synced and are not exposed in plaintext. Service Accounts help automate secrets management for applications and infrastructure. Shell Plugins help eliminate API keys stored on disk or in shell profiles. This is practical security for teams that need to ship software without leaving credentials scattered through terminals, repos, and config files like breadcrumbs for criminals.

Put the DBIR’s lessons to work

One of the reasons for the DBIR’s enduring popularity is that it refuses to traffic in snake oil or flavor-of-the-week security fads. Instead, it offers a simple lesson: Defenders should prioritize the controls that interrupt real attack paths.

This week, review your internet-facing systems, require MFA on remote and SaaS access, rotate shared and third-party credentials, inventory AI tools in use, and move developer secrets out of local files and into managed workflows. Then schedule the same review monthly. Attackers automate repetition. Defenders should too.
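The “move developer secrets out of local files” step in that checklist starts with finding them. The script below is an added example, not 1Password’s own tooling: it sweeps shell profiles and .env files for assignments whose names look like credentials and whose values are plaintext rather than a runtime reference, and separately for passwords embedded in connection URLs. It treats op:// references and $(op read ...) substitutions, the patterns the 1Password CLI resolves at runtime, as already managed; the profile and env contents, the vault paths such as op://Dev/GitHub/token, and every token-looking value are constructed samples. Findings report the variable name and line only, never the value.

```python
"""Sweep local config for plaintext credentials that belong in managed secret delivery."""
import re

# Constructed samples. BEFORE_PROFILE is the state the post warns about;
# AFTER_PROFILE resolves the same secret at runtime via the 1Password CLI
# (the op://Dev/... vault paths are placeholders, not real items).
BEFORE_PROFILE = """\
# ~/.zshrc (constructed sample)
export PATH="$HOME/bin:$PATH"
export GITHUB_TOKEN=example-not-a-real-token-0123456789
export AWS_SECRET_ACCESS_KEY='example/NotARealSecretKey+abcdefghijkl'
alias ll='ls -la'
"""
AFTER_PROFILE = """\
export PATH="$HOME/bin:$PATH"
export GITHUB_TOKEN="$(op read 'op://Dev/GitHub/token')"
"""
ENV_FILE = """\
DATABASE_URL=postgres://app:example-db-password@db.internal/app
DATABASE_PASSWORD=op://Dev/Postgres/password
DEBUG=true
"""

# NAME=value or export NAME=value, as found in shell profiles and .env files.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
# Variable names that conventionally hold credentials.
SENSITIVE_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL)", re.IGNORECASE)
# scheme://user:password@host ... a credential embedded in a connection URL.
URL_CREDENTIAL = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@")
# Values resolved at runtime by the 1Password CLI rather than stored on disk.
MANAGED_VALUE = re.compile(r"^op://|\$\(\s*op\s+read\b")


def _unquote(value):
    """Strip one layer of matching single or double quotes."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def sweep_for_plaintext_secrets(text, source):
    """Return (source, line_no, name, reason) for each plaintext credential found.

    Values are deliberately not included in the findings so the report
    itself does not become another copy of the secret.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        name, value = match.group(1), _unquote(match.group(2).strip())
        if not value:
            continue
        if URL_CREDENTIAL.search(value):
            findings.append((source, line_no, name, "credential embedded in URL"))
        elif SENSITIVE_NAME.search(name) and not MANAGED_VALUE.search(value):
            findings.append((source, line_no, name, "plaintext value"))
    return findings


if __name__ == "__main__":
    for source, content in [("~/.zshrc", BEFORE_PROFILE), ("~/.zshrc (after)", AFTER_PROFILE), ("app/.env", ENV_FILE)]:
        for finding in sweep_for_plaintext_secrets(content, source):
            print(f"{finding[0]}:{finding[1]} {finding[2]}: {finding[3]}")
```

Point it at the real files (read them in place of the constructed strings) and feed the findings into the monthly review the post recommends; an assignment that disappears from the report because its value became an op:// reference is the migration working, one that keeps reappearing is a habit to fix.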

Want to learn how 1Password can help you address the risks in your company’s environment? Talk to an expert today.