
Verizon 2026 DBIR: For the First Time, Unpatched Software Beats Stolen Passwords as the Top Breach Vector

Verizon

Verizon released its 2026 Data Breach Investigations Report this week, and the headline finding is one that should stop any security team in its tracks: for the first time in the report's 19-year history, vulnerability exploitation has overtaken stolen credentials as the leading initial access vector for confirmed data breaches. Unpatched software is now how attackers most commonly get in. And the gap between attackers' ability to exploit known vulnerabilities and organizations' ability to patch them is getting wider, not narrower.

The Numbers That Define the Shift

Vulnerability exploitation accounted for 31% of all confirmed breaches analyzed in the 2026 DBIR, up from 20% the year before. Stolen credentials, which had topped the list consistently for over a decade, now sit behind it. This is not statistical noise -- an 11-percentage-point year-over-year jump in a dataset of this scale reflects a genuine structural change in attacker behavior.

The patching data points to the cause. The median time to patch vulnerabilities has risen from 32 days to 43 days. More damaging: only 26% of critical vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog were fully remediated in 2025, down from 38% the year before. The KEV catalog exists to signal which vulnerabilities are being actively weaponized, and every entry carries a remediation due date. A 74% non-remediation rate for that catalog is not a patching problem. It is a crisis.

AI Is Compressing the Exploitation Window

The DBIR documents AI's role in the shift in specific terms. Threat actors are using AI to accelerate exploitation of known vulnerabilities, shrinking the window between public disclosure and active exploitation from months to hours. The median threat actor in the dataset utilized AI assistance across 15 distinct attack techniques; some used it across 40 to 50 techniques.

This compression of the exploitation timeline makes the patching delay numbers even more consequential. When the window between disclosure and active exploitation was weeks, 43-day median patch times were painful but survivable. When that window is measured in hours, 43 days represents near-certain exposure for any known, unpatched vulnerability in internet-facing infrastructure.

The Shadow AI Tripling

One of the most alarming findings has nothing to do with external attackers. Employee use of unapproved shadow AI on corporate devices tripled in a single year, rising from 15% to 45% of employees. The data type most commonly submitted to these unauthorized AI platforms? Source code -- entered through personal accounts with no enterprise governance, no data classification controls, and no logging.

The DBIR is blunt about the implication: from a data exposure standpoint, employees submitting proprietary source code to a personal AI account through an unauthorized browser extension is functionally identical to data exfiltration. The code has left the organization's control. More than 15% of corporate users have unauthorized AI browser extensions installed -- plugins specifically designed to capture browsing context for model input, including internal systems and non-public data.

Third-Party Risk and the Defense Gap

The DBIR also documents a significant increase in breaches originating through third parties. Attackers have recognized that compromising the vendors, contractors, and software providers an enterprise trusts is often easier than attacking the enterprise directly, and the 2026 data shows this strategy paying off at an increasing rate.

On defense, the DBIR's assessment is measured: "AI is changing the economics of attack, but the same cannot yet be said for defense." Attack automation is ahead of defense automation. The net effect at this stage of adoption appears to favor offense.

What Security Teams Should Do

The shift from credential theft to vulnerability exploitation has direct implications for defensive prioritization. Organizations that have invested in identity and access management have not wasted that investment (stolen credentials remain a leading vector), but many have under-invested in vulnerability management relative to the current threat environment. The 2026 DBIR data points most clearly to three actionable gaps: reducing median time to patch, starting with internet-facing systems; raising remediation coverage of KEV-listed vulnerabilities, measured per asset rather than per CVE so that partial patching is not counted as done; and putting technical controls around employee AI tool usage -- browser extension allowlisting, data loss prevention rules for AI platform domains, and enterprise AI usage monitoring.
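The two patching metrics the report leans on, median time to patch and KEV remediation coverage, are easy to compute badly: counting a CVE as remediated the moment one asset is patched hides the hosts still exposed, and a fix that lands after CISA's due date still left the exploitation window open. The script below is an added example, not code from Verizon or the DBIR. Only the field names `cveID`, `dateAdded` and `dueDate` mirror CISA's public KEV feed; the catalog excerpt, the CVE identifiers (deliberately synthetic, not real vulnerabilities) and the scanner findings format are constructed for the example.

```python
"""KEV remediation coverage and time-to-patch metrics over internal findings.

Added example, not code from Verizon or the DBIR. Only the KEV field names
(cveID, dateAdded, dueDate) mirror CISA's public feed; the catalog excerpt,
the CVE identifiers and the findings format are constructed placeholders.
"""
import json
import statistics
from datetime import date

# Constructed KEV-shaped catalog excerpt. The CVE identifiers are synthetic
# placeholders, not real vulnerabilities.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "dateAdded": "2025-01-10", "dueDate": "2025-01-31"},
        {"cveID": "CVE-1900-0002", "dateAdded": "2025-02-03", "dueDate": "2025-02-24"},
        {"cveID": "CVE-1900-0003", "dateAdded": "2025-03-15", "dueDate": "2025-04-05"},
        {"cveID": "CVE-1900-0004", "dateAdded": "2025-05-01", "dueDate": "2025-05-22"},
    ]
})

# Constructed, hypothetical scanner findings: one row per (asset, CVE), with the
# date the finding was first observed and the date it was fixed (None if still open).
FINDINGS = [
    {"asset": "edge-fw-01", "cve": "CVE-1900-0001", "first_seen": "2025-01-12", "fixed": "2025-01-20"},
    {"asset": "vpn-gw-02",  "cve": "CVE-1900-0001", "first_seen": "2025-01-12", "fixed": "2025-03-30"},
    {"asset": "web-03",     "cve": "CVE-1900-0002", "first_seen": "2025-02-05", "fixed": None},
    {"asset": "web-03",     "cve": "CVE-1900-0003", "first_seen": "2025-03-16", "fixed": "2025-03-20"},
    {"asset": "db-04",      "cve": "CVE-1900-0004", "first_seen": "2025-05-02", "fixed": None},
    {"asset": "db-05",      "cve": "CVE-1900-0004", "first_seen": "2025-05-02", "fixed": "2025-05-10"},
    {"asset": "db-04",      "cve": "CVE-1900-9999", "first_seen": "2025-05-02", "fixed": None},  # not KEV-listed
]


def load_kev(raw_json):
    """Index a KEV-shaped catalog as {cveID: (dateAdded, dueDate)}."""
    catalog = json.loads(raw_json)
    return {
        v["cveID"]: (date.fromisoformat(v["dateAdded"]), date.fromisoformat(v["dueDate"]))
        for v in catalog["vulnerabilities"]
    }


def kev_metrics(findings, kev, as_of):
    """Compute remediation coverage and time-to-patch for KEV-listed CVEs.

    A CVE counts as fully remediated only when every asset carrying it is fixed.
    Counting a CVE as done once one asset is patched is the edge case that makes
    coverage numbers look better than the real exposure.
    """
    as_of = date.fromisoformat(as_of)
    per_cve = {}
    for f in findings:
        if f["cve"] in kev:  # findings outside KEV are tracked elsewhere
            per_cve.setdefault(f["cve"], []).append(f)

    fully, partial, unremediated, overdue = [], [], [], []
    patch_days, fixed_after_due = [], 0
    for cve, rows in per_cve.items():
        _, due = kev[cve]
        fixed_rows = [r for r in rows if r["fixed"] is not None]
        for r in fixed_rows:
            fixed_on = date.fromisoformat(r["fixed"])
            patch_days.append((fixed_on - date.fromisoformat(r["first_seen"])).days)
            if fixed_on > due:  # patched, but only after CISA's deadline had passed
                fixed_after_due += 1
        if len(fixed_rows) == len(rows):
            fully.append(cve)
        elif fixed_rows:
            partial.append(cve)
        else:
            unremediated.append(cve)
        if len(fixed_rows) < len(rows) and as_of > due:  # still exposed past the due date
            overdue.append(cve)

    listed = len(per_cve)
    return {
        "kev_cves_present": listed,
        "fully_remediated": sorted(fully),
        "partially_remediated": sorted(partial),
        "unremediated": sorted(unremediated),
        "coverage_pct": round(100.0 * len(fully) / listed, 1) if listed else 0.0,
        "median_days_to_patch": statistics.median(patch_days) if patch_days else None,
        "fixed_after_kev_due_date": fixed_after_due,
        "overdue_past_kev_due_date": sorted(overdue),
    }


def summary(as_of="2025-06-01"):
    """Run the metrics over the constructed sample data as of a given date."""
    return kev_metrics(FINDINGS, load_kev(KEV_SAMPLE), as_of)


if __name__ == "__main__":
    print(json.dumps(summary(), indent=2))
```

On the sample data the per-asset rule reports 50% full coverage (two of four KEV-listed CVEs) where a per-CVE count would have claimed three, and it flags one fix that landed only after the KEV due date even though the CVE now shows as remediated. Pointing `load_kev` at CISA's real feed and `FINDINGS` at a scanner export is the only change needed to run it for real.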

Originally reported by Verizon. Read the original article for additional details.
