
Verizon DBIR finds vulnerability exploitation overtakes stolen credentials as top breach entry point for critical infrastructure


New data from the Verizon 2026 Data Breach Investigations Report (DBIR) underscores growing cyber risk for critical infrastructure and industrial sectors, as exploitation of software vulnerabilities overtook stolen credentials for the first time to become the leading breach entry point, accounting for 31% of incidents. The report warns that AI-assisted attacks are dramatically compressing the time between vulnerability disclosure and exploitation, reducing defenders’ response windows from months to hours.

Verizon also found that third-party and supply chain-related breaches surged, while mobile-focused social engineering attacks achieved a 40% higher success rate than traditional phishing campaigns, trends that could have significant implications for manufacturing, utilities, transportation, and other OT (operational technology)-heavy environments increasingly exposed through connected systems and external vendor ecosystems.

It also pointed to the rapid weaponization of known vulnerabilities by AI, which can create a capacity crisis for security teams, underscoring the urgent need to prioritize fundamental security and risk management practices. 

“While the velocity of cyber threats—driven by AI and faster vulnerability exploitation—is increasing, the foundational principles of security and strong risk management remain the most effective defense,” Daniel Lawson, senior vice president for global solutions at Verizon Business, said in a Tuesday media statement. “The DBIR reinforces that these fundamentals still hold as organizations strive for resilience.”

Verizon reported in its 2026 DBIR that exploitation of vulnerabilities has overtaken credential abuse as the leading initial access vector for breaches, accounting for 31% of incidents, while credential abuse fell to 13%. At the same time, organizations struggled to keep pace with remediation efforts. Only 26% of critical vulnerabilities listed in the Cybersecurity Infrastructure and Security Agency’s Known Exploited Vulnerabilities catalog were fully remediated in 2025, down from 38% the previous year. The median time to fully resolve vulnerabilities increased to 43 days from 32 days, while organizations faced 50% more critical vulnerabilities requiring patching compared with the prior reporting period.

Ransomware activity continued to grow, rising to 48% of all breaches from 44% the previous year. Despite the increase, fewer victims chose to pay attackers, with 69% of ransomware victims declining payment. The median ransom payment also fell to $139,875 from $150,000. The report additionally highlighted a sharp increase in third-party exposure, with breaches involving third parties rising 60% year over year to account for 48% of all breaches. Remediation challenges remained significant, as only 23% of third-party organizations fully resolved missing or improperly secured multifactor authentication issues on cloud accounts, while weak passwords and permission misconfigurations often took nearly eight months to address.

The report also found that generative AI is increasingly shaping the threat landscape, with threat actors using AI-assisted techniques during targeting, initial access, and malware development. The median threat actor used AI across 15 documented attack techniques, while some leveraged it in as many as 40 or 50 techniques. Most AI-assisted malware development remained tied to already established attack methods, with a median of 55 known malware samples performing similar functions. Less than 2.5% of observed AI-assisted malware involved rare or previously uncommon techniques.

Human-focused attacks also remained a major factor in breaches. The report found that the human element was involved in 62% of breaches, slightly higher than the previous year’s 60%, while social engineering accounted for 16% of all breaches. Mobile-centric phishing and scam tactics proved especially effective, with click-through rates for text and voice-based attacks running 40% higher than traditional email phishing campaigns. Pretexting, where attackers build trust through fabricated scenarios to manipulate victims into compromising actions, became a more common entry point for ransomware and extortion attacks, reaching 6% of all breaches, while phishing remained steady at 16%.

For the manufacturing sector, Verizon reported that the number of breaches continues to rise, driven largely by ransomware activity. The report found that the top breach patterns remained consistent with last year, with system intrusion, social engineering, and basic web application attacks accounting for 91% of confirmed breaches. Financially motivated threat actors dominated the landscape, representing 87% of breaches, while espionage-related activity accounted for 15%. External actors were responsible for 95% of incidents, compared with 5% linked to internal actors. 

Verizon also found that the most commonly compromised data types included internal data, credentials, other sensitive information, and personal data. Exploitation of vulnerabilities emerged as the leading initial access vector at 38%, followed by phishing at 13% and credential abuse at 11%. The report further highlighted the growing role of third parties and the human element in manufacturing-related breaches.

“Ransomware is still, in large part, the driving force behind both the growth in breaches and the prominence of system intrusion incidents. Malware was involved in 75% of the breaches in this vertical, with ransomware accounting for 61%,” Verizon reported. 

A prominent example in this sector is the late 2025 ransomware attack on the Japanese company Asahi Group Holdings. “The incident forced a shutdown of their domestic manufacturing facilities and resulted in a suspension of shipments, while also potentially compromising corporate data. This event illustrates that the financial impact of a breach can often extend far beyond the immediate ransom or extortion demands, as the operational downtime and downstream supply chain disruption can be considerable.”

Moreover, hacking actions were involved in 71% of manufacturing breaches. The main tactics, using stolen credentials and exploiting vulnerabilities, haven’t changed much since last year’s report; each contributed to 41% of manufacturing breaches. Social engineering may be the second most common pattern in this vertical, but its actions still lag well behind the leaders in malware and hacking. Social actions appeared in only 16% of breaches, and most of those were of the phishing variety (77%).

“The more elaborate Pretexting schemes barely register by comparison, accounting for only 18% of social attacks in manufacturing breaches. Internal data in this sector apparently didn’t get the memo about staying put,” Verizon’s DBIR reported. “It’s involved in 80% of breaches, making emails, plans and reports among the favorite items on the criminal’s takeout menu, or perhaps simply the easiest to obtain. Credentials show up next in 26% of incidents, and personal (personally identifiable information, or PII) data makes an appearance in 17% of manufacturing breaches—less common but still more than enough to ruin someone’s day.”

In September, the industrial sector experienced what was described as the costliest cyber incident in U.K. history after a ransomware attack on Jaguar Land Rover halted production for five weeks and caused an estimated £1.9 billion in damages. During the same period, Amazon said it blocked more than 1,800 infiltration attempts linked to North Korean remote worker schemes by detecting a distinctive 110-millisecond keystroke input lag. Researchers also uncovered a self-replicating npm worm known as Shai-Hulud that compromised more than 500 software packages to steal developer credentials and GitHub access tokens.

Verizon’s latest breach data shows that exploitation of vulnerabilities has overtaken stolen credentials as the leading initial access vector, accounting for 31% of breaches. The report noted that attackers are increasingly shifting away from tricking users and toward directly exploiting software weaknesses.

The report also found that 48% of all breaches now involve ransomware, although ransom payments are declining as more organizations choose not to pay attackers. Verizon further warned that generative AI is accelerating multiple stages of cyberattacks, with threat actors using AI-assisted techniques to identify security gaps and develop malware more quickly.

Mobile-focused attacks are also becoming more effective. Verizon reported that higher click-through rates on mobile devices are making smartphones and tablets increasingly attractive targets, with users 40% more likely to fall for mobile-based phishing or scam attempts than traditional email attacks.

Regionally, North America recorded the highest number of incidents, with 12,371 incidents and 8,426 confirmed data disclosures. In the region, system intrusion, social engineering, and basic web application attacks accounted for 87% of breaches. Financial motives were linked to 98% of breaches in North America, while exploitation of vulnerabilities represented the leading initial access vector at 30%.

In the Asia-Pacific region, Verizon recorded 5,229 incidents and 2,855 confirmed data disclosures. System intrusion, basic web application attacks, and social engineering represented 97% of breaches. External actors accounted for 99% of breaches, while exploitation of vulnerabilities was the leading access vector at 42%, followed by credential abuse at 25% and phishing at 15%.

Europe, the Middle East, and Africa recorded 8,245 incidents and 6,060 confirmed data disclosures. Verizon found that system intrusion, social engineering, and miscellaneous errors represented 92% of breaches in the region. Exploitation of vulnerabilities accounted for 47% of initial access activity, while phishing represented 28%.

Latin America and the Caribbean recorded 813 incidents and 718 confirmed data disclosures. Verizon reported that system intrusion, social engineering, and basic web application attacks represented 98% of breaches in the region, with exploitation of vulnerabilities accounting for 44% of initial access incidents.


