Vulnerabilities Overtake Stolen Credentials as the Top Breach Entry Point, Verizon Reports
Software vulnerabilities have overtaken stolen credentials as the most common way attackers gain initial access in confirmed data breaches, according to the 2026 Data Breach Investigations Report released this week by Verizon Business. The shift, modest in any single year but pronounced across the report's three-year view, reorders the standard advice that security teams and the financial-services firms they protect have been operating on for most of the past decade.
The Verizon report, in its 19th annual edition, covers incidents recorded between November 1, 2024, and October 31, 2025. It draws on caseload data contributed by domestic and international law enforcement agencies, forensic firms, cyber insurers, security industry sharing groups, and Verizon's own Threat Research Advisory Center. The methodology and timeframe are unchanged from prior years, which is what makes the year-over-year comparison meaningful: the same source population, scored the same way, showing a different leader.
The reordering matters because the response to a breach attempt that begins with a vulnerability is fundamentally different from the response to one that begins with a stolen password. Each requires a different set of controls, a different allocation of attention, and a different conversation with senior leadership about where to invest. For financial-services firms, where regulators have been increasingly direct about expectations on both fronts, the report sharpens a question that compliance officers were already being asked.
What the report describes
Verizon's findings, summarized on the company's published report page and reflected in coverage by trade publications during the week of May 14, characterize the shift in concrete terms. The proportion of confirmed breaches in the dataset that began with the exploitation of a software vulnerability rose to a level above credential-based entry, which had been the leading category in prior editions of the same report. Ransomware involvement in breaches also rose, by Verizon's account, though the report notes that average payouts have moved in the other direction as more victims decline to pay.
The report attributes the vulnerability-led shift to two compounding factors. The first is that attackers have invested more heavily in automating the exploitation of public-facing software, particularly in the window between a vulnerability's disclosure and the application of the patch. The second is that defenders have, separately, become more effective at detecting and rejecting credential-stuffing and phishing-based intrusions through measures such as broader adoption of multi-factor authentication and improved monitoring of login behavior. The net effect is that the relatively harder route, software exploitation, has become comparatively more rewarding than the route that defenders have spent several years hardening.
This is not a story of attackers becoming uniformly more sophisticated. Verizon's own framing acknowledges that some of the shift reflects defender progress on credentials as much as attacker progress on exploitation. The category that has held steady, by contrast, is the human-error category: misconfigured cloud storage, misdirected documents, internal-access mistakes. Those routes remain a meaningful share of incidents and have not benefited from the same investment as credential defenses.
The view from this week's other security news
The Verizon findings did not arrive in isolation. Two days before the report's release, Microsoft issued an out-of-band patch for two vulnerabilities in its Defender antivirus engine that, by the company's own description, were being exploited in active attacks. The U.S. Cybersecurity and Infrastructure Security Agency added both to its Known Exploited Vulnerabilities catalog on May 20. In the same week, the security firm Sysdig published research on an authentication-bypass flaw in the open-source AI orchestration framework PraisonAI that, according to Sysdig's account, drew internet-wide scanning within three hours and 44 minutes of public disclosure.
Each of those incidents, taken individually, is a single data point. Taken together, with Verizon's annual report sitting on top of them, they describe a coherent picture: that the vulnerability disclosure-to-exploitation window has compressed to a point where the older operational rhythm of monthly patch cycles is, for some classes of flaw, no longer sufficient. The financial-services firms that have already moved to faster patching cadences for internet-facing infrastructure are operating on something close to the assumption Verizon's data now supports.
What it changes for financial-services firms
For firms holding financial data — banks, asset managers, fintechs, insurance carriers, and the third-party service providers that operate around them — the practical implications of the shift are several.
The first is that the relative weighting of investment may need to be revisited. A security program that has spent the past three years pouring resources into credential controls is not wrong to have done so. The Verizon data suggests, however, that the marginal next dollar may need to move toward vulnerability management — specifically, the speed of discovery, prioritization, and remediation of public-facing software flaws — rather than toward additional credential controls layered on top of strong ones already in place.
The second is that third-party risk takes on greater weight. A financial firm's own systems may be well-patched. Its vendors, its document-sharing platforms, its data room providers, its analytics services, its identity providers, are each a software surface running someone else's code. Two of the breach categories that have grown most visibly during the past year, in coverage by PKWare and other industry analysts, are supply-chain compromises and third-party attacks that reach a target through a connected provider. The Verizon report's vulnerability finding compounds rather than replaces that concern.
The third is that the conversation with regulators is sharpening. U.S. and European banking supervisors have been clearer in their 2025 and 2026 guidance about expectations on patching timelines, on third-party oversight, and on the documentation of vulnerability management programs. A finding by the largest annual breach study that vulnerabilities have become the leading initial-access vector is the sort of supervisory talking point that tends to outlast a single annual report.
What the report does not say
A few things worth being careful about, given how widely the report's headline finding will be quoted.
The Verizon DBIR is not a complete census of breaches. It is a study of the cases its contributing partners worked, which skews toward incidents that were detected, investigated, and either disclosed or shared with insurers and law enforcement. Many breaches do not enter that population. The findings should be read as the best available view of a substantial sample, not as a settled count of everything that happened during the year.
The report also does not say that credentials no longer matter. It says vulnerabilities have moved ahead in the ranking. Credential-led breaches remain a major category, and the controls associated with them — multi-factor authentication, conditional access, behavioral monitoring — remain among the highest-return defenses an organization can deploy. The shift is one of emphasis at the margin, not a wholesale reordering of priorities.
The report does not assign blame. Verizon's framing is descriptive: this is what the data shows. The interpretive work, including what each industry should do about the findings, is left to readers and to the regulatory and supervisory bodies that will read the report alongside their own caseloads.
The takeaway for the week
For a financial-services reader, the most useful posture in the wake of the report is to treat its headline finding as a prompt rather than a verdict. The questions worth bringing to the next quarterly security review are concrete: How quickly is the firm patching internet-facing systems? What is the firm's view of the patching cadence of its critical vendors? Is the vulnerability management program documented in a form a regulator would accept? Are the credential controls that have served well in recent years receiving disproportionate investment relative to the underlying surface area of unpatched software?
The DBIR will be quoted heavily for the next 12 months. Its finding will outlast the immediate news cycle. The firms that take it seriously this quarter are likely to be in a calmer position when the supervisors arrive with the same finding in hand.
Related reading
- How Businesses Keep Financial Data Safe in Practice
- How Data Rooms Support Secure Information Handling Across a Business
Sources and further reading
Impulsblog analysis is based on the published sources listed above and is current as of May 25, 2026.

