The Verizon 2026 Data Breach Investigations Report: third-party breaches, credential exposures, and more insights


We discussed the highlights of the Verizon Data Breach Investigations Report (DBIR) in 2024 and 2025 because we deem it to be one of the most valuable sources of insights on the ever-changing cybersecurity landscape.
The cover of the 2026 report pays homage to its status as a recordkeeper of data breaches and security failures, and we think they’ve earned it. The diligence and consistency of the team at Verizon is apparent in the way they analyze and present this enormous dataset gathered from numerous partners and contributors.
Now, Tenchi Security is proud to be one of these many contributors that make the DBIR possible.
Before we dive into the fascinating details that the report brought us this year, we’re excited to announce that Alex Pinto from the DBIR team at Verizon recently joined Tenchi Security CTO Alexandre Sieira and Adrian Sanabria on our podcast to talk about many of the findings in the report, cybersecurity trends, and other topics.
If you enjoy podcasts or would like to hear more after reading this post, you can check out this conversation here.
This post is focused on data related specifically to third-party cyber risk management, so don't forget to also check the report itself, which is freely available from Verizon. This post points to some of the data available in the document and should in no way be seen as a replacement for it.
Exposure from cloud permissions and lack of MFA
The Verizon 2026 Data Breach Investigations Report has a couple of new graphs showing how long it takes for third-party cloud-based authentication and privilege issues to be resolved. They follow the same logic here as the graphs for the survival of vulnerabilities, but sadly show that businesses are currently much slower to resolve these authentication and privilege errors than to patch vulnerabilities.
One analysis shows that almost half (45%) of all these issues remain unresolved after 350 days. The DBIR offers some explanations for this, such as the fact that issues involving "excessive privileges" don't always have a straightforward fix, especially in cloud contexts and due to the granularity of permissions.
By comparison, businesses managed to patch roughly 60% of the vulnerabilities on the CISA list in a month, and at least 30% of those vulnerabilities were patched in the first week. For third-party cloud privilege issues, though, only about 12% are solved within that 7-day timeframe.
The situation can be better for more specific controls, as we see in the data for multi-factor authentication (MFA). Half of all third-party cloud-based MFA exposures are solved in roughly a month, and only 32% of all issues linger after 240 days.
Unfortunately, every business must look for solutions or develop risk mitigation strategies, regardless of the difficulty inherent in these problems. A failure at a complex control or policy still creates an exposure risk, no matter how challenging it is to fix.
Tenchi Security contributed this dataset and participated in its analysis. The data is anonymized; it’s not our intention to “name and shame.” Rather, our goal is to bring attention to these issues by casting some light on this tricky landscape.
While Zanshin users have visibility over these exposures in the scope of their own environment, it's important to keep in mind that each business is different.
Risk management and cybersecurity priorities can have a significant impact here. However, not all organizations employ third-party risk management tools that give them visibility over this problem. Some teams are caught off guard when they finally get a glimpse of the cybersecurity challenges that emerge every day inside the IT infrastructure of their third parties, but problems have to be seen before they can be addressed and resolved.
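To measure the same kind of time-to-resolution curve on your own third-party findings, the Python below estimates the share of issues still unresolved after a given number of days. It is an added example, not code from the DBIR or from Tenchi Security; it assumes a Kaplan-Meier estimator (a standard survival method, the report's exact method is not described in this post), and the finding records and snapshot date are constructed.

```python
from datetime import date

# Constructed sample data: (finding id, opened, resolved or None if still open).
FINDINGS = [
    ("priv-01", date(2025, 1, 1), date(2025, 1, 6)),
    ("priv-02", date(2025, 1, 1), date(2025, 1, 31)),
    ("priv-03", date(2025, 2, 1), date(2025, 5, 12)),
    ("priv-04", date(2025, 3, 1), None),
    ("priv-05", date(2025, 12, 11), None),
    ("priv-06", date(2025, 11, 1), None),
    ("priv-07", date(2025, 6, 1), date(2025, 6, 4)),
    ("priv-08", date(2025, 1, 1), None),
]
OBSERVED_ON = date(2025, 12, 31)  # assumed date of the data snapshot

def durations(findings, observed_on):
    """Return (days_observed, was_resolved) per finding.
    Open findings are right-censored at the snapshot date."""
    return [(((resolved or observed_on) - opened).days, resolved is not None)
            for _id, opened, resolved in findings]

def kaplan_meier(samples):
    """Return [(day, fraction still unresolved)] at each day a fix was seen."""
    at_risk, surviving, curve = len(samples), 1.0, []
    for day in sorted({d for d, _ in samples}):
        fixed = sum(1 for d, resolved in samples if d == day and resolved)
        if fixed:
            surviving *= (at_risk - fixed) / at_risk
            curve.append((day, surviving))
        # Resolved and censored findings both leave the at-risk set.
        at_risk -= sum(1 for d, _ in samples if d == day)
    return curve

def unresolved_at(curve, day):
    """Estimated fraction of findings still unresolved `day` days after opening."""
    fraction = 1.0
    for d, value in curve:
        if d <= day:
            fraction = value
    return fraction

def naive_unresolved_at(samples, day):
    """Biased baseline: counts every open finding as unresolved at any age."""
    fixed = sum(1 for d, resolved in samples if resolved and d <= day)
    return 1 - fixed / len(samples)

if __name__ == "__main__":
    samples = durations(FINDINGS, OBSERVED_ON)
    curve = kaplan_meier(samples)
    for day in (7, 30, 350):
        print(day, round(unresolved_at(curve, day), 3),
              round(naive_unresolved_at(samples, day), 3))
```

The naive baseline overstates long-lived exposure because a finding opened 20 days ago is counted as if it had already survived 350 days; the censored estimate only counts findings that have actually been observed that long.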
Credential misuse and abuse
A key reason why excessive privileges and lack of MFA should concern most businesses is the sheer frequency of cyberattacks that rely on credential misuse.
Credential abuse as an initial access vector was less common than in last year's DBIR (down from 22% to 13%), but this drop can be partially attributed to a change in methodology that is discussed more thoroughly in the report.
What is important to know is that credentials are still very relevant in cyberattacks. Around 39% of all breaches involved at least one step abusing a credential in the attack chain. When attackers find that they have credentials for an account with more privileges than expected, escalating becomes even easier.
In other words, mitigating credential exposures is very important for defense-in-depth strategies, even if they have become somewhat less relevant for initial access.
Even more third-party breaches
The share of breaches with third-party involvement has increased from 30% to 48%, a 60% increase that comes on top of the 100% increase that pushed this topic to the report's cover last year.
It's worth noting that the Verizon Data Breach Investigations Report includes the exploitation of third-party software vulnerabilities in this group, as well as breaches that happen at a third party or that involve third-party infrastructure in some capacity.
Some might raise an eyebrow regarding the inclusion of software vulnerabilities in this category. It's worth emphasizing, however, that modern TPCRM teams should also ensure that software and SaaS vendors have an appropriately secure software development process and infrastructure.
Aside from the authentication and patching issues that we already talked about, what this number suggests is that perhaps mitigation strategies are not keeping up with the increased connectivity and interdependency of IT environments.
Deployments of artificial intelligence and 'shadow AI'
The DBIR recorded a surge in the number of employees using AI. While the number of employees who use non-corporate accounts to access AI services on corporate devices has decreased, this figure is still at 67%, which is alarmingly high.
Meanwhile, 45% of employees are now considered "regular users of AI," up from 15% in the previous dataset.
Not all of these uses are authorized by company policy. "Shadow AI," which is a term for the unsanctioned use of AI technologies or services, is now the third most common non-malicious insider action. It reached this position thanks to a fourfold increase from the previous data.
Overall, a human element is still very common in breaches, at 62%.
Don't miss out on what this means for your business
The Verizon 2026 Data Breach Investigations Report is over 100 pages long, so we really can’t do it justice with a short summary like this. We highly encourage you to check out the report itself and listen to our podcast so you can catch up on every detail.
Robust data and sharp visibility over the real issues that exist in our environments play an important part in our ability to design better policies, mitigations, and tools. IT systems are complex, and we should face this complexity armed with the best information available to us. The data is there to make our systems more secure, and we should try to make the best of it.


