Verizon's 2026 Breach Report: Software Flaws Now the #1 Way Hackers Get In

For 18 years running, stolen passwords were the main way attackers broke into systems. That era is over. Verizon’s 2026 Data Breach Investigations Report — published yesterday, covering over 22,000 confirmed breaches across 145 countries — found that exploiting software vulnerabilities is now the number-one entry point, accounting for 31% of all breaches.

The shift matters for anyone who stores data with a cloud provider. When passwords were the primary attack vector, strong credentials and two-factor authentication offered meaningful protection. Now, unpatched software on the provider’s side is the bigger threat — and that’s something individual users can’t fix.

The Patch Gap Is Getting Worse

Organisations are getting slower at fixing known vulnerabilities, not faster. The median time-to-patch climbed from 32 days to 43 days — a 34% increase — even as attackers accelerated their exploitation timelines. AI tools are helping threat actors shrink the window between a vulnerability being disclosed and being weaponised, from months down to hours in some cases.

The numbers from CISA’s Known Exploited Vulnerabilities catalogue tell a grim story: there was a nearly 50% increase in the number of vulnerabilities requiring patches, yet only 26% were actually remediated by organisations. The total number of registered CVEs now exceeds 351,000, with over 21,500 already reserved for 2026 alone.

Development tools, virtualisation platforms, and remote monitoring software had the worst remediation rates; in nearly every category, more than 50% of known vulnerabilities were left unpatched.

Shadow AI: 45% of Workers Are Leaking Data to Tools Their Employer Doesn’t Control

The DBIR flagged a sharp rise in “shadow AI” — employees using unapproved AI tools at work. That figure jumped from 15% to 45%, a threefold increase. Every prompt typed into an unvetted AI chatbot is a potential data leak: customer records, internal documents, proprietary code, personal information.

This is a direct privacy risk. When employees paste sensitive data into AI services without organisational oversight, that data may be stored, used for model training, or exposed in future breaches of those AI providers. The user whose records get pasted into a prompt has no idea it happened and no way to consent.

Third-Party Breaches Up 60%

Nearly half of all breaches — 48% — now involve a third party. That’s a 60% jump, and it reflects the tangled web of vendors, cloud services, and SaaS platforms that modern organisations depend on.

This trend explains why seemingly privacy-conscious companies still get caught in breaches. You might trust your direct service provider, but do you know who their subprocessors are? Who hosts their infrastructure? Who provides their analytics, email, or payment processing? Each link in the chain is a potential point of failure.

The Canvas breach we covered yesterday is a textbook case: Instructure — the company behind Canvas — was initially compromised through its Salesforce environment before attackers pivoted to the main platform. The vendor stack is the attack surface.

Mobile Social Engineering Outperforms Email

Mobile-targeted social engineering attacks now have a 40% higher success rate than traditional email phishing. Attackers are exploiting the smaller screens, truncated URLs, and notification-driven interactions that make it harder to spot fakes on phones.

What You Can Actually Do

The DBIR paints a picture of systemic failure at the organisational level — slow patching, uncontrolled AI usage, sprawling vendor dependencies. But there are concrete steps individuals can take:

Minimise your vendor exposure. Every service you use is a third party that could be breached. Consolidating onto fewer, more trustworthy platforms reduces your attack surface. Self-hosted solutions and privacy-first providers with transparent infrastructure cut out layers of third-party risk.

Ask where your data lives. Jurisdiction matters. A provider operating under Swiss privacy law with data stored in Switzerland has different legal protections — and different breach notification requirements — than one routing your data through a chain of US-based subprocessors.

Audit your own AI usage. If you’re pasting work documents, personal data, or anything sensitive into AI tools, you’re part of the shadow AI problem. Use tools with clear data policies, or better yet, self-hosted AI options that keep your data on your own infrastructure.

Keep your own software updated. You can’t control your cloud provider’s patch cycles, but you can control your own devices. Enable automatic updates. Don’t postpone them.

The 2026 DBIR makes one thing clear: trusting your data to others has never carried more risk. The organisations responsible for protecting it are patching slower, getting breached through their vendors, and watching their own employees leak sensitive information into AI tools they don’t control. The less data you hand over, the less there is to steal.
