The 2025 DBIR: What Actually Matters
The 2025 Verizon Data Breach Investigations Report (DBIR) pulls from over 22,000 incidents and 12,195 confirmed breaches.

The 2025 Verizon Data Breach Investigations Report (DBIR) pulls from over 22,000 incidents and 12,195 confirmed breaches. It’s the largest dataset they’ve analyzed to date, and what it shows is damning. Third-party failures, credential leaks, and edge device vulnerabilities weren’t just common; they defined the year.
Third-Party Failures Aren’t a Side Problem. They Are the Problem.
One out of every three breaches involved a third party, up from 15% last year. This isn’t about theoretical supply chain risk; it’s about real-world fallout from trusting platforms and vendors that don't enforce basic security controls.
Snowflake is a prime example, not because its infrastructure was compromised, but because a massive credential abuse campaign exploited accounts that lacked enforced multi-factor authentication. Over 80% of the abused accounts had previously leaked credentials, either from info stealers or public code repositories. Attackers built tooling specifically to identify and exploit Snowflake customers at scale.
MOVEit was another anchor point for widespread damage. Again, third-party software vulnerabilities weren’t just attack surfaces; they were initial access vectors that resulted in cascading compromises. Despite the surge in urgency, only 54% of edge device vulnerabilities were fully remediated within the year.
Credential Abuse Isn’t Declining, It’s Just Getting Smarter
Credential-based attacks remain the top access vector overall, but the shape of that threat is evolving. This year, the report dives deep into secret exposure: API keys, JWTs, SSH tokens, and cloud credentials found leaking in public code repositories. Over 441,000 secrets were found. GitLab tokens made up 50% of CI/CD-related leaks, and Google Cloud API keys were 43% of cloud leaks. And the median time to remediate those exposed secrets? Ninety-four days.
These aren't just sloppy accidents. They're systemic. They're widespread. And they're giving threat actors easy, privileged access to critical infrastructure.
Ransomware Is Everywhere, But It’s Losing Leverage
Ransomware was involved in 44% of breaches, a 37% increase from the previous year. But interestingly, the financial damage is receding. Median ransom payments dropped to $115,000, and 64% of victim organizations refused to pay.
Small businesses were hit hardest: 88% of their breaches involved ransomware, compared to 39% for large enterprises. This suggests automation and low-effort targeting drive ransomware into high-volume, low-return territory. The extortion playbook fails to deliver the payouts it used to, even as the attack frequency climbs.
Exploitation of Vulnerabilities Is the Fastest-Growing Vector
Exploited vulnerabilities comprised 20% of breach entries, overtaking phishing and closing in on credential abuse. Most of these attacks targeted edge devices and VPNs. That’s an 8x increase from last year’s 3% baseline.
The median patch time was 32 days, too long to matter. Threat actors moved fast, using remote code execution flaws to get initial access without ever needing to phish a user or steal a password.
Phishing and Human Error Aren’t Going Away
The “human element” was involved in 60% of breaches, compared to last year. Errors (like misdelivery or misconfiguration), social engineering, and poor credential handling were consistent culprits. While phishing has taken a back seat to more scalable attack types, it’s still involved in at least 15% of breaches and often precedes credential abuse.
This isn’t about ignorance; it’s about overexposure. People are still the weakest link, and BYOD policies, personal email crossover, and unsanctioned app usage make it worse every year.
AI Risks Are Boring, But Real
Generative AI hasn’t led to world-ending cyberattacks, but it has increased the risk surface. 15% of employees accessed GenAI tools on corporate machines, with 72% using personal email accounts. That’s a recipe for untracked data leaks.
Malicious emails with AI-generated content doubled in two years. And a January 2025 breach of the DeepSeek model shows the downstream impact of LLM data hoarding. You're already compromised if your employees feed sensitive data into public AI tools.
Espionage Is Rising, And It’s Not Just About Politics
Espionage-motivated breaches rose to 17%, nearly tripling from the previous year. State-sponsored actors were involved in 15% of all breaches, and nearly 30% of those campaigns had a financial motive. That’s a shift worth noting: state-backed campaigns aren’t always strategic. Sometimes, they’re side hustles.
This isn’t Cold War cyber-theater. This is hybrid warfare and monetized intelligence gathering targeting commercial infrastructure.
So What’s the Play?
You can’t fix stupid. But you can contain it. The DBIR makes it clear:
- Vet third parties like you’d vet hostile insiders. Don’t assume vendors are secure; prove they are.
- Prioritize edge device patching like your network depends on it, because it does.
- Enforce MFA. Enforce token expiration. Monitor public repos for exposed secrets.
- Block unsanctioned AI use in corporate environments. Not because it's "bad," but because it's unknown.
- Accept that breaches are a question of when, not if. Build detection and containment like your survival depends on it.
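As an added example (not code from the DBIR or from this post), here is a small Python scanner that covers two of the points above at once: the secret-exposure finding (GitLab tokens, Google API keys, JWTs, SSH keys leaking in repositories) and the "monitor public repos, enforce token expiration" advice. It looks for the documented token shapes in committed text, redacts what it finds, and decodes each JWT's exp claim so a triage run can tell a token that is still usable from one that is merely embarrassing. The regex lengths, the redaction scheme, the `_unsigned_jwt` helper and the sample commit text are assumptions and constructed values; none of the strings are real credentials.

```python
import base64
import json
import re
import time
from typing import Optional

# Detection patterns for the secret types the DBIR calls out. The GitLab
# personal-access-token prefix (glpat-), the Google API key prefix (AIza)
# and the JWT layout (three base64url segments, header starting "eyJ") are
# public formats; the fixed lengths are assumptions tuned for this sample.
PATTERNS = {
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}"),
    "google_api_key": re.compile(r"\bAIza[A-Za-z0-9_-]{35}"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"),
    "ssh_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_expiry(token: str) -> Optional[int]:
    """Return the 'exp' claim of a JWT, or None if it is missing or unreadable.
    No signature check: we only need to know whether a leaked token can still be used."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    return int(exp) if isinstance(exp, (int, float)) else None


def redact(value: str) -> str:
    """Keep just enough of a match to locate it; never echo the full secret."""
    return value[:8] + "..." + value[-2:]


def find_secrets(text: str, now: Optional[int] = None) -> list:
    """Scan text line by line; every hit is a dict with line, kind and a
    redacted match. JWT hits also carry 'expired' relative to `now`."""
    now = int(time.time()) if now is None else now
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                finding = {"line": line_no, "kind": kind, "match": redact(match.group(0))}
                if kind == "jwt":
                    exp = jwt_expiry(match.group(0))
                    finding["expired"] = exp is not None and exp < now
                findings.append(finding)
    return findings


def scan_summary(text: str, now: Optional[int] = None) -> dict:
    """Counts per secret type plus how many leaked JWTs are already expired:
    the split that decides which findings need rotation today."""
    findings = find_secrets(text, now)
    summary = {"total": len(findings), "by_kind": {}, "expired_jwts": 0}
    for f in findings:
        summary["by_kind"][f["kind"]] = summary["by_kind"].get(f["kind"], 0) + 1
        if f.get("expired"):
            summary["expired_jwts"] += 1
    return summary


def _unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string for the sample (constructed, not signed)."""
    header = base64.urlsafe_b64encode(b'{"alg":"HS256","typ":"JWT"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()
    return f"{header}.{body}.c2lnbmF0dXJl"


# Constructed sample of a committed config: values match token shapes only.
SAMPLE_JWT = _unsigned_jwt({"sub": "svc-deploy", "exp": 1600000000})
SAMPLE_COMMIT = f"""# constructed sample, none of these values are real
export GITLAB_TOKEN=glpat-AbCdEfGhIjKlMnOpQrSt
GOOGLE_API_KEY = "AIzaSyA1234567890abcdefghijklmnopqrstuv"
AUTH_HEADER = "Bearer {SAMPLE_JWT}"
-----BEGIN OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_COMMIT, now=1_700_000_000):
        print(f)
    print(scan_summary(SAMPLE_COMMIT, now=1_700_000_000))
```

Pointing this at a repository's history (or a pre-commit hook) catches the cheap cases; the design choice worth keeping is that findings are redacted before they reach a log, and that JWTs are classified by expiry, since a leaked token that cannot expire is the one that stays exploitable for the 94-day median the report cites.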
This year’s DBIR isn’t subtle. Your systems aren't just vulnerable. Your vendors, users, and infrastructure are all complicit in the breach cycle. Stop assuming trust. Start assuming exposure.