DEV Community

0x57Origin

Inside DBIR 2025: Why Vulnerability Exploits & Credential Abuse Are Dominating Breaches

The 2025 Breach Landscape: Biggest Dataset in DBIR History

The 2025 Verizon Data Breach Investigations Report (DBIR) analyzed the largest volume of breach data in the history of the report. Verizon reported:

  • 22,000+ security incidents
  • 12,195 confirmed data breaches
  • Victims spanning 139 countries
  • Data contributed by nearly 100 cybersecurity organizations

This year’s dataset is important because it reflects a major shift in attacker behavior.
Over the last 2–3 years, software vendors have unintentionally expanded the global attack surface through weak edge-device security, misconfigured cloud services, and delayed patching cycles.

What used to be occasional vendor mistakes has now transformed into what the report calls:

“a widespread and insidious problem that can have a devastating effect on enterprises.”

For defenders, that means breaches are no longer isolated events; they’re happening at a scale and speed that’s fundamentally different from previous years.

The Three Major Initial Access Vectors (Credentials, Exploitation, Phishing)

The DBIR 2025 data indicates that most breaches continue to originate from the same three entry points. The percentages shift slightly year to year, but the pattern stays consistent:

  • Stolen credentials -> 22%

  • Exploitation of vulnerabilities -> 20%

  • Phishing/social engineering -> 16%

Together these three vectors account for well over half (58%) of the initial access events in the dataset, and the mix holds across nearly every industry.

1. Credential Abuse (22%)

Credential-based attacks continue to be the single most common way intruders enter a system. Victims usually don’t notice anything unusual because the activity looks like a normal login.

A few points the report highlights:

  • Many stolen credentials come from older breaches.

  • Some are reused across multiple accounts.

  • Secrets leaked on GitHub or other repos take a median of 94 days to be remediated.

In many cases, the origin of the stolen credential is never discovered.

The main takeaway:
Attackers don’t need an exploit when they can simply log in.
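Both halves of the credential problem described above can be spotted in ordinary authentication logs if you look for the right shape. The script below is an added example, not code from the DBIR or from the post's author: it runs over a constructed set of login events and flags (1) a credential-stuffing burst, one source trying many usernames with mostly failures and a few successes, and (2) the quieter case the text describes, a successful login with no failures at all but from a network (ASN) the account has never used before. Thresholds, field names and the sample addresses are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real telemetry):
# (timestamp, username, source IP, source ASN, login succeeded?)
SAMPLE_EVENTS = [
    ("2025-05-01T08:55:00", "alice", "203.0.113.10", "AS64496", True),
    ("2025-05-01T08:57:00", "frank", "203.0.113.12", "AS64496", True),
    ("2025-05-01T09:02:00", "bob",   "203.0.113.11", "AS64496", False),
    ("2025-05-01T09:02:30", "bob",   "203.0.113.11", "AS64496", True),
    # burst from one source trying leaked passwords against many accounts
    ("2025-05-01T10:00:01", "alice", "198.51.100.7", "AS64500", False),
    ("2025-05-01T10:00:02", "bob",   "198.51.100.7", "AS64500", False),
    ("2025-05-01T10:00:03", "carol", "198.51.100.7", "AS64500", False),
    ("2025-05-01T10:00:04", "dave",  "198.51.100.7", "AS64500", False),
    ("2025-05-01T10:00:05", "erin",  "198.51.100.7", "AS64500", False),
    ("2025-05-01T10:00:06", "frank", "198.51.100.7", "AS64500", True),
    ("2025-05-01T11:30:00", "alice", "203.0.113.10", "AS64496", True),
]


def _parse(events):
    """Turn the raw tuples into dicts sorted by time."""
    return sorted(
        ({"ts": datetime.fromisoformat(ts), "user": u, "ip": ip, "asn": asn, "ok": ok}
         for ts, u, ip, asn, ok in events),
        key=lambda e: e["ts"],
    )


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_failure_ratio=0.5):
    """Flag source IPs that try many distinct usernames inside `window`
    with a high failure rate; the few successes are the compromised accounts."""
    by_ip = defaultdict(list)
    for e in _parse(events):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        win = deque()                      # sliding window of this IP's attempts
        for e in evs:
            win.append(e)
            while e["ts"] - win[0]["ts"] > window:
                win.popleft()
            users = {w["user"] for w in win}
            failures = sum(1 for w in win if not w["ok"])
            if len(users) >= min_users and failures / len(win) >= min_failure_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    "compromised": sorted(w["user"] for w in win if w["ok"]),
                }
    return flagged


def detect_new_source_logins(events):
    """Flag a successful login from an ASN the account has never succeeded
    from before. This is the 'looks like a normal login' case: no failures,
    just a valid password presented from somewhere new."""
    seen_asns = defaultdict(set)
    alerts = []
    for e in _parse(events):
        if not e["ok"]:
            continue
        known = seen_asns[e["user"]]
        if known and e["asn"] not in known:
            alerts.append((e["user"], e["asn"], e["ip"]))
        known.add(e["asn"])
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(f"stuffing from {ip}: {info}")
    for user, asn, ip in detect_new_source_logins(SAMPLE_EVENTS):
        print(f"new-source login: {user} from {asn} ({ip})")
```

On the sample data the burst from 198.51.100.7 is flagged with frank as the one compromised account, and frank's success is also raised by the new-source check because his earlier logins came from a different ASN. In production you would key the baseline on ASN or geolocation rather than raw IP (mobile carriers and VPNs rotate addresses), and a password spray (one password across many accounts, spread out over time) is the same detection with a longer window and a lower attempt count.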

2. Exploitation of Vulnerabilities (20%)

This is the category with the biggest jump compared to last year: exploitation as an initial access vector grew 34% year over year.

The most notable change is where the exploitation is happening:

  • Edge devices

  • VPN appliances

  • Public-facing services

The DBIR notes that exploitation against edge devices and VPNs went from 3% last year to 22% this year. That’s nearly an eight-fold increase.

Patching is a clear issue:

  • Only 54% of edge vulnerabilities were fully remediated.

  • Median time to patch: 32 days.

  • That one-month gap is the opportunity window that attackers take advantage of.

3. Phishing & Pretexting (16%)

Phishing is still one of the most reliable ways attackers steal credentials or trick employees into granting access. It didn’t disappear; it simply settled into a stable percentage while other attack methods grew.

This year’s changes include:

  • More MFA prompt bombing

  • More Adversary-in-the-Middle (AiTM) login capture

  • More malicious software downloads through poisoned search results

  • Increased state-sponsored social engineering activity

Notably:

  • 52% of social engineering breaches had an espionage motivation.

  • 55% had a financial motivation.

  • The two figures overlap because a breach can carry more than one motive, and some nation-state groups were involved in both types of operations.

Overall, social engineering remains a dependable way for attackers to bypass defenses when technical controls fail.

Why These Three Methods Dominate

The DBIR doesn’t frame it dramatically. The explanation is straightforward:

  • Credentials are easy to steal or purchase.

  • Exploits scale well with automation.

  • Phishing works because humans make mistakes.

Together, these three methods explain most of the initial access cases seen in 2024–2025 data.

Ransomware Growth, Human Error, and the Shift Toward Third-Party Breaches

The DBIR 2025 numbers show three major trends that shaped most breaches this year:

The share of breaches involving ransomware is rising again, the human element remains high, and the share involving a third party has doubled.

Each of these has different causes, but together they paint a clear picture of how attackers operate today.

1. Ransomware in 44% of Breaches (Up 37% From Last Year)

Ransomware continues to be one of the most common outcomes after attackers gain access. The report shows:

  • 44% of all breaches involved ransomware (with or without encryption)
  • Up from 32% last year
  • A 37% increase

Even with the rise, ransom payments have started to drop:

  • Median payment: $115,000 (down from $150,000)
  • 64% of victim organizations refused to pay (only 50% two years ago)

One interesting detail is the difference between large companies and small ones:

  • Large orgs: ransomware in 39% of breaches
  • Small orgs: ransomware in 88% of breaches

Small businesses continue to get hit hardest because they lack both patching speed and detection coverage.

2. Human Involvement in Breaches Remains High (60%)

Despite more MFA, more training, and better tools, the human element remains a major factor:

  • 60% of breaches involved some type of human action
  • Last year: 61%
  • Essentially unchanged

The report breaks down human-driven errors into categories:

  • Phishing / Social engineering → stolen credentials
  • Misconfiguration or mistakes
  • Downloading or installing malware
  • Interacting with malicious MFA prompts

The overlap between social engineering and credential abuse is significant. A phishing email may steal the credentials, but the breach is then logged as credential misuse.

The DBIR emphasizes that many orgs now have two chances to stop the attacker:

  1. During the social engineering attempt
  2. During the credential misuse attempt

But most still miss both.

3. Third-Party Breaches Doubled (15% → 30%)

This is one of the more concerning shifts in the dataset.

DBIR reports that breaches involving third-party access or systems doubled in the last year:

  • 15% last year
  • 30% this year

Major reasons:

  • Credential reuse across environments
  • Contractors with overly broad access
  • Supply chain exposures
  • Secrets leaked in external repositories

A standout datapoint:

Median time for an organization to fix leaked secrets on GitHub: 94 days.

That’s nearly three months of exposure.
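The 94-day figure is a remediation lag, and the first step in cutting it is finding the secret before an attacker does. The scanner below is an added example, not the DBIR's or the author's code: it runs over a constructed settings file as it might be pushed to a public repository, matches known credential formats (AWS access key IDs, GitHub personal access tokens, Slack tokens, PEM private keys), catches generic `TOKEN = "..."` assignments only when the value has enough Shannon entropy to look like a real secret, and reports how many days each finding has been exposed given the commit date. The sample values are AWS's and GitHub's documented example formats plus made-up strings, the commit and scan dates are constructed so the exposure works out to the DBIR's 94 days, and the entropy threshold is an assumption.

```python
import math
import re
from datetime import datetime, timezone

# Known credential formats (published prefixes). The generic rule below
# catches assignments like TOKEN = "..." and is gated on entropy to cut noise.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b[A-Z0-9_]*(?:key|secret|password|passwd|token)\b\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
)
MIN_ENTROPY_BITS = 3.0   # assumption: below this a quoted value is treated as a placeholder

# Constructed sample file and dates (not a real repository or real secrets).
SAMPLE_FILE = """\
# constructed settings file as it might be pushed to a public repo
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
admin_token = "aaaaaaaaaaaaaaaaaaaa"
log_level = "debug"
"""
COMMITTED_AT = datetime(2025, 1, 15, tzinfo=timezone.utc)
SCANNED_AT = datetime(2025, 4, 19, tzinfo=timezone.utc)


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score well above placeholders."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def _finding(lineno, kind, value, committed_at, now):
    return {
        "line": lineno,
        "kind": kind,
        "redacted": value[:4] + "*" * (len(value) - 4),   # never log the full secret
        "entropy_bits": round(shannon_entropy(value), 2),
        "exposure_days": (now - committed_at).days,
    }


def scan_for_secrets(text, committed_at, now):
    """Return one finding per leaked secret, with its exposure age in days."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen_values = set()
        for kind, rx in SPECIFIC_PATTERNS.items():
            for m in rx.finditer(line):
                seen_values.add(m.group(0))
                findings.append(_finding(lineno, kind, m.group(0), committed_at, now))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            # skip values a specific rule already reported, and low-entropy placeholders
            if value in seen_values or shannon_entropy(value) < MIN_ENTROPY_BITS:
                continue
            findings.append(_finding(lineno, "generic_assignment", value, committed_at, now))
    return findings


if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_FILE, COMMITTED_AT, SCANNED_AT):
        print(f"line {f['line']}: {f['kind']} {f['redacted']} "
              f"(entropy {f['entropy_bits']} bits, exposed {f['exposure_days']} days)")
```

On the sample file the scanner reports the AWS key ID, the AWS secret (via the generic rule, because its entropy is high) and the GitHub token, while `admin_token = "aaaaaaaaaaaaaaaaaaaa"` is dropped as a placeholder. Two practical caveats: run this as a pre-commit hook or CI step so the secret never reaches the remote, and treat any hit on an already-pushed commit as compromised and rotate it, since rewriting history does not remove what forks, caches and scanners have already copied.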

4. Espionage-Motivated Breaches Rising (17%)

Another shift this year is the increase in espionage-focused attacks:

  • 17% of breaches now involve espionage
  • Many tied to state-sponsored actors
  • Heavy use of zero-days and edge-device vulnerabilities

The report mentions that around 28% of incidents involving state actors included a financial motive, meaning certain groups are now mixing intelligence gathering and revenue generation.

5. MFA Bypass Techniques: Prompt Bombing, Token Theft, AiTM

This year had enough data to analyze MFA bypass methods clearly:

Top techniques seen:

  • Prompt bombing (MFA fatigue)
  • Token theft
  • Adversary-in-the-Middle (AiTM)
  • SIM swapping and account hijacking

Microsoft 365 telemetry showed:

  • 40% of attacks had suspicious logins
  • 31% came from token theft
  • MFA interrupt (push fatigue) is also significant
  • AiTM present but less common

The point is: MFA helps, but attackers now adjust to whichever part of MFA is weakest. Push approvals and one-time codes can be fatigued or proxied through an AiTM page, and a stolen session token skips the prompt entirely; phishing-resistant factors (FIDO2 security keys and passkeys, which bind the credential to the real origin) and short-lived, device-bound tokens close those specific paths.
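The bypass techniques listed here and in the phishing section above each leave a distinct trace in identity-provider logs. The script below is an added example, not code from the DBIR or the post's author: over constructed MFA push and session logs it flags (1) prompt bombing, a burst of push prompts to one user that ends in an approval, (2) token theft, a session token presented from a different IP and client than the one that obtained it (the same signal an AiTM-captured cookie produces when it is replayed), and (3) the session that opens right after a fatigued user finally taps approve, so the two can be tied together. Window sizes, field names and addresses are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MFA push log (not real telemetry): (timestamp, user, result).
MFA_PUSHES = [
    ("2025-05-02T07:58:00", "alice", "approved"),   # ordinary morning login
    ("2025-05-02T22:10:00", "bob", "denied"),
    ("2025-05-02T22:10:40", "bob", "timeout"),
    ("2025-05-02T22:11:20", "bob", "denied"),
    ("2025-05-02T22:12:00", "bob", "denied"),
    ("2025-05-02T22:12:45", "bob", "approved"),     # user gives in to the prompts
]

# Constructed session-token usage log: (timestamp, user, token_id, src_ip, user_agent).
SESSION_EVENTS = [
    ("2025-05-02T08:00:00", "alice", "tok-1", "203.0.113.10", "Chrome/124 Windows"),
    ("2025-05-02T08:30:00", "alice", "tok-1", "203.0.113.10", "Chrome/124 Windows"),
    ("2025-05-02T08:34:00", "alice", "tok-1", "198.51.100.9", "python-requests/2.31"),  # replayed
    ("2025-05-02T22:13:00", "bob",   "tok-2", "198.51.100.9", "Chrome/124 Windows"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def detect_mfa_fatigue(pushes, window=timedelta(minutes=10), min_pushes=4):
    """Flag users who receive `min_pushes` or more prompts inside `window`.
    A burst that ends in an approval is the prompt-bombing success case."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(pushes):
        by_user[user].append((_ts(ts), result))
    alerts = {}
    for user, evs in by_user.items():
        win = deque()                      # sliding window of recent prompts
        for t, result in evs:
            win.append((t, result))
            while t - win[0][0] > window:
                win.popleft()
            if len(win) >= min_pushes:
                alerts[user] = {
                    "pushes": len(win),
                    "rejected": sum(1 for _, r in win if r != "approved"),
                    "ended_with_approval": result == "approved",
                    "last_push": t,
                }
    return alerts


def detect_token_replay(sessions):
    """Flag a session token presented from a different IP or client than
    the one that first used it: the signature of a stolen or AiTM-captured token."""
    first_use = {}
    alerts = []
    for ts, user, token, ip, ua in sorted(sessions):
        if token not in first_use:
            first_use[token] = (ip, ua)
            continue
        orig_ip, orig_ua = first_use[token]
        if ip != orig_ip or ua != orig_ua:
            alerts.append({"user": user, "token": token, "first_ip": orig_ip,
                           "replay_ip": ip, "replay_ua": ua, "at": _ts(ts)})
    return alerts


def sessions_after_fatigue(fatigue_alerts, sessions, within=timedelta(minutes=15)):
    """For each user whose push burst ended in an approval, return the
    sessions opened shortly afterwards; that session is the attacker's."""
    out = []
    for user, a in fatigue_alerts.items():
        if not a["ended_with_approval"]:
            continue
        for ts, u, token, ip, _ua in sorted(sessions):
            if u == user and timedelta(0) <= _ts(ts) - a["last_push"] <= within:
                out.append((user, token, ip))
    return out


if __name__ == "__main__":
    fatigue = detect_mfa_fatigue(MFA_PUSHES)
    print("MFA fatigue:", fatigue)
    print("token replay:", detect_token_replay(SESSION_EVENTS))
    print("sessions after approval:", sessions_after_fatigue(fatigue, SESSION_EVENTS))
```

On the sample data bob is flagged for five prompts in under three minutes with the last one approved, alice's token is flagged when it reappears from 198.51.100.9 with a scripting user agent, and the session bob's approval opened comes from that same address, which is the kind of pivot worth an automatic session revocation. Raw IP comparison is noisy for mobile and VPN users; comparing ASN, or requiring both IP and client to change, cuts false positives, and binding tokens to the device (so a copied cookie is useless elsewhere) removes the replay path rather than just detecting it.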

Conclusion: What the 2025 DBIR Really Tells Us

The numbers in the 2025 DBIR point to something straightforward:
attackers aren’t getting “more creative,” they’re getting more efficient.

  • Stolen credentials are still an easy way in.

  • Unpatched edge devices are now one of the fastest-growing targets.

  • Phishing continues to work because human behavior doesn’t change as fast as technology.

  • Ransomware keeps showing up because it still makes attackers money.

  • Third-party weak spots are becoming the new normal.

  • State-sponsored groups are mixing intelligence work with financial crime.

Nothing in the report suggests attackers are slowing down.
What is changing is the speed of exploitation, the automation behind attacks, and the shrinking gap between vulnerability disclosure and real-world exploitation.

The takeaway is simple:

Organizations that don’t patch their edge devices, don’t rotate secrets, and don’t train employees will end up in next year’s statistics.
The attackers are adapting, so defenders have to move just as fast.
