The recently released 2025 Data Breach Investigations Report delivers a sobering but vital snapshot of the current cybersecurity environment. With over 12,000 confirmed breaches analyzed, the defining revelation isn't some breakthrough in attacker sophistication; it's the persistent success of low-friction intrusions. Weak credentials, exposed internet-facing systems, and insecure third-party connections continue to be the entry points of choice.
These seemingly simple gaps, when left unresolved, open the door to increasingly damaging attacks, from ransomware campaigns to espionage operations.
What’s especially concerning is how often these risks emerge in environments where control is fragmented. Third-party SaaS platforms, unmanaged personal devices, and loosely governed remote access tools create blind spots that security teams struggle to monitor or enforce. Attackers thrive in these shared-responsibility zones, where accountability is diffused and assumptions about trust often go untested.
Overlay that with the rapid integration of generative AI tools and sprawling developer ecosystems, and the challenge becomes even more complex. Sensitive data is now being shared with external models, tokens are being exposed in code repos, and critical infrastructure is often built on top of vendor APIs that lack strong security baselines.
Why It Matters: CIOs and technology leaders must ensure that identity, device, and vendor security are treated as core operational risks, not siloed technical concerns. This means accelerating automation in patch management, enforcing MFA and token expiration policies, validating third-party controls continuously (not just at onboarding), and formalizing how generative AI tools are used and monitored across the enterprise.
- Credential abuse remains the most reliable path to breach, and BYOD is making it worse: Over 88% of Basic Web Application Attacks in 2025 involved stolen or brute-forced credentials. This included logins harvested by infostealer malware from personal devices that mixed business and personal usage. In a sample of compromised credentials, 46% came from non-managed (i.e., not corporate-controlled) devices, suggesting that bring-your-own-device (BYOD) environments, whether official or unofficial, are still a major weak point. Attackers don't need to break down doors when credentials are being left in the open.
- Third-party exposure has doubled, and it’s reshaping how attackers gain access: Third-party involvement in breaches surged from 15% to 30% this year. Threat actors are exploiting both technical flaws, like zero-day vulnerabilities in partner platforms, and poor vendor security practices such as missing MFA or exposed credentials in public code repositories. The MOVEit and Snowflake-related breaches showed how attackers chain together credential reuse, token theft, and missing authentication policies to access sensitive data across environments. These failures don’t just expose vendors—they expose every organization connected to them.
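The report's point about credentials exposed in public code repositories (and the tokens-in-repos problem raised above) is one that a pre-commit check can catch before a push. The following is an added example, not code from the DBIR, Verizon, or any vendor: a small Python scanner that flags publicly documented token prefixes and high-entropy credential assignments in staged file contents. The file paths, contents, and token values are constructed for the example; the entropy threshold of 3.0 bits per character is an assumed tuning value.

```python
"""Added example (not from the DBIR or Verizon): a minimal pre-commit style scanner
that flags credential-shaped strings in source and config text before they reach
a public repository. All file contents and token values below are constructed."""
import math
import re
from collections import Counter

# Token prefixes follow the publicly documented formats; the values matched in
# SAMPLE_FILES are constructed and are not live credentials.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Catch-all for assignments such as api_key = "..."; group 2 is the value.
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character. Random tokens score high (above 4); repeated words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only a short prefix and suffix so findings can be triaged without re-leaking the secret."""
    return value[:4] + "..." + value[-2:]


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[dict]:
    """Return one finding per credential-looking match in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(2) if kind == "generic_assignment" else m.group(0)
                # The generic rule would otherwise flag placeholders like "passwordpassword";
                # an entropy floor (assumed value) keeps it focused on random-looking material.
                if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append({"path": path, "line": lineno, "kind": kind, "value": redact(value)})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of path -> contents (what a pre-commit hook would read from the index)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository contents.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        'api_key = "q8Zt2PmL0vXe7KbR4sWn"\n'  # random-looking: should be flagged
        'password = "passwordpassword"\n'  # low-entropy placeholder: should be skipped
    ),
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n"
        "  GITHUB_TOKEN: ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n"
    ),
    "README.md": "Set API_KEY in your environment; never commit it.\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['value']}")
    # A real hook would exit non-zero here to block the commit.
    raise SystemExit(1 if results else 0)
```

Run as a script it reports three findings (the random-looking API key, the AWS key id, and the GitHub token) and exits 1, while the README mention of `API_KEY` and the low-entropy placeholder password pass. Finding values are redacted on output so the scanner's own log does not become a second copy of the secret; a hook wired into CI would also want the same rules applied to historical commits, since a token removed in a later commit is still recoverable from the repository history.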
- Vulnerability exploitation is surging, especially on edge devices and VPNs: Exploited vulnerabilities are now the initial attack vector in 20% of breaches, a 34% year-over-year increase. Edge-facing devices and virtual private networks (VPNs) accounted for 22% of these cases, up dramatically from 3% the year before. Organizations often prioritized patching these assets, but only about 54% of known vulnerabilities were fully remediated, with a median remediation time of 32 days. Unfortunately, attackers now exploit many vulnerabilities on day zero, meaning patch delays, even by a few days, offer a dangerous window.
- Ransomware is still growing, but fewer victims are paying and ransoms are shrinking: Ransomware was involved in 44% of breaches this year, with smaller businesses hit the hardest: 88% of SMB breaches involved ransomware. However, the trend in ransom payments is shifting. Only 36% of victims paid their attackers in 2024, compared to 50% two years ago. The median ransom amount dropped from $150,000 to $115,000, likely due to better incident response preparation and a decline in successful extortion. Still, the overall presence of ransomware continues to expand, often following the use of stolen credentials or exploitation of edge vulnerabilities.
- Espionage-motivated breaches are increasing and now include financially driven nation-states: Breaches attributed to espionage rose to 17%, with attackers increasingly using the same initial access techniques as cybercriminal groups, exploiting software flaws and abusing credentials. Notably, 28% of state-sponsored breach incidents had financial motives, suggesting some actors are moonlighting for profit or blending economic espionage with cybercrime. These groups are particularly aggressive in targeting VPNs, management consoles, and infrastructure that remains exposed to the internet.
Go Deeper -> 2025 Data Breach Investigations Report – Verizon