
By Bill Bradley, Product Marketing
Half of all organizations that fell victim to ransomware in the 2026 Verizon Data Breach Investigations Report (DBIR) had a credential or infostealer event occur within 95 days before the attack. Not 95 days after, but before. The credential exposure preceded the breach, sitting in criminal marketplaces as a priced, purchasable entry point while the countdown ran. That single finding reframes how identity and security leaders can read the rest of the report. The headline numbers (credential abuse dropping to 13% of initial access, vulnerability exploitation rising to 31%) tell a surface-level story of attackers shifting tactics. The deeper story, visible when you look at credentials across the entire breach progression rather than just the front door, is that stolen credentials still appear in 39% of all breaches and remain the mechanism that enables lateral movement, privilege escalation, and persistence once attackers are inside.
As a contributing organization for the second consecutive year, Flare had a part in shaping the report. For identity and security leaders, the data is worth reading carefully. The numbers indicate where your program needs to be to best protect your organization and the identities that are part of it, whether employees, partners, suppliers, or customers.
Here is how to interpret the findings that matter most.
Credential Exposure Left Unaddressed Is a Countdown, Not Just a Risk
Flare detects compromised credentials and session cookies the moment they appear in criminal markets, surfaces the context that tells you which systems are at risk, and triggers automated revocation through Entra ID and Okta before attackers convert exposure into access.
While Credential Abuse is Down, There’s a Catch
Stolen credentials as the initial access vector dropped to 13% of breaches. This may sound like good news, but there’s more to the story.
Credential abuse didn’t decline because organizations got better at protecting credentials. It declined because attackers found a faster lane, and in some cases, a more persuasive one. The underlying supply of stolen credentials is still growing. Moreover, credential abuse remains a simple and often undetectable vector, until it’s too late.
Part of the story is pretexting. The DBIR reports that pretexting reached 6% of all breaches this year and has become a more common initial access vector specifically for ransomware and extortion attacks. Pretexting is social engineering built on fabricated trust: an attacker constructs a believable scenario, usually over voice or text, to convince someone to hand over credentials or grant access directly. It doesn’t show up in the “credential abuse” column because the credential wasn’t technically stolen, but the outcome is identical. The attacker ends up with valid access to your environment, and their actions never trigger an alert because the login looked legitimate.
Think of it like this: if someone used to pick your lock 30% of the time and now they do it 13% of the time, that doesn’t necessarily mean your door is safer. It means they’ve also started manipulating people into handing over the key, or quietly copying it while you weren’t looking.
When you see credential abuse as an initial access vector drop to 13%, read it as a redistribution, not a reduction. Attackers are still going after credentials. They are just diversifying how they get them, splitting effort between infostealers harvesting them quietly in the background and pretexting campaigns asking for them directly. The DBIR makes this point directly: if you consider credential abuse at any point in the breach progression, not just initial access, it sits on top at 39%. The 13% figure is a piece of a larger problem, and credentials are still the chokepoint.
The important number isn’t 13%. It’s what the DBIR found when it looked at ransomware victims specifically: 50% of organizations that fell victim to ransomware had a credential or infostealer event occur within 95 days prior to the attack. Credential exposure is the countdown to the breach.
Stolen Credentials Still Power 36% of All Breaches
Separate from initial access vectors, the DBIR tracks what actions appeared across all confirmed breaches. Stolen credentials hold steady at 36%, meaning even when attackers get in through a vulnerability, stolen credentials are what they use once they’re inside. They enable lateral movement, privilege escalation, and persistence. They are the mechanism, not just the entry point. What’s more likely to go undetected: someone running an exploit, or a login among thousands?
For identity and security leaders, the implication is direct. Monitoring how attackers get in is necessary but not sufficient. You need visibility into the credential exposure that determines what attackers can do once they’re there.
The Initial Access Broker Economy has a Published Price List
One of the more sobering sections of this year’s report examines initial access brokers, the criminal intermediaries who compromise organizations and then sell that access to ransomware operators. The DBIR found that standard user accounts sell for around $700. Administrative accounts fetch close to $1,300. In healthcare, those numbers carry a different kind of weight. Flare found that within the healthcare industry, 74% of nearly 61,000 healthcare-exposed logs contained EHR/EMR access, the systems holding patient demographics, SSNs, diagnoses, medications, and insurance data. When credentials provide access to clinical systems, cyber risk becomes patient safety risk.
Those prices represent your organization’s credentials listed in criminal marketplaces, waiting for a buyer. The ransomware group doesn’t have to find your security gaps or vulnerabilities; it only has to shop for credentials. The DBIR is explicit that ransomware operators increasingly outsource the initial access phase entirely, purchasing what IABs have already harvested from infostealer campaigns.
The gap between a credential appearing in a stealer log and that credential being used against you is narrowing. Speed of detection and remediation is the baseline requirement. Automation through integrations with Entra and Okta can enable this at machine speed.
Third-Party Exposure Grew 60% Year Over Year
Third-party involvement in breaches increased 60% from last year’s dataset, reaching 48% of total breaches. The DBIR describes three distinct vectors:
- data stolen from a vendor’s environment and used against that vendor’s systems
- credentials from a vendor’s environment used to reach your data directly
- lateral movement from a vendor connection into your network
The commonality across all three is identity. In every scenario, a compromised credential is the instrument. Your perimeter security is only as strong as the identity hygiene of every third party with access to your systems.
What this Means for your Security Program
Read through a strategic lens rather than a purely statistical one, the DBIR points in a clear direction. Threat actors have industrialized and specialized. They have marketplaces, brokers, AI assistance for phishing and vulnerability research, and documented playbooks that run faster than most security teams can manually respond to. Each link in the value chain has threat actors solely focused on one piece, meaning they have expertise and scale.
The direction the DBIR points toward isn’t more alerts. The human element was present in 62% of breaches, and social engineering continues to evolve toward mobile-centric vectors where click rates run 40% higher than email. Your analysts cannot manually track what criminal markets know about your organization’s identities.
What’s required is continuous, automated visibility into credential exposure before it becomes access, combined with automated remediation. That means monitoring dark web forums, infostealer marketplaces, and Telegram channels to surface exposures tied to your specific domains, and acting on them before the 95-day window closes.
The 2026 DBIR is built on 31,000 incidents, of which 22,000 were confirmed breaches. Its underlying message is that the fundamentals still matter most, and credential exposure left unaddressed is a countdown, not just a risk. The organizations that avoid becoming next year’s data points will be those that detect exposed credentials at the point of sale (not the point of use) and remediate at machine speed.





