By NHI Mgmt Group Editorial Team
Published 2026-05-20
Domain: Breaches & Incidents
Source: Push Security

TL;DR: Verizon's 2026 DBIR reports more than 22,000 confirmed breaches across 145 countries and shows vulnerability exploitation at 31% of initial access, but identity-related vectors still total 32% when phishing and adjusted credential abuse are combined, according to Verizon. The more urgent lesson is that identity abuse remains a full-breach-chain problem, not a declining front-door problem.


At a glance

What this is: Verizon's 2026 DBIR says vulnerability exploitation now leads initial access, but identity abuse remains statistically tied with it once phishing and adjusted credential abuse are combined.

Why it matters: IAM, NHI, and browser-security teams should read this as a warning that attack paths are converging, not replacing one another, so visibility, credential control, and third-party governance still need parallel investment.

By the numbers:

👉 Read Push Security's analysis of the 2026 DBIR identity and browser risk findings


Context

Verizon's 2026 DBIR is not a story about one attack surface replacing another. The core identity governance problem is that vulnerability exploitation, phishing, credential abuse, and pretexting now overlap across the same breach lifecycle, which makes single-control thinking too narrow for modern IAM programmes.

For identity teams, the important question is where access is created, reused, and abused across browsers, cloud apps, and third-party integrations. The report's taxonomy also matters because the way incidents are counted can hide how often credentials, sessions, and consent grants still sit inside the real attack path.

The practical takeaway is that both remediation speed and identity visibility now shape breach outcomes. That is true for human users, service accounts, and AI-adjacent workflows alike, because the attack surface is increasingly shared even when the initial vector looks different.


Key questions

Q: How should security teams respond when credential abuse appears across the whole breach chain?

A: They should treat credential abuse as a lifecycle problem, not just an authentication failure. That means monitoring for token reuse, session hijack, privilege drift, and stale third-party access after the first login event. The goal is to stop valid identity material from becoming reusable attack infrastructure across SaaS, cloud, and remote access services.

Q: Why do browser-based attacks create problems for IAM programmes?

A: Browser-based attacks shift identity risk into the place where users authenticate, approve access, and interact with connected apps. IAM programmes that only watch the IdP miss consent abuse, extension-based data capture, and session theft. Teams need browser-layer visibility to understand the real path from login to compromise.

Q: When should organisations prioritise credential rotation over more detection rules?

A: They should prioritise rotation when stolen secrets, long-lived tokens, or vendor credentials can remain valid long enough to be reused. Rotation matters most when the same identity artefact can open multiple services or support persistence. Detection still matters, but rotation reduces the attacker's usable window after compromise.

Q: How do third-party identities change breach accountability?

A: Third-party identities extend accountability beyond internal users because external access often persists through shared apps, OAuth grants, and cloud permissions. The organisation that owns the data must still know who can act, where access lives, and whether offboarding actually removes it. Without that, vendor risk becomes a direct identity risk.


Technical breakdown

Why breach taxonomies can blur identity risk

The DBIR's headline categories are useful, but they are not cleanly separable. Phishing, credential abuse, and pretexting are different labels for related behaviours that often converge on the same objective: obtaining valid access. The report also notes that some browser-based lures and synchronous voice-based scams sit in adjacent categories, which means identity risk is often wider than a single metric implies. That matters because defenders who optimise only for one vector can miss the combined pattern of credential harvesting, session theft, and consent abuse.

Practical implication: Treat breach metrics as directional signals, not complete inventories, and map them back to concrete identity events such as login, token use, and consent grants.

Why credential abuse still matters after initial access

Credential abuse does not end once a login succeeds. In real breach chains, stolen credentials, tokens, and session artefacts are used again for lateral movement, privilege escalation, and persistence. That is why the DBIR's 39% figure across the full breach progression is more revealing than the 13% initial-access number. It captures the fact that identity material remains valuable long after the first foothold, especially when environments allow broad reuse across SaaS, cloud, and remote access layers.

Practical implication: Build detections around reuse, abnormal session behaviour, and privilege transitions, not only first-login failures.

Why the browser has become an identity control point

The browser now sits at the intersection of credential entry, OAuth consent, AI tool access, and extension-based data collection. That makes it a governance layer rather than a simple user interface. When phishing moves into social media, phone-based pretexting, and malicious downloads, email security only sees part of the problem. Browser-layer visibility is therefore critical for understanding whether identity compromise began with a login prompt, a consent grant, a session hijack, or a user-triggered execution path.

Practical implication: Instrument the browser as an identity surface so teams can observe session creation, consent flows, and extension risk before data leaves the endpoint.


Threat narrative

Attacker objective: The attacker aims to turn either an exploit or a stolen identity into durable access that can be reused for movement, persistence, and monetisation.

  1. Entry occurs when attackers exploit a vulnerability or harvest credentials through phishing, pretexting, or browser-based lures to obtain valid access.
  2. Escalation follows when stolen credentials, tokens, or session artefacts are reused for lateral movement, privilege gain, or persistence across SaaS and cloud services.
  3. Impact is the completion of breach objectives through ransomware deployment, data theft, or third-party compromise that extends the blast radius beyond the first account.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity security has not weakened in the DBIR data; it has converged with vulnerability exploitation. The report's apples-to-apples comparison shows identity-related initial access at 32% versus 31% for vulnerability exploitation, which means the market is not moving away from identity risk. It is showing that identity and exploit paths are now equally material in the breach entry mix. For practitioners, that makes identity governance a parallel control plane, not a secondary one.

Credential abuse is still the durable breach primitive because it survives first access. The 39% full-chain figure is more important than the initial-access slice because it captures how stolen credentials, tokens, and sessions keep working after entry. This is the real operational problem for IAM and NHI teams: the same identity artefact can enable escalation, persistence, and repeat abuse. Practitioners should treat credential material as a lifecycle asset with downstream blast radius.

Browser-layer identity control is now a governance boundary, not a visibility nice-to-have. The DBIR's social engineering and browser-delivery patterns show that email-centric security models miss a large part of credential harvesting and consent abuse. Browser sessions are where users authenticate, grant access, and interact with AI services, which makes them the point where identity telemetry, extension control, and session risk converge. Teams should treat the browser as part of the identity stack.

Third-party identity hygiene remains one of the most stubborn breach accelerants. The DBIR's third-party figures line up with a broader governance failure: organisations still struggle to see and remediate vendor access quickly enough. That means access reviews, OAuth visibility, and offboarding discipline are not separate controls; they are one dependency chain. Practitioners need to manage external identities as part of the same lifecycle system that governs internal users.

Identity blast radius is the right named concept for this year's data. Once credentials, sessions, OAuth grants, and third-party links become portable across environments, the initial vector matters less than how far the identity can travel. That is why a single compromise now extends from the browser into SaaS, cloud, and partner ecosystems. The practitioner implication is to measure and reduce the distance an identity artefact can move after compromise.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, ahead of inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
  • For a broader governance lens, see 52 NHI Breaches Analysis for recurring failure patterns across real incidents.

What this signals

Identity blast radius: the practical problem is no longer whether a credential is stolen, but how far that credential can travel once it is used. That pushes teams toward session-aware monitoring, OAuth inventorying, and browser telemetry rather than relying only on perimeter and inbox controls.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, the governance gap is structurally bigger than many IAM roadmaps assume. The programme implication is clear: external access needs the same lifecycle discipline as internal access, or breach accountability will stay fragmented.

The browser has become the operational layer where identity, consent, and AI usage intersect, which means teams should watch for extension risk, session reuse, and unmanaged OAuth grants as early warning signals. The right control set is not just authentication, but continuous visibility into where identity material is active and how it is being reused.


For practitioners

  • Map identity events across the breach chain: Correlate login, token issuance, consent grants, privilege changes, and session reuse so you can see how a single identity artefact behaves after first access.
  • Instrument browser-layer telemetry: Capture browser session context, extension activity, and consent flow history because email controls alone cannot explain browser-based credential harvesting or AI tool exposure.
  • Shorten credential exposure windows: Prioritise rotation and revocation for API keys, OAuth tokens, and shared credentials that can survive beyond their intended use and later power lateral movement.
  • Review third-party access as a lifecycle problem: Tie vendor onboarding, offboarding, and permission change reviews to OAuth app inventories and cloud entitlements so external access does not outlive the business relationship.
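The following is an added example, not code from Push Security, Verizon, or NHI Mgmt Group, showing how the "Technical breakdown" advice to build detections around reuse, abnormal session behaviour, and privilege transitions, and the four practitioner steps above, can be turned into working logic. It correlates identity events per artefact (token, key, or session id) to compute an identity blast radius, flags artefacts that exceed a lifetime or service-spread policy, and reviews OAuth grants against an active-vendor list and an idle-age policy. All events, grant records, field names (artefact_id, service, event), vendor names, and the scoring weights are constructed assumptions for illustration; real telemetry from an IdP, SaaS audit log, or browser agent will use its own schema.

```python
"""Correlate identity events per artefact and measure blast radius.

Added example with constructed sample data; field names and policy
thresholds are assumptions, not any vendor's schema or defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, actor, artefact_id, event, service, source ip).
# tok-1 is issued in a browser login, then reused from a second address across
# several services, followed by a consent grant and a privilege change.
# key-9 is a service-account key used normally from one host against one service.
EVENTS = [
    ("2026-05-01T08:00:00", "alice", "tok-1", "login", "idp", "203.0.113.10"),
    ("2026-05-01T08:00:05", "alice", "tok-1", "token_issued", "idp", "203.0.113.10"),
    ("2026-05-01T09:10:00", "alice", "tok-1", "token_used", "mail", "203.0.113.10"),
    ("2026-05-02T22:30:00", "alice", "tok-1", "token_used", "storage", "198.51.100.7"),
    ("2026-05-02T22:31:00", "alice", "tok-1", "consent_granted", "oauth-app-42", "198.51.100.7"),
    ("2026-05-03T01:00:00", "alice", "tok-1", "privilege_change", "cloud-iam", "198.51.100.7"),
    ("2026-05-01T10:00:00", "svc-backup", "key-9", "token_used", "storage", "10.0.0.5"),
    ("2026-05-01T11:00:00", "svc-backup", "key-9", "token_used", "storage", "10.0.0.5"),
]


def summarise(events):
    """Group events by artefact and record where and how each one was used."""
    per = defaultdict(lambda: {"actor": None, "services": set(), "ips": set(),
                               "consents": 0, "priv_changes": 0,
                               "first": None, "last": None})
    for ts, actor, aid, event, service, ip in sorted(events, key=lambda e: e[0]):
        s = per[aid]
        t = datetime.fromisoformat(ts)
        s["actor"] = actor
        s["services"].add(service)
        s["ips"].add(ip)
        s["consents"] += event == "consent_granted"
        s["priv_changes"] += event == "privilege_change"
        s["first"] = s["first"] or t   # earliest event is the issuance/first sight
        s["last"] = t                  # events are sorted, so this is the latest
    return dict(per)


def blast_radius(summary_entry):
    """Illustrative score: how far the artefact travelled and what it unlocked.

    Weights are an assumption for this example, not a published metric.
    """
    s = summary_entry
    return len(s["services"]) + len(s["ips"]) + 2 * s["priv_changes"] + s["consents"]


def findings(summary, max_lifetime=timedelta(hours=24), max_services=2):
    """Return (artefact_id, reasons) for artefacts that breach reuse/lifetime policy."""
    out = []
    for aid, s in summary.items():
        reasons = []
        if len(s["services"]) > max_services:
            reasons.append(f"used against {len(s['services'])} services")
        if len(s["ips"]) > 1:
            reasons.append("used from multiple source addresses")
        if s["priv_changes"]:
            reasons.append("privilege changed after issuance")
        if s["consents"]:
            reasons.append("OAuth consent granted within the session")
        if s["last"] - s["first"] > max_lifetime:
            reasons.append("active beyond maximum lifetime; rotate or revoke")
        if reasons:
            out.append((aid, reasons))
    return out


# Constructed OAuth grant inventory and the vendors that still have a contract.
GRANTS = [
    {"app": "oauth-app-42", "vendor": "acme-analytics", "last_used": "2026-01-15", "scopes": ["files.read"]},
    {"app": "oauth-app-7", "vendor": "payroll-co", "last_used": "2026-05-10", "scopes": ["mail.read"]},
    {"app": "oauth-app-13", "vendor": "old-vendor", "last_used": "2026-05-12", "scopes": ["directory.readwrite"]},
]
ACTIVE_VENDORS = {"acme-analytics", "payroll-co"}


def stale_grants(grants, active_vendors, now_iso, max_idle=timedelta(days=90)):
    """Flag grants whose vendor was offboarded or that sat idle past policy."""
    now = datetime.fromisoformat(now_iso)
    flagged = []
    for g in grants:
        reasons = []
        if g["vendor"] not in active_vendors:
            reasons.append("vendor offboarded but grant still present")
        if now - datetime.fromisoformat(g["last_used"]) > max_idle:
            reasons.append("idle beyond policy; review or revoke")
        if reasons:
            flagged.append((g["app"], reasons))
    return flagged


if __name__ == "__main__":
    summary = summarise(EVENTS)
    for aid, reasons in findings(summary):
        print(f"{aid} (actor {summary[aid]['actor']}, blast radius {blast_radius(summary[aid])}):")
        for r in reasons:
            print(f"  - {r}")
    for app, reasons in stale_grants(GRANTS, ACTIVE_VENDORS, "2026-05-20"):
        print(f"{app}: {'; '.join(reasons)}")
```

Running the block flags tok-1 on all five policy checks (five services, two source addresses, a privilege change, a consent grant, and 41 hours of activity against a 24-hour lifetime) while key-9 stays quiet, and the grant review surfaces oauth-app-42 as idle and oauth-app-13 as belonging to an offboarded vendor. The point of keying everything on the artefact rather than the user is that it is the token or key, not the first login, that keeps working after entry.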

Key takeaways

  • The DBIR shows that identity attack paths remain as material as vulnerability exploitation once adjusted for taxonomy changes and full breach-chain activity.
  • Credential abuse is still the durable breach primitive because stolen identity material keeps working after initial access and can drive lateral movement, persistence, and ransomware outcomes.
  • Practitioners should treat browser visibility, third-party OAuth oversight, and credential lifecycle control as one governance problem rather than separate security projects.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation failures are a core driver of the identity abuse patterns discussed here.
NIST CSF 2.0 | PR.AC-4 | Least privilege and access enforcement are central to limiting breach-chain movement.
NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust access decisions should include browser and session context, not only login success.

Review NHI credential lifecycles and shorten exposure windows for tokens, keys, and shared secrets.


Key terms

  • Identity Blast Radius: The distance a compromised identity artefact can travel once an attacker obtains it. In practice, this includes how far a token, session, OAuth grant, or shared credential can be reused across systems before it is revoked or detected.
  • Browser-Layer Identity Control: The use of browser telemetry and policy to govern identity events that happen inside the session, such as login, consent, extension activity, and data movement. It treats the browser as part of the identity stack, not just a rendering surface.
  • Credential Abuse: The misuse of valid identity material such as passwords, tokens, API keys, or session artefacts. It is not limited to first access, because the same credential can be reused for escalation, persistence, lateral movement, or access to third-party services.
  • OAuth Consent Abuse: The exploitation of user or admin consent flows to gain access to data or applications without needing to steal a password. For identity teams, this is a governance problem because delegated access can persist unless it is inventoried, reviewed, and removed.

Deepen your knowledge

Identity blast radius, credential lifecycle control, and browser-layer visibility are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is trying to close the gap between initial access and full breach-chain abuse, it is worth exploring.

This post draws on content published by Push Security: analysis of Verizon's 2026 Data Breach Investigations Report and its implications for identity security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org