By NHI Mgmt Group Editorial Team
Published 2026-03-20
Domain: Governance & Risk
Source: Zluri

TL;DR: The 2026 breach landscape is still dominated by a small set of failure modes, led by phishing, weak credentials, unpatched systems, insider activity, and cloud misconfiguration, with IBM putting average breach cost at $4.88 million and Verizon attributing 22% of breaches to stolen credentials. The real problem is governance drift: organisations know the controls, but still leave access, patching, and cloud exposure unresolved.


At a glance

What this is: This is Zluri's analysis of the five most common breach causes in 2026, showing that familiar failure modes still drive most incidents and that identity and access gaps remain central.

Why it matters: It matters because IAM teams cannot treat breaches as purely technical events when phishing, credentials, offboarding, and cloud permissions all turn identity governance into the first containment layer across human, NHI, and autonomous programmes.

By the numbers:

👉 Read Zluri's analysis of the top 5 data breach causes in 2026


Context

Data breach prevention starts with identity because most high-frequency breach paths do not begin with exotic exploitation. They begin when attackers persuade a person, reuse a stolen credential, exploit an unpatched service, or take advantage of overexposed cloud access. That makes the primary security question one of governance, not just detection.

For IAM and NHI programmes, the significance is straightforward. If access is poorly controlled, offboarding is incomplete, or cloud permissions are broader than they should be, breach likelihood rises long before an attacker reaches sensitive data. The same pattern affects human accounts, service accounts, API keys, and autonomous systems that inherit or consume those identities.

Zluri's framing is useful because it ties familiar breach causes back to execution gaps rather than abstract threat lists. The article is strongest when it treats prevention as a discipline of access control, visibility, and operational follow-through rather than a one-time policy decision.


Key questions

Q: What breaks when credential hygiene is weak in enterprise environments?

A: Weak credential hygiene turns ordinary accounts into standing entry points for attackers. Reused passwords, default secrets, and unrevoked access let adversaries log in instead of breaking in, which makes detection slower and lateral movement easier. The practical risk is not just compromise but expanded blast radius across systems that should never have remained reachable.

Q: Why do phishing and social engineering still succeed against mature IAM programmes?

A: They succeed because they target trust decisions, not just technical controls. Even strong authentication can be undermined if a user is tricked into approving a session, revealing a code, or resetting access under false authority. IAM programmes fail when they assume the person at the keyboard will always validate intent correctly.

Q: How do security teams know whether cloud misconfiguration is becoming a breach risk?

A: Look for permissions and storage paths that no business owner can clearly explain, especially where third parties, SaaS tools, or service accounts can reach sensitive data. If access has been granted faster than it is reviewed, the control environment is drifting. The warning sign is reachability without ownership.

Q: Who is accountable when orphaned accounts or stale access contribute to a breach?

A: Accountability sits with the teams that own identity lifecycle, application access, and offboarding governance, not just the security function. If access is still active after a role change or departure, the organisation has accepted a governance failure. Compliance frameworks expect clear ownership, reviewability, and timely revocation across the access lifecycle.


Technical breakdown

Phishing and social engineering as identity bypass

Phishing works because it bypasses controls that assume users can reliably distinguish legitimate requests from malicious ones. Modern campaigns combine email, voice, collaboration tools, and AI-generated context to impersonate trusted actors and trigger credential entry or action approval. Adversary-in-the-middle phishing is especially effective because it can intercept live sessions after a user authenticates, which means the attacker does not need to break MFA in the traditional sense. The technical lesson is that authentication strength alone does not prevent trust abuse when the user is the control plane.

Practical implication: Treat phishing-resistant MFA, DMARC, and out-of-band verification as baseline controls for high-risk access paths.

Weak and reused credentials as standing access risk

Credential abuse remains effective because many environments still tolerate passwords, default secrets, and accounts that outlive the people or systems tied to them. Attackers use stuffing, spraying, brute force, or stolen passwords from other breaches to reach valid sessions without triggering exploit telemetry. Once inside, low-privilege access often becomes the foothold for privilege escalation and lateral movement. This is why credential hygiene is not just an authentication issue. It is a lifecycle and blast-radius issue: the longer a credential remains valid and broadly useful, the more valuable it becomes to attackers.

Practical implication: Reduce standing access by enforcing password reuse controls, deprovisioning discipline, and regular access review cycles.
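The section above describes stuffing, spraying and brute force as ways to reach valid sessions without triggering exploit telemetry; the telemetry that does exist is the authentication log. The following is an added example, not code from Zluri or NHI Mgmt Group, showing how a defender can separate a password spray (one source, many users, one or two attempts each) from a brute-force run (one source, one user, many attempts) and flag a source that succeeds after spraying. The log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Detect password spraying and brute-force patterns in authentication logs.

Added example (not from the Zluri article or NHI Mgmt Group). The log line
format, the sample events and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: look-back window per source
SPRAY_USERS = 5                  # assumption: distinct failed users from one source
BRUTE_ATTEMPTS = 6               # assumption: failures against one user from one source

# Constructed sample log: "<timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2026-03-20T09:00:01Z 203.0.113.10 alice FAIL
2026-03-20T09:00:03Z 203.0.113.10 bob FAIL
2026-03-20T09:00:05Z 203.0.113.10 carol FAIL
2026-03-20T09:00:07Z 203.0.113.10 dave FAIL
2026-03-20T09:00:09Z 203.0.113.10 erin FAIL
2026-03-20T09:00:11Z 203.0.113.10 frank FAIL
2026-03-20T09:00:13Z 203.0.113.10 svc-backup OK
2026-03-20T09:05:00Z 198.51.100.7 alice FAIL
2026-03-20T09:05:01Z 198.51.100.7 alice FAIL
2026-03-20T09:05:02Z 198.51.100.7 alice FAIL
2026-03-20T09:05:03Z 198.51.100.7 alice FAIL
2026-03-20T09:05:04Z 198.51.100.7 alice FAIL
2026-03-20T09:05:05Z 198.51.100.7 alice FAIL
2026-03-20T09:05:06Z 198.51.100.7 alice FAIL
2026-03-20T09:05:07Z 198.51.100.7 alice FAIL
2026-03-20T09:10:00Z 192.0.2.44 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (time, source_ip, user, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than failing the whole run
        ts, ip, user, result = match.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    events.sort()
    return events


def detect_credential_abuse(events):
    """Return spray and brute-force findings per source, with any later successes."""
    by_source = defaultdict(list)
    for event in events:
        by_source[event[1]].append(event)

    findings = []
    for ip, evs in by_source.items():
        fails = [(t, u) for t, _, u, ok in evs if not ok]
        successes = {u for _, _, u, ok in evs if ok}
        spray_users, brute_users = set(), set()
        for t, u in fails:
            # Failures from this source inside the look-back window ending at t.
            window = [(t2, u2) for t2, u2 in fails if t - WINDOW <= t2 <= t]
            users = {u2 for _, u2 in window}
            if len(users) >= SPRAY_USERS:
                spray_users |= users                  # many users, few tries each
            if sum(1 for _, u2 in window if u2 == u) >= BRUTE_ATTEMPTS:
                brute_users.add(u)                    # one user, many tries
        if spray_users:
            findings.append({"type": "password_spray", "source": ip,
                             "targets": sorted(spray_users),
                             "success_after": sorted(successes)})
        for u in sorted(brute_users):
            findings.append({"type": "brute_force", "source": ip, "targets": [u],
                             "success_after": sorted(successes & {u})})
    return findings


if __name__ == "__main__":
    for finding in detect_credential_abuse(parse_log(SAMPLE_LOG)):
        print(finding)
```

A spray that ends in a success is the case to escalate first: in the constructed sample the spraying source logs in as `svc-backup`, the service-account pattern this page returns to repeatedly. A single success from a new source with no prior failures (the last line) is not flagged here; correlating that with impossible-travel or device signals is a separate control.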

Cloud misconfiguration and third-party exposure as control-plane drift

Cloud breaches often happen when storage, permissions, or vendor integrations are configured more broadly than the business intended. In practice, the issue is not that cloud is insecure by default. It is that access paths multiply faster than teams can review them, especially when third parties, SaaS integrations, and shared environments are involved. Misconfiguration becomes dangerous when identities can reach sensitive data without clear ownership, scoped access, or monitoring. For NHI governance, this is where service accounts, tokens, and external connections become breach accelerants if they are not continuously inventoried and scoped.

Practical implication: Continuously inventory cloud access paths and review third-party entitlements before they become ungoverned exposure.
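The "reachability without ownership" test from the key questions and the inventory-and-recertify step above both reduce to the same check over a list of access grants. This added example, not code from Zluri or NHI Mgmt Group, treats storage, SaaS and vendor access uniformly as grant records and flags unowned paths to sensitive data, wildcard scopes, overdue reviews and unrecertified NHI or third-party reach; it goes slightly beyond the text by also ordering the review queue by worst issue. The `Grant` fields, the 90-day cadence, the severity ranking and the sample grants are constructed assumptions.

```python
"""Review cloud access grants for ownership, scope and review drift.

Added example (not from the Zluri article or NHI Mgmt Group). Field names,
the review cadence, the severity order and the sample grants are assumptions;
a real run would build the same records from IAM policies, bucket policies
and SaaS integration listings.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

REVIEW_MAX_AGE = timedelta(days=90)   # assumption: recertification cadence
TODAY = date(2026, 3, 20)             # constructed reference date

# Assumed severity order used to build the review queue.
SEVERITY = {"UNOWNED_PATH": 4, "NHI_SENSITIVE_UNRECERTIFIED": 3,
            "WILDCARD_SCOPE": 2, "REVIEW_OVERDUE": 1}


@dataclass
class Grant:
    principal: str
    principal_type: str            # "human", "service" or "third_party"
    resource: str
    sensitive: bool                # does the resource hold sensitive data?
    actions: Tuple[str, ...]       # granted actions, e.g. ("s3:GetObject",)
    owner: Optional[str] = None    # accountable business owner, if known
    last_reviewed: Optional[date] = None


def review_grant(grant, today):
    """Return the governance issues on one access path (empty list if clean)."""
    issues = []
    if grant.sensitive and grant.owner is None:
        issues.append("UNOWNED_PATH")        # reachability without ownership
    if any("*" in action for action in grant.actions):
        issues.append("WILDCARD_SCOPE")      # broader than any single task needs
    overdue = grant.last_reviewed is None or today - grant.last_reviewed > REVIEW_MAX_AGE
    if overdue:
        issues.append("REVIEW_OVERDUE")
    if overdue and grant.sensitive and grant.principal_type in ("service", "third_party"):
        issues.append("NHI_SENSITIVE_UNRECERTIFIED")   # NHI/vendor path to sensitive data, unrecertified
    return issues


def review_inventory(grants, today):
    """Map 'principal -> resource' to its issues, omitting clean grants."""
    findings = {}
    for grant in grants:
        issues = review_grant(grant, today)
        if issues:
            findings[f"{grant.principal} -> {grant.resource}"] = issues
    return findings


def prioritise(findings):
    """Order paths by worst issue, then by issue count, for the review queue."""
    return sorted(findings.items(),
                  key=lambda kv: (max(SEVERITY[i] for i in kv[1]), len(kv[1])),
                  reverse=True)


# Constructed sample inventory.
SAMPLE_GRANTS = [
    Grant("alice", "human", "hr-exports", True, ("s3:GetObject",),
          owner="HR Ops", last_reviewed=TODAY - timedelta(days=30)),
    Grant("svc-etl", "service", "customer-db", True, ("rds:*",)),
    Grant("vendor-analytics", "third_party", "events-bucket", True,
          ("s3:GetObject", "s3:ListBucket"),
          owner="Data Platform", last_reviewed=TODAY - timedelta(days=200)),
    Grant("bob", "human", "public-assets", False, ("s3:*",),
          owner="Web", last_reviewed=TODAY - timedelta(days=10)),
]

if __name__ == "__main__":
    for path, issues in prioritise(review_inventory(SAMPLE_GRANTS, TODAY)):
        print(path, issues)
```

The unowned, wildcard-scoped service account lands at the top of the queue, ahead of the vendor path that has an owner but missed its review; a path that is broad but non-sensitive and freshly reviewed sits last. That ordering is what "recertify who can reach sensitive data" looks like when the inventory is too large to read top to bottom.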


Threat narrative

Attacker objective: The attacker wants valid access to sensitive data or systems with as little noise as possible, then uses that access to expand reach and extract value before containment.

  1. Entry begins with phishing, stolen credentials, unpatched software, or an exposed cloud permission rather than a novel exploit.
  2. Escalation follows when the attacker uses valid access, overbroad permissions, or session interception to move from initial foothold to broader reach.
  3. Impact occurs when sensitive data is accessed, exfiltrated, or disrupted, often through accounts or systems that should have been revoked or constrained earlier.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Phishing is no longer just a human-awareness problem; it is an identity assurance failure. The article's phishing section shows that attackers now combine AI-generated context, real-time session interception, and impersonation across channels to defeat trust at the moment of authentication. That means the old assumption that a user can visually validate a request before acting is already too weak for modern breach conditions. The practitioner conclusion is that authentication design must be paired with explicit verification of intent, not just user presence.

Standing credential exposure remains the most repeatable breach condition across NHI and human identity programmes. Weak, reused, or orphaned credentials convert ordinary access into persistent attack surface, especially when deprovisioning and review cycles lag behind real-world change. 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to our 52 NHI breaches analysis. The practitioner conclusion is that lifecycle control, not inventory alone, determines whether access stays defensible.

Misconfigured cloud access creates identity blast radius faster than teams can govern it. Once storage, SaaS integrations, or third-party permissions outgrow the review process, the environment develops hidden paths to sensitive data that no one fully owns. This is where NHI governance becomes material because service accounts, tokens, and vendor integrations often carry the broadest privileges with the weakest oversight. The practitioner conclusion is to treat cloud access sprawl as a governance defect, not just an infrastructure issue.

Identity governance is now the shared control plane across human, NHI, and autonomous risk. The article's five causes all converge on the same pattern: access exists longer, broader, and more ambiguously than the business can defend. 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to our Ultimate Guide to NHIs. The practitioner conclusion is that breach prevention has become a lifecycle discipline, not a point-in-time security exercise.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to 52 NHI Breaches Analysis.
  • Only 5.7% of organisations have full visibility into their service accounts, which leaves breach investigation and entitlement review structurally incomplete.
  • Forward pivot: If your programme is still discovering identities late, the practical next step is Ultimate Guide to NHIs for lifecycle, rotation, and offboarding governance.

What this signals

Standing access is the real breach accelerator. When access survives role changes, vendor changes, and system changes, attackers inherit a security problem that the business already normalised. In practice, this means access review cadence, offboarding speed, and entitlement ownership matter more than policy statements.

The operational signal for teams is clear: cloud and identity programmes need to be measured by how quickly they shrink exposed paths, not by how many tools they have deployed. A mature programme should be able to show who owns each privileged path, when it was last reviewed, and whether it still needs to exist.

The broader market signal is that breach prevention is becoming an identity lifecycle discipline across humans and machines alike. NHI visibility, credential revocation, and third-party access control are no longer separate workstreams; they are the same control problem expressed through different actors.


For practitioners

  • Harden phishing-resistant access paths: Use hardware-key or passkey-based MFA for high-risk accounts, pair it with out-of-band verification for unusual requests, and remove SMS codes from privileged workflows.
  • Eliminate standing credential reuse: Mandate password managers, block credential reuse, and revoke accounts immediately when roles change or employment ends so credentials do not outlive accountability.
  • Review cloud permissions as a living control: Inventory SaaS, storage, and vendor-linked access paths continuously, then recertify who can reach sensitive data rather than relying on one-time configuration reviews.
  • Track unpatched exposure by business criticality: Move critical systems to risk-based patching windows, prioritise internet-facing assets, and maintain an end-of-life register for software that can no longer be secured in place.

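The second practitioner item, and the accountability question earlier on the page, both come down to a join between the HR source of truth and the directory: any enabled account whose person, or whose owner, is no longer active is an orphan. This added example, not code from Zluri or NHI Mgmt Group, performs that join for human and service accounts and also surfaces dormant and ownerless accounts, reporting how long each orphan has outlived its departure. The roster, the directory export, the field layout and the 90-day dormancy threshold are constructed assumptions.

```python
"""Find orphaned, ownerless and dormant accounts by joining a directory export to the HR roster.

Added example (not from the Zluri article or NHI Mgmt Group). The roster,
the directory records, the field layout and the dormancy threshold are
constructed assumptions.
"""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumption: no login for this long is dormant
TODAY = date(2026, 3, 20)            # constructed reference date

# Constructed HR roster: employment status per person.
ROSTER = {
    "alice": {"status": "active", "left_on": None},
    "bob":   {"status": "left",   "left_on": date(2026, 1, 15)},
    "carol": {"status": "active", "left_on": None},
}

# Constructed directory export: (account, kind, enabled, owner, last_login).
# Human accounts are keyed by the person; service accounts carry an owner.
DIRECTORY = [
    ("alice",         "human",   True, None,    TODAY - timedelta(days=2)),
    ("bob",           "human",   True, None,    TODAY - timedelta(days=70)),
    ("carol",         "human",   True, None,    TODAY - timedelta(days=120)),
    ("svc-reporting", "service", True, "bob",   TODAY - timedelta(days=1)),
    ("svc-legacy",    "service", True, None,    None),
    ("svc-build",     "service", True, "carol", TODAY - timedelta(days=3)),
]


def audit_accounts(directory, roster, today):
    """Return one finding per enabled account that fails a lifecycle check."""
    findings = []
    for account, kind, enabled, owner, last_login in directory:
        if not enabled:
            continue  # disabled accounts are out of scope for this check
        issues = []
        # The person the account is accountable to: the user, or the NHI's owner.
        person = account if kind == "human" else owner
        record = roster.get(person) if person else None
        if kind == "human":
            if record is None or record["status"] != "active":
                issues.append("ORPHANED")        # still enabled after departure
        else:
            if owner is None:
                issues.append("NO_OWNER")        # nobody to answer a review question
            elif record is None or record["status"] != "active":
                issues.append("ORPHANED_NHI")    # owner has left, account survives
        if last_login is None or today - last_login > DORMANT_AFTER:
            issues.append("DORMANT")
        if issues:
            days_since_departure = None
            if record and record["left_on"]:
                days_since_departure = (today - record["left_on"]).days
            findings.append({"account": account, "issues": issues,
                             "days_since_departure": days_since_departure})
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(DIRECTORY, ROSTER, TODAY):
        print(finding)
```

The service account owned by the departed employee is the case that usually escapes offboarding: the leaver's own login is disabled by a checklist, but the NHI that was only ever tied to them keeps running, here with a login one day ago. Feeding `days_since_departure` into a metric gives the "offboarding speed" measure the page asks for.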
Key takeaways

  • The article shows that the most common breach causes still cluster around identity failure, not exotic exploitation.
  • The scale is material, with average breach costs at $4.88 million globally and credential abuse remaining one of the most repeatable entry paths.
  • The most effective response is lifecycle governance, because access that is not revoked, reviewed, or constrained becomes breach surface.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 | Identity assurance is central to the phishing and credential abuse paths discussed here.
OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and revocation directly address stale access and orphaned accounts.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Least privilege is essential where cloud permissions and third-party access expand blast radius.

Audit NHI credential lifecycle against NHI-03 and remove any secret that cannot be revoked quickly.


Key terms

  • Phishing-resistant MFA: Authentication methods that do not rely on shared secrets or one-time codes easily replayed by attackers. In practice, this usually means hardware keys or passkeys that bind the login to the legitimate site and device, making session interception and credential replay much harder.
  • Standing privilege: Access that remains continuously available rather than being granted for a specific task or time window. It increases breach impact because an attacker who reaches the account can use it immediately, and a defender must rely on detection rather than prevention to limit abuse.
  • Orphaned account: An identity that still exists after the person, process, or system it belongs to is no longer active. Orphaned accounts are especially dangerous because ownership is unclear, review is delayed, and attackers can exploit them as persistent access paths without triggering obvious business alarms.
  • Cloud misconfiguration: A security failure caused by incorrect permissions, exposure settings, or integration design in cloud services. It is often less about the cloud platform itself and more about access paths that were created quickly, left broad, and never fully revalidated against actual business need.

Deepen your knowledge

Phishing-resistant MFA, lifecycle governance, and NHI access control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is dealing with recurring credential and offboarding risk, it is worth exploring.

This post draws on content published by Zluri: The Top 5 Common Causes of Data Breaches in 2026. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org