Verizon DBIR: 22% of Breaches Start with Stolen Credentials

The Verizon Data Breach Investigations Report is the industry's largest empirical breach dataset. The 2025 edition analyzed over 22,000 security incidents and 12,000 confirmed data breaches from November 2023 through October 2024.

The central finding for identity security professionals: stolen credentials were the initial access vector in 22% of all confirmed breaches, the single highest category. In attacks against basic web applications, the figure rises to 88%.

Additional findings with identity implications: - 19% of all daily authentication attempts at SSO providers are credential stuffing attacks - Third-party involvement in breaches doubled to 30% year-over-year - Espionage-related breaches increased 163%, now accounting for 17% of incidents - Human error contributed to 60% of breaches

The credential stuffing statistic deserves particular attention. If nearly one in five authentication attempts at your SSO provider is an attack, then your identity infrastructure is under continuous assault. This is not an occasional threat. It is a persistent operational reality.

The doubling of third-party involvement also has direct identity architecture implications. Partner access, vendor integrations, and supply chain identities represent a growing proportion of breach vectors. Identity architecture must extend governance beyond organizational boundaries to encompass the full ecosystem of identities that access your systems.