Atlas Apex

Verizon DBIR 2026: Credentials Still #1, Infostealers Industrialised

Research · Verizon · May 2026

The 2026 Verizon Data Breach Investigations Report keeps credentials at the top of the initial-access list for the second year running. 88% of web-application attacks use stolen credentials. Infostealers compromised 30% of corporate and 46% of unmanaged devices holding company credentials.

Key Finding

Credential stuffing accounted for 19% of all authentication attempts at the median over a two-year window. Identity is no longer merely the most attacked surface; it is the most attacked surface by a margin that is still widening.

The 2026 DBIR covers incidents between 1 November 2024 and 31 October 2025 — 12,195 confirmed breaches across more than 80 contributing organisations. The headline numbers are not surprising; they are stable in the wrong direction.

Credentials lead initial access for the second year in a row. Stolen credentials served as the initial access vector in 22% of confirmed breaches. In the basic-web-application pattern, the figure is 88%.

Credential stuffing is now constant background noise. Across two years of authentication telemetry from contributing identity providers, the median day saw 19% of authentication attempts as credential stuffing — automated retries of password lists against any reachable login. That figure is not a spike; it is the baseline.
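The pattern the report describes, a single source retrying a password list across many distinct accounts with a high failure rate, is detectable in ordinary identity-provider logs. The following is an added example, not code from the DBIR, Verizon, or Atlas Apex: it parses constructed sample log lines (the format and the thresholds are assumptions), flags sources whose traffic looks like stuffing, reports the share of all attempts attributable to them, and lists accounts that authenticated successfully from a flagged source, which are the ones worth forcing a credential rotation on.

```python
"""Flag credential-stuffing traffic in authentication logs.

Added example; the "timestamp ip username outcome" line format and the
thresholds below are assumptions to be tuned to real IdP telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one source cycles through many accounts and
# mostly fails; two ordinary users log in normally.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z 198.51.100.7 alice@example.com FAIL
2025-03-01T10:00:01Z 198.51.100.7 bob@example.com FAIL
2025-03-01T10:00:01Z 198.51.100.7 carol@example.com FAIL
2025-03-01T10:00:02Z 198.51.100.7 dave@example.com FAIL
2025-03-01T10:00:02Z 198.51.100.7 erin@example.com FAIL
2025-03-01T10:00:03Z 198.51.100.7 frank@example.com SUCCESS
2025-03-01T10:05:00Z 203.0.113.9 alice@example.com SUCCESS
2025-03-01T10:06:00Z 203.0.113.9 alice@example.com SUCCESS
2025-03-01T10:07:00Z 192.0.2.33 bob@example.com FAIL
2025-03-01T10:07:30Z 192.0.2.33 bob@example.com SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used for the stuffing heuristic."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # usernames that succeeded


def parse_log(text):
    """Yield (ip, username, outcome) tuples from the assumed log format."""
    for line in text.splitlines():
        _ts, ip, user, outcome = line.split()
        yield ip, user, outcome


def classify_sources(events, min_attempts=5, min_distinct_users=5,
                     min_fail_ratio=0.8):
    """Return (stats, flagged_ips).

    A source is flagged when it has enough volume, spreads attempts over
    many distinct usernames (a password list being walked, not one user
    mistyping) and fails most of the time.
    """
    stats = defaultdict(SourceStats)
    for ip, user, outcome in events:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if outcome == "FAIL":
            s.failures += 1
        else:
            s.successes.add(user)
    flagged = {
        ip for ip, s in stats.items()
        if s.attempts >= min_attempts
        and len(s.usernames) >= min_distinct_users
        and s.failures / s.attempts >= min_fail_ratio
    }
    return stats, flagged


def stuffing_share(text, **thresholds):
    """Fraction of all attempts that came from flagged sources, plus the set."""
    stats, flagged = classify_sources(parse_log(text), **thresholds)
    total = sum(s.attempts for s in stats.values())
    stuffed = sum(stats[ip].attempts for ip in flagged)
    return (stuffed / total if total else 0.0), flagged


def compromised_accounts(text, **thresholds):
    """Accounts that authenticated successfully from a flagged source."""
    stats, flagged = classify_sources(parse_log(text), **thresholds)
    hits = set()
    for ip in flagged:
        hits |= stats[ip].successes
    return hits


if __name__ == "__main__":
    share, sources = stuffing_share(SAMPLE_LOG)
    print(f"stuffing share: {share:.0%} from {sorted(sources)}")
    print("accounts to rotate:", sorted(compromised_accounts(SAMPLE_LOG)))
```

On the constructed sample the single walking source accounts for 60% of attempts, and the one account it guessed correctly is reported for rotation. The failure-ratio gate matters: a source that succeeds often across many users is more likely a shared NAT or a VPN egress than a stuffing bot, and treating it as one would lock out legitimate users.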

Infostealers have industrialised credential harvest. The report finds that infostealer malware reached 30% of corporate-managed and 46% of unmanaged devices that held company credentials. The harvested passwords are then aggregated into the leak ecosystem that Constella, SpyCloud, and other intelligence vendors continuously process — billions of records per year.

Password hygiene is not recovering. Of the compromised passwords analysed, only 3% met basic complexity criteria. The same handful of trivial passwords ("123456", "password") each account for hundreds of millions of compromises. For the median user, only 49% of the passwords used across services were distinct from one another.
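The three hygiene figures above (share meeting complexity criteria, the most-repeated passwords, and per-user distinctness across services) are straightforward to compute over a leak-style corpus, and doing so on your own exposure data is how you find out whether your population looks like the report's. This is an added example, not the DBIR's or any vendor's methodology: the records are constructed, and the complexity rule (at least 8 characters and at least three of four character classes) is an assumption standing in for whatever criteria you actually enforce.

```python
"""Hygiene metrics over (service, user, password) leak records.

Added example; CORPUS is constructed and the complexity rule is an assumption.
"""
import re
from collections import Counter, defaultdict
from statistics import median

CORPUS = [
    ("shop", "alice", "123456"),
    ("mail", "alice", "123456"),
    ("bank", "alice", "Tr0ub4dor&3"),
    ("shop", "bob", "password"),
    ("mail", "bob", "password"),
    ("forum", "carol", "Summer2024!"),
    ("shop", "carol", "Summer2024!"),
]

_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def meets_basic_complexity(pw, min_len=8, min_classes=3):
    """Assumed rule: minimum length plus at least min_classes character classes."""
    classes = sum(1 for pat in _CLASSES if re.search(pat, pw))
    return len(pw) >= min_len and classes >= min_classes


def complexity_share(corpus):
    """Fraction of records whose password meets the basic rule."""
    return sum(meets_basic_complexity(pw) for _, _, pw in corpus) / len(corpus)


def top_passwords(corpus, n=3):
    """Most-repeated passwords with their counts (ties keep first-seen order)."""
    return Counter(pw for _, _, pw in corpus).most_common(n)


def median_distinct_ratio(corpus):
    """Median over users of (distinct passwords / services) for that user."""
    per_user = defaultdict(list)
    for _, user, pw in corpus:
        per_user[user].append(pw)
    ratios = [len(set(pws)) / len(pws) for pws in per_user.values()]
    return median(ratios)


if __name__ == "__main__":
    print(f"meet complexity: {complexity_share(CORPUS):.0%}")
    print("most reused:", top_passwords(CORPUS))
    print(f"median distinct ratio: {median_distinct_ratio(CORPUS):.0%}")
```

Note that the distinctness metric needs plaintext or a consistent per-password hash across services to compare; a corpus of per-site salted hashes cannot answer it, which is one reason the figure comes from infostealer and leak data rather than from defenders' own stores.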

The implication for identity architecture has not changed since the 2024 and 2025 reports, only sharpened: password-based authentication, even with push-based MFA, is no longer a defensible primary control for anything that matters. The architectural response is phishing-resistant authentication, continuous session evaluation, and the assumption that any credential not yet in a breach corpus soon will be.
