Data Security

2025 DBIR: Breaches, Ransomware, and Stolen Credentials — The Invisible Economy of Access

juanhernandez@preyhq.com
Juan H.
Jun 19, 2025

The 2025 DBIR is out, and it doesn’t pull any punches. With over 12,000 confirmed breaches analyzed, this year’s report spotlights the usual suspects—ransomware and stolen credentials—alongside growing concerns like third-party failures and the double-edged use of AI. From small businesses to global players, no one came out unscathed, and the tactics are evolving fast.

Forget flashy zero-day exploits: most attackers are walking in the front door. The report found that, among the infostealer-compromised systems that held corporate logins, 46% were unmanaged devices, typically personal machines that stored work and personal credentials side by side. The gap is rarely a firewall rule; it is the old credential still saved in a browser on a device that no BYOD policy actually covers. In many cases the stolen access is the breach.

Ransomware: More frequent, more targeted, and fueled by third parties

Ransomware isn’t slowing down—in fact, it’s hitting harder and more often. According to the 2025 DBIR, ransomware showed up in 44% of all data breaches last year. But the biggest blow landed on small and mid-sized businesses: a staggering 88% of their breaches involved ransomware. For SMBs, it’s no longer if, but when.

Big-name incidents like Snowflake and MOVEit drove the point home: a third party can become your liability fast. At Snowflake, customer accounts without MFA were taken over with credentials that infostealers had already harvested; at MOVEit, a zero-day in a widely deployed file-transfer product gave a single extortion crew a route into many organizations at once. Combine that with Ransomware-as-a-Service (RaaS) and a growing reliance on external vendors, and attackers don't even need to work that hard. The infrastructure is practically built for them.

Key stats:

  • Ransomware appeared in 44% of all breaches (up from 32% in last year's report, a 37% relative increase).
  • 88% of SMB breaches involved ransomware.
  • 64% of victims refused to pay the ransom.
  • Median ransom payment dropped to $115,000, down from $150,000.

The credential economy: BYOD, infostealers, and access brokers

Credentials are becoming currency—and too many devices are handing them out for free. The DBIR found that 30% of compromised systems were enterprise-managed, but a larger chunk—46%—were unmanaged, likely BYOD or simply outside IT’s control. These devices often stored both personal and corporate logins. Whether teams are remote, hybrid, or in-office, the risk doesn’t care where the work happens.

The connection to ransomware is striking. Of the ransomware victims analyzed, 54% had their domains appear in infostealer logs or marketplace listings, and 40% had corporate email addresses leaked alongside them. These aren't loose ends: there is strong evidence that initial access brokers package these stolen credentials into ready-made entry points for ransomware affiliates, with infostealer malware doing the heavy lifting of collection.

Key stats:

  • 30% of compromised devices were enterprise-managed.
  • 46% were unmanaged, often BYOD or out-of-policy.
  • 54% of ransomware victim domains appeared in credential dumps.
  • 40% had corporate email addresses exposed.
  • Many leaks involved both personal and business credentials.
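To make the domain and email matching concrete, here is an added example (not code from the DBIR, from Prey, or from this post) that triages a constructed infostealer-log export against an organization's own domains. It flags leaked corporate accounts that need a reset, non-corporate logins saved for corporate hosts, and infected machines that held both work and personal logins, the unmanaged-device pattern the stats above describe. The log layout, the `example.com` domain, the hostnames and every record are assumptions; the check itself is the one a credential-exposure monitoring service performs at scale.

```python
"""Triage a constructed infostealer-log export against an organization's own domains.
Added example, not code from the DBIR, from Prey or from this post. The log layout,
the example.com domain, the hostnames and every record are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample. Assumed layout: machine_id|url|username|password, one line per
# saved credential, the way stealer logs are commonly flattened before being sold.
SAMPLE_DUMP = """\
mach-01|https://sso.example.com/login|alice@example.com|Winter2024!
mach-01|https://www.netflix.com/login|alice.smith@gmail.com|hunter2
mach-02|https://accounts.google.com/|bob.personal@gmail.com|pa55word
mach-03|https://mail.example.com/owa|carol@example.com|carol|2023
mach-03|https://vpn.example.com|carol@example.com|carol|2023
mach-04|https://forum.example.org/|dave@example.org|letmein
mach-05|https://sso.example.com/login|eve.contractor@outlook.com|Spring25
mach-06|https://example.com.evil.net/|frank@example.com.evil.net|lookalike
malformed line without delimiters
"""

CORP_DOMAINS = {"example.com"}  # assumption: the organization's mail and SSO domain(s)


@dataclass
class Record:
    machine_id: str
    host: str
    username: str
    password: str


@dataclass
class Finding:
    machine_id: str
    username: str
    host: str
    kind: str  # corporate_account | corporate_app | mixed_device
    actions: list[str] = field(default_factory=list)


def in_domain(name: str, domains: set[str]) -> bool:
    """Exact or subdomain match only: a substring check would accept the look-alike
    'example.com.evil.net', which is exactly what phishing kits register."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def parse_dump(text: str) -> list[Record]:
    records = []
    for line in text.splitlines():
        parts = line.split("|", 3)  # password is last and may itself contain '|'
        if len(parts) != 4:
            continue  # junk or truncated line: skip it, do not abort the whole run
        machine_id, url, user, pw = (p.strip() for p in parts)
        host = (urlsplit(url).hostname or "").lower()
        if host:
            records.append(Record(machine_id, host, user.lower(), pw))
    return records


def triage(records: list[Record], corp_domains: set[str] = CORP_DOMAINS) -> list[Finding]:
    findings = []
    per_machine: dict[str, dict[str, bool]] = {}
    for r in records:
        user_domain = r.username.rsplit("@", 1)[1] if "@" in r.username else ""
        corp_user = in_domain(user_domain, corp_domains)
        corp_host = in_domain(r.host, corp_domains)
        flags = per_machine.setdefault(r.machine_id, {"corp": False, "personal": False})
        flags["corp" if (corp_user or corp_host) else "personal"] = True
        if corp_user:
            # A leaked corporate identity (the 40% case): reset, revoke, confirm MFA.
            findings.append(Finding(r.machine_id, r.username, r.host, "corporate_account", [
                "force password reset",
                "revoke active sessions and refresh tokens",
                "confirm MFA is enforced for this account",
            ]))
        elif corp_host:
            # A non-corporate login saved for one of our hosts: still our problem.
            findings.append(Finding(r.machine_id, r.username, r.host, "corporate_app", [
                f"search auth logs of {r.host} for this username",
            ]))
    for machine_id, flags in per_machine.items():
        if flags["corp"] and flags["personal"]:
            # Work and personal logins on one infected machine: the unmanaged/BYOD pattern.
            findings.append(Finding(machine_id, "", "", "mixed_device", [
                "identify the device owner; treat the device as unmanaged and compromised",
            ]))
    return findings


def summarize(findings: list[Finding]) -> tuple[dict[str, int], list[str]]:
    """Counts per finding kind plus the de-duplicated list of accounts to reset."""
    counts: dict[str, int] = {}
    reset = set()
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
        if f.kind == "corporate_account":
            reset.add(f.username)
    return counts, sorted(reset)


if __name__ == "__main__":
    counts, reset = summarize(triage(parse_dump(SAMPLE_DUMP)))
    print(counts)
    print("accounts to reset:", reset)
```

Two details matter in practice: the domain test is an exact-or-subdomain match rather than a substring search, so a registered look-alike such as `example.com.evil.net` is not mistaken for your own domain, and the password is parsed as the final field so delimiters inside it do not corrupt the record. Carol's credential shows up on two hosts and is reported twice, but the reset list de-duplicates to one account.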

AI enters the scene: Empowering both attackers and unwitting employees

AI isn’t just writing poems anymore—it’s writing meticulous phishing emails, deepfakes, and it’s getting scarily good at it. According to the DBIR, the number of malicious emails crafted with GenAI has doubled in the last two years. Attackers are now scaling their social engineering with speed and polish that would’ve taken human effort days to match.

But attackers aren't the only ones misusing AI. Internally, 15% of employees access GenAI platforms from corporate devices at least once every 15 days. Worse, 72% of them sign in with personal email accounts, and 17% with corporate email addresses on accounts that are not federated through the company's SSO or SAML, so IT can neither see what gets uploaded nor switch the account off when someone leaves. That's a wide-open door for sensitive data to end up somewhere it shouldn't.

Key stats:

  • AI-written malicious emails have doubled in 2 years from “5-ish% to 10-ish%”.
  • 15% of employees use GenAI tools regularly on corporate devices.
  • 72% of users accessed GenAI tools with personal emails.
  • 17% used corporate emails on accounts without SSO/SAML-integrated authentication.
  • Major risk: unintentional data exposure via uploads.

Credentials as the dominant attack vector: Just a password from last year

Stolen credentials topped the list again as the most common initial access vector: 22% of breaches started this way, edging out vulnerability exploitation (20%) and phishing (16%). Once you add the credentials harvested through phishing, the picture is clear: the real issue isn't only tricking users or breaking in, it's logging in with keys that were already leaked.

So where are attackers getting these keys? Everywhere. Public code repositories like GitHub and GitLab are gold mines for exposed secrets. Infostealer malware continues to quietly scoop up credentials from infected devices. And the dark web? Still busy, still full of credentials being bought and sold like candy.

Key stats:

  • 22% of breaches began with stolen credentials.
  • Credential abuse + phishing outpace vulnerability exploitation.
  • Common sources: Git repos, dark web markets, and infostealers.
  • GitLab tokens made up 50% of leaked CI/CD secrets.
  • Median time to remediate leaked GitHub secrets: 94 days.
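As an added example (not the DBIR's or Prey's code, and not from this post), the following pre-commit style scanner catches the kinds of secrets that end up in public repositories: it matches the documented public prefixes of GitLab personal access tokens (`glpat-`), GitHub tokens (`ghp_` and its siblings) and AWS access key IDs (`AKIA`), plus JWTs and generic `KEY=` / `SECRET=` / `PASSWORD=` assignments filtered by Shannon entropy so that placeholders and low-entropy dummies are not reported. The exact token lengths, the placeholder list and every sample file are assumptions.

```python
"""Scan a constructed snapshot of repository files for leaked tokens.
Added example, not code from the DBIR, from Prey or from this post.
Token prefixes (glpat-, gh?_, AKIA) are documented public formats; the lengths,
the placeholder list and the sample files are assumptions."""
from __future__ import annotations

import math
import re

# Specific rules first and the generic rule last, so a token that a specific rule
# recognises is reported once, under the more precise name.
RULES = {
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_\-]{20}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_\-]{10,}\.eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}"),
    # KEY=..., secret: "...", password = '...' with a value of 16+ token characters
    "generic_assignment": re.compile(
        r"(?i)(?:key|secret|token|passw(?:or)?d)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"),
}

# Substrings that mark an obvious placeholder rather than a live secret (assumption).
PLACEHOLDERS = ("example", "changeme", "change_me", "your_", "xxxx", "dummy", "placeholder", "<")

# Constructed repository snapshot, path -> content. Every value below is made up.
SAMPLE_REPO = {
    ".gitlab-ci.yml": (
        "deploy:\n"
        "  script:\n"
        '    - curl -H "PRIVATE-TOKEN: glpat-Ab12Cd34Ef56Gh78Ij90" https://gitlab.example.com/api/v4/projects\n'
    ),
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYzq9Lm2Ks1R\n"
        "DB_PASSWORD=CHANGE_ME_BEFORE_DEPLOY\n"
    ),
    "src/settings.py": (
        "API_KEY = 'your_api_key_here'\n"
        "SESSION_SECRET = 'aaaaaaaaaaaaaaaaaaaa'\n"
        'SERVICE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjaSJ9.abcdef0123456789ABCDEF"\n'
    ),
    "README.md": "Run with: gh auth login --with-token < ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij\n",
}


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for 'aaaa...', well above 4 for a random base64 string."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def redact(secret: str) -> str:
    """Never echo the full secret into scanner output or CI logs."""
    return f"{secret[:6]}...({len(secret)} chars)"


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[dict]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()  # one finding per distinct secret on a line
        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                if secret in seen or any(p in secret.lower() for p in PLACEHOLDERS):
                    continue
                if rule == "generic_assignment" and shannon_entropy(secret) < min_entropy:
                    continue  # 'aaaa...' style dummies are not worth an alert
                seen.add(secret)
                findings.append({"path": path, "line": lineno, "rule": rule, "preview": redact(secret)})
    return findings


def scan_repo(files: dict) -> list[dict]:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def main() -> int:
    """Non-zero exit so a pre-commit hook or CI job blocks the commit."""
    findings = scan_repo(SAMPLE_REPO)
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['rule']} {f['preview']}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a pre-commit hook over the staged files, the non-zero exit is what stops the secret from ever reaching the remote; once it is pushed, the 94-day median above is the timescale you are working against, and the only safe remediation is to revoke the token, not to delete the commit. The entropy gate is a trade-off: it silences placeholders and test fixtures, but a real password of low entropy (a dictionary word) would slip past it, which is why the prefix rules are not entropy-gated.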

How dark web monitoring helps you fight back against credential attacks

DBIR has, once again, laid out the stark reality of credential compromise – it's not an 'if' but a 'how many are already out there?'. For IT leaders, this likely raises familiar concerns: "Another significant threat to address. How can we effectively act on this information without simply adding to our operational burden?" It's a critical question for security professionals.

This is where the value proposition of dark web monitoring becomes evident. Its purpose isn't to contribute another alert to an already complex monitoring environment. Instead, it’s focused on delivering actionable intelligence from dark web online forums and marketplaces, enabling you to address threats before a compromised credential escalates into a significant security incident.

Consider these points:

  • Turning unknowns into knowns: The DBIR highlights widespread credential leakage. Dark web monitoring, however, identifies if your organization's specific credentials – from executive accounts to those of new team members – are found within this exposed data on illicit marketplaces or forums. This transforms a general threat into a specific, actionable list for remediation.
  • Proactive defense, not just post-breach cleanup: Relying on user reports or post-incident discovery (such as a ransomware demand) to learn of a compromised credential means you're already in reactive, damage-control mode. In contrast, dark web monitoring functions like an early warning system, identifying exposed credentials before they are widely exploited. This provides the crucial window to implement protective measures, such as mandating password resets for affected accounts or escalating monitoring on potentially compromised users, shifting your team from reactive incident response to proactive risk mitigation.
  • Justifying security investments: Realistically, every security investment must demonstrate clear value. The significant costs associated with a single breach initiated by stolen credentials – encompassing incident response, reputational harm, potential regulatory penalties, and extensive operational disruption – far outweigh the investment in proactively detecting these exposed credentials. This allows you to report to leadership and the board that the organization isn't merely hoping to avoid incidents, but is actively identifying its exposed data where cybercriminals might acquire it. This provides a clear return on investment through tangible risk reduction and, importantly, contributes to greater confidence in your security posture.
  • Supporting compliance objectives: While not a panacea for all compliance tasks, demonstrating proactive monitoring for compromised credentials is a significant factor in satisfying due diligence requirements under various regulatory frameworks (such as GDPR, HIPAA, and ISO 27001). Auditors typically view such proactive measures favorably, as they indicate a mature approach to risk management that extends beyond reactive responses.

Conclusion: Securing the basics is getting more complex

Getting the basics right isn’t so basic anymore. Tightening controls around BYOD, stolen credential visibility, and third-party access has become urgent. It’s no longer just about securing the network—it’s about protecting identity, trust, and every link in the access chain.

From laptops in home offices to cloud applications and now AI platforms, security needs to be an integral part of the design, not an afterthought hastily bolted on. In this environment, a zero trust mindset isn’t just a buzzword; it’s a fundamental necessity for survival. And knowing what parts of your "trusted" environment have already been compromised on the dark web? That’s becoming a non-negotiable part of that foundation.

Check your dark web exposure and see how Prey helps you take control of your stolen credentials.
