The 2025 Verizon Data Breach Investigations Report (DBIR) provides one of the clearest views yet into how cybercrime is evolving into a mature, interdependent ecosystem. With over 12,000 confirmed breaches analyzed, this year’s report reveals a landscape shaped not just by individual threats but by entire economies of compromise, in which infostealers, access brokers, ransomware actors, and third-party platforms are intricately linked.
Summary of Key Takeaways
- Infostealers and ransomware now operate as part of a coordinated threat supply chain, increasingly enabled by traffic distribution systems and malicious adtech infrastructure.
- Vulnerability exploitation—particularly of edge and VPN devices—is sharply up, fueled by automation and rapid weaponization of zero-days.
- Third-party involvement in breaches has doubled, underscoring the fragility of modern supply chains and the blurred lines of accountability.
- Secrets leakage and credential reuse continue to plague developers and ops teams, giving attackers silent access to high-value environments.
- The unsanctioned use of generative AI tools is quietly introducing exposure risk, data sprawl, and weak governance at scale.
Below is a closer look at each of these trends, along with my interpretation of what they signal for cybersecurity leaders today.
1. Infostealers + Ransomware: The Threat Supply Chain Is Real
Perhaps the most chilling theme from this year’s DBIR is the growing interdependence between threat actors. Infostealers aren’t just stealing credentials anymore—they’re fueling a broader criminal economy.
54% of ransomware victims had their credentials appear in infostealer dumps. What’s more, many of these credentials came from unmanaged or BYOD endpoints—devices that existed in a shadow IT grey zone, used for both personal and professional purposes.
What we’re seeing is the emergence of a “stacked kill chain”: traffic distribution system (TDS) infrastructure and malicious adtech act as upstream enablers, redirecting victims to malware loaders; the loaders drop infostealers that harvest credentials; and access brokers validate and resell those credentials to ransomware crews. (Note: an access broker is a specialized player whose job is to validate, categorize, and resell compromised access, e.g. to corporate VPNs, RDP endpoints, or email accounts.) Each layer has its own monetization model, but together they form a coherent pipeline for breach-to-extortion attacks.
This model is efficient, scalable, and disturbingly quiet—because the initial compromise often occurs long before ransomware is even deployed.
2. Vulnerability Exploitation Becomes a Top Initial Access Vector
The report notes a 34% increase in breaches stemming from vulnerability exploitation, with edge devices and VPNs accounting for 22% of them—up from just 3% the year prior.
In practice, this means attackers are turning their attention to network perimeters and management consoles—where patching is hard, visibility is fragmented, and exposure is high. As defenders, we’re now facing adversaries who operate with rapid exploit development cycles, leveraging automation to weaponize zero-days almost as fast as they’re discovered.
This trend reflects a maturing threat actor landscape, where ransomware operators, in particular, are embracing exploit chaining and pre-ransom reconnaissance. It’s no longer enough to protect the core—the edge is the new battlefield.
3. The Third-Party Risk Explosion
In a stat that should give every CISO pause, the DBIR found that 30% of breaches now involve a third-party component—double from last year. These include software providers, SaaS platforms, and managed service vendors. The report references the Snowflake incident, where credential reuse, lack of mandatory MFA, and token management gaps created a perfect storm.
From my vantage point, this goes beyond just vendor management. It’s a wake-up call that the Shared Responsibility Model is often misunderstood or misapplied. Organizations are still treating cloud services like black boxes and underestimating the implications of privilege sprawl, misconfigurations, and stale secrets in partner environments.
It’s also a reflection of how security debt is being externalized across ecosystems—if your vendors are vulnerable, so are you.
4. Secrets Leakage: A Developer-Centric Achilles’ Heel
Secrets management continues to lag behind. The DBIR highlights hundreds of thousands of exposed credentials across public code repositories—many of them API keys, cloud tokens, or session cookies that allow privileged access.
One stat stood out: GitLab tokens made up 50% of leaked CI/CD secrets, and the median time to remediate leaked secrets was 94 days.
This is symptomatic of a deeper issue: security tooling hasn’t kept pace with the speed of modern DevOps. And in environments that rely on automation, orchestration, and microservices, leaked secrets are often silent, privileged footholds for attackers.
We’re no longer just defending against exploits or phishing—we’re defending against automation that’s faster and more persistent than our response workflows.
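A minimal repository secret scanner, added here as an illustration rather than taken from the DBIR or from any vendor's tooling: it combines prefix rules for well-known token formats (GitLab glpat-/glrt-, AWS AKIA/ASIA, GitHub ghp_, PEM private-key headers) with a Shannon-entropy check for anything else assigned to a secret-looking variable, skips obvious placeholders, and reports findings redacted so the report itself does not become a second leak. The sample files, the token values (the AWS key is the placeholder AWS uses in its own documentation) and the entropy threshold are all constructed for this example, and the length bounds in the regexes are assumptions to tune against real tokens.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample repository. Every value here is fabricated for the
# example (the AWS key is the placeholder AWS itself uses in its docs).
SAMPLE_FILES = {
    ".gitlab-ci.yml": (
        "deploy:\n"
        "  script:\n"
        "    - export GITLAB_TOKEN=glpat-Ab12Cd34Ef56Gh78Ij90\n"
        '    - curl --header "PRIVATE-TOKEN: $GITLAB_TOKEN" "$CI_API_V4_URL/projects"\n'
    ),
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = "changeme-replace-in-prod"\n'
        'SIGNING_SECRET = "q7Zr2pL9vX4mK1nB8tW3yH6sD5gF0jA2"\n'
    ),
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "AAAA(key material omitted from the sample)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "Set API_TOKEN=<your token here> before running the deploy job.\n",
}

# Rule name -> regex; group 1 is the secret value. The prefixes are the
# public token formats (glpat-/glrt- for GitLab, AKIA/ASIA for AWS, ghp_ for
# GitHub); the length bounds are assumptions and should be tuned per provider.
RULES = {
    "gitlab-pat": re.compile(r"\b(glpat-[0-9A-Za-z_-]{20,})"),
    "gitlab-runner-token": re.compile(r"\b(glrt-[0-9A-Za-z_-]{20,})"),
    "aws-access-key-id": re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])"),
    "github-pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "private-key": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
}
# Fallback for anything without a recognizable prefix: a secret-looking
# variable whose assigned value has high Shannon entropy.
GENERIC = re.compile(
    r"(?i)\w*(?:secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5   # bits per character; an assumption, tune to taste
PLACEHOLDER = re.compile(r"^(?:change[-_]?me.*|example.*|placeholder.*|x{8,}|0{8,})$", re.I)


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str   # never store or print the full secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep enough of the value to recognize its type, drop the rest."""
    return secret[:6] + "..." + secret[-2:] if len(secret) > 12 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        claimed: list[tuple[int, int]] = []   # spans already matched by a specific rule
        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                findings.append(Finding(path, line_no, rule, redact(m.group(1))))
                claimed.append(m.span(1))
        for m in GENERIC.finditer(line):
            value = m.group(1)
            # Skip values a specific rule already reported, and obvious placeholders.
            if any(s <= m.start(1) < e for s, e in claimed) or PLACEHOLDER.match(value):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high-entropy-value", redact(value)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = scan_repo(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no}  {f.rule:<22} {f.redacted}")
    print("by rule:", summarize(results))
```

Run on the sample, the scanner flags the GitLab token, the AWS key ID, the private-key header and the high-entropy signing secret, and stays quiet on the "changeme" placeholder and the README instruction. Wiring a check like this into a pre-commit hook or a CI job addresses the first half of the problem, detection; the 94-day median the DBIR reports is about the second half, so a hit should trigger revocation and rotation of the credential, not just removal of the line, since anything that reached a public repository has to be treated as already copied.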
5. GenAI Risks: Subtle, But Growing
While generative AI hasn’t yet fundamentally changed attacker TTPs, AI-written phishing emails have doubled, and 15% of employees are using GenAI tools from corporate devices—often unsanctioned, and without proper identity governance.
What’s more alarming is that 72% of those accounts used non-corporate emails, suggesting widespread policy gaps. AI platforms are now being treated like shadow SaaS—with all the data exposure risks that entails. This means that AI usage in the enterprise is outpacing security’s ability to govern it. We’re in a phase where innovation is rapid, adoption is informal, and controls are lagging. And in that vacuum, sensitive data is leaking into opaque platforms with unknown retention and access policies.
Final Thoughts
This year’s DBIR makes it clear: cybercrime has scaled—because the infrastructure to support it has matured. We’re not dealing with isolated threats anymore. We’re contending with supply chains of compromise, malvertising ecosystems, and as-a-service models that rival legitimate software businesses in sophistication. Everything is connected—and so are the attackers.
Security must now operate with the same scale, speed, and adaptability as the threats we face. That means rethinking how we monitor unmanaged endpoints, how we secure third-party platforms, and how we track credential misuse across federated environments. It also means balancing investment in existing, reactive security solutions (“right of boom”) with preemptive ones (“left of boom”) such as predictive threat intelligence and Protective DNS, which aim to identify threat actor infrastructure and block it before an attack lands.
The cyber threat economy has changed—and so must our approach, or we risk becoming easy targets in a highly efficient market of compromise.
