Verizon says attacks via vulnerabilities outnumber those using stolen credentials

For almost 20 years, Verizon counted more cyberattacks using stolen credentials than those via security vulnerabilities. This is changing in the AI era.


Even before Anthropic's supposedly particularly powerful AI model Claude Mythos Preview, software vulnerabilities were exploited for cyberattacks more frequently than stolen credentials, for the first time in 19 years. At least that is what US provider Verizon determined based on data from 2025 for its latest Data Breach Investigations Report (DBIR), which has now been published. Last year, a security vulnerability was the starting point of almost a third of all cyberattacks, partly thanks to AI technology. While software manufacturers previously often had months to close vulnerabilities and prevent attacks, in the current AI world only hours are available for this, the report continues.

Overall, Verizon's security team sees a fundamental shift in cybersecurity, and this was already the case in 2025; newer data has not yet been evaluated for the report. Last year, AI technology primarily enabled criminals to automate and scale their proven techniques, the report's authors summarize. Defenders could have kept pace by doing the same: “But who knows? Given the rapid development of AI capabilities, this assessment may already be outdated by the time this report is finally published,” it says, mainly with a view to Anthropic's new technology.

Anthropic presented Mythos at the beginning of April and explained that the model is so dangerous that it is only made available to companies working on IT security. The AI model had already identified thousands of high-risk zero-day vulnerabilities, it was said at the time. At the same time, the AI technology is significantly more capable of developing a working exploit for such vulnerabilities, sometimes exploiting several in conjunction with each other. Therefore, only companies that can use the tool to improve IT security have gained access. Since then, the number of identified and closed vulnerabilities, for example in browsers like Firefox, has been increasing rapidly. This is associated with the promise that all vulnerabilities can be found this way. However, there are also cases where the AI is not so successful.

Verizon's Data Breach Investigations Report now warns of further developments, all of which are more or less connected to the rapid advancement of AI technology. For example, criminals are increasingly relying on social engineering via mobile devices, i.e., trying to trick people out of money via text messages or phone calls. The success rate here is 40 percent higher than with traditional phishing. The report also warns of the dangers of shadow AI, i.e., AI tools used in the workplace without the employer's approval. In addition, attacks on supply chains have increased massively. The entire report is over 120 pages long and can be viewed online.

(mho)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.