AppSec & Supply Chain Security, April 24, 2025

Verizon 2025 DBIR: Third-party software risk takes the spotlight

The latest Data Breach Investigations Report puts the focus squarely on third-party risk. Here’s what you need to know.

Carolynn van Arsdale, Writer, ReversingLabs

It’s that time of year again: Verizon Business has released the 2025 edition of the Data Breach Investigations Report (DBIR), its 18th annual report on cybercrime. The DBIR is known for how well it captures the current threat landscape, drawing on tens of thousands of security incidents contributed by Verizon and its partner organizations.

While the newest Verizon DBIR stays true to the report's longstanding methodology, this year’s edition is notable for one recurring theme: an unprecedented rise in breaches that involve third-party organizations. That is especially striking because Verizon Business did not begin tracking third-party involvement as a distinct metric until last year's DBIR. The theme is so integral to this year’s report that its cover illustration depicts the balancing act cybersecurity must perform as dependence on third parties grows:

If the impossibly balanced shape on the cover makes you uncomfortable, you have begun to understand the challenges modern Chief Information Security Officers (CISOs) face in the current environment.

Verizon 2025 DBIR

Here are the 2025 DBIR’s key themes — including third-party risk — and what they mean for the state of software security.

See white paper and more: Assess and Manage Third-Party Software Security Risk

Third-party software risk is on the rise

The 2024 DBIR found that third parties, including software suppliers and other vendors, played a role in 15% of all data breaches Verizon documented, leading the report’s authors to call on organizations to “start looking at ways of making better choices” about which software providers they choose to work with “so as to not reward the weakest links in the chain.”

That report’s focus on attacks targeting third-party software was justified, given the high-profile incidents of the preceding year. Those include the MOVEit Transfer compromise, whose exploitation in 2023 and its fallout through 2024 heavily impacted organizations that depended on the software, as well as multiple rounds of nation-state attacks on weaknesses in VPN appliances made by Ivanti, which at one point prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to direct federal agencies to disconnect the vendor’s devices.

That DBIR's advice has proved wise in the past year, and the latest report somberly predicts that third-party involvement in breaches will continue to climb in 2025. Of the 12,195 confirmed data breaches that Verizon analyzed for the 2025 DBIR, the share involving a third party (software vendors, service providers and other suppliers) doubled from last year’s report, reaching 30% of all breaches.

This trend demonstrates that continued reliance on third parties has created a wealth of opportunities for threat actors to reach end-user organizations through supply chain attacks rather than by attacking them directly. The authors of the 2025 DBIR clearly warn organizations about this growing attack vector:

Our guidance from last year persists: Make sure that positive security outcomes from vendors are an important component in the procurement process, and have plans in place to address repeat offenders.

Verizon 2025 DBIR

Secrets are (still) no fun

Software supply chain risks showed up in other ways in this year’s DBIR, particularly in the persistent leaking of secrets into third-party environments. With the help of contributor data, the 2025 DBIR analyzed scans of over 400,000 public GitHub repositories for exposed secrets and found that the median time to remediate a leaked secret discovered in a repository was 94 days.

More than three months is a sizable window for threat actors to find and use a leaked credential to gain access to an organization’s IT infrastructure, including its software development and continuous integration/continuous deployment (CI/CD) environments. A secret that is still valid on the day it is discovered is a working key, not a theoretical risk.

The 2025 DBIR broke down the kinds of secrets that are exposed in these public repositories, which include those integral to web application infrastructure, software development and CI/CD environments, cloud infrastructure, databases, as well as miscellaneous but important secrets such as Secure Shell (SSH) keys.

The largest share of exposed secrets (39%) belonged to web application infrastructure: credentials that grant access to web applications and underpin how those apps protect organizational data. Within that web application category, 66% of the secrets were JSON Web Tokens (JWT), which are commonly used in authentication, session management and access control mechanisms, the DBIR said.

Exposed secrets connected to software development and CI/CD environments were also a significant finding of this year’s report, accounting for 32% of all exposed secrets found on GitHub repositories. According to the DBIR authors, “One of the more surprising findings is that there are a high number of GitLab tokens, representing 50% of all development and CI/CD secrets that are being leaked.”

Cloud infrastructure-based secrets were another major source of security risk, accounting for 15% of all secrets discovered on public repositories. Further analysis found that 43% of these cloud-based secrets are Google Cloud API keys.
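The scans the DBIR describes come down to two questions a practitioner has to answer for every hit: what kind of secret is this, and is it still live? The following is an added example, not code from the DBIR, its contributors or ReversingLabs. It scans a constructed in-memory "repository" for the secret types the report calls out, groups them into the report's categories, and, for JWTs, decodes the payload to check whether the token has expired. The detection patterns are assumptions based on publicly documented token formats (GitLab personal access tokens start with `glpat-`, Google API keys with `AIza`, AWS access key IDs with `AKIA`/`ASIA`, JWT headers with `eyJ`); real scanners use far larger rule sets and entropy checks. The sample files, the token values and the scan timestamp are all constructed.

```python
"""Added example: a minimal exposed-secret scanner with a JWT expiry check.

Not code from the DBIR, GitHub, or ReversingLabs. Patterns, sample files and
timestamps are constructed for illustration only.
"""
import base64
import json
import re

# (DBIR-style category, secret kind, pattern). Prefixes are the publicly documented
# formats; the JWT regex only requires three base64url segments starting with "eyJ".
SECRET_PATTERNS = [
    ("web_app", "jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\b")),
    ("dev_cicd", "gitlab_pat", re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b")),
    ("cloud", "google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("cloud", "aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("database", "db_connection_uri",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:]+:[^\s@]+@[^\s]+")),
    ("misc", "ssh_private_key", re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC) PRIVATE KEY-----")),
]


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped token for the constructed sample. The third segment is a
    placeholder, not a real signature; this helper only produces test data."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{header}.{body}.c2lnbmF0dXJl"


def jwt_expiry(token: str):
    """Return the 'exp' claim (Unix seconds) from a JWT payload, or None if absent.
    The signature is deliberately NOT verified: a leaked token is dangerous whether or
    not we hold the key; the question is only whether it is still inside its window."""
    try:
        claims = json.loads(b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):  # binascii.Error and JSONDecodeError are ValueErrors
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return int(exp) if isinstance(exp, (int, float)) else None


def jwt_status(token: str, now: int) -> str:
    exp = jwt_expiry(token)
    if exp is None:
        return "no_exp_or_unparseable"
    return "expired" if exp <= now else "valid"


def redact(secret: str) -> str:
    """Never write the full secret into a finding; a scanner's own output leaks too."""
    return secret[:6] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_text(path: str, text: str, now: int) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, kind, pattern in SECRET_PATTERNS:
            for match in pattern.finditer(line):
                finding = {"path": path, "line": lineno, "category": category,
                           "kind": kind, "redacted": redact(match.group(0))}
                if kind == "jwt":
                    finding["status"] = jwt_status(match.group(0), now)
                findings.append(finding)
    return findings


def scan_repo(files: dict, now: int) -> list:
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text, now))
    return findings


def category_shares(findings: list) -> dict:
    """Percentage of findings per category, the way the DBIR breaks them down."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    total = sum(counts.values()) or 1
    return {c: round(100 * n / total) for c, n in counts.items()}


# Constructed sample repository. SCAN_TIME is fixed (2025-04-24T00:00:00Z) so the
# expired/valid results are reproducible.
SCAN_TIME = 1745452800
EXPIRED_JWT = make_unsigned_jwt({"sub": "svc-deploy", "exp": 1700000000})  # Nov 2023
LIVE_JWT = make_unsigned_jwt({"sub": "svc-deploy", "exp": 1893456000})     # Jan 2030
CONSTRUCTED_REPO = {
    "frontend/config.js": f'const API_TOKEN = "{EXPIRED_JWT}";\n',
    "services/auth.env": f"SESSION_JWT={LIVE_JWT}\n",
    ".gitlab-ci.yml": "variables:\n  DEPLOY_TOKEN: glpat-xK9v2mQ7nR4tY8wZ1aB3cD5e\n",
    "infra/settings.py": 'MAPS_KEY = "AIzaSyD1234567890abcdefghijklmnopqrstuv"\n',
    "db/.env": "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app\n",
    "ops/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n",
}

if __name__ == "__main__":
    for f in scan_repo(CONSTRUCTED_REPO, SCAN_TIME):
        print(f)
    print(category_shares(scan_repo(CONSTRUCTED_REPO, SCAN_TIME)))
```

Two design points carry over to real tooling: findings are redacted before they are stored, because scanner output ends up in tickets and chat, and JWT expiry is read without verifying the signature, because the remediation question ("can this still be used?") does not depend on whether you hold the signing key. A token that decodes as still valid should be revoked or rotated on discovery, not after the median 94 days.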

This epidemic of secrets exposure highlights a structural problem: the credentials leak through third-party environments, such as public code hosting, that end-user organizations do not directly control, which makes finding and remediating these exposures slow even when the risk is well understood.

Third-party cyber-risk management is key

While the 2025 DBIR maintains its humorous tone from previous years, the report imparts a sense of urgency: software supply chain stakeholders must confront the risks lurking in the code and cloud-based services on which so much of the economy now depends.

Whether it is an enterprise consumer that needs to better vet the commercial software products it relies on, or a software development organization juggling new features, legacy code and sensitive development secrets, an awareness of how threat actors target and exploit software supply chain flaws is critical. That means third-party software risk management (TPSRM), including modern software supply chain security built on binary analysis of the software actually shipped, is essential.

While, to some extent, software vendors have long played a part in unintentionally increasing the attack surface for those who use their products and services, over the last two to three years, it has moved from the occasional (and typically minor to moderate) mishap to a much more widespread and insidious problem that can (and sometimes does) have a devastating effect on enterprises.

Verizon 2025 DBIR

Keep learning

  • Get up to speed on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the webinar discussing the findings.
  • Learn why binary analysis is a must-have in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take action on securing AI/ML with our report: AI Is the Supply Chain. Plus: See RL's research on nullifAI and watch how RL discovered the novel threat.
  • Get the report: Go Beyond the SBOM. Plus: See the CycloneDX xBOM webinar.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Tags:AppSec & Supply Chain Security
