Skip to content

Browser-Based Attacks on the Rise: Key Findings from the 2026 DBIR

Every year, the Verizon Data Breach Investigations Report serves as a benchmark for the industry. Its value comes not just from the headline numbers but from the convergence signals: when multiple independent data sources point to the same structural shift in how attackers operate, that convergence is worth paying attention to.

This year’s report highlights a significant trend: attacks are increasingly living in the browser. The 2026 DBIR confirms this shift, with data showing that credential theft and shadow AI usage are on the rise.

Shadow AI Has Become a Mainstream Enterprise Risk

Shadow AI was identified as the third most common non-malicious insider action observed in Data Loss Prevention (DLP) datasets, representing a fourfold increase from the previous year. Employees are not typically trying to exfiltrate data; rather, they are using the fastest available tool for a task, which increasingly means pasting internal documents or source code into a personal ChatGPT session before their organization has had time to approve and provision a governed alternative.

The scale of unauthorized AI usage in enterprise environments is one of the report’s most significant findings: 67% of users are accessing AI services on corporate devices through personal, non-corporate accounts, and 45% of employees are now considered regular AI users. Keep Aware’s browser telemetry further provides insight into how these AI services are being used.

Credential Abuse and the Browser's Detection Gap

The 2026 DBIR found that 39% of breaches involved credential abuse. Keep Aware’s attack data from 2025 puts browser-based credential theft as the number one browser-based attack, accounting for approximately 41% of observed threat activity. Compounding this attack vector is the fact that the vast majority of these attacks are invisible to traditional tooling.

Browser Extensions: Privileged, Ungoverned, and Expanding

The average enterprise had more than 15% of users with unauthorized AI extensions installed, according to the 2026 DBIR. However, the extension problem is broader than AI tooling alone. Keep Aware’s extension telemetry shows that 13% of unique browser extensions observed across our customer base were classified as high or critical risk.

ClickFix and Browser-Native Social Engineering

The Verizon DBIR found ClickFix accounted for 2.7% of browser-detected attacks—a small share that nonetheless signals an evolution in browser-based social engineering. This threat begins in the browser—often by encountering compromised websites and sometimes through LLM chat responses—but quickly continues on the endpoint, compromising the machine with info stealers and remote access to attackers.

Conclusion

The 2026 DBIR confirms that attacks are increasingly living in the browser. With credential theft and shadow AI usage on the rise, it is clear that traditional tooling is no longer sufficient to detect these threats. Browser-layer visibility is essential for detecting and preventing these types of attacks.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *