Takeaways From the Verizon 2023 Data Breach Investigations Report

PUBLISHED ON June 21, 2023
LAST UPDATED September 22, 2023

The Verizon 2023 Data Breach Investigations Report was recently released, and as always, it’s packed with details and descriptions of the past year’s threat landscape.  

The report covers 16,312 incidents and 5,199 confirmed data breaches analyzed between Nov. 1, 2021, and Oct. 31, 2022. We highlight the stats and topics that caught our eye and tie back to trends we see in our own data below. 

Watch Your Web Apps and APIs 

This year, as in most recent years, web applications are, once again, the most popular attacker target. 

The Verizon report found that web applications are the top asset involved in about 60 percent of data breaches, and they are the third most common vector leading to ransomware. Fifty percent of organizations experienced more than 39 web application attacks last year.    

Verizon 2023 Data Breach Investigations Report

Keep in mind that APIs make up roughly 80 percent of all transactions between web applications, highlighting the fact that API security is critical in protecting against attackers.   

Get everything you need to know about API attack protection in our definitive guide.

Attackers are also not one-trick ponies – we see them combining attacks against apps and APIs and using a variety of attack methods and techniques over long periods of time. Tracking attacker behavior, rather than simply looking for signatures of attacks, is key to identifying and these modern attack patterns. 

A Credential Crisis 

The report notes that “the three primary ways in which attackers access an organization  
are stolen credentials, phishing and exploitation of vulnerabilities.” In addition, the Verizon researchers found that 86 percent of web application breaches involve the use of stolen credentials. 

Verizon 2023 Data Breach Investigations Report

Get everything you need to know about how credential stuffing attacks are carried out and how to address them in our blog.

We see this in our own customer base, as credential stuffing attacks are a major pain point for our customers.  

Credential stuffing attacks are defined by attackers attempting to reuse credentials that were compromised in a previous breach in order to log in to another website or application. Knowing that many end users will often reuse the same password on multiple sites, attackers take breached credentials and try them on other high-value applications, such as a bank or online shopping account.  

Why are these incidents becoming so popular? Because attackers can abuse a compromised account in a variety of ways to commit fraud and pursue other malicious goals. For instance, financial accounts can be used to steal funds, retail accounts to illegally buy items, or social media accounts can sway opinions or spread malware. Just to name a few.  

Since data breaches are a relatively common occurrence, attackers have an almost never-ending trove of credentials that they can try against a virtually endless supply of targets. In fact, a recent study has found that there are approximately 15 billion stolen logins stemming from around 100,000 breaches. 

And credential stuffing attacks are becoming much bigger thanks to the use of massive botnets. ThreatX recently helped defend a customer against a credential stuffing attack that used over 1.6 million unique user names across all suspicious requests. It also used more than 86,000 IP addresses. Within hours of the attack starting, the suspicious user agent shows up in more than 2.5 million requests! 

We were able to help our customer block this attack because, rather than trying to block individual IP addresses, we use a variety of detection and analysis techniques to identify and block malicious behavior. 

Get full details on our analysis of a credential stuffing attack.

Lessons of Log4j 

This year’s Verizon DBIR also analyzed Log4j, the dangerous vulnerability disclosed in late 2021. The report found that more than 32 percent of all Log4j scanning activity over the course of the year happened within 30 days of its release. This tells us that attackers act fast and often when a vulnerability is disclosed. The report also points out that “this velocity is an interesting comparison versus organizations’ median time to patch, which is currently 49 days for critical vulnerabilities, a number that has stayed relatively consistent over the years.”

Bottom line: Don’t think patching is a solid solo defense against zero-day vulnerabilities. Protecting APIs and apps at runtime is critical to defend against zero days.  

The limitations of only observing HTTP request and response pairs became obvious immediately after the Log4j disclosure. While the HTTP requests provided a lot of information, it took security engineers longer than they wanted to understand what attackers were targeting, what techniques they were using, and how they were going about it. 

Runtime protection is critical for stopping malware and other malicious runtime threats from impacting APIs and applications in a timely manner, and giving teams time to patch. An application and API security solution that includes events from the application host itself, via process monitoring, would have enough information to quickly take decisive action on runtime threats.  

Learn more about ThreatX’s Runtime API and Application Protection.

Other Stats of Note 

  • Industries that suffered the most web application breaches were finance, healthcare, and information. 
  • Once inside, attackers are moving laterally, such as accessing code repositories or even maintaining persistence with a backdoor.  
  • Forty percent of security incidents feature denial of service. 

Watch how ThreatX protects APIs and apps with real-time, risk-based blocking of attacks, including DDoS and credential stuffing.

About the Author

Jeremy Ventura

Jeremy Ventura is a cybersecurity professional, specializing in advising organizations on information security best practices. He has years of experience in vulnerability management, email security, incident response and security center operations. At ThreatX, he is responsible for the development and presentation of thought leadership across all areas of cybersecurity. Ventura is an industry leader that can regularly be seen in media, blog posts, podcasts and at speaking events. Previously, Ventura has worked at Gong, Mimecast, Tenable and IBM, among other security organizations. Ventura holds a Master’s Degree in Cybersecurity and Homeland Security.