Jul 16, 2025
6 min read

The humanity of data breaches

TL;DR

The 2025 Verizon Data Breach Investigations Report (DBIR) found that the share of breaches involving a human element held roughly steady at about 60%, in line with last year. In this blog, we break down:

  1. What is human involvement in data breaches?
  2. How to interpret the frequency of human involvement in data breaches
  3. Strategies for addressing human-gated security vulnerabilities

The Verizon Data Breach Investigations Report (DBIR)

Earlier this year, Verizon released its 2025 DBIR. It contains valuable insights and incident analysis spanning industry, country, and personnel. This year's dataset covers roughly 22,000 incidents, of which about 12,000 were confirmed breaches, the most this report has seen to date, surpassing last year's record.

Consistent with trends across the cybersecurity industry, the number of breaches in the dataset rose sharply this year, tracking the growing global reliance on digital services and infrastructure. Simply put, more digital dependence means more potential points of failure, from internal accidents as much as from external threat actors.

Among the key findings this year is the continued prevalence of human involvement in breaches: 60% of breaches involved a human element, roughly the same as the 61% reported for the previous year.

It's worth noting that the report distinguishes 'breaches' from 'incidents', a distinction that matters in this section in particular. An incident is a security event that compromises the integrity, confidentiality, or availability of an information asset. A breach is a specific kind of incident that results in the confirmed disclosure of data to an unauthorized party. A DDoS attack, for example, is usually classified as an incident but not a breach, because it disrupts availability without disclosing data.

How are humans involved in data breaches?

The term 'human involvement' is understandably ambiguous: what threshold counts as involvement? The report acknowledges that "all breaches involve humans to some degree," but separates human involvement from "fully automated exploit chains or hacking activity leading to a breach in which a human was not a gating factor." Picking up the phone, opening a phishing email, or visiting the wrong website all count as human involvement, and so does leaving credentials in a public repository. There are many ways people can lead to breaches, and that breadth is one reason people are so often called the weakest link in cybersecurity.

The report breaks human involvement down into several categories. Topping the list is "Credential abuse" at 32%. In these breaches the attacker does not need to exploit a software flaw at all; they simply log in with leaked, stolen, or guessed credentials, often the product of predictable or reused passwords, or of secrets exposed in code. Multi-factor authentication (MFA) and single sign-on through a central identity provider (IdP) make a stolen password far less useful on its own, though they do not help when the stolen credential is an API key or token that the system accepts without a second factor.

Next are breaches from "Social actions," at 23%. This category overlaps with credential abuse and with the fourth category, "Malware interactions" (7%), since social engineering such as phishing often leads unsuspecting victims to install malware or hand over credentials.

Third are breaches from "Errors," at 14%. This category does not overlap with social actions: these mistakes (committing credentials to a public repository, misconfiguring a server so it is trivially exploitable) happen without any outside actor's prompting. Errors typically come down to weak development and operations practices, which often trace back to a lack of tooling or training.

What does this mean?

It makes intuitive sense that credential abuse is the largest human-gated category. Gaining entry by exploiting a software vulnerability is generally not a human-gated method, so even though it accounts for a significant share of breaches overall, it barely registers here. Credential abuse, by contrast, almost always has a person somewhere in the chain: someone chose a weak password, reused it, typed it into a phishing page, or committed it to a repository.

The human involvement section of the DBIR is disheartening in some ways and encouraging in others. The high count of human-gated breaches speaks to how many of the past year's expensive and damaging breaches were preventable, in the sense that an individual or organization could knowingly have done better.

On the flip side, these are exactly the breaches a team can learn from. Their prevalence marks an actionable opportunity to improve security practices.

How do we prevent human-gated breaches?

There are two primary methods for preventing human-gated breaches: systems and training. Each approaches the same problem from a different angle.

Putting the right systems in place, such as multi-factor authentication, a secrets management solution, or single sign-on with an identity provider, gives developers guardrails that remove the need for error-prone manual security steps. Built on secure-by-design principles, these systems prevent common mistakes from happening in the first place.

A secrets management solution stores, rotates, and synchronizes secrets across the organization, so nobody has to copy them around by hand. Paired with a scanner that checks code before it is committed, it keeps secrets out of repositories, one of the more common human-gated errors and one that hands system access to anyone who scans the right public repository.

The report also breaks down which kinds of secrets ended up in public repositories most often:

  • Web application infrastructure (39%)
  • Development and CI/CD (32%)
  • Cloud infrastructure (15%)
  • Database (5%)
  • Misc (5%)
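To make the "keep secrets out of repositories" guardrail concrete, here is an added example of a pre-commit secret scanner in the style a team might run before each commit. It is not Doppler's code and not from the DBIR; the regexes are illustrative (based on documented prefixes of a few common credential formats, not a maintained ruleset), the category tags mirror the leak categories listed above, and the staged files it scans are constructed sample content with fake credentials (the AWS key is AWS's own documentation placeholder). Lines the known-format rules miss fall back to a name-plus-entropy heuristic, and findings are redacted so the hook itself never echoes a full secret.

```python
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Known credential formats, tagged with the DBIR-style leak categories above.
# Illustrative patterns added for this example; use a maintained ruleset in production.
RULES = [
    ("cloud_infrastructure", "AWS access key ID",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("development_cicd", "GitHub personal access token",
     re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("web_application", "JSON Web Token",
     re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("web_application", "PEM private key",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("database", "connection string with embedded password",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s/]+:[^@\s]+@")),
]

# Generic rule: a secret-looking variable name assigned a long quoted literal.
ASSIGNMENT = re.compile(
    r"([A-Za-z0-9_.-]*(?:secret|token|password|passwd|api_?key|access_key)"
    r"[A-Za-z0-9_.-]*)\s*[=:]\s*[\"']([^\"'\s]{20,})[\"']",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 4.0  # bits per character; tune to trade false positives for recall


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    category: str
    rule: str
    excerpt: str  # redacted: the hook must never print the full secret


def shannon_entropy(value: str) -> float:
    """Bits per character: 0 for a repeated character, higher for random-looking text."""
    n = len(value)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, line_no, category, rule, redact(m.group(0))))
                break
        else:
            # No known format matched on this line: fall back to name + entropy.
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "unclassified",
                                        f"high-entropy value assigned to {m.group(1)}",
                                        redact(m.group(2))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def summarize(findings: list[Finding]) -> Counter:
    """Count findings per category, mirroring the DBIR breakdown."""
    return Counter(f.category for f in findings)


def should_block_commit(findings: list[Finding]) -> bool:
    return bool(findings)


# Constructed sample files standing in for staged content (fake credentials).
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DATABASE_URL = "postgres://app:Sup3rS3cret@db.internal:5432/app"\n'
        'JWT_SIGNING_SECRET = "k8F2nQ9vL1xZ4pR7tW3yB6mC0hJ5dG8s"\n'
        'SESSION_COOKIE_NAME = "sessionid"\n'
    ),
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  GH_TOKEN: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij\n"
    ),
    # Hardened form: the value is injected at runtime, so there is nothing to leak.
    "app/db.py": (
        "import os\n"
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
    ),
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no}: [{f.category}] {f.rule}: {f.excerpt}")
    print("by category:", dict(summarize(found)))
    sys.exit(1 if should_block_commit(found) else 0)
```

Run as a pre-commit hook, a non-zero exit blocks the commit. Note that the scanner flags the AWS key, the database URL, and the high-entropy JWT secret in settings.py and the GitHub token in the workflow file, but passes `app/db.py`, where the password is read from the environment at runtime: that is the pattern a secrets manager enforces, and the reason the scanner and the manager belong together.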

The other method for reducing human-gated errors is frequent, routine, company-wide training. Training ensures employees actually use the security systems already in place, and teaches them to recognize phishing emails and other social engineering more readily. Without systems and tools, employees lack the infrastructure to do their jobs securely; without training, they won't know how to use those tools even when they are available.

Prevent secrets in repositories with Doppler

Doppler's secret referencing (defining a value once and referencing it from other secrets) and its integrations with your favorite secrets scanning tool let DevOps rein in secrets sprawl and keep secrets out of repositories going forward. For more information on pairing these two, check out our blog. When secret referencing is coupled with zero-downtime automated secrets rotation, DevOps can quickly rotate an exposed value across the organization without interrupting the CI/CD workflow.

Check out our tutorial and see how Doppler can boost your security!

FAQ

What is the difference between an incident and a breach?

An incident is any event that compromises the integrity, confidentiality, or availability of information. In contrast, a breach is an incident that results in the confirmed disclosure of data to an unauthorized party.
