Application exploitation back in vogue, says IBM cyber unit | Computer Weekly

News Room
Last updated: 2026/02/25 at 11:23 AM
News Room Published 25 February 2026

In a reversal of a long-standing trend, researchers at IBM’s X-Force threat intelligence unit say they have observed a 44% increase in cyber attacks that begin with the exploitation of vulnerable public-facing applications, outpacing credential abuse by a significant margin.

In recent years, a quip that runs along the lines of “attackers don’t hack the cloud, they log in” has become a popular adage in the cyber community, reflecting a surge in attacks beginning with phished or stolen credentials.

Logging in legitimately means threat actors do not have to burn valuable hoarded zero days, and can get away with disguising their attacks as everyday activity, taking the path of least resistance in search of a payday.

Although the misuse of valid accounts still accounted for just under a third of the cases represented in the X-Force data, the latest report suggests the exploitation of vulnerabilities, which its researchers claim formed the initial access vector in 40% of incidents it tracked last year, is seeing a renewed burst of enthusiasm among threat actors.

What is more, the team says artificial intelligence (AI) tools may be driving this trend by making it easier for attackers to seek out misconfigured, unprotected or vulnerable applications. They said this highlights a critical need for stronger access controls, rigorous patching and secure deployment practices.

“Attackers aren’t reinventing playbooks, they’re speeding them up with AI,” said Mark Hughes, IBM global managing partner for cyber security services.

“The core issue is the same: businesses are overwhelmed by software vulnerabilities. The difference now is speed. With so many vulnerabilities requiring no credentials, attackers can bypass humans and move straight from scanning to impact.

“Security leaders need to shift to a more proactive approach, using agentic-powered threat detection and response to identify gaps and catch threats before they escalate,” said Hughes.

X-Force said its penetration tests still revealed “persistent weaknesses” in both software configuration and credential hygiene, with misconfigured access controls a common entry point across the board.

AI is a multifaceted problem for defenders

But that is not to say credential theft has diminished as an initial access vector – indeed, the X-Force report also identified a growing identity problem around AI, particularly when it came to some of the more popular generative AI services available to the public.

The researchers found that more than 300,000 ChatGPT credentials were exposed in 2025 thanks to the use of infostealer malware, a signal that the major AI platforms are subject to the same levels of risk as core enterprise software-as-a-service solutions.

Compromised AI chatbot credentials go beyond merely accessing personal accounts, the report said – they can be further abused to manipulate outputs, inject malicious prompts and, most worrying for enterprise security teams, exfiltrate sensitive data.

X-Force said this underscored a clear need for security leaders to assess their organisations’ AI use – particularly shadow use of public services – and enforce stricter policies around it.

And in common with many other market observers – all of whom release similar reports around this time every year – the X-Force unit also observed a 49% increase in active ransomware groups compared with this time last year, with many smaller, transient operators running low-volume campaigns that complicate attribution somewhat.

This trend is also being driven in part by AI, which is increasingly playing a peripheral role in automating ransomware operations, and looking ahead, X-Force said it expected ransomware gangs would give over more tasks, such as reconnaissance and advanced attacks, to maturing AI models.
