X-Force observed a rise in the exploitation of public-facing applications as an initial access vector in 2025 due to an increase in supply-chain attacks targeting development ecosystems and trusted infrastructure.
The number of vulnerabilities tracked by X-Force approached 40,000 in 2025 and over half didn’t require authentication for an attacker to successfully exploit. This finding may reflect gaps in secure-by-design implementation as attackers are finding success without using credentials, MFA bypass or even end user interaction.
In 2025, infostealer malware enabled the exposure of over 300,000 ChatGPT credentials, demonstrating that AI platforms have reached the same credential risk as other core enterprise SaaS solutions. While none of the credentials posted were still valid, the credentials consistently corresponded to infostealer infections and leaked credentials collections observed in 2024 and earlier.
Adversaries increasingly exploited developer trust and identity integrations to steal credentials, pivot into cloud environments and maintain persistence across interconnected systems. Sprawling third‑party dependencies create hard‑to‑secure attack surfaces—where one weak link can expose many targets. Once largely confined to nation‑state actors, these supply chain attack techniques are now being adopted by financially motivated and other criminal threat groups, reflecting a clear trickle‑down of advanced tactics.
Fragmentation continues in the ransomware space, with 109 different ransomware extortion groups identified by X-Force in 2025. Up from 73 groups in 2024, this fragmentation reflects a lower barrier to entry: threat actors frequently reuse leaked tooling, follow established playbooks or shift between group identities, enabling many small operators to conduct opportunistic, low-volume attacks.
The sector accounted for 27.7% of incidents, up only slightly from 26% last year. This figure is only a few tenths of a percent higher than the finance and insurance sectors, which accounted for 27% in 2025 and 23% in 2024.
North America accounted for nearly one third of total cases, up from 24% in 2024, making it the most attacked region for the first time in 6 years. Conversely, Asia Pacific saw a decrease from 34% to 27%.