Key Takeaway
IBM 2026 X-Force Threat Index finds that AI-accelerated cyberattacks are increasing across North America, with vulnerability exploitation, ransomware fragmentation, credential theft, and supply-chain compromise exposing persistent gaps in basic security controls.
IBM 2026 Threat Index – Key Points
The Story
IBM released its 2026 X-Force Threat Index on February 25, 2026, reporting that North America became the most attacked region globally, accounting for 29% of cases observed by IBM X-Force in 2025, up from 24% in 2024 and marking the first time in six years the region led. The report links a 44% surge in attacks exploiting public-facing applications to missing authentication controls and AI-enabled vulnerability discovery, and says vulnerability exploitation accounted for 40% of incidents observed in 2025. IBM also reports accelerating credential theft tied to AI tool adoption, including over 300,000 ChatGPT credential sets advertised on the dark web in 2025, and rising supply-chain and third-party compromises driven by trusted developer identities, CI/CD platforms, and SaaS integrations.
The Facts
North America leads in cyberattack volume (29%)
The IBM 2026 X-Force Threat Index reports that North America accounted for 29% of total cases in 2025, up from 24% in 2024, making it the most targeted region for the first time in six years.
44% surge in attacks via public-facing applications
Exploitation of public-facing applications rose 44% year over year and became the most common initial access vector, linked to missing authentication controls, misconfigurations, and complex application stacks that broaden the attack surface.
Vulnerability exploitation is now the top attack vector (40%)
Vulnerability exploitation accounted for 40% of incidents observed by X-Force in 2025; IBM notes many exploited vulnerabilities did not require authentication, increasing the value of strong access control and patch governance.
Ransomware groups surged and the ecosystem fragmented
X-Force observed a 49% year-over-year increase in active ransomware and extortion groups, while publicly disclosed victim counts rose roughly 12%. The IBM 2026 X-Force Threat Index report also describes fragmentation: the share of attacks attributed to the top 10 groups dropped by 25%, and X-Force identified 109 distinct extortion groups in 2025 (up from 73 in 2024).
Supply chain and third-party compromises nearly quadrupled since 2020
Large supply chain and third-party compromises increased nearly fourfold over the past five years, with attackers exploiting trusted developer identities, CI/CD platforms, SaaS integrations, and downstream trust relationships to propagate compromise.
Credential harvesting remains the most common impact
Compromised accounts continue to fuel attacks, with IBM emphasizing that foundational identity controls remain central to reducing real-world incidents.
ChatGPT credential theft expanded into a dark web marketplace
In 2025, over 300,000 ChatGPT credential sets were advertised on the dark web, driven largely by infostealer malware operators expanding targets to include AI services. The IBM 2026 X-Force Threat Index also highlights password reuse across personal and enterprise accounts as an indirect path from low-value credentials to higher-value enterprise access.
Compromised AI accounts create AI-specific risks
Beyond account takeover, attackers can manipulate outputs, exfiltrate sensitive data, or inject malicious prompts, increasing the need for strong authentication and conditional access controls around AI platforms.
AI is compressing the attacker lifecycle
IBM says attackers are using AI to speed research, analyze large datasets, iterate on attack paths in real time, scale phishing, and refine social engineering, shortening the window between discovery and impact.
Manufacturing remains the most attacked sector (27.7%)
Manufacturing was the most attacked sector for the fifth consecutive year, accounting for 27.7% of incidents observed in the IBM 2026 X-Force Threat Index, with data theft reported as the most common outcome; IBM notes financial services and insurance as the next-most targeted sectors.
Security fundamentals still fail in practice
IBM states that the most consequential security outcomes still hinge on the maturity of foundational controls, and that persistent gaps in baseline practices translate into operational disruption, data compromise, and high-loss incidents.
Recommendations for Organizations
- Secure AI platforms as core enterprise infrastructure with strong authentication and conditional access controls.
- Modernize authentication and treat identity as critical infrastructure with centralized governance and continuous risk-based access controls.
- Continuously identify weaknesses (insecure code, weak credentials, misconfigurations, missing patches) through proactive practices such as monitoring and frequent penetration testing.
- Map and monitor external exposure across the surface, deep, and dark web for leaked credentials and attacker signals.
- Strengthen patch governance and configuration hygiene to reduce the most exploited attack paths.
Why This Matters
The IBM 2026 X-Force Threat Index frames AI as an accelerant, not a replacement, for attacker playbooks: faster discovery and exploitation make foundational gaps in identity, access control, patching, and configuration hygiene more costly, while fragmentation in ransomware and rising supply-chain compromise increase both the pace and unpredictability of incidents.
This article was drafted with the assistance of generative AI. All facts and details were reviewed and confirmed by an editor prior to publication.