Most Breaches Aren't Hacking. They're Human Failures.
The world loves the word 'hack.' The reality is that the biggest threat to any organization is the people inside it. Phishing, insider threats, default passwords, leaked credentials, or just someone holding the door open for a stranger.
My take
I've spent years responding to security incidents, and the pattern is always the same. It's not a sophisticated exploit. It's not a zero-day. It's a human being who made a mistake, took a shortcut, or didn't know any better. The 2026 Verizon DBIR found that 95% of breaches involve human error. That's not a statistic. That's the whole story. The human factor is the single largest threat to any organization, and no amount of tooling is going to fix it if the people aren't trained and the culture doesn't prioritize security.
# developer committed .env to the repo three months ago
$ git log --all --diff-filter=A -- '*.env' --format='%h %ae %s'
a3f7c21 dev@company.com added environment config
$ git show a3f7c21:.env
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=admin123
STRIPE_SECRET_KEY=sk_live_...
# the .env was deleted in the next commit
# but git remembers everything. so does anyone watching.
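A pre-commit check that would have stopped that .env before it reached history. This is an added example, not the author's or any repo's own tooling: the AWS pair is the documentation example key from the session above, the Stripe value and file names are constructed, and the patterns cover only the value types shown there.

```python
"""Secret scan for files about to be committed. Added example, not the
repo's tooling: patterns cover the value types in the .env above (AWS key
pair, Stripe live key, password assignments), not every secret format."""
import re
import sys

# (label, regex). AWS access key IDs have a fixed AKIA prefix and length;
# the secret key has no structure, so it is matched through its variable name.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*['\"]?[A-Za-z0-9/+=]{40}")),
    ("stripe_live_key", re.compile(r"\bsk_live_[0-9A-Za-z]{8,}")),
    ("password_assignment",
     re.compile(r"(?i)\b\w*(password|passwd|pwd)\w*\s*=\s*\S+")),
]

def find_secrets(text):
    """Return [(line_number, label)] for every line matching a pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, rx in PATTERNS:
            if rx.search(line):
                hits.append((lineno, label))
    return hits

def scan_files(paths):
    """Scan each path; return [(path, line_number, label)]."""
    hits = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits.extend((path, n, lab) for n, lab in find_secrets(fh.read()))
    return hits

# Constructed sample: the AWS docs example key pair plus made-up values.
SAMPLE_ENV = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=admin123
STRIPE_SECRET_KEY=sk_live_CONSTRUCTEDEXAMPLE0001
DEBUG=true
"""

if __name__ == "__main__":
    # Hook usage: git diff --cached --name-only -z | xargs -0 python3 scan.py
    found = (scan_files(sys.argv[1:]) if len(sys.argv) > 1
             else [("<sample>", n, lab) for n, lab in find_secrets(SAMPLE_ENV)])
    for path, n, lab in found:
        print(f"{path}:{n}: possible {lab}")
    sys.exit(1 if found else 0)   # non-zero exit blocks the commit
```

A hook only stops new commits; a key that already reached history, as in the log above, has to be treated as leaked and rotated.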
It's not the exploit. It's the person.
Here's what I see over and over: companies running end-of-life software, admin panels sitting on the public internet with default credentials, S3 buckets open to the world, API keys committed to GitHub repos. Nobody 'hacked' these organizations. A person left the door open and someone walked in. In May 2025, a researcher found an unprotected database with 184 million credentials stored in plain text. Emails, passwords, login links. Readable by anyone. Not encrypted. Not hashed. Plain text.
# admin panel with default credentials, exposed to the internet
$ curl -s https://admin.internal.company.com/login \
    -d 'username=admin&password=admin' -o /dev/null -w '%{http_code}'
200
# that's it. full admin access. no exploit needed.
# the username is admin. the password is admin.
Phishing works because people are helpful.
Phishing is not a technology problem. It's a human nature problem. People want to be helpful. They see an email from what looks like their CEO asking for something urgent, and they act. They click the link. They enter their credentials. They download the attachment. In 2025, UCLA staff fell for phishing and vishing attacks that tried to redirect their direct deposit information. Harvard's alumni systems were breached after a phone-based social engineering attack. Starbucks had employee PII including SSNs leaked through a phished portal. Add AI-generated phishing to the mix and the emails are getting harder to spot every quarter. The grammar is perfect, the context is relevant, and the sender looks legitimate.
Insider threats aren't always malicious.
Most insider threats aren't disgruntled employees stealing data. They're well-meaning people who don't know the policy, take shortcuts to get their job done, or have way more access than they need. Over-permissive user accounts are everywhere. People get provisioned on day one and never get reviewed again. They change roles, change teams, but the access stays. Three years later someone has admin access to systems they haven't touched in two years.
# how many users have admin access and haven't logged in for 90+ days?
$ aws iam generate-credential-report > /dev/null && \
    aws iam get-credential-report --output text --query Content | \
    base64 -d | awk -F, 'NR>1 && $5!="N/A" && $5<"2026-03-01"' | wc -l
17
# 17 users with active credentials who haven't logged in since March
# every one of those is a door waiting to be opened
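The same review carried further: it parses the credential report CSV directly, checks both access keys as well as the password, and also flags credentials that are active but have never been used. This is an added example, not from the post; the column names are the report's real ones, while the user rows and the review date are constructed.

```python
"""Stale-credential review over an IAM credential report (the CSV that
`aws iam get-credential-report` returns, base64-decoded). Added example,
not from the post; extends the awk one-liner to access keys."""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)   # constructed review date

def _parse(ts):
    """Report timestamps are ISO-8601; N/A / no_information mean never used."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def stale_credentials(report_csv, now=NOW, stale_after=STALE_AFTER):
    """Return [(user, credential, reason)] for every enabled password or
    active access key that is unused for longer than stale_after."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        checks = (
            ("password", row["password_enabled"], row["password_last_used"]),
            ("access_key_1", row["access_key_1_active"],
             row["access_key_1_last_used_date"]),
            ("access_key_2", row["access_key_2_active"],
             row["access_key_2_last_used_date"]),
        )
        for cred, active, last_used in checks:
            if active != "true":
                continue                      # disabled: not a door
            when = _parse(last_used)
            if when is None:
                findings.append((row["user"], cred, "active, never used"))
            elif now - when > stale_after:
                findings.append((row["user"], cred, f"last used {when.date()}"))
    return findings

# Constructed sample, trimmed to the report columns this script reads.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,true,2026-05-28T09:12:00+00:00,true,2026-05-29T10:00:00+00:00,false,N/A
bob,true,2026-02-14T17:30:00+00:00,true,N/A,false,N/A
carol,false,no_information,true,2025-11-03T12:00:00+00:00,true,2026-05-30T06:00:00+00:00
"""

if __name__ == "__main__":
    for user, cred, reason in stale_credentials(SAMPLE_REPORT):
        print(f"{user:8} {cred:13} {reason}")
```

On a real account, feed it the decoded output of the `aws iam get-credential-report` command above instead of SAMPLE_REPORT; the header row in the real report carries more columns, which DictReader ignores.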
Physical security is security.
If I can walk into your office because someone held the door open for me, sit down at an unlocked workstation, and pull the drives out of your machines, you have been compromised. No firewall, no EDR, no SIEM is going to stop that. Tailgating, unlocked screens, sensitive documents on desks, server rooms with default door codes. Security doesn't stop at the firewall. It starts at the front door.
Default passwords are an invitation.
It's 2026. There are still network devices, printers, IoT cameras, and internal tools running with factory default passwords. admin/admin. admin/password. root/root. These aren't hidden. They're in the product documentation. Specops analyzed over six billion stolen passwords in 2025 and found 53 million uses of 'admin' and 56 million uses of 'password.' Changing the default password takes 30 seconds. Not changing it can cost you everything.
# scanning internal network for devices with default credentials
$ nmap -sV --script http-default-accounts 192.168.1.0/24 2>/dev/null | \
    grep -A2 'Valid credentials'
192.168.1.14 - HP LaserJet - admin:admin
192.168.1.38 - Hikvision Camera - admin:12345
192.168.1.102 - Netgear Switch - admin:password
# three devices, three default passwords
# the camera has a view of the server room
Convenience is the enemy of security.
I've walked into doctors' offices and seen unlocked workstations with patient data on screen. Sticky notes on monitors with passwords written in marker. Shared logins because 'it's easier.' Weak password policies because strong ones generate too many helpdesk tickets. Healthcare workers were caught pasting real patient data, including names, medical record numbers, diagnoses, and HIV lab results, into AI chatbots. 77% of employees who use ChatGPT at work have copied company data into it. Every one of these is a human choosing convenience over security, and every one of them is an open door. The password on the sticky note isn't a technology failure. It's a culture failure.
AI makes the attacker faster, not smarter.
Now add AI to this. Automated recon that maps your entire attack surface in minutes. Phishing emails generated with perfect context from scraped LinkedIn profiles. Credential stuffing at scale with AI-generated variations. Exploit code written faster than your team can patch. And on the other side, your own employees are feeding sensitive data into AI tools every day, giving attackers information they didn't even have to steal. The attackers aren't getting smarter. They're getting faster. And the gap between their speed and your hygiene is the real vulnerability.
Takeaway
The biggest threat to your organization isn't some attacker in a hoodie. It's the people who work there. Train them, enforce the basics, review your access, rotate your credentials, and stop assuming that because something hasn't happened yet, it won't.