7 Most Common Types of Data Breaches

Josh Amishav · Last updated Apr 16, 2026 · 12 Minute Reading Time

Learn the seven types of data breaches and how to defend against each one.

• “Security breach” and “data breach” get used interchangeably, but they’re not the same. A security breach is any unauthorized access. A data breach is when attackers actually reach sensitive data. The distinction changes what GDPR or HIPAA requires you to disclose, so get it right before you file anything.
• Seven breach types cover virtually every incident: credential theft, phishing, ransomware, insider, supply chain, cloud misconfiguration, and physical theft. Credential theft is the most common. Insider and supply chain are the most expensive.
• If you’re trying to figure out which type hit you, start with the entry point. Did attackers have valid login details? Credential theft. Was a vendor involved? Supply chain. Was data exposed without any attacker at all? Cloud misconfiguration or a physical breach (like a stolen laptop).
• No single control stops all seven types. MFA blocks stolen passwords at login, though stealer logs include session cookies that bypass it. Offline backups let you recover from ransomware without paying. Vendor monitoring catches supply chain risk upstream. Credential monitoring catches stolen passwords before attackers log in.

Stolen credentials were involved in 22% of breaches and phishing caused another 16%, according to the Verizon 2025 DBIR. Costs vary widely by type though. Supply chain attacks average $4.91 million per incident, well above the $4.44 million overall mean.

Each breach type has a different entry point and a different defense. Treat all breaches the same way and you’ll get caught off guard.

This guide breaks down the seven most common types of data breaches, with real examples and the specific controls that stop each one.

Quick Comparison: The 7 Data Breach Types

Use this table to spot which data breach types you’re most exposed to. The full breakdown for each follows below.

| Type | Typical entry point | Detection difficulty | Primary defense |
|---|---|---|---|
| Credential theft | Valid login from stolen password | Very hard (looks legitimate) | MFA + credential monitoring |
| Phishing / social engineering | User clicks a fake link or is manipulated | Medium (email filter may miss) | MFA + phishing-resistant auth |
| Ransomware / extortion | Initial access + lateral movement + encryption | Visible once it triggers | Offline backups + segmentation |
| Insider threat | Legitimate employee access | Very hard (the access is authorized) | Least privilege + UEBA |
| Supply chain | Compromised vendor or software update | Hard (upstream, outside your perimeter) | Vendor assessment + vendor monitoring |
| Cloud misconfiguration | Public S3 bucket, open database | Medium (scanners find it eventually) | Config auditing + automated compliance |
| Physical | Stolen laptop, unauthorized access to hardware | Easy once reported | Device encryption + access controls |

What Are the Main Types of Data Breaches?

Not all breaches look the same. How attackers get in, and how you stop them, depends on the breach type.

A data breach is a security incident where sensitive data is accessed or exposed by unauthorized parties. Breaches are categorized by how attackers get in, from stolen credentials and phishing to ransomware and insider access. Each type requires different detection and prevention strategies.

IBM’s 2025 report found that the average breach costs $4.44 million. But that number varies dramatically by breach type. Insider breaches cost $4.92 million. Supply chain attacks cost $4.91 million. Credential theft costs $4.67 million. Knowing which types you’re most vulnerable to helps you invest in the right defenses.

Security Breach vs Data Breach: What’s the Difference?

The two terms get used interchangeably, but they mean different things.

A security breach is any unauthorized access to your network or accounts. An attacker getting in is a security breach, even if no data was actually stolen or exposed.

A data breach is a security breach where sensitive data actually gets accessed or exposed. Attackers got in AND accessed something they shouldn’t have.

The distinction matters for three reasons:

Regulatory notification. Most data breach notification laws (GDPR, HIPAA, CCPA) trigger on data exposure, not on intrusion alone. A security breach where attackers were blocked before reaching data may not require public disclosure. A data breach almost always does.

Insurance claims. Cyber insurance policies usually differentiate between the two. Coverage limits and deductibles can vary widely based on whether data was confirmed exposed.

Incident response scope. A security breach requires investigation and containment. A data breach requires all of that PLUS data classification and affected-party notification, often with regulatory filings on top.

Every data breach is a security breach. Not every security breach is a data breach. When you’re in the middle of an incident, this distinction decides how much of the response playbook you need to run.

Type 1: Credential Theft

This is the most common type of data breach and the hardest to detect.

Attackers get valid passwords from two main sources: third-party data breaches where employee passwords were reused, and infostealer malware that harvests saved browser passwords. Phishing pages that capture login details are another common source. Those credentials end up on dark web marketplaces, often within hours.

Then attackers log in. Your firewall sees a legitimate user. Your EDR sees normal behavior. Nothing triggers an alert because the credentials are real.

The Verizon 2025 DBIR found that stolen credentials were involved in 22% of all breaches. IBM found that these breaches cost $4.67 million on average and take 246 days to detect, the longest of any attack vector.

The Ticketmaster breach in 2024 showed exactly how this works. It exposed data on 560 million customers. Attackers used credentials stolen by infostealer malware to access Ticketmaster’s Snowflake cloud account. No exploit was needed. They had valid login details.

What would have caught this? Those Ticketmaster credentials came out of infostealer logs that hit criminal marketplaces before the attackers logged in. Dark web monitoring for stealer logs surfaces these specific credentials so you can force a reset before attackers buy them.

MFA on the Snowflake console would have helped too, though infostealer logs often include session cookies that bypass MFA anyway. Mandate password managers to eliminate reuse across corporate and personal accounts. And enforce phishing-resistant MFA (FIDO2, passkeys) on any high-value system, especially cloud admin consoles.

Type 2: Phishing and Social Engineering

Attackers don’t need to find a technical vulnerability when they can trick someone into handing over their credentials.

Phishing is the second most common breach vector, responsible for 16% of breaches according to IBM’s 2025 report. The average phishing breach costs $4.8 million.

Modern phishing goes far beyond obvious scam emails. Attackers research their targets and clone real login pages. The fakes are hard to distinguish from legitimate ones. Even security-aware employees get caught when the fake is convincing enough.

Business email compromise (BEC) takes this further. Attackers impersonate executives to authorize wire transfers or data access. No malware involved. Just a convincing email from what looks like the right person.

In 2020, attackers called Twitter employees and convinced them to hand over internal tool access through social engineering. They hijacked high-profile accounts including Barack Obama and Elon Musk. Pure human error, no technical exploit.

The Twitter attack wasn’t email at all. It was a phone call. No email filter catches that. What would have helped: a callback verification process for any elevated-access request, and dual authorization on privileged internal tools so one employee can’t grant the access alone.

For the more common email-based phishing, MFA blocks phished passwords at login, but modern phishing kits that relay sessions in real time or capture session cookies can bypass it entirely. Phishing-resistant MFA (FIDO2, passkeys) handles those cases. Email filtering catches the obvious fakes. Regular phishing simulations train employees to spot the rest, though no training program is 100% effective.

Type 3: Ransomware and Extortion

Ransomware has evolved from simple encryption to a double extortion model. Attackers steal your data first, then encrypt your systems. Even if you restore from backups, they threaten to publish the stolen data unless you pay.

IBM’s 2025 report found that ransomware incidents cost $5.08 million on average when the attacker disclosed the breach. The average ransom payment dropped to about $1 million in 2025 (down 50% from 2024), but total attack costs keep climbing because recovery and legal expenses don’t go down.

63% of victims now refuse to pay, up from prior years. But refusing to pay doesn’t mean the breach is cheap.

Colonial Pipeline is a classic example. They paid a $4.4 million ransom in 2021 after attackers used a single compromised VPN password to access their network. The password had been reused from a previous breach. That one credential shut down fuel delivery across the eastern US.

The Colonial Pipeline attack was preventable. That reused password showed up in a previous breach, which means credential monitoring would have flagged it. Catch the leaked password first and you force a reset before attackers buy it.

When prevention fails and you get hit anyway, you need damage control. Offline, tamper-proof backups let you recover without paying. Network segmentation limits how far attackers can spread from their initial foothold.

Type 4: Insider Threats

Not all breaches come from the outside. Sometimes the person causing the breach already works for you.

An insider threat is a security risk from someone with legitimate access to your systems, like an employee or contractor. Insider threats can be malicious (deliberate theft or sabotage) or accidental (sending data to the wrong person, misconfiguring access controls). Both types create real breaches.

IBM found that malicious insider breaches cost $4.92 million on average, the most expensive of any attack vector. They’re also harder to detect because the person has permission to access the data. The activity looks normal. Only the intent is wrong.

Accidental insider threats are more common than malicious ones. An employee emails a spreadsheet of customer data to the wrong recipient. A developer pushes API keys to a public GitHub repo. A manager shares credentials over an unsecured channel.

In 2023, a Tesla employee leaked personal data of over 75,000 employees to a German news outlet. The data included names, addresses, and Social Security numbers. Tesla confirmed it was an insider who violated company policies.

What would have caught this? Two things directly. Data loss prevention (DLP) flags mass transfers of sensitive data leaving the network, exactly the pattern of exporting 75,000 records. And access reviews would have raised the question of why one employee needed that much HR data in the first place.

Beyond the Tesla-specific defenses, least privilege access limits what any single person can reach, and insider threat detection watches for unusual behavior from legitimate accounts.

Detection signals worth watching: large file downloads outside normal patterns, access to systems the employee doesn’t work with, off-hours activity from accounts that keep business hours, and mass email forwards to personal addresses. None of these prove malicious intent on their own. Together they often point to an insider already collecting data before their exit.
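The four signals listed above, scored over a constructed access log, as an added example (not the article’s or Breachsense’s code). The event tuples, the baseline window, the personal-mail domain list and the thresholds are all assumptions; each user’s own pre-window activity is the baseline the later events are compared against.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access log (not real data): (user, ISO timestamp, action, system, MB, recipient).
# Events before BASELINE_END establish each user's normal pattern; later events are scored against it.
BASELINE_END = "2025-03-10"
EVENTS = [
    ("alice", "2025-03-03T10:15:00", "download", "crm", 12, ""),
    ("alice", "2025-03-04T11:02:00", "download", "crm", 15, ""),
    ("alice", "2025-03-12T09:40:00", "download", "crm", 14, ""),    # normal post-baseline activity
    ("bob",   "2025-03-03T09:05:00", "download", "wiki", 3, ""),
    ("bob",   "2025-03-04T09:30:00", "download", "wiki", 4, ""),
    ("bob",   "2025-03-05T13:00:00", "access",   "wiki", 0, ""),
    ("bob",   "2025-03-20T23:48:00", "download", "hr-db", 900, ""),  # off-hours, unfamiliar system, huge pull
    ("bob",   "2025-03-20T23:55:00", "email_forward", "mail", 0, "bob.home@gmail.com"),
    ("bob",   "2025-03-21T00:05:00", "email_forward", "mail", 0, "bob.home@gmail.com"),
    ("bob",   "2025-03-21T00:12:00", "email_forward", "mail", 0, "bob.home@gmail.com"),
]
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}  # assumed list
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 counts as business hours (assumption)
LARGE_FACTOR = 10               # download larger than 10x the user's median baseline download
FORWARD_THRESHOLD = 3           # forwards to personal mailboxes inside the scored window

def build_baselines(events, baseline_end):
    """Per user: systems normally used, typical download sizes, and hours the account is normally active."""
    base = defaultdict(lambda: {"systems": set(), "sizes": [], "hours": set()})
    for user, ts, action, system, size, _ in events:
        if ts[:10] >= baseline_end:
            continue
        b = base[user]
        b["systems"].add(system)
        b["hours"].add(datetime.fromisoformat(ts).hour)
        if action == "download":
            b["sizes"].append(size)
    return base

def detect_insider_signals(events, baseline_end=BASELINE_END):
    """Return {user: sorted signal names} for events on or after baseline_end."""
    base = build_baselines(events, baseline_end)
    signals = defaultdict(set)
    forwards = defaultdict(int)
    for user, ts, action, system, size, recipient in events:
        if ts[:10] < baseline_end or user not in base:
            continue  # no baseline yet: nothing to compare against
        b = base[user]
        hour = datetime.fromisoformat(ts).hour
        if action == "download" and b["sizes"] and size > LARGE_FACTOR * median(b["sizes"]):
            signals[user].add("large_download")
        if action != "email_forward" and system not in b["systems"]:
            signals[user].add("unfamiliar_system")
        # Off-hours only matters for accounts whose baseline activity kept business hours
        if b["hours"] <= set(BUSINESS_HOURS) and hour not in BUSINESS_HOURS:
            signals[user].add("off_hours")
        if action == "email_forward" and recipient.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS:
            forwards[user] += 1
    for user, count in forwards.items():
        if count >= FORWARD_THRESHOLD:
            signals[user].add("mass_personal_forward")
    return {user: sorted(s) for user, s in signals.items()}

def users_to_review(signals, min_signals=2):
    """No single signal proves intent; escalate only accounts showing several at once."""
    return sorted(user for user, s in signals.items() if len(s) >= min_signals)
```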

Type 5: Supply Chain Breaches

When your vendor gets breached, their problem becomes your problem.

Supply chain attacks are the second most expensive breach type at $4.91 million per incident. They also take the longest to resolve at 267 days on average (IBM 2025). The challenge is that you’re not being attacked directly. The compromise happens upstream.

Attackers target vendors because one compromised vendor gives them access to hundreds or thousands of downstream customers. It’s more efficient than attacking each company individually.

The SolarWinds attack in 2020 is still the largest known supply chain breach. Attackers inserted malicious code into a routine software update. Over 18,000 organizations downloaded the compromised update, giving attackers access to government agencies and Fortune 500 companies. The breach went undetected for over 14 months.

The MOVEit breach in 2023 followed a similar pattern. Attackers exploited a vulnerability in a widely used file transfer tool, compromising data from hundreds of organizations that used the service.

Both SolarWinds and MOVEit make the same hard point: you can’t fully prevent upstream compromise, so plan for it. Limit vendor access to the minimum they actually need. Have an incident plan ready for when a vendor gets hit, because eventually one will. And assess vendor security practices before you give anyone privileged access to your environment.

The signal most teams miss: a vendor’s employee credentials showing up in stealer logs or breach dumps. That means something has gone wrong in the vendor’s environment, and your data is now at risk through their access. Extending your dark web monitoring to cover your vendors’ domains catches this signal early.

See our guide on third-party risk management for the full framework.

Type 6: Cloud Misconfiguration

Misconfigured cloud services have caused some of the largest data leaks in recent years. Unlike other breach types, these aren’t attacks at all. Nobody breaks in. The data is just sitting there, exposed.

Common misconfigurations include publicly accessible S3 buckets on AWS and databases with default credentials. Automated scanners find these within hours of exposure.

The problem is growing because cloud environments are complex and change constantly. A single misconfigured setting can expose millions of records. And because there’s no attacker to detect, traditional security tools don’t flag it.

In 2022, Microsoft disclosed that a misconfigured endpoint exposed business transaction data of over 65,000 entities. The data was accessible to anyone with the URL. No authentication required.

Audit cloud configurations against your provider’s security benchmarks. Automate compliance checking so misconfigurations get flagged before they’re exploited. Never use default credentials. And treat cloud security as an ongoing process, not a one-time setup.
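An added example (not the article’s or any AWS tooling’s code) of the configuration audit described above: it evaluates constructed S3 bucket descriptions for a bucket policy open to anyone, a public ACL grant, and the Block Public Access settings that would neutralise either. The bucket names, the policy document and the dict shapes are assumptions modelled on the fields the S3 GetBucketPolicy, GetPublicAccessBlock and GetBucketAcl calls return.

```python
import json

# Constructed sample bucket descriptions (not real AWS output).
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
ALL_FALSE = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
             "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
ALL_TRUE = {k: True for k in ALL_FALSE}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

SAMPLE_BUCKETS = {
    # public policy and nothing blocking it: exposed
    "marketing-assets": {"policy": PUBLIC_READ_POLICY, "public_access_block": ALL_FALSE, "acl_grants": []},
    # same policy, but Block Public Access fully enabled: policy is neutralised
    "finance-exports": {"policy": PUBLIC_READ_POLICY, "public_access_block": ALL_TRUE, "acl_grants": []},
    # no policy, but a legacy ACL granting READ to everyone and no block settings at all
    "legacy-backups": {"policy": None, "public_access_block": {},
                       "acl_grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def public_policy_actions(policy_json):
    """Actions granted to anonymous callers by Allow statements with no Condition narrowing them."""
    if not policy_json:
        return set()
    actions = set()
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and principal_is_anyone(stmt.get("Principal")) \
                and not stmt.get("Condition"):
            actions.update(as_list(stmt.get("Action", [])))
    return actions

def public_acl_permissions(grants):
    """Permissions granted to the AllUsers or AuthenticatedUsers groups."""
    return {g.get("Permission") for g in grants
            if g.get("Grantee", {}).get("URI", "").endswith(("/AllUsers", "/AuthenticatedUsers"))}

def audit_bucket(bucket):
    pab = bucket.get("public_access_block") or {}
    findings = [f"public_access_block:{k}=false" for k in ALL_FALSE if not pab.get(k)]
    policy_actions = public_policy_actions(bucket.get("policy"))
    acl_perms = public_acl_permissions(bucket.get("acl_grants", []))
    findings += [f"public_policy:{a}" for a in sorted(policy_actions)]
    findings += [f"public_acl:{p}" for p in sorted(acl_perms)]
    # RestrictPublicBuckets neutralises a public policy; IgnorePublicAcls neutralises public ACLs
    exposed = (bool(policy_actions) and not pab.get("RestrictPublicBuckets")) or \
              (bool(acl_perms) and not pab.get("IgnorePublicAcls"))
    return {"findings": findings, "exposed": exposed}

def audit_account(buckets):
    """Run the audit over every bucket; 'exposed' buckets need immediate remediation."""
    return {name: audit_bucket(b) for name, b in buckets.items()}
```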

Type 7: Physical Breaches

The least technical breach type and the one most companies overlook.

Physical breaches happen when someone steals a laptop or accesses a server room without authorization. They don’t require any hacking skills. They just require physical access.

In 2017, a Lifespan Health System employee left an unencrypted laptop in their car. It was stolen. The laptop contained protected health information on 20,431 patients. HHS fined Lifespan $1.04 million, not because the laptop was stolen, but because they’d already decided encryption was necessary and still hadn’t done it.

Encrypt all devices. Enforce screen locks. Restrict physical access to server rooms and data centers. Have a process for remote wiping lost devices. And make sure terminated employees return all hardware immediately.

How Do You Figure Out Which Breach Type Hit You?

When you’re looking at an active incident, the right response depends on the breach type. Here’s how to figure that out fast.

Start with the entry point. Do the logs show valid credentials being used? Credential theft. Was there a successful phishing email before the incident? Phishing. Was a file encrypted or a ransom note dropped? Ransomware. Did an employee have unusual access patterns? Insider threat. Was a vendor or a software vendor’s portal involved? Supply chain.

Check for the victim-report signal. Cloud misconfigurations and physical breaches usually get reported TO you, not detected BY you. A security researcher emails about an open S3 bucket. IT files a lost laptop report. These types often skip the attacker step entirely.

Watch for overlap. Real incidents rarely fit one clean category. A phishing email that captures credentials becomes a credential theft breach the moment attackers log in. A ransomware attack usually starts with either credential theft or phishing. When you see two types, the EARLIER one (the entry point) is usually the one that matters for prevention going forward.

Three common misreads to avoid:

  1. Labeling everything “phishing.” If the attacker’s email was just the delivery mechanism for stolen credentials, the root cause is credential theft, not phishing awareness training.
  2. Treating insider accidents as malicious. An employee emailing a spreadsheet to the wrong person is still an insider-caused breach, but the response is very different from malicious theft.
  3. Blaming your own environment for a vendor’s problem. If your SIEM alerts on activity coming through a vendor’s integration, check whether the vendor got compromised before you tear apart your own infrastructure looking for the root cause.

How Do You Protect Against All Types?

No single control stops every breach type. The seven types above exploit different weaknesses, from stolen credentials and human judgment to vendor trust and configuration errors.

The most effective protection combines:

  • MFA to block credential theft and phishing
  • Offline backups to survive ransomware
  • Least privilege access to limit insider damage
  • Vendor assessments to manage supply chain risk
  • Cloud configuration auditing to catch misconfigurations
  • Full disk encryption to protect against physical theft
  • Credential monitoring to catch exposed passwords across all breach types

Credential theft is the thread that runs through most of these. Phishing steals credentials. Infostealers harvest them. Insider threats abuse them. Supply chain attacks exploit vendor credentials. Monitoring for leaked passwords is the one control that addresses the most common element across all breach types.

Book a demo to see how Breachsense monitors the dark web for your organization’s exposed credentials.

Types of Data Breaches FAQ

The seven most common types are credential theft, phishing and social engineering, ransomware and extortion, insider threats, supply chain breaches, cloud misconfiguration, and physical breaches. Credential theft is the most common, involved in 22% of breaches according to the Verizon 2025 DBIR.

Malicious insider breaches cost $4.92 million on average, followed closely by supply chain breaches at $4.91 million. Credential-based breaches cost $4.67 million. The most expensive breach type for YOUR company depends on what data you hold and how fast you detect the breach. See our data breach statistics for the full cost breakdown.

Credential theft. The Verizon 2025 DBIR found that stolen credentials were the top initial access vector. Attackers get passwords from third-party breaches and infostealer malware. Then they log in as if they’re the real user.

Each type needs different controls. MFA blocks stolen passwords at login (though session cookies in stealer logs can bypass it). Email filtering and training reduce phishing. Offline backups protect against ransomware. Access reviews catch insider threats. Vendor assessments address supply chain risk. Dark web monitoring catches exposed credentials across all breach types.

It’s when attackers compromise a vendor or software provider to reach their customers. The SolarWinds attack is the best-known example. Attackers trojanized a software update to breach thousands of downstream organizations. Supply chain breaches cost $4.91 million on average and take 267 days to resolve.

An insider threat is one TYPE of data breach. It happens when someone with legitimate access, like an employee or contractor, either deliberately steals data or accidentally exposes it. Not all insider threats are malicious. Sending sensitive data to the wrong email address counts. See our guide on insider threats.

A security breach is any unauthorized access to your network or accounts. It doesn’t necessarily mean data was stolen. An attacker who got in but was stopped before reaching sensitive data caused a security breach but not a data breach. All data breaches are security breaches; not all security breaches are data breaches.

A security breach is unauthorized access to systems. A data breach is the subset of security breaches where sensitive data was actually accessed or exposed. The distinction matters for notification laws, insurance claims, and incident response scope. Regulatory rules like GDPR and HIPAA typically trigger on data exposure, not on an intrusion alone.

Insider threats and credential theft tie for the hardest to detect. Both use legitimate access, so traditional security tools see nothing wrong. The user had permission; only the intent or context was wrong. IBM’s 2025 report found credential-based breaches take 246 days to detect on average, the longest of any attack type.
