The discovery of the Heartbleed and Shellshock "designer bugs" combined with insecure development practices let hackers compromise at least one billion records containing personally identifiable information (PII) in 2014, according to IBM.
The IBM X-Force 2015 research report highlighted data loss as one of the fastest growing threats facing businesses, claiming a 20 percent increase on the 800 million breaches it detected in 2013.
The UK was the second most breach-ridden nation in the world, accounting for 3.4 percent of recorded security incidents. However, that figure pales in comparison to the US's 70.5 percent share of incidents.
The researchers highlighted software vulnerabilities as one of the largest factors contributing to the growth. IBM detected 9,200 new security vulnerabilities affecting more than 2,600 vendors in the final quarter of 2014 – the highest increase ever recorded by IBM during the 18 years it has run the report.
The discovery of the critical "designer bugs", such as Heartbleed and Shellshock, was listed as another contributing factor.
"2014 was also unique in that the underlying libraries that handle cryptographic functionality on nearly every common web platform - including Microsoft Windows, Mac OS X and Linux - were found to be vulnerable to fairly trivial remote exploitations capable of stealing critical data," read the report.
"Besides igniting a trend of labelling high-profile designer vulnerabilities with a catchy name and logo, these types of vulnerabilities affected a large percentage of websites and, in many cases, were fairly easy to exploit by using scripts and automated tools."
Heartbleed is a flaw in the OpenSSL implementation of the transport layer security (TLS) protocol used by open source web servers such as Apache and Nginx, which host around 66 percent of all sites.
Shellshock is a bug in the Bash shell shipped with Unix-based and Unix-like operating systems, so it affects both Linux and Mac OS X. The bug could be exploited by hackers to target critical infrastructure systems.
IBM said these bugs are being aided and abetted by lax security practices within the development community. The paper highlighted IBM's experience tracking an Apache Cordova flaw as proof of developers' poor security practices.
"In July 2014, IBM X-Force discovered a series of vulnerabilities in the Android version of Cordova, which we disclosed privately to the Apache Foundation. Fixes or mitigations for these vulnerabilities were provided by the Cordova development team on 31 August," read the report.
"In order to highlight the severity of the vulnerabilities in respect to real-world exploitability, we also demonstrated a proof of concept showing how a complete, remote, end-to-end attack could be constructed, and provided accompanying technical details.
"At the time of public disclosure, we started tracking Android applications from various categories that are based on Cordova. Of these applications, 91 percent were initially discovered to be exploitable."
IBM is one of many companies to criticise mobile application developers for poor security practices.
In its McAfee Labs Threats Report: February 2015 research paper, McAfee reported that many "popular" applications are still missing critical Heartbleed Secure Sockets Layer (SSL) patches.
Maarten Ectors, Canonical's vice president of next-generation networks and proximity cloud, told V3 that the nature of software development means further Heartbleed- and Shellshock-level flaws will appear in the very near future.
The IBM researchers said they expect the number of breaches to continue to increase, warning many workers are still not practising even basic cyber security. The paper listed poor password security as a particularly pressing problem.
"Whether users have predictable or weak passwords, or they reuse passwords across the internet and the enterprise, the ability for attackers to gain access as a result of poorly managed authentication policies is concerning," read the paper.
"In one notable example, more than six million accounts at a popular cloud storage provider were compromised.
"While the cloud storage provider itself was not breached, login data from other breaches, as well as malware, keyloggers and phishing tactics, allowed attackers to access accounts."
The IBM research follows widespread efforts within the security community to improve the security of open source projects, such as OpenSSL.
Earlier in March, researchers from Cryptography Services announced plans to launch a huge independent audit of OpenSSL security as a part of a wider push by the Linux Foundation to improve open source projects' cyber defences.