- Google report shows attackers turning to software flaws instead of weak credentials
- Vulnerabilities now account for 44.5% of cloud breaches and are exploited within days
- Third-party SaaS integrations are increasingly abused for data theft and access
To break into cloud environments, cybercriminals rely less on weak credentials and more on third-party software vulnerabilities, according to new research from Google.
The Cloud Threat Horizons report states that in early 2025 most compromises still depended on weak or missing credentials. However, in the second half of the year, attackers increasingly began to exploit vulnerabilities in externally managed software.
The change was significant. Software vulnerabilities now represent 44.5% of initial access vectors, a larger proportion than weak credentials (27.2%) for the first time. Misconfigurations now account for 21% and exposed interfaces for 4.9%.
Changing tactics
The report also claims that hackers are exploiting these flaws faster than ever. The window between a vulnerability’s disclosure and its exploitation shrank from weeks to just days, and in some cases attackers were able to deploy cryptominers within 48 hours of the vulnerability becoming public.
Criminals are also abusing third-party integrations and SaaS relationships, Google said. Of all cloud intrusions tracked throughout 2025, one-fifth (21%) involved compromised relationships with trusted third parties.
“Similar to a SaaS supply chain compromise, UNC6395 leveraged compromised OAuth tokens associated with the Salesloft Drift application to conduct extensive discovery and mass exfiltration of sensitive data from Salesforce tenants,” Google said.
“We also saw several intrusions that involved theft and abuse of Salesforce Gainsight tokens to gain unauthorized access to victims’ environments.”
This is an important pivot. Misconfigured databases are generally considered the leading cause of data leaks. If cloud storage providers have improved identity protections and secure default configurations, and businesses have learned a thing or two about how to protect their cloud infrastructure, the industry is moving in the right direction.
It also means that attackers are increasingly targeting the weakest links in the cloud platform itself, such as third-party applications, development tools, CI/CD pipelines, and SaaS integrations.




