- Google report shows that attackers are switching to software flaws over weak credentials
- Vulnerabilities now account for 44.5% of cloud breaches, exploited within days
- Third-party SaaS integrations are increasingly being abused for data theft and access
To break into cloud environments, cybercriminals are relying less on weak credentials and more on third-party software vulnerabilities, new research from Google has found.
The Cloud Threat Horizons report claims that as recently as 2025, most compromises still relied on weak or missing credentials. But in the second half of the year, attackers began to increasingly exploit vulnerabilities in externally managed software.
The shift was also quite significant. Software vulnerabilities now account for 44.5% of initial access vectors, taking a larger share than weak credentials (27.2%) for the first time ever. Misconfigurations now account for 21%, and exposed interfaces 4.9%.
Change of tactics
The report also states that hackers are exploiting these flaws much faster than ever before. Apparently, the window between vulnerability disclosure and exploitation dropped from weeks to mere days, and in some cases attackers were able to deploy cryptominers within 48 hours of the vulnerability becoming public.
Crooks are also abusing third-party integrations and SaaS relationships, Google said. Of all cloud intrusions tracked through 2025, one-fifth (21%) involved compromised trusted third-party relationships.
“Similar to a SaaS supply chain compromise, UNC6395 leveraged compromised OAuth tokens associated with the Salesloft Drift application to perform extensive discovery and mass exfiltration of sensitive data from Salesforce tenants,” Google said.
“We also saw several intrusions involving the theft and misuse of Salesforce Gainsight tokens to gain unauthorized access to victim environments.”
This is an important pivot point. Misconfigured databases are generally seen as the biggest cause of data leaks. If cloud storage providers have improved identity protection and secure default configurations, and companies have learned a thing or two about securing their cloud infrastructure, the industry is moving in the right direction.
It also means that attackers are increasingly targeting the weaker links around the cloud platform itself, such as third-party applications, developer tools, CI/CD pipelines and SaaS integrations.



