- A Google report shows that attackers are turning to software vulnerabilities due to weak credentials.
- Vulnerabilities now account for 44.5% of cloud breaches, exploited within days
- Third-party SaaS integrations are increasingly used for data theft and access purposes.
To break into cloud environments, cybercriminals are relying less on weak credentials and more on vulnerabilities in third-party software, according to a new Google study.
The Cloud Threat Horizons report claims that as of early 2025, most compromises still relied on weak or missing credentials. However, during the second half of the year, attackers began to increasingly exploit vulnerabilities in externally managed software.
The change was also quite significant. Software vulnerabilities now account for 44.5% of initial access vectors, occupying a larger share than weak credentials (27.2%) for the first time. Configuration errors now represent 21% and exposed interfaces 4.9%.
Article continues below
Change tactics
The report also states that hackers are exploiting these vulnerabilities much faster than ever before. Apparently, the time between vulnerability disclosure and exploitation shortened from weeks to just days, and in some cases, attackers were able to deploy cryptominers within 48 hours of the vulnerability being published.
Scammers also abuse third-party integrations and SaaS relationships, Google said. Of all cloud intrusions tracked throughout 2025, a fifth (21%) involved compromised trusted third-party relationships.
“Similar to a SaaS supply chain compromise, UNC6395 leveraged compromised OAuth tokens associated with the Salesloft Drift application to perform deep discovery and mass exfiltration of sensitive Salesforce tenant data,” Google said.
“We also saw several intrusions involving the theft and misuse of Salesforce Gainsight tokens to gain unauthorized access to victims’ environments. »
This is an important pivot. Misconfigured databases are generally considered the leading cause of data leaks, and if cloud storage providers have improved identity protection and secured default configurations, and if companies have learned a thing or two about securing their cloud infrastructure, it means the industry is moving in the right direction.
This also means that attackers are increasingly targeting the weakest links around the cloud platform itself, such as third-party applications, developer tools, CI/CD pipelines and SaaS integrations.
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
