TechRadar
Sead Fadilpašić

'The cloud threat landscape is rapidly shifting': Google research warns hackers are targeting third parties and software flaws to gain entry


  • Google report shows attackers shifting to software flaws over weak credentials
  • Vulnerabilities now account for 44.5% of cloud breaches, exploited within days
  • Third-party SaaS integrations increasingly abused for data theft and access

To break into cloud environments, cybercriminals are relying less on weak credentials and more on third-party software vulnerabilities, new research from Google has found.

The Cloud Threat Horizons Report claims that early in 2025, most compromises still relied on weak or missing credentials. However, in the second half of the year, attackers increasingly started exploiting vulnerabilities in externally managed software.

The shift was quite significant, too. Software vulnerabilities now account for 44.5% of initial access vectors, taking up a bigger share than weak credentials (27.2%) for the first time ever. Misconfigurations now take up 21%, and exposed interfaces 4.9%.

Changing tactics

The report also states that hackers are exploiting these flaws much faster than ever before. Apparently, the window between vulnerability disclosure and exploitation shrank from weeks to mere days, and in some cases, attackers were able to deploy cryptominers within 48 hours of the vulnerability becoming public.

Crooks are also abusing third-party integrations and SaaS relationships, Google said. Of all cloud intrusions tracked throughout 2025, a fifth (21%) involved compromised trusted third-party relationships.

“Akin to a SaaS supply chain compromise, UNC6395 leveraged compromised OAuth tokens associated with the Salesloft Drift application to conduct extensive discovery and bulk exfiltration of sensitive data from Salesforce tenants,” Google said.

“We also saw several intrusions involving theft and abuse of Salesforce Gainsight tokens to gain unauthorized access to victim environments.”

This is an important pivot. Misconfigured databases are generally seen as the biggest cause of data leaks, so if cloud storage providers have improved identity protections and secure default configurations, and businesses have learned a thing or two about securing their cloud infrastructure, the industry is moving in the right direction.

It also means attackers are increasingly targeting the weaker links around the cloud platform itself, such as third-party applications, developer tools, CI/CD pipelines, and SaaS integrations.

