Google Report: Software Flaws Have Overtaken Stolen Passwords as the Top Way Into Cloud Systems
Google's Threat Horizons H1 2026 report found that exploited software vulnerabilities now account for 44.5% of cloud intrusions, surpassing credential theft for the first time since the report began.
VaultTools · March 11, 2026
Photo on Unsplash
Table of Contents
- What the report found
- Vulnerabilities overtake credentials for the first time
- The collapsing window between disclosure and attack
- Cloud storage as an exfiltration channel
- What this means for file tool choices
- Sources
What the Report Found
On March 11, 2026, Google Cloud published its thirteenth Threat Horizons report, a bi-annual survey of active threats across Google Cloud and enterprise cloud environments. The report covers observed incidents from the second half of 2025 and draws on intelligence from Google’s Threat Intelligence Group (GTIG).
The headline finding breaks a pattern that has held since the report series began in 2021: exploiting software vulnerabilities has overtaken stealing or abusing credentials as the primary method attackers use to gain initial access to cloud systems.
Vulnerabilities Overtake Credentials for the First Time
In the second half of 2025, software vulnerabilities accounted for 44.5% of initial access vectors in observed cloud intrusions. Weak or absent credentials fell to 27.2%, down sharply from 47.1% in the first half of 2025. Remote code execution (RCE) incidents increased nearly five-fold within that same window, rising from 2.9% to 13.6%.
The shift reflects a change in attacker behavior. Rather than waiting to acquire valid credentials through phishing or purchase on dark-web markets, threat actors are increasingly scanning for unpatched third-party applications and exploiting known vulnerabilities directly. The report notes that targets included both Google Compute Engine and Google Kubernetes Engine workloads, and that attackers primarily targeted publicly documented CVEs.
Credential abuse has not disappeared. The report also documents voice-based phishing attacks where threat actors impersonated internal IT staff to pressure help desks into resetting credentials and disabling multi-factor authentication. But credential abuse is no longer the leading entry point.
The Collapsing Window Between Disclosure and Attack
The second major finding concerns speed. Google’s data shows that the gap between a vulnerability becoming publicly known and being actively exploited in cloud attacks has collapsed from weeks to days.
One documented case involves a remote code execution vulnerability in a third-party application layer. Google observed threat actors deploying cryptocurrency-mining software within approximately 48 hours of the vulnerability’s public disclosure. The exploitation was automated and required no human targeting of specific organizations.
This acceleration matters because it eliminates the mitigation window that patch management processes rely on. Traditional enterprise patching cycles run on schedules of days to weeks. When attackers can exploit a disclosed flaw within two days, those cycles provide no protection for the interval between announcement and patch deployment.
Cloud Storage as an Exfiltration Channel
A secondary finding in the report addresses insider data theft. Cloud storage platforms have become the fastest-growing channel for data exfiltration by insiders with legitimate access. The report found that personal cloud storage usage surpassed email as the preferred exfiltration method, and that insiders frequently combined multiple methods in a single incident.
This trend is structurally different from the vulnerability and credential threats described above. It does not require an external attacker. An employee with authorized access to documents uploads those files to a personal cloud account. The documents leave the organization without triggering most endpoint detection tools, because the upload resembles normal cloud activity.
The report did not identify a technical countermeasure to this pattern beyond visibility tooling and access controls.
What This Means for File Tool Choices
The Google data points to two separate but reinforcing risks associated with cloud-based file processing tools.
The first is infrastructure risk. When a user uploads a file to an online conversion, compression, or editing tool, that file lands on server infrastructure running third-party software stacks. The Threat Horizons data shows that software vulnerabilities in cloud environments are now being exploited within 48 hours of disclosure. The tools a user chooses for routine file tasks are running on this infrastructure.
The second is the exfiltration pattern. Cloud-hosted file tools require users to upload documents before processing begins. For sensitive files, that upload is structurally identical to the insider exfiltration behavior the report describes: a file moves from a local device to a cloud environment, where visibility and control over its subsequent handling belong to the platform operator, not the user.
Tools that run entirely inside the browser using WebAssembly remove both vectors. The file is never transmitted to a server, so there is no cloud infrastructure to compromise and no upload to intercept or retain. Processing happens locally and the result stays on the user’s device. The Google Threat Horizons findings make the architectural case for local processing in terms that go beyond individual privacy preferences and into measurable operational risk.
Sources
- Cloud Threat Horizons Report H1 2026 (Google Cloud)
- Software vulnerabilities push credential abuse aside in cloud intrusions (Help Net Security)
- Cloud Attackers Now Prefer Vulnerability Exploits Over Credentials (Infosecurity Magazine)
- Google Cloud Security Threat Horizons Report #13 (H1 2026) Is Out! (Anton on Security, Medium)
- Cloud CISO Perspectives: New Threat Horizons report highlights current cloud threats (Google Cloud Blog)