Account compromise has been confirmed as the dominant driver of cloud security incidents, according to the latest research from Google Cloud, with identity abuse linked to the vast majority of breaches observed in recent investigations.
The company’s latest Threat Horizons Report H1 2026, published earlier this week, found that compromised identities were involved in 83% of cloud and software-as-a-service (SaaS) intrusions in the second half of 2025.
The findings draw on incident response investigations conducted by teams including Google Threat Intelligence Group (GTIG) and Mandiant.
The report highlights a growing shift in attacker behavior. While stolen credentials and insufficiently strong passwords historically dominated initial access techniques, threat actors are now exploiting vulnerabilities in third-party software to obtain credentials as well as authentication tokens for access to cloud services.
Data theft was the primary objective in 73% of incidents, underscoring how identity compromise enables hackers to quietly move through cloud environments and pilfer sensitive information without immediately triggering alerts.

Google researchers warned that once attackers are inside a legitimate account or come into possession of authentication tokens, many security controls, such as perimeter defenses, become less effective.
Vulnerability Exploits and Identity Abuse Increasingly Overlap
The report also identifies a structural shift in attackers’ preferred methods of gaining initial access. Software vulnerabilities now account for 44.5% of entry points, surpassing weak credentials at 27.2% for the first time in Google’s tracking.

This trend shows a shift toward automated vulnerability exploitation. According to the report, the time between the public disclosure of a flaw and its active exploitation has shrunk dramatically, from weeks to just days in many cases.
Attackers often merge these approaches. A vulnerability may be used to deploy malware or extract API keys and OAuth tokens from cloud platforms. This, in turn, provides persistent identity-based access.
GTIG researchers also highlighted real-world attacks involving supply chain compromise techniques, abuse of continuous integration/continuous deployment (CI/CD) pipelines, and malicious insiders exfiltrating data through cloud storage services. One documented case showed attackers achieving full cloud compromise in less than 72 hours after gaining access through identity-based authentication tools.
For security teams, the findings reinforce the importance of identity-centric defenses. Organizations are advised to strengthen identity and access management (IAM), enforce multifactor authentication (MFA), monitor token deployment, and rapidly patch externally exposed software.
Considering the current growth in adoption of cloud tools, Google researchers concluded that identity security, not perimeter defense, has become the central battleground in modern cyberattacks.