Google's investigations indicate that insufficient or weak credentials are suspected in almost half of all cyberattacks involving cloud systems.
In a recent report, Google Cloud has shed light on a significant security challenge facing enterprises today: attacks on cloud services due to weak or non-existent credentials. The research underscores the scale and impact of these attacks, with evidence pointing to a surge in cybersecurity incidents as a result.
One of the most striking examples of this trend was the massive credential leak in June 2025, which exposed over 16 billion stolen login credentials. This vast trove of data, sourced from infostealer malware logs and credential-stuffing compilations, granted attackers easy access to a multitude of online services, including VPNs, developer portals, government platforms, and popular consumer services. The report warns that many of these credentials are current and immediately exploitable, posing a major risk to organizations that do not enforce strong passwords or multi-factor authentication (MFA).
Identity and access management (IAM) misconfigurations are identified as the root cause of most cloud breaches. Overly permissive policies, unused credentials, and failure to enforce least-privilege access lead to incidents. By 2023, around half of cloud security incidents stemmed from identity-related mismanagement, resulting in privilege escalations, data leaks, and unauthorized internal or external access.
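The three misconfigurations named above (overly permissive policies, unused credentials, missing least privilege) can be checked mechanically. The following is an added example, not code from Google's report: it assumes an IAM policy in the role/members bindings layout that Google Cloud uses, plus a hypothetical credential inventory with a `last_used` field, and all sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Basic roles that grant broad, project-wide access.
BROAD_ROLES = {"roles/owner", "roles/editor"}
# Principals that open a resource to anyone or to any signed-in account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def audit_policy(policy):
    """Flag overly permissive bindings in an IAM policy document."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("public-access", role, member))
            # Assumption: a conditional (e.g. time-bound) grant is accepted here.
            elif role in BROAD_ROLES and not binding.get("condition"):
                findings.append(("broad-role", role, member))
    return findings

def audit_credentials(creds, now, max_idle_days=90):
    """Flag credentials never used or idle longer than max_idle_days.
    The record layout (id, last_used) is a hypothetical inventory export."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for cred in creds:
        last_used = cred.get("last_used")
        if last_used is None:
            findings.append(("never-used", cred["id"]))
        elif datetime.fromisoformat(last_used) < cutoff:
            findings.append(("stale", cred["id"]))
    return findings

# Constructed sample data, not taken from the report.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com",
                                        "serviceAccount:ci@example.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers", "group:analysts@example.com"]},
    {"role": "roles/editor", "members": ["user:temp@example.com"],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2025-12-31T00:00:00Z')"}},
]}
SAMPLE_CREDS = [
    {"id": "key-ci", "last_used": "2025-06-20T10:00:00+00:00"},
    {"id": "key-old", "last_used": "2024-11-02T08:30:00+00:00"},
    {"id": "key-unused", "last_used": None},
]

if __name__ == "__main__":
    now = datetime(2025, 7, 1, tzinfo=timezone.utc)
    for finding in audit_policy(SAMPLE_POLICY) + audit_credentials(SAMPLE_CREDS, now):
        print(finding)
```

Each finding is a candidate for removal or for replacement with a narrower role; the 90-day idle threshold is an arbitrary default to tune per environment.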
Attackers exploit these weaknesses not only through stolen credentials but also through vulnerabilities that enable session hijacking and MFA bypass. Such exploits can lead to administrative account compromise and ransomware deployment. For instance, a recent critical bug in the widely used Citrix NetScaler (CVE-2025-5777) has been used by attackers to bypass MFA and gain unauthorized access.
The consequences for enterprise security when these credential-related weaknesses are exploited are severe. Data breaches can expose highly sensitive personal, financial, or corporate information, leading to direct financial loss and long-term reputational harm. Account takeovers can disrupt business continuity by granting unauthorized access to critical systems and services. Privilege escalation and lateral movement within cloud environments can expand attacker footholds and increase the scope of damage. Compromised privileged accounts also raise the risk of ransomware and other malware deployment.
Moreover, the massive scale of leaked credentials can enable industrial-scale phishing and identity theft campaigns. The report warns of the potential for subsequent social engineering attacks after initial access is gained due to poor credential management.
In conclusion, attacks exploiting weak or missing credentials in cloud services are widespread and growing, driven by huge credential leaks and frequent IAM misconfigurations. The report underscores the importance of strong credential management in the fight against cybercrime and attacks linked to nation-state groups. Enterprises must prioritize strong credential hygiene, robust identity management, and continuous monitoring for suspicious access to mitigate these risks and protect their assets.
- Threat intelligence reports suggest that a significant proportion of cloud security incidents are due to attacks exploiting weak or missing credentials, as shown by the massive credential leak in June 2025 that exposed over 16 billion stolen login credentials.
- Cybersecurity professionals must be aware that attackers are not only using stolen credentials but also exploiting vulnerabilities to bypass multi-factor authentication, hijack sessions, and gain unauthorized access to cloud services, leading to data breaches, account takeovers, and privilege escalation.
- To protect against these threats, data and cloud computing enterprises need to prioritize credential hygiene, strong password policies, adoption of multi-factor authentication, and continuous monitoring for suspicious access, leveraging technology like threat intelligence and identity and access management (IAM) solutions in their cybersecurity strategies.