A report published by Google Cloud found nearly half (46%) of the observed security alerts involved a service account that was overprivileged.
The Threat Horizons report for the first half of 2025 also notes that in 46% of cases initial access was gained through missing or weak passwords. The next two most common methods of gaining access are misconfigurations (34%) and compromises of user interfaces and application programming interfaces (APIs) (17%).
More troubling still, once access was gained, more than half of these incidents (62%) led to lateral movement across the cloud environment. The report also notes increased searches for insecure private keys (14%) and manipulation of access tokens (11%). Google also notes that 10% of alerts involved service account keys being accessed from an unexpected location.
Cris Kittner, chief analyst for the product engineering team at Google Cloud, said the report makes it clear there is still a greater need for cloud security vigilance as cyberattacks continue to increase in volume and sophistication. In addition to targeting the accounts of individuals that have elevated privileges, cybercriminals are specifically looking for ways to access data, she said.
For example, Google during the second quarter of 2024 observed a widespread campaign in which a group of threat actors made use of Kinsing malware, also known as H2Miner, to target publicly exposed PostgreSQL databases. The use of a cronjob utility along with a backup command and control (C2) server suggests they aim to ensure persistent access while continuing to evade detection once access is gained by using brute force techniques to crack weak credentials, the report noted.
The data stolen from those databases then winds up being used to drive a ransomware attack. The Mandiant arm of Google Cloud in the third quarter of 2024 observed data belonging to 1,242 organizations being posted on some type of data leak site (DLS). Google Cloud now expects, in its next report, that the number of posts to DLS in 2024 will surpass the 4,522 posts to DLS in 2023 by a few hundred.
More than a decade after the arrival of cloud computing, it’s clear organizations are still struggling to come to terms with how to secure these services. While cloud service providers are responsible for securing their own infrastructure, securely configuring those services and the applications that run on them is the responsibility of the customer's IT team. Unfortunately, many of those services are programmatically configured by application developers who have little to no cybersecurity expertise. Not surprisingly, a lot of mistakes are then made that cybercriminals are becoming increasingly adept at exploiting.
Google, in the interest of improving overall cloud security, is stressing the importance of securing the identities of everyone who has access to cloud services by using, for example, multifactor authentication, said Kittner. Additionally, organizations should ensure that least privilege principles are followed to ensure that anyone accessing a cloud service can only invoke the narrowest set of services required, she added. Too often, application developers, for example, are given more access privileges than required, simply because no one is actually managing that process, Kittner noted.
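Two of the report's findings, overprivileged service accounts and service account keys used from unexpected locations, map directly onto checks a cloud security team can automate. The script below is an added example, not code from the article or from Google Cloud: it audits an IAM policy in the shape returned by `gcloud projects get-iam-policy --format=json` for service accounts holding the broad basic roles (`roles/owner`, `roles/editor`, `roles/viewer`), and scans Cloud Audit Log entries for key-based service account authentication from IP addresses outside an allowlist. The policy, log entries, project name and CIDR ranges are constructed sample data; the audit-log field paths (`protoPayload.authenticationInfo.serviceAccountKeyName`, `protoPayload.requestMetadata.callerIp`) follow Cloud Audit Logs but are assumed here rather than taken from the article.

```python
"""Least-privilege and key-location checks for GCP service accounts.

Added example (not the article's or Google's code). All input data below is
constructed for illustration; field names follow Cloud Audit Logs but are
an assumption of this example, not something the article documents.
"""
import ipaddress

# GCP basic ("primitive") roles grant broad access across an entire project and
# are the usual sign of an overprivileged service account.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed IAM policy, shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:admin@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci-deployer@demo-project.iam.gserviceaccount.com",
                     "group:platform@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reports-sa@demo-project.iam.gserviceaccount.com"]},
    ]
}

# Constructed audit-log entries. Only entries carrying serviceAccountKeyName
# represent authentication with a downloadable key, which is what the report's
# "keys accessed from an unexpected location" finding concerns.
SAMPLE_LOG = [
    {"protoPayload": {
        "authenticationInfo": {
            "principalEmail": "ci-deployer@demo-project.iam.gserviceaccount.com",
            "serviceAccountKeyName": "//iam.googleapis.com/projects/demo-project/serviceAccounts/ci-deployer@demo-project.iam.gserviceaccount.com/keys/KEY_ID_PLACEHOLDER"},
        "requestMetadata": {"callerIp": "10.1.2.3"}}},          # inside allowlist
    {"protoPayload": {
        "authenticationInfo": {
            "principalEmail": "backup-sa@demo-project.iam.gserviceaccount.com",
            "serviceAccountKeyName": "//iam.googleapis.com/projects/demo-project/serviceAccounts/backup-sa@demo-project.iam.gserviceaccount.com/keys/KEY_ID_PLACEHOLDER"},
        "requestMetadata": {"callerIp": "198.51.100.77"}}},     # outside allowlist
    {"protoPayload": {
        "authenticationInfo": {
            "principalEmail": "vm-sa@demo-project.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "198.51.100.5"}}},      # token auth, no key: skipped
]


def find_overprivileged_service_accounts(policy):
    """Return sorted (service_account_email, role) pairs for service accounts
    that hold a basic role. Users and groups are ignored on purpose: the report's
    finding is about service accounts."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                findings.append((member.split(":", 1)[1], role))
    return sorted(findings)


def key_use_outside_allowlist(entries, allowed_cidrs):
    """Return (principal_email, caller_ip) for every key-based service account
    authentication whose caller IP is not within any allowed CIDR. Entries with
    a missing or unparsable IP are reported too, since they cannot be cleared."""
    networks = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        auth = payload.get("authenticationInfo", {})
        if "serviceAccountKeyName" not in auth:
            continue  # attached-identity / token auth is outside this check
        caller_ip = payload.get("requestMetadata", {}).get("callerIp")
        try:
            addr = ipaddress.ip_address(caller_ip)
        except (TypeError, ValueError):
            hits.append((auth.get("principalEmail"), caller_ip))
            continue
        if not any(addr in net for net in networks):
            hits.append((auth.get("principalEmail"), caller_ip))
    return hits


if __name__ == "__main__":
    for sa, role in find_overprivileged_service_accounts(SAMPLE_POLICY):
        print(f"overprivileged: {sa} holds {role}")
    for principal, ip in key_use_outside_allowlist(SAMPLE_LOG, ["10.0.0.0/8", "203.0.113.0/24"]):
        print(f"key used from unexpected location: {principal} from {ip}")
```

Run against real data, the policy would come from `gcloud projects get-iam-policy PROJECT --format=json` and the entries from a Cloud Logging export; the allowlist should be the CI runners, VPN egress and office ranges the key is legitimately expected to be used from. A hit on the first check is a candidate for replacing a basic role with a predefined or custom role, and a hit on the second is a candidate for key rotation and for removing the downloadable key in favour of an attached identity.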
There’s little doubt that cyberattacks aimed at cloud services are going to continue to increase. The real issue is determining how best to first thwart as many as possible and then, secondly, limit the blast radius of the hopefully occasional breach that, at this point, is all but inevitable.