Stolen credentials spike 72% in cloud
- Google Cloud’s H1 2026 Threat Horizons report says compromised identities drove 83% of cloud compromises, pushing stolen-login abuse to the center of cloud defense.
- Recorded Future counted 1.95 billion malware combo-list exposures in 2025, with 90% more credentials surfacing in Q4 than in Q1.
- The shift matters because cloud break-ins now look like normal logins, while exposed apps and weak identity controls keep feeding them.
Cloud security is turning into an identity problem. Not a server problem first, not even a malware problem first, but an identity problem. The reason is simple: if an attacker logs in with a real user’s credentials or session token, many of the old tripwires never fire. That is the backdrop for the latest cloud threat research, which keeps landing on the same point: stolen credentials are now one of the main ways attackers get into cloud environments and move around once they are there. (cloud.google.com)

### What changed here?

The clearest new signal comes from Google Cloud’s H1 2026 Threat Horizons report. It says identity compromise underpinned 83% of compromises in the second half of 2025, with attackers increasingly mixing vishing, token theft, and SaaS identity abuse to get in quietly and pull data out. That is a huge tell. It means the (cloud.google.com)

### Why are stolen credentials suddenly everywhere?

Because the supply is exploding. Recorded Future’s 2025 identity threat report says it detected 1.95 billion malware combo-list credential exposures in 2025. It also says the volume accelerated through the year: 50% more credentials appeared in the second half than in the first, and the last (cloud.google.com)g cloud and SaaS access at industrial scale. (recordedfuture.com)

### What kind of credentials are attackers after?

Not random consumer logins. The valuable stuff is enterprise access: authentication portals, VPNs, remote management tools, cloud platforms, and security tooling. Recorded Future says 63.2% of indexed credentials with identifiable authorization URLs were tied to authentication systems, and 276 million includ(recordedfuture.com) password-and-MFA dance entirely. (recordedfuture.com)

### Why is cloud forensics harder now?

Because a valid login can look boring. If an attacker uses stolen credentials against cloud control planes, SaaS admin consoles, or APIs, there may be little or no host-level malware to catch. The evidence lives in identity logs, API calls, token use, and unexpected permission changes. Google’s report leans hard into “forens(recordedfuture.com)oint: defenders need better telemetry retention and visibility into SaaS integrations and Tier-0 assets, not just endpoint alerts. (services.google.com)

### Are misconfigurations still part of the story?

Yes, very much. Stolen credentials are the key, but bad configuration is still the unlocked side door. Google says attackers are successfully targeting unpatched third-party software and permissive user-defined firewall rules. Wiz’s January 2026 roundup adds a concrete example: attackers explo(services.google.com) not “credentials instead of misconfigurations.” It is credentials plus exposed apps, plus weak identity boundaries. (cloud.google.com)

### Didn’t we already know credentials mattered?

We did, but the numbers keep getting worse. CrowdStrike’s 2024 threat report already flagged a surge in stolen-credential-driven cloud intrusions, with cloud intrusions up 75% overall and cloud-conscious cases up 110% year over year. What is different now is the scale and speed of the credentia(cloud.google.com)erated identity, SaaS integrations, and API-driven administration. (crowdstrike.com)

### So what should defenders actually do?

Start with identity, not just infrastructure. Use phishing-resistant MFA where possible, watch for stolen-cookie and token abuse, review OAuth and SaaS integrations, and keep cloud audit logs long enough to reconstruct an intrusion. Then close the obvious feeders: patch exposed apps fast, tri(crowdstrike.com)xotic. It is mostly disciplined hygiene, just aimed at the real attack path. (cloud.google.com)

### Bottom line

The cloud story now starts with who logged in. If attackers can buy or steal trust faster than defenders can validate it, “normal login activity” becomes the breach. (cloud.google.com)
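One way to act on the two points made above, that the evidence now lives in identity logs and API calls, and that defenders should watch for stolen-cookie and token abuse and permission changes, is a small triage pass over cloud audit events. The script below is an added example written for this page; it is not code from Google, Recorded Future, CrowdStrike, Wiz or any other source cited above. The log format, the field names (principal, session, ip, ua, method, granted_role, member), the sample events and the list of sensitive roles are all constructed assumptions, loosely modelled on cloud audit-log conventions rather than any vendor's real schema. It flags a session token that starts being used from a second source address, and raises the severity of any sensitive IAM grant that the same principal makes shortly afterwards.

```python
"""Triage simplified cloud audit-log lines for identity-centric intrusion signals:
a valid session/token reused from a second source, then a sensitive permission change.
Added example for this page; the log shape below is a constructed simplification,
not Google's or any other vendor's actual audit-log schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per line. Field names are assumptions for
# this example (who, from where, with which session token, doing what, when).
SAMPLE_LOG = """
{"ts": "2026-01-10T08:00:00Z", "principal": "alice@example.com", "ip": "203.0.113.10", "ua": "Mozilla/5.0", "session": "sess-A1", "method": "storage.objects.list"}
{"ts": "2026-01-10T08:05:00Z", "principal": "alice@example.com", "ip": "203.0.113.10", "ua": "Mozilla/5.0", "session": "sess-A1", "method": "compute.instances.list"}
{"ts": "2026-01-10T08:12:00Z", "principal": "alice@example.com", "ip": "198.51.100.77", "ua": "python-requests/2.31", "session": "sess-A1", "method": "storage.objects.list"}
{"ts": "2026-01-10T08:14:00Z", "principal": "alice@example.com", "ip": "198.51.100.77", "ua": "python-requests/2.31", "session": "sess-A1", "method": "SetIamPolicy", "granted_role": "roles/owner", "member": "serviceAccount:backup@example.iam.gserviceaccount.com"}
{"ts": "2026-01-10T09:00:00Z", "principal": "bob@example.com", "ip": "192.0.2.5", "ua": "gcloud/450", "session": "sess-B9", "method": "SetIamPolicy", "granted_role": "roles/viewer", "member": "user:carol@example.com"}
"""

# Assumed set of roles worth a second look when granted; tune to the environment.
SENSITIVE_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
                   "roles/iam.serviceAccountTokenCreator"}


def parse_events(text):
    """Parse one JSON object per line into dicts with a real datetime in 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_token_reuse(events):
    """Flag the first time a (principal, session) pair is seen from a source IP other than
    the one it was established from. A browser session or OAuth token that suddenly starts
    being used from a second address, often with a different client string, is the
    stolen-cookie pattern: the login was real, the operator is not."""
    first_seen = {}
    seen_ips = defaultdict(set)
    findings = []
    for ev in events:
        key = (ev["principal"], ev["session"])
        if key not in first_seen:
            first_seen[key] = ev
            seen_ips[key].add(ev["ip"])
            continue
        if ev["ip"] not in seen_ips[key]:
            seen_ips[key].add(ev["ip"])
            origin = first_seen[key]
            findings.append({
                "type": "token_reuse",
                "principal": ev["principal"],
                "session": ev["session"],
                "original_ip": origin["ip"],
                "new_ip": ev["ip"],
                "ua_changed": origin["ua"] != ev["ua"],
                "ts": ev["ts"],
            })
    return findings


def detect_privilege_changes(events, reuse_findings, window_minutes=60):
    """Flag IAM policy changes that grant a sensitive role. Severity is 'high' when the
    same principal had a token-reuse finding within the preceding window: a permission
    change right after a session started arriving from a new address is lateral movement,
    not routine administration."""
    window = timedelta(minutes=window_minutes)
    reuse_times = defaultdict(list)
    for f in reuse_findings:
        reuse_times[f["principal"]].append(f["ts"])
    findings = []
    for ev in events:
        if ev.get("method") != "SetIamPolicy" or ev.get("granted_role") not in SENSITIVE_ROLES:
            continue
        recent = any(timedelta(0) <= (ev["ts"] - t) <= window
                     for t in reuse_times[ev["principal"]])
        findings.append({
            "type": "privilege_change",
            "principal": ev["principal"],
            "role": ev["granted_role"],
            "member": ev.get("member"),
            "severity": "high" if recent else "review",
            "ts": ev["ts"],
        })
    return findings


def triage(log_text, window_minutes=60):
    """Run both detections over raw log text and return findings grouped by type."""
    events = parse_events(log_text)
    reuse = detect_token_reuse(events)
    priv = detect_privilege_changes(events, reuse, window_minutes)
    return {"token_reuse": reuse, "privilege_change": priv}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for finding in items:
            print(kind, finding)
```

On the sample, alice's session token shows up from a second address with a scripted user agent at 08:12, and two minutes later that same session grants roles/owner to a service account, so the grant is reported as high severity; bob's roles/viewer grant is not in the sensitive set and is not reported. The point is the one the article makes about forensics: nothing here is malware, and none of it is visible at the endpoint. It only exists in the identity and API audit trail, which is why retention of those logs decides whether the intrusion can be reconstructed at all.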