Google Cloud: 47% of Cloud Incidents From Weak Credentials

Google Cloud's Threat Horizons Report for H2 2025 provides cloud-specific threat intelligence that reinforces identity's dominance as an attack surface. The central finding: weak or absent credentials accounted for 47.1% of all cloud incidents in H1 2025.

When combined with misconfigurations (29.4%), over 76% of cloud security incidents stem from identity and configuration failures, not sophisticated exploits or zero-day vulnerabilities.

The report documents increasing exploitation of user identities in hybrid environments for persistent access and lateral movement between on-premises and cloud systems. Attackers are specifically targeting the identity bridge between traditional infrastructure and cloud: the federated trust relationships, synchronized credentials, and shared service accounts that connect these environments.

For organizations with hybrid infrastructure, which is nearly everyone, this data highlights a specific architectural risk. The identity boundary between on-premises and cloud is often the weakest link. Federated authentication, cross-environment service accounts, and synchronized directory services create attack paths that span both environments.

Google Cloud's recommendations center on least-privilege IAM, MFA, and credential hygiene, all foundational identity architecture controls. The fact that nearly half of cloud incidents are caused by credential weakness suggests that many organizations have not yet implemented these basics in their cloud environments, even if they are mature in on-premises identity management.