Cloud breaches shift toward identity exploits

A new report from Fortinet’s FortiGuard Labs highlights the rapid evolution of cloud threats, revealing that attackers are increasingly bypassing misconfigured storage to exploit identity and API weaknesses, according to Campus Technology.

The 2025 Global Threat Landscape Report shows cloud breaches now commonly begin with over-permissioned accounts, credential leaks in public code repositories, and unauthorized logins from unfamiliar geographies. According to Fortinet telemetry, 25% of incidents started with reconnaissance activities such as API enumeration or probing exposed assets, while 70% involved suspicious logins from unusual locations. “Cloud services now sit at the center of modern operations, and identity has become one of the most critical security perimeters,” the report noted. Attackers are often using legitimate cloud services to mask their movements, employing multi-stage tactics that include privilege escalation and lateral movement. MITRE ATT&CK analysis confirms that discovery and initial access are the most common tactics. Fortinet warns that unless organizations rethink how they monitor and mitigate cloud risks, attackers will continue gaining ground.
