For years, the biggest threat to the security of a public system was the easy password. The classic “123456” on the administrator account. Also the shared access between ten people or the session that nobody closed.
But according to Google's Cloud Threat Horizons Report H1 2026, that is changing. The report, which looks at the second half of 2025, shows that the most commonly used attack vector was no longer credential theft, but the exploitation of vulnerabilities in the software installed by users. 44.5% of intrusions started there. Weak passwords, which until the first half of the same year accounted for 47.1% of initial accesses, fell to 27.2%. A complete turnaround in less than twelve months.
Why this matters especially in the public sector
Government agencies are not the most obvious target for a cyberattack. They don't have cryptocurrencies or handle credit cards. But they do have something that is worth a lot: citizen data, access to critical infrastructure and, in many cases, systems developed or adapted internally with little technical oversight.
This is where vibecoding comes in.
The term, popularized in the last two years, describes a way of developing software where the programmer does not write code line by line: he asks an AI (Artificial Intelligence) tool to do it and approves what appears on his screen. The result is functional and often quite good. But with a particularity: who approves it does not always understand what they are approving.
In the private sector, this is already generating debate. In the public sector, where technical teams are smaller, budgets are tighter and the pressure to digitize is higher than ever, the phenomenon is amplified. Municipalities that previously could not afford their own development can now have an application ready in hours. This is a real advance. But it is also software that no one reviewed and with vulnerabilities that no one knows about... until a cybercriminal exploits them.
The time that no longer exists
The most worrying data in Google's report is not the percentage of attacks but their speed.
In the past, when a vulnerability was released, organizations had weeks to apply the patch. That window allowed IT/Systems teams to plan, test and update without rushing. In 2025 that window collapsed. Attackers went from public disclosure to active exploitation in a matter of days. In some cases documented by Google, they deployed cryptocurrency miners in less than 48 hours from the announcement of the flaw.
For any public agency that depends on the goodwill of small teams, no budget, no audit, no technical training or a system developed with IA without a formal review process, that margin of days does not exist in practice and the patch arrives when it arrives, when something has already happened.
The credentials did not disappear: they were added
It would be a mistake to read this report as “passwords no longer matter”. What the data shows is an accumulation of problems, not a replacement.
83% of the compromises in cloud environments analyzed involved at some point credential theft, phishing or abuse of SaaS service tokens. Attackers walk through a door and look for keys inside. Y 73% of the incidents were aimed at data theft.
In a public agency that translates into: municipal registry, employee files, files in process, contracts, medical records, medical records if there is an integrated health system. Information that has no obvious market price, but that can be used for extortion, for espionage or simply to paralyze the operation of a government.
What this means for decision makers
The instinctive response is usually technical: “systems need to be upgraded”, “personnel need to be trained”. This is necessary, but not sufficient.
The underlying problem is one of technological governance (who decides what software is installed in a municipality, who allows the implementation of software developed with AI without adequate supervision, what process exists to apply patches when a vulnerability appears, or who has real visibility over access).
Vibecoding is not the enemy. It is a tool. The problem is adopting it without the controls that any serious development process requires: code review, dependency management, access auditing, incident response protocols.
In the public sector, these controls do not always exist because no one demanded them. And because, until now, attacks came through the weak password door, which is easier to understand and easier to communicate.
The new attack surface is more technical, faster and harder to see. But the consequences for management are the same: systems down, data compromised, citizens affected and officials answering questions no one wants to answer.
What can be controlled
Not all the news is bad. The same Google report documents that improvements in identity controls and secure default settings pushed attackers into more sophisticated vectors. In other words: when one door closes, attackers look for another. That's not a failure; it's evidence that the controls work.
For public agencies that are in the process of digitization, there are concrete decisions that reduce exposure:
- Require software vendors to have a permanent updating process and response times in case of vulnerabilities. It is not enough for the system to work: it must be maintainable.
- Separate systems according to their criticality. When the systems are internal, it is not necessary for everything to be on the same network or with the same level of access. A shift system does not need to have the same perimeter as the records system or the payroll system.
- Implement multifactor authentication for administrative access. This is the most cost-effective control available and is still lacking in most public agencies in the region.
- Have a protocol, however basic, for when something goes wrong. Know who calls whom, what gets disconnected first, and how the incident is communicated to the public.
The digital transformation of the State does not stop because new risks appear. But it does require that decision-makers understand that to digitize without considering security is to build on shaky ground.
Vibecoding is not a problem, but its misuse is the cause of an undesirable effect; however, good technological governance is the key to secure systems, vibecoded or not.
Data source: Google Cloud Threat Horizons Report H1 2026.
