Google says 2021 was a record year for zero-day hacks

News
By published

58 zero-day exploits were identified in a new record year, says Google

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

Google's in-house security team has warned that zero-day security threats are becoming a bigger risk than ever before.

In its annual round-up of the zero-day threat landscape, the Google Project Zero team noted that 58 distinct threats were identified in 2021, the biggest number seen since it began investigating back in 2014.

This is up from the 25 exploits discovered in 2020, and nearly double the amount seen for most years covered by the investigation.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Zero-day threat

Somewhat dishearteningly, the team noted that methodology used by zero-day attackers doesn't appear to have changed or evolved much from previous years, with the same bug patterns and exploitation techniques still proving popular.

“When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities,” wrote Google. “We’d expect that to be successful, attackers would have to find new bug classes of vulnerabilities in new attack surfaces using never before seen exploitation methods. In general, that wasn't what the data showed us this year.” 

However, Google does also note that the increase in reported zero-days may actually be a good thing, as it means more threats are being reported and publicly disclosed.

"We perform and share this analysis in order to make 0-day hard," Maddie Stone from the Project Zero team wrote in a blog post announcing the findings. "We want it to be more costly, more resource intensive, and overall more difficult for attackers to use 0-day capabilities."

"2021 highlighted just how important it is to stay relentless in our pursuit to make it harder for attackers to exploit users with 0-days. We heard over and over and over about how governments were targeting journalists, minoritized populations, politicians, human rights defenders, and even security researchers around the world."

"The decisions we make in the security and tech communities can have real impacts on society and our fellow humans’ lives."

Read more

> This nasty Windows 10 zero-day vulnerability finally has an unofficial fix

> This dangerous Windows zero-day lets you instantly become an admin

> Google Chrome users urged to update immediately or risk attack

Overall, Google says the industry does appear to be improving when it comes to the "detection and disclosure" of zero-day exploits, but it does warn that these are still "baby steps".

The company is calling for a number of steps to boost progress, including establishing an industry standard behavior for all vendors to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited. 

Google also says that vendors and security researchers alike should do better at sharing exploit samples or techniques, and more effort is also needed on reducing memory corruption vulnerabilities or rendering them unexploitable. 

TOPICS
Mike Moore
Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.

Read more
A digital representation of a lock
Exploits on the rise: How defenders can combat sophisticated threat actors
Android phone malware
Over 25 new malware variants created every single hour as smart device cyberattacks more than double in 2024
Hacker Typing
Racing against time on a menacing caldera: survey finds majority of organizations take days to tackle critical vulnerabilities, each of them a potential open goal for cybercriminals
Flags of Iran, China, Russia and North Korea on a wall. China North Korea Iran Russia alliance
Cybercrime is helping fund rogue nations across the world - and it's only going to get worse, Google warns
Best email services: image of email with one unread message alert
Over 400 million unwanted and malicious emails were received by businesses in 2024
Representational image of a hacker
The 10 worst software disasters of 2024: cyberattacks, malicious AI, and silent threats
Latest in Security
ransomware avast
Billions of credentials were stolen from businesses around the world in 2024
ID theft
Hackers claim Orange attack, threaten to leak 1TB of data
A computer file surrounded by red laser beams
Free online file converters could infect your PC with malware, FBI warns
Close up of a person touching an email icon.
Criminals are using CSS to get around filters and track email usage
DeepSeek on a mobile phone
More US government departments ban controversial AI model DeepSeek
Ransomware
Fortinet firewall bugs are being targeted by LockBit ransomware hackers
Latest in News
Adobe AI agents
Adobe launches 10 new AI agents to automate key marketing workflows
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
Leaked Galaxy S25 Edge pricing gives us a clearer idea of how the super-slim phone will fit into Samsung's lineup
Samsung Galaxy Z Flip 6 in blue
The Samsung Galaxy Z Flip SE may launch months after the Galaxy Z Flip 7
ransomware avast
Billions of credentials were stolen from businesses around the world in 2024
iPhone 12
The iPhone 17 Air could come with a key charging benefit, new leak claims
Nvidia GTC 2025
Nvidia, Google, and Disney's AI-powered Star Wars robot is absolutely the droid I've been looking for
More about security
ransomware avast

Billions of credentials were stolen from businesses around the world in 2024
ID theft

Hackers claim Orange attack, threaten to leak 1TB of data
Adobe Photoshop AI tools in action

What is Adobe Photoshop: Everything we know about the image editor’s AI tools
See more latest
Most Popular
Adobe AI agents
Adobe launches 10 new AI agents to automate key marketing workflows
Xbox Adaptive Joystick
The Xbox Adaptive Joystick has arrived, and you can buy it now exclusively at the Microsoft Store
Nvidia GTC 2025
Nvidia, Google, and Disney's AI-powered Star Wars robot is absolutely the droid I've been looking for
Frank Castle holding Matt Murdock against a locker in Daredevil: Born Again episode 4
Daredevil: Born Again episode 4 ending explained: who is Muse, what does Sic Semper Systema mean, who is Adam, and more big Marvel questions answered
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
Leaked Galaxy S25 Edge pricing gives us a clearer idea of how the super-slim phone will fit into Samsung's lineup
Samsung Galaxy Z Flip 6 in blue
The Samsung Galaxy Z Flip SE may launch months after the Galaxy Z Flip 7
ransomware avast
Billions of credentials were stolen from businesses around the world in 2024
Google Pixel 9 front and back
Leaked Google Pixel 9a promo materials reveal almost everything – and a launch could be just hours away
iPhone 12
The iPhone 17 Air could come with a key charging benefit, new leak claims
Google HEalth AI checkup updates
Google reveals 6 ways it's using AI to improve health care, from crowdsourced advice to personalized cancer treatments