Google Says Criminal Hackers Used AI To Find Major Software Flaw

Google says it has found evidence that criminal hackers used artificial intelligence to identify a major software vulnerability, marking a notable shift in how serious flaws can be discovered and exploited.

The company’s warning, reported by multiple outlets including Reuters, The New York Times and Politico, describes what Google characterizes as the first confirmed case in which attackers used AI in the discovery phase of a significant security hole. The development ties the emerging use of AI tools directly to high-impact cyber operations, rather than just to phishing and other common scams.

Google did not publicly detail the specific vulnerability in the initial reports, including which product was affected, who the attackers were, or when the activity occurred. The company’s statement focused on the method: using AI to help find a flaw that could then be exploited.

The reports also describe the hackers as criminal actors, underscoring that the activity was not presented as academic research or legitimate security testing. Google’s assessment framed the activity as part of a broader pattern of attackers adopting new techniques as AI systems become more capable and accessible.

The significance is twofold for defenders. First, it suggests that AI can compress the time and effort needed to uncover complex vulnerabilities. Even modest improvements in discovery speed can tilt the balance in favor of attackers, especially when a flaw is unknown to vendors and defenders.

Second, it raises the stakes for software makers and security teams trying to keep pace. Vulnerability discovery has historically required specialized expertise and time-consuming analysis. If AI systems can assist in that process, organizations may face more frequent and more sophisticated attempts to find weaknesses, particularly in widely used software.

For the broader public, the impact depends on what was targeted and how widely the affected software is deployed. Major vulnerabilities can enable remote compromise, data theft, operational disruption, or covert access—outcomes that can ripple from individual users to businesses and critical services. Even when a single flaw is patched, the techniques used to find it can be reused across other products.

What happens next will likely play out on several tracks. Google and other security organizations are expected to keep monitoring for similar activity and to share indicators and research with partners where appropriate. Software vendors may also adjust internal testing practices, including expanding automated and AI-assisted methods intended to find flaws before criminals do.

Regulators and industry groups may also take renewed interest in standards around vulnerability reporting, patching timelines, and the responsible development and deployment of AI tools used in cybersecurity. The core challenge will be strengthening defenses without limiting legitimate security research.

Google’s disclosure adds a concrete datapoint to an escalating reality: as AI becomes a tool for defenders, it is also becoming a tool for criminals.