In 2025, a data breach occurred somewhere in the world roughly every 2.4 hours. By year’s end, the Identity Theft Resource Center had logged 3,322 confirmed data compromises in the United States alone, a record and a 79% increase over five years. Globally, the damage runs deeper still: the FBI’s IC3 2025 Annual Report recorded $20.877 billion in US cybercrime losses, a 26% increase from 2024.
This page tracks every major breach of 2025, by company, date, records exposed, and threat actor, updated as new incidents are confirmed. Whether you’re a security professional monitoring the threat landscape, a compliance officer verifying vendor exposure, or a consumer trying to understand whether your data is circulating on the dark web, this is the single source you need.
2025 Data Breach Overview: Scale, Scope, and Key Numbers
How Many Data Breaches Occurred in 2025?
US data breaches hit a record 3,322 incidents in 2025, according to the Identity Theft Resource Center. That figure encompasses confirmed breaches, unauthorized exposures, and accidental leaks, and it almost certainly undercounts the real total, since a significant share of breaches go unreported or are discovered months after they occur.
In H1 2025 alone, 7% of reported data compromises were attributed to system and human errors, a volume that already represented 42% of the full-year 2024 total for that category. The acceleration is structural, not incidental: attack surfaces expanded faster than security teams could contain them, and supply chain vulnerabilities gave threat actors a single point of entry into dozens of downstream targets simultaneously.
Supply chain breaches affected 1,251 entities in 2025, nearly double the 2024 figure of 660, despite only a marginal increase in the number of discrete supply chain attacks. Each attack reached more targets.
Total Records Exposed in 2025 vs. Prior Years
Scale matters as much as count. The single most dramatic data point of 2025 came in June, when Cybernews researchers uncovered what is now considered the largest credential exposure in recorded history: 30 exposed datasets containing more than 16 billion login credentials, including passwords for Google, Apple, Facebook, Telegram, GitHub, and government services. The dataset was a massive aggregation of credentials stolen by infostealer malware and earlier breaches, hosted openly online, effectively turning into a credential buffet for attackers.
Nearly all of this data, except for one dataset, had never been publicly disclosed before, meaning this was not recycled breach material from prior years, but new, working credentials. The implications are stark: billions of active login sessions were exposed to industrial-scale credential stuffing attacks within hours of the databases going live.
Beyond that single event, 2025 produced a sustained wave of enterprise-level incidents: Salesforce, TransUnion, Oracle, Conduent, Coinbase, Qantas, and dozens more, each adding millions of records to the year’s aggregate exposure. Healthcare alone accounted for the highest per-breach cost for the 15th consecutive year.
The Biggest Single Breach of 2025 by Record Count
The largest breach of 2025 was the 16 billion credential mega-leak discovered in June, which exposed billions of stolen usernames and passwords compiled from years of prior incidents and infostealer malware logs. In sheer volume, it surpassed every prior breach in recorded history, including the 2013 Yahoo breach (3 billion accounts) and the 2024 National Public Data exposure (2.9 billion records).
Among enterprise-targeted attacks, where a specific organization was the victim rather than an aggregation event, Conduent Business Services saw 25.9 million or more records compromised, making it the largest named corporate breach of 2025 by victim count. The Salesforce/Salesloft-Drift SaaS compromise claimed potential exposure of up to 1.5 billion CRM-related records across hundreds of global organizations, though independently verified record counts remain disputed.
2025 Cost of a Data Breach: IBM/Ponemon Report Findings
The headline figure from IBM’s 2025 Cost of a Data Breach Report tells a story with two contradictory threads. The global average cost of a data breach fell to $4.44 million, the first decrease in five years, driven primarily by the widespread adoption of AI and automation in security operations, which IBM estimates saves $1.9 million per breach for organizations that deploy these tools extensively.
But that global decline is misleading in isolation. The average cost of a data breach for US organizations reached $10.22 million, an all-time high for any country, and more than twice the global figure. The divergence is driven by higher US regulatory penalties, more aggressive litigation, and stricter notification requirements.
Healthcare remained the most expensive sector to breach by a significant margin. IBM’s 2025 report puts the healthcare average at $7.42 million per breach, the highest of any industry for the 15th consecutive year, reflecting HIPAA notification costs, the high per-record value of medical data, and the complexity of legacy clinical systems.
The mean time to identify and contain a breach dropped to 241 days in 2025, the lowest figure in nine years of IBM research. Breaches detected within 200 days cost an average of $3.87 million; those exceeding that threshold cost $5.01 million, a $1.14 million premium. Speed of detection, more than almost any other single factor, determines whether a breach becomes a manageable incident or a catastrophic one.
One additional finding signals where the next cycle of breaches is taking shape: third-party vendor and supply chain compromise was the second-costliest attack vector at $4.91 million per incident, while 60% of all breaches included the human element through error, privilege misuse, stolen credentials, or social engineering. The technical and human attack surfaces are converging, and 2025’s breach record reflects that.
Is your organization’s data already circulating from one of these breaches? Run a free dark web exposure scan on DeXpose to see what’s been leaked about your domain, with no setup required.
The Complete 2025 Data Breach List (Sortable by Month, Sector, and Scale)
The 2025 data breach list spans every major sector (healthcare, finance, technology, retail, aviation, education, and government), with confirmed incidents running from January through December without pause. What follows is a month-by-month tracker of the year’s most significant breaches, organized so you can scan by timeframe, identify the organizations involved, understand which data was exposed, and assess scale. Every entry below reflects confirmed or officially disclosed incidents.

How to Use This Tracker
Each monthly section leads with the highest-impact incidents of that period, identified by record count, sector sensitivity, or downstream organizational reach. The data type column reflects the categories of personal information confirmed to have been exposed, not those alleged. Where a record count has not been officially confirmed, the best available estimate from forensic disclosures or regulatory filings is noted. For any organization listed here, DeXpose’s free dark web exposure scan can check whether your domain appears in breach data linked to that incident.
January 2025 Data Breaches
January opened with one of the most significant healthcare disclosures in US history. UnitedHealth Group confirmed that the Change Healthcare ransomware attack, carried out by the ALPHV/BlackCat group in 2024, ultimately compromised the records of 190 million individuals, making it the largest healthcare data breach ever recorded in the United States. Exposed data included health insurance information, medical records, and in many cases, financial details. The breach caused $3.09 billion in losses for UnitedHealth and disrupted claims processing across the healthcare system for months.
Alongside that, PowerSchool, an educational technology company serving over 60 million students, disclosed a breach affecting schools across the US and Canada. Threat actors accessed its support platform using compromised credentials and potentially exposed student and staff records, including names, addresses, Social Security numbers, medical information, and grades.
Other notable January incidents included TalkTalk, where a hacker known as “b0nd” claimed to be selling data on approximately 18.8 million current and former customers after accessing a third-party supplier’s subscription management platform. Location data broker Gravy Analytics disclosed unauthorized access to its AWS storage, with sensitive location data, including movements near the White House and military bases, exposed in a sample posted to a Russian-language forum. The Salt Typhoon espionage campaign, attributed to China’s Ministry of State Security, was formally identified this month as having breached nine US telecommunications companies and stolen over 3,000 files from the US Treasury.
Major Security Incidents & Data Breaches (Disclosed January)
| Organization | Sector | Records Affected | Data Type | Date Disclosed |
|---|---|---|---|---|
| UnitedHealth / Change Healthcare | Healthcare | 190 million | PHI, SSNs, financial data | Jan 24 |
| PowerSchool | Education | 60M+ students at risk | Names, SSNs, grades, medical info | Jan 10 |
| TalkTalk | Telecom | ~18.8 million claimed | Names, emails, IP addresses, phone numbers | Jan 27 |
| Gravy Analytics / Unacast | Data Broker | Millions (unconfirmed) | Precise location data | Jan 11–13 |
| Salt Typhoon / US Telecom | Government / Telecom | 9 carriers compromised | Real-time communications, Treasury files | Jan 18 |
February 2025 Data Breaches
In February, a cluster of financial sector incidents occurred. Freddie Mac disclosed a breach exposing consumer names and Social Security numbers, one of the more sensitive disclosures given the organization’s role in the mortgage market. TD Bank confirmed a breach caused by a former employee who accessed and shared customer information including names, contact details, birth dates, account numbers, and transaction records without authorization.
Orange Group disclosed that a hacker identified as “Rey” had remained undetected for over a month inside Orange Romania’s systems before stealing 6.5GB of data, more than 600,000 records, in roughly three hours. The data included customer and employee PII, financial records, and source code, leaked after Orange declined to pay a ransom.
In healthcare, Australian IVF provider Genea disclosed that the Termite ransomware group had stolen 940.7GB of patient data, including names, Medicare numbers, medical histories, diagnoses, treatments, and test results. The disclosure was particularly sensitive given the personal nature of fertility records.
| Organization | Sector | Records Affected | Data Type | Date Disclosed |
|---|---|---|---|---|
| Freddie Mac | Financial | Undisclosed | Names, SSNs | Feb 19 |
| TD Bank | Financial | Undisclosed | Names, account numbers, transaction history | Feb 8 |
| Orange Romania | Telecom | 600,000+ | PII, financial records, source code | Feb 25 |
| Genea | Healthcare | 940.7GB of data | Names, Medicare numbers, medical records | Feb 26 |
| Episource | Healthcare | 5.4 million | PHI, SSNs, insurance info | Jan 27–Feb 6 (disclosed later) |
March 2025 Data Breaches
March’s defining incident was the Oracle Cloud breach, one of the most consequential and most contested disclosures of the year. A threat actor identified as “rose87168” claimed to have exfiltrated approximately six million records from Oracle’s Single Sign-On and LDAP systems, including Java KeyStore files, encrypted passwords, and key files, potentially affecting more than 140,000 Oracle Cloud tenants. Oracle denied the breach, but multiple security researchers and some customers confirmed the authenticity of sample data, and the incident has since been classified as one of the year’s most impactful supply chain events.
New York University disclosed that an attacker had defaced its website and extracted the personal data of over 3 million applicants, including names, test scores, intended majors, family backgrounds, and financial aid details, dating back to 1989. Jaguar Land Rover was reported to have suffered a breach via compromised Jira credentials, likely obtained through infostealer malware, with 700 internal documents including development logs, source code, and employee credentials published externally.
| Organization | Sector | Records Affected | Data Type | Date Disclosed |
|---|---|---|---|---|
| Oracle Cloud | Technology / Cloud | ~6 million (140,000+ tenants) | SSO data, JKS files, encrypted credentials | Mar 25 |
| New York University | Education | 3 million+ applicants | Names, SSNs, test scores, financial aid data | Mar 22 |
| SpyX Stalkerware | Consumer Tech | ~2 million | iCloud credentials, messages, photos, IP addresses | Mar 19 |
| Jaguar Land Rover | Automotive | Internal scope undisclosed | Source code, dev logs, employee credentials | Mar 31 |
April 2025 Data Breaches
April was dominated by healthcare. Yale New Haven Health System disclosed a breach affecting 5.5 million individuals, detected on March 8 and disclosed April 11. Attackers copied patient data including names, dates of birth, addresses, Social Security numbers, race and ethnicity, and medical record numbers. The electronic medical record system and financial accounts were reportedly not accessed.
Blue Shield of California disclosed that a Google Analytics misconfiguration, active from April 2021 to January 2024, had shared protected health information with Google Ads, affecting 4.7 million members. The exposed data included insurance plan details, medical claim information, and patient financial responsibility data. VeriSource Services disclosed a breach affecting four million employees and their dependents at client companies, including names, addresses, dates of birth, and Social Security numbers.
Hertz Corporation disclosed that the Clop ransomware gang had exploited zero-day vulnerabilities in Cleo’s file transfer platform, compromising data for over one million individuals across Hertz, Dollar, and Thrifty brands, including names, contact information, credit card details, driver’s licenses, and, in a small subset, passport and Social Security numbers.
| Organization | Sector | Records Affected | Data Type | Date Disclosed |
|---|---|---|---|---|
| Yale New Haven Health | Healthcare | 5.5 million | Names, SSNs, medical record numbers, DOB | Apr 11 |
| Blue Shield of California | Healthcare / Insurance | 4.7 million | PHI, insurance plan details, claims data | Apr 9 |
| VeriSource Services | HR Outsourcing | 4 million | Names, SSNs, DOB, addresses | Apr 28 |
| Hertz Corporation | Automotive / Rental | 1 million+ | Names, credit card data, driver’s licenses, passports | Apr 14 |
| WK Kellogg Co | Consumer Goods | Undisclosed | Employee names, SSNs | Apr 4 |
May 2025 Data Breaches
May produced three high-profile corporate incidents that collectively illustrated the year’s dominant attack pattern: insider access, third-party compromise, and social engineering.
Coinbase confirmed a breach affecting nearly 70,000 users after cybercriminals bribed overseas customer support agents to extract sensitive account data. Attackers then attempted to extort Coinbase for $20 million. Coinbase refused, announced a $20 million reward for information leading to arrests, terminated the involved insiders, and shut down the relevant overseas support contracts. Exposed data included names, contact details, government-issued IDs, partial Social Security numbers, and limited banking metadata.
Marks & Spencer confirmed a major cyberattack linked to Scattered Spider that caused over 72 hours of online system outages over the Easter weekend and exposed customer personal data including names, email addresses, postal addresses, and dates of birth. Analysts estimated operational losses approaching £300 million.
AT&T faced scrutiny over a claimed dataset of 31 million customer records posted to a dark web forum, including names, dates of birth, tax IDs, contact details, and residential addresses. AT&T did not confirm the breach, but security researchers treated the sample data seriously. Ascension disclosed breaches affecting 437,000 patients linked to failures at third-party vendor systems.
| Organization | Sector | Records Affected | Data Type | Date Disclosed |
|---|---|---|---|---|
| Coinbase | Crypto / Financial | ~70,000 users | Names, IDs, partial SSNs, home addresses | May 13 |
| Marks & Spencer | Retail | Hundreds of thousands (est.) | Names, email, postal addresses, DOB | May 23 |
| AT&T | Telecom | 31 million claimed (unconfirmed) | Names, DOB, tax IDs, contact details | May 26 |
| Ascension | Healthcare | 437,385 patients | PHI, SSNs, insurance data | May 15 |
| Adidas | Retail | Hundreds of thousands (est.) | Names, emails, phone numbers | May 23 |
June 2025 Data Breaches
June produced the single largest data exposure in recorded history. Cybernews researchers uncovered 30 exposed datasets containing more than 16 billion login credentials, usernames, passwords, session tokens, and cookies, compiled from infostealer malware campaigns and prior breaches, and linked to services including Google, Apple, Facebook, GitHub, Microsoft, and government portals. Nearly all of the data had not been previously disclosed, indicating fresh, active credentials rather than recycled breach material. The scale exceeded the global population, meaning most individuals were exposed more than once.
Aflac disclosed a breach in which Scattered Spider used stolen credentials to access internal systems and extract policyholder data including Social Security numbers, health details, and insurance claims information. Hawaiian Airlines reported a system disruption, likely caused by ransomware, affecting backend operations, though no customer data was confirmed to have been exposed. Glasgow City Council was hit by a ransomware attack that disabled public-facing services and raised concerns about the exposure of citizen data.
| Organization | Sector | Records Affected | Data Type | Date Disclosed |
|---|---|---|---|---|
| 16 Billion Credential Dump | Cross-sector | 16 billion credentials | Usernames, passwords, session tokens | Jun 18–20 |
| Aflac | Insurance | 22.65 million | SSNs, PHI, insurance claims, ID numbers | Jun 12 |
| Glasgow City Council | Government | Undisclosed | Citizen records (under investigation) | Jun 19 |
| Zoomcar | Transportation / Tech | 8.4 million | Names, emails, phone numbers, addresses, vehicle registration numbers | Jun 13 |
| Hawaiian Airlines | Aviation | None confirmed | Internal systems disrupted | Jun 26 |
July 2025 Data Breaches
July’s most striking breach involved McDonald’s, where a recruitment chatbot was compromised because it was secured with the default password “123456.” The lapse exposed the personal data of nearly 64 million job applicants, including names, email addresses, phone numbers, resumes, and work histories, making it one of the year’s largest consumer breaches and entirely attributable to a basic access control failure.
Anne Arundel Dermatology suffered a ransomware attack that affected approximately 1.9 million patients, exposing names, birthdates, medical diagnoses, and insurance details. Allianz Life Insurance disclosed a breach caused by social engineering targeting a third-party CRM provider, exposing customer names, contact details, and insurance policy numbers. Microsoft SharePoint environments were targeted through a zero-day vulnerability known as ToolShell, with attackers deploying web shells to access internal documents, credentials, and procurement blueprints across affected organizations.
| Organization | Sector | Records Affected | Data Type | Date Disclosed |
|---|---|---|---|---|
| McDonald’s | Retail / Consumer | ~64 million applicants | Names, emails, resumes, phone numbers | Jul 11 |
| Anne Arundel Dermatology | Healthcare | ~1.9 million | Names, medical diagnoses, insurance data | Jul 17 |
| Allianz Life Insurance | Insurance | Undisclosed | Names, emails, policy numbers | Jul 27 |
| SharePoint (ToolShell) | Technology | Multiple orgs affected | Internal docs, credentials, procurement data | Jul 28 |
| France Travail | Government | ~340,000 | Names, national IDs, contact details | Jul 11 |
August 2025 Data Breaches
August was the month the Salesforce / ShinyHunters campaign became undeniable. Google confirmed that ShinyHunters compromised its Salesforce-hosted customer database in a campaign that began as early as June and remained undetected for weeks. The same campaign reached Workday, which confirmed its business contacts were extracted through weaknesses in connected Salesforce integrations. Air France and KLM reported a customer data exposure incident involving a third-party contact center platform.
TransUnion disclosed the month’s most consequential identity data breach: 4.4 million individuals had their names, PII, and Social Security numbers exposed after attackers accessed systems through a compromised third-party application. The intrusion began in July, went undetected until August, and drew regulatory attention given TransUnion’s role as a consumer credit bureau.
Manpower confirmed a RansomHub ransomware attack that exfiltrated approximately 500GB of data, affecting 144,189 individuals. Connex Credit Union disclosed a breach affecting approximately 172,000 customers. Orange SA confirmed a second breach, separate from the February incident, linked to the Warlock ransomware group, which leaked approximately 4GB of enterprise customer data.
| Organization | Sector | Records Affected | Data Type | Date Disclosed |
|---|---|---|---|---|
| TransUnion | Financial / Credit | 4.4 million | Names, PII, SSNs | Aug 28 |
| Salesforce / Google exposure | Technology / SaaS | Millions of contacts (est.) | Business contact data, emails | Aug 23 |
| Workday | HR Technology | Undisclosed | Business contact metadata | Aug 18 |
| Manpower | Staffing | 144,189 | Employee and candidate records | Aug 12 |
| Air France & KLM | Aviation | Hundreds of thousands (est.) | Names, emails, loyalty numbers | Aug 7 |
| Connex Credit Union | Financial | ~172,000 | Customer account information | Aug 11 |
September 2025 Data Breaches
September brought three major third-party cascades. Collins Aerospace’s passenger processing platform, used by airlines and airports across Europe, was hit by a ransomware attack on September 19 that disrupted operations at Heathrow, Brussels Airport, and Berlin Brandenburg Airport simultaneously, stranding tens of thousands of passengers and forcing manual boarding procedures. The system, used by dozens of carriers, created a single point of failure with cross-border impact.
Volvo Group disclosed that its HR software provider, Miljödata, had been hit by ransomware from the DataCarry group, exposing employee names and Social Security numbers for some US-based staff, with roughly 870,000 records affected across Miljödata’s full client base. Kering, owner of Gucci, Balenciaga, and Alexander McQueen, confirmed a ransomware attack that stole sensitive internal files via third-party systems, potentially exposing design and operational documents.
Harrods disclosed that attackers accessed systems tied to its loyalty programs, exposing customer names, contact details, loyalty IDs, partial payment data, and purchase history for tens of thousands of customers. Wealthsimple confirmed a breach via a compromised vendor account, exposing customer names, email addresses, and limited account metadata.
| Organization | Sector | Records Affected | Data Type | Date Disclosed |
|---|---|---|---|---|
| Collins Aerospace / European Airports | Aviation / Infrastructure | Operational disruption; data under investigation | Aviation operations, possible PII | Sep 19 |
| Volvo / Miljödata | Automotive / HR | ~870,000 | Employee names, SSNs | Sep 25 |
| Kering (Gucci, Balenciaga, AMQ) | Luxury / Retail | Undisclosed | Internal files, design documents, employee data | Sep 15 |
| Harrods | Retail | Tens of thousands | Names, contact info, loyalty data, purchase history | Sep 27 |
| Wealthsimple | Fintech | Subset of 3M+ users | Names, emails, account metadata | Sep 9 |
October 2025 Data Breaches
October concentrated some of the year’s most technically significant incidents. F5 disclosed on October 15 that a nation-state actor had maintained long-term access to its internal systems, stealing portions of BIG-IP source code, details of undisclosed vulnerabilities, and customer configuration data. CISA issued an Emergency Directive in response, one of only a handful issued that year, given the downstream risk of exploit development against organizations running F5 infrastructure.
Qantas Airways disclosed a breach affecting 5.7 million customer records, accessed through a third-party contact center platform. Exposed data included names, email addresses, and Frequent Flyer numbers, with no payment or passport data involved. SimonMed Imaging confirmed that 1.27 million patient records had been exfiltrated between January and February 2025, with the Medusa ransomware group responsible. Oracle disclosed a second incident: an active extortion campaign targeting Oracle E-Business Suite customers via CVE-2025-61882, a zero-day that enables unauthenticated remote code execution in ERP systems.
A dataset known as “Synthient Stealer Log Threat Data” was added to Have I Been Pwned this month, containing credentials for roughly 183 million unique email accounts harvested through infostealer malware, with approximately 16.4 million email addresses not appearing in any prior public dataset.
| Organization | Sector | Records Affected | Data Type | Date Disclosed |
|---|---|---|---|---|
| Qantas Airways | Aviation | 5.7 million | Names, emails, Frequent Flyer numbers | Oct 15 |
| F5 Networks | Technology / Security | Internal (nation-state) | Source code, vulnerability data, config data | Oct 15 |
| SimonMed Imaging | Healthcare | 1.27 million | PHI, names, insurance data | Oct 10 |
| Oracle EBS (CVE-2025-61882) | Technology / ERP | Dozens of orgs (ongoing) | ERP data: finance, HR, supply chain | Oct 6 |
| Synthient Stealer Log Dump | Cross-sector | 183 million email accounts | Credentials harvested via infostealer | Oct 21 |
| Collins Aerospace / Dublin Airport | Aviation | Employee data (scope under investigation) | Internal HR and operational data | Oct 26 |
November 2025 Data Breaches
November’s most structurally significant disclosure came from OpenAI, which confirmed that its analytics provider Mixpanel had been compromised, exposing user IDs, project identifiers, customer email addresses, and API usage metadata. OpenAI turned off the Mixpanel integration and audited all external analytics pipelines, a signal to the broader SaaS ecosystem about the exposure risk carried by third-party analytics tools sitting adjacent to production environments.
DoorDash confirmed a breach involving a compromised third-party service provider that exposed customer names, email addresses, phone numbers, and partial card details, as well as certain driver account information. Hyundai AutoEver America disclosed unauthorized access to employee HR systems affecting several thousand current and former staff. Under Armour disclosed a ransomware incident in which attackers accessed internal corporate systems, claiming to have accessed data linked to millions of records, though Under Armour had not confirmed the scale at the time of initial disclosure.
A third-party vendor used by JPMorgan Chase, Citigroup, and other major Wall Street institutions disclosed a breach that exposed customer names, contact details, and account-related identifiers across multiple financial firms simultaneously.
| Organization | Sector | Records Affected | Data Type | Date Disclosed |
|---|---|---|---|---|
| OpenAI / Mixpanel | Technology / AI | Undisclosed (API users) | User IDs, emails, usage metadata | Nov 27 |
| DoorDash | Consumer Tech / Delivery | Undisclosed | Names, emails, phone numbers, partial card data | Nov 13 |
| Under Armour | Retail | Millions claimed (unconfirmed) | Internal documents, employee records | Nov 17 |
| Hyundai AutoEver America | Automotive | Several thousand employees | Employee names, HR records | Nov 25 |
| Wall Street Banks Vendor | Financial | Tens of thousands (est.) | Customer names, account identifiers | Nov 24 |
| Askul | Retail | Thousands (est.) | Customer names, contact info, order data | Nov 3 |
December 2025 Data Breaches
December closed the year with a sweep of disclosures across consumer, education, and telecom sectors.
University of Phoenix disclosed that a third-party service provider had experienced unauthorized access, compromising the data of approximately 3.5 million individuals, including current and former students, applicants, and staff, and exposing names, dates of birth, Social Security numbers, and internal identification records. The scale placed it among the largest education sector breaches of the year.
Petco disclosed a breach caused by a software misconfiguration that made files publicly accessible without restriction. Exposed data included customer names, Social Security numbers, driver’s license numbers, financial account details, and dates of birth. 700Credit disclosed that 5.8 million records were compromised in a breach affecting automotive finance data. Allianz Life disclosed its final breach count from a July–September incident: 1.4 million customers had their data exposed. SoundCloud confirmed unauthorized access to member data. Freedom Mobile confirmed a third-party breach exposing customer names, phone numbers, and email addresses. Inotiv, a pharmaceutical research services provider, confirmed a ransomware incident affecting 9,542 individuals.
| Organization | Sector | Records Affected | Data Type | Date Disclosed |
|---|---|---|---|---|
| University of Phoenix | Education | 3.5 million | Names, SSNs, DOB, student/employee IDs | Dec 22 |
| 700Credit | Automotive / Financial | 5.8 million | Automotive finance and consumer data | Dec 12 |
| Allianz Life Insurance | Insurance | 1.4 million | Names, contact details, policy information | Dec (final disclosure) |
| Petco | Retail | 500+ confirmed (likely more) | Names, SSNs, financial account details, DL numbers | Dec 5 |
| SoundCloud | Consumer Tech | Undisclosed | Member account data | Dec 15 |
| Freedom Mobile | Telecom | Subset of customers | Names, phone numbers, emails, billing addresses | Dec 3 |
| Inotiv | Pharmaceutical Research | 9,542 | Names, addresses, SSNs, DOB | Dec 5 |
If your organization's name appears anywhere in this tracker, or if you rely on any of the vendors listed, run a free dark web exposure scan to check whether your domain's credentials have been compromised. You can also check specific email addresses for potential breaches using DeXpose's email data breach scan.
Biggest Data Breaches of 2025: The Top 10 by Records Exposed
The biggest data breaches of 2025 ranged from a 16-billion-credential mega-dump that dwarfed every prior incident in recorded history to precision insider attacks against individual crypto platforms. Ranked by confirmed or credibly estimated record counts, the ten incidents below define the year’s breach landscape and, collectively, exposed the personal data of hundreds of millions of people worldwide.

#1, The 16 Billion Credential Dump, Cross-Sector Aggregation, Infostealer Infrastructure
No breach in 2025, or in any prior year, came close to the scale of the credential dataset uncovered by Cybernews researchers in June. Thirty exposed databases containing more than 16 billion login records were found sitting openly accessible online, compiled from years of infostealer malware campaigns and prior breach aggregations. The records included usernames, plaintext and hashed passwords, session tokens, and browser cookies tied to accounts at Google, Apple, Facebook, GitHub, Microsoft, Telegram, and dozens of government portals across multiple countries.
What distinguished this event from a routine credential aggregation leak was the data’s freshness. Researchers confirmed that nearly all records, except for one dataset, had never been publicly disclosed before. These were not recycled entries from the 2013 Yahoo breach or 2019 Collections dump. They were active, working credentials exfiltrated from live systems through infostealer malware families including LummaC2, Vidar, and Raccoon, harvested from infected endpoints over the preceding 12 to 18 months and warehoused for bulk sale or deployment in credential stuffing attacks.
The 16 billion figure exceeds the global population, meaning the average exposed individual appeared in the dataset more than twice. Security researchers noted that the consolidated, openly hosted format of the databases, rather than fragmented dark web forum posts, indicated that the data was being staged for industrial-scale automation: credential-stuffing bots capable of testing millions of logins per hour against major platforms.
Attack vector: Infostealer malware aggregation (LummaC2, Vidar, Raccoon and variants). Threat actor: Multiple, unattributed; dataset compiled from numerous independent campaigns. Data exposed: Usernames, passwords (plaintext and hashed), session tokens, browser cookies. Disclosed: June 2025
#2, Conduent Business Services, 25.9 Million+
Conduent processes government benefits, healthcare claims, and back-office payments for public sector clients across the United States. When the SafePay ransomware group maintained unauthorized access to its network from October 2024 through January 13, 2025, the downstream impact affected some of the most financially vulnerable Americans in the country, including Medicaid recipients, unemployment claimants, and food assistance beneficiaries in states such as Texas, Oregon, Wisconsin, and Oklahoma.
SafePay claimed to have stolen more than eight terabytes of data and threatened to release it publicly if ransom demands went unmet. The stolen data included names, Social Security numbers, addresses, medical histories, and health insurance details. The breach’s confirmed scope expanded dramatically as state-level regulatory filings came in: Texas alone reported 15.4 million affected individuals, up from an initial estimate of four million, with Oregon and other states adding to the total. By early 2026, the breach had affected over 25 million Americans, making it one of the largest cybersecurity incidents in recent US history.
The attack’s nearly three-month access window meant that by the time Conduent detected and contained the intrusion, the full extraction was complete. Conduent’s own SEC filing confirmed that “the data sets contained a significant number of individuals’ personal information associated with our clients’ end-users.” It noted that to the company’s knowledge, the exfiltrated data had not been released on the dark web or publicly disclosed. That status may have changed since.
Attack vector: Ransomware (SafePay); network access maintained for ~3 months. Threat actor: SafePay ransomware group. Data exposed: SSNs, names, addresses, medical histories, health insurance details. Disclosed: April 2025 (SEC 8-K); state notifications continued through late 2025
#3, Salesforce / SaaS Cascade, Up to 1.5 Billion CRM Records Claimed
The Salesforce breach of 2025 was less a single incident than a months-long campaign by ShinyHunters that used compromised OAuth tokens and third-party integration weaknesses to move laterally across Salesforce-connected enterprise environments. The campaign began as early as June, remained undetected across multiple affected organizations through August, and became public knowledge in September when ShinyHunters began contacting victims directly with extortion demands.
The claimed scope, 1.5 billion CRM records spanning hundreds of global enterprises, has not been independently verified at that figure, and Salesforce has disputed the top-line number. What is confirmed is that named downstream victims include Qantas (5.7 million customers), Stellantis, Farmers Insurance, and several financial institutions whose data appeared in ShinyHunters’ extortion materials. The October 2025 ransom demand against Salesforce itself, combined with a separate extortion attempt targeting individual enterprise clients, was consistent with ShinyHunters’ established playbook from the 2024 Snowflake campaign.
The Salesforce breach matters structurally because it demonstrated how a single SaaS platform compromise can simultaneously affect hundreds of enterprise customers, each of whom stores millions of their customers’ records on that platform. The attack vector was not a zero-day in Salesforce’s core platform but rather the sprawling ecosystem of third-party integrations, OAuth connections, and shared support infrastructure that surrounds it.
Attack vector: OAuth token compromise; third-party integration weaknesses; supply chain lateral movement. Threat actor: ShinyHunters. Data exposed: CRM records, contact data, account details, business intelligence, in some cases financial data. Disclosed: September–October 2025
#4, TransUnion, 4.4 Million Confirmed
TransUnion’s August 2025 breach was notable not just for its scale but also for what it exposed: the credit bureau held some of the most sensitive consumer identity data of any organization in that year’s breach landscape. The 4.4 million confirmed affected individuals had their names, addresses, Social Security numbers, dates of birth, and credit-related identifiers accessed after attackers exploited a compromised third-party application to gain entry to TransUnion systems.
The intrusion began in July and went undetected until August, a dwell time that gave the attacker full access to complete consumer credit profiles across the discovery window. ShinyHunters claimed responsibility, consistent with the group’s broader 2025 campaign targeting consumer data aggregators and financial platforms. TransUnion began sending breach notification letters in late August and September, triggering a wave of consumer action queries and class action filings.
The particular sensitivity of TransUnion’s data made this breach more dangerous per record than most. Credit bureau files contain the exact combination of identifiers (SSN, DOB, full legal name, current and prior addresses) that enables synthetic identity fraud at scale, meaning the downstream exposure risk extends years beyond the breach date.
Attack vector: Third-party application compromise; credential exploitation. Threat actor: ShinyHunters (claimed). Data exposed: Names, SSNs, DOB, addresses, credit identifiers. Disclosed: August 28, 2025
#5, Oracle Cloud, ~6 Million Records, 140,000+ Tenants
The Oracle Cloud breach disclosed in March 2025 involved unauthorized access to Oracle’s Single Sign-On and LDAP authentication infrastructure, the systems that govern identity and access across Oracle’s entire cloud customer base. A threat actor identified as “rose87168” claimed to have exfiltrated approximately six million records, including Java KeyStore files, encrypted SSO passwords, and LDAP configuration data tied to more than 140,000 Oracle Cloud tenants.
Oracle publicly and consistently denied the breach. Multiple independent security researchers and a subset of affected customers confirmed the authenticity of sample data posted by the attacker. This discrepancy created significant uncertainty for the thousands of enterprises running Oracle Cloud infrastructure. The attacker offered to sell the stolen data and, separately, solicited help from affected companies to decrypt the password hashes in exchange for removal from the dataset.
The October 2025 follow-on incident, exploitation of CVE-2025-61882, a zero-day in Oracle E-Business Suite allowing unauthenticated remote code execution in ERP systems, suggested that initial access or intelligence from the March breach may have informed subsequent targeting of Oracle’s on-premise and hybrid customer base.
Attack vector: SSO and LDAP infrastructure compromise; zero-day exploitation. Threat actor: “rose87168” (identity unattributed). Data exposed: SSO credentials, JKS files, encrypted LDAP passwords, tenant configuration data. Disclosed: March 25, 2025
#6, Coinbase, ~97,000 Confirmed; Potential Exposure for 69,461 via Maine AG
The Coinbase breach of May 2025 was the year’s defining insider threat case. Cybercriminals bribed multiple overseas customer support contractors to extract account data from Coinbase’s internal systems over a period of months before making a $20 million extortion demand. Coinbase refused, fired the contractors, shut down the relevant overseas support operation, and announced a $20 million reward for information leading to arrests. This public stance set a notable precedent for how a major financial platform could respond to extortion without capitulating.
The Maine Attorney General filing confirmed 69,461 directly affected individuals, though researchers noted that the compromised access window and the number of contractors involved suggested broader potential exposure. Data accessed included full names, home addresses, phone numbers, email addresses, images of government-issued IDs, partial Social Security numbers, masked bank account numbers, and account balance metadata. For a crypto platform whose users are high-value targets for SIM swapping and account takeover attacks, the ID and address exposure was especially consequential.
Attack vector: Insider threat; bribed overseas customer support contractors. Threat actor: External criminal organization (identities under investigation). Data exposed: Names, addresses, government IDs, partial SSNs, masked financial data. Disclosed: May 13, 2025
#7, Qantas Airways, 5.7 Million Customers
Qantas disclosed in October 2025 that 5.7 million customer records had been accessed through a compromised third-party contact center platform, the same Salesforce-connected support infrastructure implicated in the broader ShinyHunters campaign. Exposed data included full names, email addresses, dates of birth, phone numbers, and Frequent Flyer membership numbers. Critically, Qantas confirmed that no passport data, payment card information, or passwords were included in the exposed dataset.
The breach was significant both for its scale and for the precision of the data type; Frequent Flyer numbers combined with full PII create a viable attack package for loyalty fraud, account takeover, and targeted phishing against high-value travellers. Qantas notified affected customers directly and recommended they monitor for suspicious contact.
Attack vector: Third-party contact center platform compromise (Salesforce ecosystem). Threat actor: ShinyHunters (attributed via Salesforce campaign). Data exposed: Names, emails, DOB, phone numbers, Frequent Flyer numbers. Disclosed: October 15, 2025
#8, WestJet, 1.2 Million Customers, Passport Data Included
WestJet’s October 2025 breach was smaller than Qantas by record count but more damaging by data type. Approximately 1.2 million customer records were compromised through a third-party reservation and check-in system, with exposed data including names, email addresses, dates of birth, phone numbers, loyalty program details, and, in a subset of cases, passport numbers and expiry dates. Passport exposure substantially increases downstream identity fraud risk, as passport data enables border fraud, synthetic identity creation, and document forgery that email or loyalty data alone cannot.
WestJet confirmed that the breach originated with a third-party vendor and that its core reservation infrastructure was not directly compromised. Affected customers were notified individually.
Attack vector: Third-party reservation system compromise. Threat actor: Unattributed. Data exposed: Names, emails, DOB, loyalty data, passport numbers (subset). Disclosed: October 2025
#9, 700Credit, 5.8 Million Automotive Finance Records
700Credit provides credit decisioning and compliance tools to automotive dealerships across the United States, which means its dataset is a concentrated pool of consumers who had recently applied for vehicle financing, containing the full credit application data those individuals submitted. The December 2025 breach exposed 5.8 million records, including names, Social Security numbers, dates of birth, addresses, income information, and employment details.
The automotive finance context is significant: this data is among the most complete financial identity packages available in a single record, combining the SSN and DOB of a traditional credit bureau file with income and employment context that enables both credit fraud and account takeover at banks and lenders.
Attack vector: Undisclosed (under investigation at time of reporting). Threat actor: Unattributed. Data exposed: Names, SSNs, DOB, addresses, income and employment data. Disclosed: December 2025
#10, Allianz Life Insurance, 1.4 Million Policyholders
Allianz Life’s breach, which began through a social engineering attack on a third-party CRM provider in July and was fully scoped by December’s final disclosure, affected 1.4 million customers. The exposed data included policyholder names, contact details, dates of birth, and insurance policy numbers, sufficient for insurance fraud, policy surrender fraud, and targeted phishing against a customer base that skews older and higher-net-worth.
The Allianz Life breach was emblematic of a pattern repeated throughout 2025: the insurer’s own systems were not directly compromised. The attack reached customer data through a third-party vendor with CRM access, a route that bypassed Allianz Life’s own security controls entirely.
Attack vector: Social engineering targeting third-party CRM provider. Threat actor: Unattributed. Data exposed: Names, contact details, DOB, insurance policy numbers. Disclosed: July 2025 (initial); December 2025 (final scope confirmed)
Honorable Mentions | Breaches with Outsized Impact Despite Lower Record Counts
Record count is not the only measure of a breach’s significance. Several 2025 incidents affected far fewer individuals than the top ten. Still, they caused disproportionate damage due to the sensitivity of the data, the criticality of the affected systems, or the downstream organizational impact.
F5 Networks (October 2025) sits at the top of this list by potential downstream consequence. A nation-state actor’s confirmed theft of BIG-IP source code and undisclosed vulnerability data from F5 did not expose consumer PII at scale. Still, it handed an advanced threat actor a blueprint for exploiting one of the most widely deployed network infrastructure products in the world. CISA’s Emergency Directive response reflected the severity: the downstream blast radius of weaponized F5 vulnerabilities could extend to thousands of enterprises simultaneously.
Change Healthcare / UnitedHealth (January 2025) technically belongs in the top ten by record count, at 190 million. Still, since the underlying breach occurred in 2024 and the 2025 disclosure was a final scope confirmation rather than a new incident, it was excluded from the ranked list. By any measure, it remains the largest healthcare breach in US history and deserves prominent recognition here.
PowerSchool (January 2025) exposed data on tens of millions of students and staff across North America through a single credential compromise, and the unique sensitivity of children’s educational records, which cannot be easily changed or reissued, creates long-tail identity fraud risk that extends across decades.
Red Hat GitLab / Crimson Collective (October 2025) compromised source code repositories, internal developer credentials, and unreleased vulnerability research, a breach where the value lies not in PII volume but in intellectual property and potential exploit development.
Coinbase-style insider threat patterns appeared across multiple organizations in 2025 at a frequency that led the ITRC to flag insider-enabled breaches as an emerging structural category for the year: incidents where record counts were modest but the combination of high-value targets, physical ID data, and financial account access created outsized individual harm.
The common thread across all honorable mentions: data type and system criticality routinely matter more than raw record count when assessing the real-world damage a breach produces.
If your organization uses any of the vendors, platforms, or infrastructure providers listed in this section, your exposure risk extends beyond direct breaches to supply chain incidents that affected your customers. Run a free dark web exposure scan to check what data linked to your domain is already in circulation.
Salesforce Data Breach 2025 | A Full Timeline
The 2025 Salesforce data breach was not a single incident but a coordinated, months-long campaign by ShinyHunters that exploited the trust relationships between Salesforce and its enterprise customers, ultimately reaching over 700 organizations worldwide and producing one of the most consequential SaaS supply chain attacks in recorded history. Salesforce’s own platform was never compromised, but that distinction offered little protection to the hundreds of companies whose customer data was extracted through it.

The August and September 2025 Salesforce Breach, What Happened
The campaign’s origins date back to June 2025, when a threat group tracked by Google’s Threat Intelligence Group under the UNC6040 label executed the first confirmed attack against a Salesforce customer environment. The target was Google itself. Attackers called Google employees posing as IT support, a voice phishing technique known as vishing, and walked them through installing a maliciously modified version of Salesforce’s own Data Loader tool. Once the employee authenticated through Salesforce’s legitimate verification page, an OAuth access token was silently issued to the attacker’s instance of Data Loader. From that point onward, all subsequent data extraction ran under the victim’s own credentials, thereby remaining invisible to standard authentication monitoring. The stolen dataset contained approximately 2.55 million records from Google’s Salesforce CRM instance, primarily business names, phone numbers, and internal sales agent notes for SME customers. Google confirmed the breach on August 5, 2025.
The attack’s technical architecture was precise. The attacker configured OAuth Device Flow via a local Salesforce Data Loader, generating an 8-character code. The Data Loader then listened for successful authentication tied to that code. When a victim was vished into visiting Salesforce’s verification page and entering the code, an access token was issued to the attacker’s instance, allowing all subsequent exfiltration to run silently on behalf of the victim, in small chunks, with no public-facing anomaly.
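The extraction pattern described above, many small reads running under the victim’s own token, slips past per-call volume thresholds but not past aggregate ones, and a token granted to an attacker’s Data Loader instance is exercised from the attacker’s network rather than the user’s usual addresses. The following is an added example and not code from the page, from Salesforce, or from any vendor; the pipe-separated log format, the field names, the per-user baseline IP sets and the thresholds are all assumed, and the sample rows are constructed.

```python
"""Catch bulk CRM extraction that runs as many small API reads under a user's
own OAuth token, the pattern the modified Data Loader campaign relied on.

Added example: not code from the page, Salesforce, or any vendor. The log rows
are a constructed, pipe-separated stand-in for Salesforce Event Log File API
rows; real exports use different field names and must be mapped into ApiEvent.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime
    user: str
    app: str    # connected app that presented the OAuth token
    rows: int   # records returned by this single call
    ip: str     # client address the token was used from


def parse_line(line: str) -> ApiEvent:
    """Parse one constructed row: ISO time|user|connected app|rows|client IP."""
    ts, user, app, rows, ip = (f.strip() for f in line.split("|"))
    return ApiEvent(datetime.fromisoformat(ts), user, app, int(rows), ip)


def chunked_extraction(events, window=timedelta(minutes=60), max_rows=5000):
    """Flag (user, app, ip) tuples whose summed rows inside any sliding window
    exceed max_rows, even when every individual call stays small.
    Returns {key: peak rows observed in a single window}."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.user, e.app, e.ip)].append(e)
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        total, start = 0, 0
        for e in evs:
            total += e.rows
            # drop calls from the left until the window fits in `window`
            while e.ts - evs[start].ts > window:
                total -= evs[start].rows
                start += 1
            if total > max_rows:
                hits[key] = max(total, hits.get(key, 0))
    return hits


def unseen_token_origin(events, baseline):
    """Flag token use from an IP outside the user's baseline set (assumed to
    be maintained from prior login history)."""
    return sorted({(e.user, e.ip) for e in events
                   if e.ip not in baseline.get(e.user, set())})


# Constructed sample: alice runs a small legitimate sync from her usual address;
# bob's token is used from an unfamiliar address in 40 calls of 200 rows each
# within 30 minutes, so no single call looks like a bulk export.
BASELINE_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.11"}}  # assumed
SAMPLE_LOG = [
    "2025-06-10T09:00:00|alice|Salesforce Data Loader|500|203.0.113.10",
    "2025-06-10T09:20:00|alice|Salesforce Data Loader|500|203.0.113.10",
    "2025-06-10T09:40:00|alice|Salesforce Data Loader|500|203.0.113.10",
] + [
    f"2025-06-10T14:{i * 45 // 60:02d}:{i * 45 % 60:02d}"
    "|bob|Salesforce Data Loader|200|198.51.100.77"
    for i in range(40)
]


def triage(lines=SAMPLE_LOG, baseline=BASELINE_IPS):
    """Run both detections over a batch of log rows."""
    events = [parse_line(ln) for ln in lines]
    return {
        "chunked": chunked_extraction(events),
        "origin": unseen_token_origin(events, baseline),
    }


if __name__ == "__main__":
    for name, alerts in triage().items():
        print(name, alerts)
```

Per-call alerting never fires on bob's 200-row reads; the aggregate window and the origin check both do.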
Starting in September, ShinyHunters escalated from targeted vishing to automated exploitation of a structural misconfiguration in Salesforce Experience Cloud. They deployed a modified version of AuraInspector, a tool created by Mandiant, that not only identified vulnerable sites but also automatically extracted data from them. The technical centerpiece was a bypass of Salesforce’s GraphQL API query limit: Salesforce caps guest user queries at 2,000 records per request, but ShinyHunters discovered that using the sortBy parameter circumvented this restriction entirely. After Salesforce patched that method, the group claimed a second bypass and continued operations. This second phase ran largely autonomously, requiring no human interaction from victim employees, and dramatically extended the campaign’s reach.
A parallel attack track ran simultaneously through Salesloft. Attackers compromised Salesloft’s GitHub repositories between March and June 2025, laying groundwork for OAuth token theft. In August, they leveraged Drift integration tokens to infiltrate hundreds of Salesforce customer environments, with evidence of data exfiltration beginning August 12. Salesforce revoked the affected Drift tokens on August 20 and removed the Drift app from its AppExchange. Drift went offline for system hardening on September 3.
Salesforce issued an advisory on August 7, two days after the Google disclosure, stressing that the platform itself had not been compromised and attributing incidents to social engineering targeting individual customer environments. On August 18, Salesforce announced it would restrict use of uninstalled connected apps, blocking non-admin users from authorizing them, a direct countermeasure against the Data Loader vishing technique.
ShinyHunters’ Role: The October 2025 Extortion Incident
ShinyHunters had been present throughout the campaign, but October brought the group’s involvement into full public view. On October 5, the Scattered LAPSUS$ Hunters victim-shaming and extortion blog published a list of more than three dozen companies whose Salesforce data had been stolen, including Toyota, FedEx, Disney/Hulu, and UPS, each entry specifying the volume of stolen data and the date of retrieval; the stated breach dates ranged from May to September 2025.
ShinyHunters set an October 10 deadline, threatening to leak 1 billion records unless Salesforce paid a ransom by 11:59 PM ET. Salesforce refused. Reports confirmed that Salesforce declined to pay the ransom following the Salesloft Drift attack. On October 10, the FBI seized a BreachForums domain that ShinyHunters had been using as its data leak extortion site.
Despite the takedowns, ShinyHunters leaked partial data from six companies, Qantas, Gap, Vietnam Airlines, Albertsons, FujiFilm, and Engie Resources, via dark web mirrors. Then, abruptly, the group declared the campaign “over,” citing an inability to continue after FBI disruption. In a Telegram post, ShinyHunters announced “The era of forums is over,” signaling a shift to Telegram-based extortion operations and even teasing an Extortion-as-a-Service model for 2026.
Investigators refined their picture of the threat actor over the course of the campaign. Mandiant initially attributed the activity to ShinyHunters (UNC6240), but later assessed that the operation involved a merged or cooperative entity combining members from ShinyHunters, Scattered Spider, and Lapsus$, a configuration investigators labelled Scattered LAPSUS$ Hunters. The combination of ShinyHunters’ data-theft-for-extortion model with Scattered Spider’s English-language vishing expertise explained why the attacks were both technically sophisticated and highly effective against English-speaking corporate environments.
1 Billion Records Claim: Verified vs. Disputed
The scale claim at the center of the Salesforce breach story, that ShinyHunters stole approximately one billion records across the campaign, sits in contested territory. ShinyHunters reported on October 3 that approximately 1 billion records from 39 companies were potentially impacted, with personal information stolen and samples leaked, along with ransom demands. BleepingComputer reported that the group later told them they had stolen over 1.5 billion Salesforce records from 760 companies using specifically the compromised Salesloft Drift OAuth tokens.
What is independently verified is more modest but still significant. The confirmed downstream victims, Google (2.55 million records), Stellantis (18 million claimed by ShinyHunters, contact data only per Stellantis), Farmers Insurance (1.1 million), Qantas (5.7 million), TransUnion (4.4 million), Adidas, Cisco, Workday, Air France-KLM, and others, account for tens of millions of records across named organizations alone. The blast radius extended to over 700 organizations, and the automated AuraInspector campaign that ran through September added an unknown number of records from misconfigured Experience Cloud sites.
Salesforce disputed the top-line billion-record figure, maintaining that its platform was not breached and that the incidents resulted from customers’ own security posture and third-party integrations. That position is technically defensible, since the Salesforce core platform was never directly penetrated, but it does not diminish the real exposure customers experienced when their data was exfiltrated through it. Salesforce faced 14 lawsuits by September 25, reflecting the legal exposure that accrues to a platform when its ecosystem becomes a vector for mass customer data theft, regardless of where technical responsibility is assigned.
Cloudflare Support System Connection and Downstream Victims
Cloudflare’s involvement in the Salesforce campaign illustrates how the OAuth token theft phase created a second wave of downstream exposure beyond Salesforce customers themselves. In early September, Cloudflare confirmed that its Salesforce instance had been breached using stolen tokens and that the breach may have included support case data. Investigators found 104 Cloudflare API tokens among the exfiltrated material.
The significance of Cloudflare’s compromise extended beyond Cloudflare’s own data. Cloudflare’s support systems contain case records from thousands of enterprise clients, meaning stolen support case data could include API credentials, internal architecture details, network configuration information, and vulnerability disclosures submitted by Cloudflare customers in the course of resolving technical issues. A single breach of a support infrastructure provider creates a cascading intelligence package for subsequent targeting.
Through the stolen Drift OAuth tokens and downstream secrets recovered from that access, attackers also claimed stolen sensitive data from Zscaler, Tenable, Palo Alto Networks, CyberArk, Nutanix, Qualys, Rubrik, Elastic, BeyondTrust, Proofpoint, and Cato Networks. This roster reads as a comprehensive map of enterprise security vendors. Whether attackers were collecting competitive intelligence, searching for vulnerability data applicable to customer environments, or building a target list for future campaigns, the concentration of security industry victims in the Salesforce breach cascade was not coincidental.
The Cloudflare disclosure prompted the broader security industry to audit its own Salesforce integrations and connected app permissions, a response that came months after the initial vishing wave had already run its course.
Who Was Affected: Farmers Insurance, Qantas, Stellantis, and More
The confirmed victim list from the Salesforce breach campaign is one of the most varied in any single coordinated attack on record, spanning aviation, automotive, insurance, luxury retail, technology, financial services, and cybersecurity.
Farmers Insurance was among the first confirmed major victims outside the technology sector. On May 30, 2025, one of Farmers’ third-party vendors detected suspicious activity involving an unauthorized actor accessing a vendor database containing Farmers’ customer information. The vendor’s monitoring tools allowed it to detect and contain the activity quickly, but not before data on 1.1 million customers was extracted. Written notifications went out to affected customers in August. The exposed data included customer PII; no payment information was confirmed in filings.
Qantas Airways confirmed in October that attackers had stolen data through a third-party contact center platform connected to its Salesforce environment, exposing the personal information of 5.7 million customers, including names, email addresses, dates of birth, phone numbers, and Frequent Flyer numbers.
Stellantis, the world’s fifth-largest automaker by volume and owner of Jeep, Dodge, Fiat, Alfa Romeo, Chrysler, Peugeot, and nine other brands, confirmed in late September that attackers had accessed customer contact data through a third-party service provider’s platform supporting North American customer service operations. ShinyHunters claimed to BleepingComputer that they had stolen over 18 million Salesforce records from Stellantis, including names and contact details. Stellantis confirmed that the compromised platform did not store financial or sensitive personal information.
TransUnion’s 4.4 million-record breach was also linked to the Salesforce campaign. Other confirmed victims included Air France, KLM, Coca-Cola, Cisco, Adidas, and LVMH, the latter encompassing Dior, Louis Vuitton, Tiffany & Co., Givenchy, and Balenciaga customer datasets. The luxury sector exposure was particularly notable, since LVMH’s Salesforce environment likely contained high-net-worth customer profiles with purchase histories, loyalty data, and in some cases personal shopping preferences, a package of considerable value for targeted fraud.
The common thread across every victim was not a failure in Salesforce’s platform but a failure in the governance of the SaaS ecosystem surrounding it. OAuth tokens issued to third-party integrations, connected apps approved without ongoing audit, and support staff reachable by vishing: these were the actual attack surfaces. Once a third-party app holds broad OAuth scopes, a stolen token operates as a standing authentication bypass that skirts interactive login and many MFA controls entirely. In the Salesforce campaign of 2025, that architectural reality became a master key to hundreds of enterprise environments simultaneously.
If your organization uses Salesforce, or any of the downstream vendors named in this campaign, run a free dark web exposure scan to check whether credentials or data linked to your domain have already been extracted. For specific email address exposure, use DeXpose's email data breach scan.
TransUnion Data Breach 2025: 4.4 Million Records and ShinyHunters
The 2025 TransUnion data breach exposed the personal information of 4,461,511 Americans, including names, Social Security numbers, and dates of birth, after attackers exploited a third-party application connected to TransUnion’s US consumer support operations. The incident is linked to the ShinyHunters extortion group and forms part of the broader Salesforce-connected campaign that struck dozens of major organizations across 2025. For the millions of people whose data was exposed at one of the country’s three major credit bureaus, the risk profile is especially severe: TransUnion handles financial and identity data on over a billion consumers worldwide, including 260 million US citizens, making any breach of its systems a high-value event for identity thieves.

Timeline of the TransUnion Breach (July–September 2025)
The incident occurred on July 28, 2025, and was discovered two days later on July 30. That two-day gap reflects less a failure of detection than the standard forensic process: a TransUnion spokesperson clarified that the company “identified and contained this event within hours” of it happening, but that it is common industry practice to designate a later “date of discovery” to reflect a more complete assessment following the initial response.
TransUnion cited unauthorized access through a third-party Salesforce-connected app as the cause of the breach. The credit reporting firm did not name the third-party application involved, but said it has been working with law enforcement and third-party cybersecurity experts to investigate the attack. Based on the investigative record, the breach fits squarely within the Salesloft Drift OAuth token campaign, the same mechanism ShinyHunters used to reach Google, Cisco, Qantas, Farmers Insurance, Stellantis, and over 700 other organizations through the summer of 2025.
In the days that followed containment, TransUnion kicked off its full response protocol, bringing in external forensic experts and beginning regulatory notifications. In addition to the Texas AG disclosure, the breach was also reported to the Attorneys General of California, Iowa, Washington, Massachusetts, New Hampshire, Montana, and Maine. By late August, roughly 4.46 million individuals were notified. Notification letters began reaching affected consumers around August 26, nearly a month after the breach date, a delay that became a focus of subsequent class action filings.
The threat actors claimed 13 million records were exposed in total, while the official data breach notification put the number of affected US consumers at about 4.4 million. The discrepancy between the attackers’ claimed figure and TransUnion’s confirmed count is consistent with how ShinyHunters has handled other campaign victims: the group typically inflates scope in extortion demands while organizations confirm a narrower, forensically verified number. The hackers also claimed to hold addresses, email addresses, and phone numbers, data categories that TransUnion’s own notifications did not enumerate but did not categorically deny either.
The FTC had already recorded nearly 750,000 identity theft complaints by June 30, 2025, before the TransUnion breach was even disclosed, putting the year on track to be one of the worst on record for consumer identity exposure.
What Data Was Exposed
According to the disclosure to the Texas Attorney General, the exposed information includes names, Social Security numbers, and dates of birth. TransUnion’s own breach notification letters confirmed these three categories as the core of what was compromised, with the specific data elements varying by individual depending on what was held in the third-party support application at the time of access.
TransUnion stressed that the breach did not involve its core credit database or internal systems, a technically important distinction that nonetheless offers limited comfort to affected consumers. The combination of full legal name, Social Security number, and date of birth is precisely the data package required to commit the most damaging forms of identity fraud: opening new lines of credit, filing fraudulent tax returns, applying for government benefits, and creating synthetic identities by layering real SSNs against fabricated names and addresses.
The particular danger of a credit bureau breach, as opposed to a retail or social media breach, lies in the context: TransUnion’s data is already pre-formatted for interaction with the financial system. Attackers who obtain it do not need to enrich it or cross-reference it with other datasets before opening fraudulent credit accounts or applying for loans in the victim’s name. It arrives as a ready-made identity theft toolkit.
The breach notification letters used a placeholder field, <<impacted data elements>>, to personalize the disclosure to each recipient, meaning different individuals received notifications specifying different combinations of affected data fields. If your letter lists a Social Security number among your impacted elements, your exposure risk is at the higher end of the spectrum.
TransUnion’s Official Response and Notification Letters
TransUnion contained the incident within hours and limited it to the vendor-hosted application. Rapid containment helped prevent lateral movement into core credit systems, and public statements consistently stressed that credit reports and core credit information were not accessed.
To support those impacted, TransUnion is offering complimentary credit monitoring and identity protection services for 24 months through its myTrueIdentity platform. These services include credit monitoring, identity protection, identity resolution support, and $1 million in identity theft insurance. Affected individuals are encouraged to enroll in the free credit monitoring service within 90 days of receiving their notification letter. TransUnion is also providing proactive fraud assistance through Cyberscout, a TransUnion company specializing in fraud remediation.
As news spread, legal scrutiny intensified. Class actions were filed focusing on the adequacy of TransUnion’s third-party security controls and on the timeliness and completeness of its notices. Firms including Strauss Borrelli and Kolbe LLP mobilized claims alleging that TransUnion violated state or federal law by failing to protect consumer data adequately; the month-long gap before notifications began was the other main point of contention. The suits seek accountability and compensation for individuals whose private information was exposed.
In response to the breach, TransUnion has enhanced its security controls and continues to monitor its systems for any suspicious activity. The company has not publicly named the specific third-party application involved, nor confirmed whether it has terminated or restructured that vendor relationship.
What to Do If You Received a TransUnion Data Breach Letter
Receiving a TransUnion breach notification letter means your personal information was confirmed as part of the 4.4 million records exposed on July 28, 2025. The steps below address both the immediate risk window and the longer-term exposure created by SSN-inclusive breaches.
Enroll in the free monitoring immediately. Affected individuals have 90 days from receiving their notification letter to enroll in 24 months of free credit monitoring through TransUnion’s myTrueIdentity platform, which includes $1 million in identity theft insurance and fraud remediation support through Cyberscout. Do not let this window lapse; the monitoring is free, and the coverage period is meaningful.
Place credit freezes at all three bureaus. A credit freeze is the single most effective structural protection against someone opening new accounts in your name. Critically, you must freeze your file at each of the three bureaus (TransUnion, Experian, and Equifax) separately, because a lender may pull from any one of them; a freeze at TransUnion alone leaves two open doors. Credit freezes are free, do not affect your existing accounts or credit score, and can be lifted temporarily when you need to apply for new credit.
Place a fraud alert. A fraud alert at any one of the three bureaus triggers that bureau to notify the other two, requiring lenders to take additional steps to verify your identity before opening new accounts. A standard fraud alert lasts one year. If you are a confirmed identity theft victim, an extended seven-year fraud alert is available.
Review your credit reports for unfamiliar activity. Pull your free reports from all three bureaus at annualcreditreport.com and look for accounts, inquiries, or addresses you don’t recognize. Unfamiliar hard inquiries are an early signal that someone has attempted to open credit in your name. File a dispute immediately if you find unauthorized accounts.
Stay alert to downstream fraud attempts. The data exposed (name, SSN, and date of birth) gives criminals enough to impersonate you in financial and government contexts well beyond credit accounts. Watch for a tax return rejected because one was already filed under your SSN, unfamiliar unemployment or benefit claims, and medical bills or explanation-of-benefits statements for services you did not receive. These are the signatures of tax refund fraud, benefits fraud, and medical identity theft; synthetic identities built on your SSN may surface only when a lender contacts you about an account you never opened. All of these can follow SSN exposure by months or years.
Understand your legal options. Class-action lawsuits are forming against TransUnion, and those whose data was exposed may have grounds to participate. Consulting a data breach attorney costs nothing upfront in most class action structures and allows you to evaluate whether participation is appropriate for your situation.
Check your dark web exposure. The TransUnion breach is part of a broader ShinyHunters campaign that extracted data from hundreds of organizations. Your exposure likely extends beyond this single incident. A free dark web exposure scan will show whether your domain or credentials have appeared in other breach datasets circulating on dark web markets and forums, giving you a more complete picture of your current risk profile than a single breach notification letter can provide. For personal email exposure, use DeXpose's email data breach scan.
Oracle Data Breach 2025 | Cloud Infrastructure Under Attack
The Oracle data breach of 2025 was not a single incident but a sequence of three distinct compromises that struck different parts of Oracle’s infrastructure during the year: the legacy Oracle Cloud identity servers in March, a separate Oracle Health patient-data exposure disclosed privately to healthcare customers, and Oracle E-Business Suite in the autumn. Each traced back to legacy or unpatched infrastructure, and the largest was initially met with flat denial. For the 140,000-plus enterprise tenants whose authentication credentials were exfiltrated in March, and for the organizations running Oracle E-Business Suite targeted by Clop, the exposure represented a direct path into production environments, not a peripheral data store.

The March 2025 Oracle Cloud Breach, Access Vector and Scope
On March 21, 2025, CloudSEK’s XVigil discovered a threat actor, “rose87168,” selling 6 million records exfiltrated from Oracle Cloud’s SSO and LDAP systems. The data being sold on BreachForums included Java KeyStore (JKS) files, encrypted SSO passwords, key files, and Enterprise Manager JPS keys, collectively representing the authentication infrastructure for Oracle Cloud’s identity layer.
The attack vector points to a failure of basic patch management. The threat actor most likely exploited a known vulnerability, CVE-2021-35587, to access one of Oracle Cloud’s login endpoints. The flaw, disclosed and patched in Oracle’s January 2022 Critical Patch Update, allows unauthenticated attackers to compromise Oracle Access Manager instances. Although a fix had been available for more than three years, CloudSEK’s investigation found that the exploited endpoint had not been updated since 2014 and was still in active use as recently as February 17, 2025.
That detail is the most damning element of the technical record. CVE-2021-35587 carries a CVSS score of 9.8 (critical) and was added to the CISA Known Exploited Vulnerabilities catalog in November 2022. The US National Vulnerability Database entry warns that the “easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager.” Oracle’s production SSO endpoint, login.us2.oraclecloud.com, was confirmed to be running Oracle Fusion Middleware 11g, a version last updated in 2014, leaving it fully exposed to a public exploit that had sat in CISA’s KEV catalog for more than two years before the breach.
The scope affected over 140,000 enterprise tenants spanning Fortune 500 companies, public sector organizations, and mid-market enterprises across multiple industries and regions. The attacker published a website listing all domains affected, offering impacted companies the opportunity to verify whether their compromised data originated from Oracle Cloud in exchange for exclusion from the dataset being prepared for sale. The attacker also demanded payment for data removal and offered incentives for assistance in decrypting the stolen credentials.
The stolen material was not limited to consumer PII. JKS files contain cryptographic keys used to establish trusted communication between systems. Encrypted SSO passwords, once cracked, provide authenticated access to every service federated through Oracle’s identity layer. Enterprise Manager JPS keys govern Java security policy across Oracle middleware environments. In combination, this dataset provided sophisticated buyers with a roadmap for lateral movement across any organization’s Oracle-connected infrastructure.
A second, separate incident surfaced in the autumn, when the Clop extortion group exploited CVE-2025-61882, a zero-day in Oracle E-Business Suite allowing unauthenticated remote code execution against internet-facing ERP systems. Clop quietly exfiltrated data from enterprise environments for weeks before beginning a mass extortion email campaign on September 29. Oracle released an emergency patch in early October, but the campaign had run ahead of the fix, and Clop’s leak site soon began naming victims. The two incidents, one against Oracle’s cloud authentication layer and one against its on-premises ERP platform, shared a common thread: infrastructure that gave attackers a clear path to sensitive data, in the first case because it went years unpatched and in the second because it was exploited before a patch existed.
Oracle’s Response and Denial
Oracle’s handling of the March breach became one of the most scrutinized corporate responses to a cybersecurity incident in 2025, not because of what the company did technically, but because of the gap between its public statements and the evidence accumulating in the research community.
On March 21, 2025, Oracle responded in a statement: “There has been no breach of Oracle Cloud. The published credentials are not for Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.” The statement was unambiguous. It was also directly contradicted within days by multiple independent verification efforts.
Oracle took the server login.us2.oraclecloud.com offline after news of the alleged breach was reported. That action, quietly removing the affected endpoint from public access, drew immediate scrutiny, since removing an allegedly uncompromised server from public access is not standard practice following a denial. Security firms including CloudSEK, Hudson Rock, and SOCRadar analyzed samples of the leaked data, including a 10,000-line dataset. They found evidence of authenticity, with some Oracle customers confirming the data’s validity in their production environments.
The expert community’s response to Oracle’s position was direct. Cybersecurity experts criticized Oracle’s handling of a customer data breach that appeared to stem from infrastructure the company had failed to update and secure. After denying a customer data breach for roughly two weeks, Oracle appeared to do an about-face. It was accused of technical “wordplay”, specifically, leaning on the distinction between “Oracle Cloud” (its current OCI infrastructure) and “Oracle Cloud Classic” (a legacy environment) to deny a breach of the former while quietly acknowledging exposure in the latter. Oracle ultimately acknowledged a breach involving a legacy cloud environment after its earlier denials.
The pivot was confirmed when reports emerged that Oracle had begun privately contacting affected customers, directly contradicting its own public statement that no customers had experienced a breach or lost any data. By the time Oracle acknowledged the legacy environment compromise, researchers had spent two weeks documenting the evidence it was denying.
The Oracle Health division faced a separate disclosure track. Oracle reportedly told Oracle Health customers that unknown online attackers may have taken patient data, a disclosure made privately to healthcare clients that received considerably less public attention than the cloud infrastructure incident but carried significant HIPAA notification implications for affected health systems.
The pattern across all three Oracle incidents in 2025 was consistent: initial denial, evidence accumulation by independent researchers, quiet infrastructure changes, and eventually private acknowledgment to affected customers. The reputational and legal exposure from that sequence arguably exceeded what a prompt, transparent disclosure would have produced.
How to Check If Your Company Was Affected (Oracle Breach Scan)
If your organization uses Oracle Cloud, Oracle E-Business Suite, or Oracle Health, your exposure risk is not theoretical; it is a function of whether your domain appeared in the 140,000-tenant list published by “rose87168,” whether your ERP environment ran unpatched versions vulnerable to CVE-2025-61882, or whether your Oracle Health environment was within scope of the patient data access disclosed to healthcare clients.
The first and fastest check is DeXpose’s Oracle Breach Scan, a free tool that checks whether your company’s domain was mentioned in the alleged Oracle Cloud breach dataset. It requires no setup, returns results instantly, and provides a definitive signal on whether your organization appears on the compromised tenant list before you invest time in a full credential audit.
Beyond the scan, organizations running Oracle infrastructure should treat the following as immediate priorities regardless of whether they appear in the breach data. Rotate all Oracle Cloud SSO and LDAP credentials, since even organizations not in the published tenant list cannot rule out exposure through the broader credential market where this data was being sold. Revoke and reissue all Java KeyStore (JKS) files and Enterprise Manager JPS keys associated with Oracle environments; JKS files in particular maintain trust relationships that persist beyond the immediate breach window if not replaced. Apply all patches for CVE-2021-35587 and CVE-2025-61882 immediately if not already done; both are now in CISA’s KEV catalog and represent documented, weaponized attack paths against Oracle infrastructure.
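As an added, runnable illustration of the keystore point above (not Oracle code, and not drawn from the breach dataset), the Python script below parses the Java KeyStore container format directly: it lists every alias with its type and creation timestamp, verifies the store-integrity digest against the store password, and flags entries older than a rotation threshold. The sample store is constructed in-process with placeholder key and certificate bytes, and the alias names, dates and audit date are assumptions. The caveat it makes concrete: the JKS store password protects only an integrity hash, aliases and certificates are stored in the clear, and the SHA-1 based scheme protecting private keys is weak enough to brute-force offline, so a stolen JKS file must be treated as disclosed key material and reissued, not re-passworded.

```python
"""Inventory a Java KeyStore (JKS) without a JVM: list every entry with its type and
creation time, verify the store-integrity digest with the store password, and flag
entries past a rotation threshold.
Added example for this page, not Oracle code. The sample store is constructed below
with placeholder key/cert bytes; aliases, dates and the audit date are assumptions."""
import hashlib
import struct
from datetime import datetime, timezone

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_TAG, TRUSTED_CERT_TAG = 1, 2
# Integrity check: SHA1(store_password as UTF-16BE + this fixed salt + every byte before it)
INTEGRITY_SALT = b"Mighty Aphrodite"


def _utf(s: str) -> bytes:
    """Java DataOutput.writeUTF layout: 2-byte big-endian length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _digest(password: str, body: bytes) -> bytes:
    return hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()


def build_sample_jks(password: str, now_ms: int) -> bytes:
    """Constructed two-entry store: one private-key entry and one trusted certificate.
    Key and certificate blobs are placeholders, not real cryptographic material."""
    body = struct.pack(">III", JKS_MAGIC, 2, 2)            # magic, version 2, entry count
    body += struct.pack(">I", PRIVATE_KEY_TAG) + _utf("oam-sso-signing")
    body += struct.pack(">Q", now_ms - 3 * 365 * 86_400_000)   # created ~3 years ago
    body += struct.pack(">I", 8) + b"\x30\x06ENCKEY"       # protected private-key bytes
    body += struct.pack(">I", 1)                           # certificate chain length
    body += _utf("X.509") + struct.pack(">I", 6) + b"\x30\x04CERT"
    body += struct.pack(">I", TRUSTED_CERT_TAG) + _utf("partner-idp-ca")
    body += struct.pack(">Q", now_ms - 30 * 86_400_000)    # created 30 days ago
    body += _utf("X.509") + struct.pack(">I", 6) + b"\x30\x04CERT"
    return body + _digest(password, body)


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def utf(self) -> str:
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")


def parse_jks(data: bytes, password: str) -> dict:
    """Parse a version-2 JKS. Aliases and certificates sit in the clear; the password
    guards only the trailing digest, so a stolen file is readable without it and
    the digest merely tells you whether the file is intact."""
    r = _Reader(data)
    if r.u32() != JKS_MAGIC:
        raise ValueError("not a JKS file (bad magic)")
    if (version := r.u32()) != 2:
        raise ValueError(f"unsupported JKS version {version}")
    entries = []
    for _ in range(r.u32()):
        tag, alias = r.u32(), r.utf()
        created_ms = struct.unpack(">Q", r.take(8))[0]
        if tag == PRIVATE_KEY_TAG:
            r.take(r.u32())                                # skip protected key bytes
            chain = r.u32()
        elif tag == TRUSTED_CERT_TAG:
            chain = 1
        else:
            raise ValueError(f"unknown entry tag {tag} for alias {alias!r}")
        for _ in range(chain):                             # each cert: type, length, bytes
            r.utf()
            r.take(r.u32())
        entries.append({"alias": alias, "kind": "key" if tag == PRIVATE_KEY_TAG else "cert",
                        "created": datetime.fromtimestamp(created_ms / 1000, tz=timezone.utc),
                        "chain_len": chain})
    body, stored = data[:r.pos], data[r.pos:r.pos + 20]
    return {"integrity_ok": stored == _digest(password, body), "entries": entries}


def stale_entries(parsed: dict, now: datetime, max_age_days: int = 365) -> list:
    """Aliases created more than max_age_days before `now`: rotation candidates."""
    return [e["alias"] for e in parsed["entries"] if (now - e["created"]).days > max_age_days]


NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)           # assumed audit date
SAMPLE_JKS = build_sample_jks("changeit", int(NOW.timestamp() * 1000))

if __name__ == "__main__":
    report = parse_jks(SAMPLE_JKS, "changeit")
    print("integrity:", "ok" if report["integrity_ok"] else "FAILED (wrong password or tampered)")
    for e in report["entries"]:
        print(f"{e['alias']:<16} {e['kind']:<4} created {e['created']:%Y-%m-%d} chain={e['chain_len']}")
    print("rotate:", stale_entries(report, NOW))
```

Point the script at real keystores (`parse_jks(open(path, "rb").read(), store_password)`) to build the inventory the rotation step above needs; an entry that predates your last key ceremony, or any store whose integrity check fails under the password you believe it uses, goes to the top of the reissue list. Because certificate bytes and aliases are readable by anyone holding the file, the presence of an Oracle-tenant keystore in a leaked dataset alone tells an attacker which trust relationships exist, even before any private key is cracked.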
For organizations on Oracle E-Business Suite, the Clop campaign means your exposure window and patch status for CVE-2025-61882 are the critical variables. Because exploitation began weeks before the early-October patch existed, any internet-reachable EBS instance was potentially already exfiltrated before a fix was available, given the group’s practice of quiet, sustained access before public extortion. Patching closes the door but does not answer whether data already left; only log review and forensic analysis can.
A free dark web exposure scan at DeXpose can also surface whether credentials or domain data linked to your organization have appeared in the broader market surrounding the Oracle incidents, particularly relevant given that “rose87168” was actively selling the dataset to multiple buyers, meaning the same material may have circulated across multiple dark web forums and Telegram channels well beyond the initial BreachForums listing.
Major Healthcare Data Breaches in 2025
Healthcare was the most consistently breached sector of 2025, and for the fifteenth consecutive year, it was also the most expensive. From a government contractor processing Medicaid claims to a radiology network serving patients across eleven states, the year’s major healthcare data breaches exposed tens of millions of Americans to the combination of PHI, Social Security numbers, and financial identifiers that makes medical records ten times more valuable on dark web markets than credit card data alone.

Conduent Data Breach, 10 Million Records (January 2025)
The Conduent breach was not a healthcare breach in the traditional sense: no hospital was hacked, no clinical system was penetrated. But its impact on healthcare beneficiaries made it one of the most consequential medical data exposures of 2025 or any prior year. The attackers spent 83 days inside Conduent’s network between October 2024 and January 2025, exfiltrating approximately 8.5 terabytes of data including Social Security numbers, medical records, health insurance details, and Medicaid claims data from the company’s government services infrastructure.
Conduent processes Medicaid claims, benefit disbursements, and administrative services for more than 500 government entities across over 30 states. When SafePay ransomware penetrated that infrastructure, the blast radius followed the client map. Affected individuals include patients of Blue Cross Blue Shield of Texas, Blue Cross Blue Shield of Montana, Premera Blue Cross, Humana, and others. The breach disrupted payment processing and government services in Wisconsin and Oklahoma, stranding Medicaid recipients, child support claimants, and food assistance beneficiaries who were unaware they were Conduent customers at all.
What made the notification timeline particularly troubling was its duration. Conduent began sending breach notification letters in October 2025, nine months after discovering the intrusion, well beyond HIPAA’s 60-day notification requirement. The scope also expanded dramatically as state-level filings came in. Texas alone reported 15.4 million affected individuals, while Oregon reported another 10.5 million. By early 2026, the confirmed total exceeded 25 million Americans, making it one of the largest healthcare-adjacent breaches in US history, surpassed only by the 2024 Change Healthcare attack, which affected 190 million individuals.
The SafePay ransomware group claimed responsibility for the attack, adding Conduent to its dark web data leak site in February 2025 and stating that it had stolen 8.5 terabytes of data. Conduent is no longer listed on the SafePay site, which typically indicates either ransom payment or data sale, though Conduent has not confirmed either outcome.
SimonMed Imaging, 1.27 Million Patients (October 2025)
SimonMed Imaging, an Arizona-based radiology practice, reported a January 2025 healthcare data breach stemming from a cyberattack that impacted 1.27 million individuals. The Medusa ransomware group claimed responsibility for the hack. SimonMed provides radiology services across approximately 170 medical centers in 11 states.
The attack’s entry point was a third-party vendor. According to a breach notice provided to the Maine attorney general’s office, on January 27, 2025, SimonMed was notified that one of its vendors was experiencing a security incident. Upon reviewing its systems, SimonMed discovered suspicious activity on its own network. Further investigation revealed that unauthorized activity had occurred between January 21, 2025, and February 5, 2025.
Hackers stole information including names, addresses, dates of birth, health insurance information, driver’s license numbers, government-issued IDs, SSNs, financial account numbers, authentication credentials, and a wide range of medical information. The Medusa group went further in its own disclosure, publishing proof-of-breach material that included identity documents, payment details, medical reports, account balances, and raw imaging scans, categories that SimonMed’s official notification did not fully enumerate.
SimonMed received a $1 million ransom demand for 212.616 GB of data. SimonMed is not currently listed on the Medusa group’s data-leak site, which may indicate a ransom payment, though the company has not confirmed one. Notification letters began reaching affected patients in October 2025, nine months after the intrusion window closed, a delay that prompted class-action litigation and regulatory scrutiny. The type of data involved is particularly sensitive: radiology records include diagnostic imaging that can reveal medical conditions patients may not have disclosed to employers, insurers, or family members. Unlike a stolen credit card number, a medical diagnosis cannot be changed.
Episource, 5.4 Million Records
Episource, a healthcare technology company, was hit by an attack that started in January 2025. Episource notified 5,418,866 people of the breach, while other companies also issued their own notifications, including Sharp Community Medical Group and Sharp HealthCare. The responsible threat actors remain unattributed.
Episource operates at the intersection of health insurance and clinical data, providing risk adjustment, quality improvement, and analytics services to health plans and medical groups. That positioning means its data stores contain medical charts, diagnostic codes, clinical encounter records, and health plan membership information for millions of individuals across its client network. A breach at Episource is structurally analogous to a breach at a clearinghouse: a single point of compromise affecting many downstream patient populations.
The 5.4 million figure makes the Episource breach the largest single-organization healthcare data breach of 2025 by individual count, ahead of Veradigm’s 2.6 million and DaVita’s 2.4 million. The combination of health plan and clinical data exposes individuals to both identity fraud and medical insurance fraud, two categories that remain among the hardest for affected individuals to detect and resolve.
Veradigm, DaVita, Ascension, Kaiser, HealthEquity, and More
The breadth of healthcare sector breaches in 2025 extended well beyond the headline incidents. Several additional organizations disclosed significant compromises, each with its own distinct attack vector and data type.
DaVita confirmed a ransomware attack that exposed the records of approximately 2.4 million patients. DaVita said attackers infiltrated its lab database and accessed a trove of sensitive details between March 24 and April 12. Treatment records, dialysis test results, Social Security numbers, health insurance data, and even images of checks were among the compromised files. The exposed data includes sensitive personal and medical information belonging to dialysis patients, including many US veterans who receive dialysis services through DaVita’s contract with the Department of Veterans Affairs. The Interlock ransomware group claimed responsibility, alleging it had stolen 1.51 terabytes of data.
Veradigm, formerly Allscripts, disclosed in September 2025 that a breach originating in December 2024 had exposed the records of approximately 2.6 million individuals. On July 1, 2025, Veradigm learned that an unauthorized third party had accessed one of its storage locations. The investigation determined that a data security incident at one of its customers resulted in the theft of credentials, allowing access to a Veradigm storage account. The file review confirmed that the following types of information had been exposed: name, contact information, date of birth, health records information, including diagnoses, medications, test results, and treatments; health insurance information; payment details; and limited identifiers, such as Social Security numbers and driver’s license numbers. The breach was subsequently linked to a Rhysida ransomware attack on Sunflower Medical Group, whose stolen credentials were used to pivot into Veradigm’s storage environment.
Ascension Health disclosed in spring 2025 a breach affecting roughly 437,000 patients, traced to a vulnerability in software used by a former business partner rather than to Ascension’s own systems. It was a separate event from the May 2024 Black Basta ransomware attack that forced Ascension to divert ambulances and revert to paper records, and it landed on an organization still working through that earlier incident’s aftermath.
Kaiser Permanente and Blue Shield of California both disclosed breaches in 2025 stemming from misconfigured tracking pixels and analytics platforms, a category of healthcare exposure that carries HIPAA liability not because systems were hacked, but because PHI was inadvertently shared with advertising platforms. Blue Shield of California’s Google Analytics misconfiguration, active from 2021 to 2024, exposed protected health information for 4.7 million members. These incidents demonstrated that healthcare data exposure in 2025 came from both active ransomware campaigns and passive, long-running configuration failures.
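To make the pixel failure mode concrete, here is an added Python example (not Blue Shield, Kaiser or Google code) that scans a HAR export captured while browsing authenticated pages, picks out beacons sent to analytics and advertising hosts, and reports any page-context field (page location, referrer, title, custom dimensions) that carries a sensitive path or an identifier pattern. It also shows the scrubbing a compliant tag configuration should apply to the page location before it leaves the browser. The HAR content is constructed, and the tracker host list, sensitive path prefixes and identifier formats are assumptions to be tailored per site.

```python
"""Find PHI leaking to analytics/advertising pixels by scanning a HAR capture of an
authenticated browsing session, and show the page-location scrubbing a compliant
tag configuration should do before a beacon leaves the browser.
Added example for this page, not Blue Shield, Kaiser or Google code. The HAR is
constructed; tracker hosts, sensitive path prefixes and identifier formats are
assumptions to tailor per site."""
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

TRACKER_HOSTS = {"www.google-analytics.com", "analytics.google.com",
                 "www.facebook.com", "stats.g.doubleclick.net"}          # assumed list
# Measurement-protocol fields that echo page context (UA and GA4): location, referrer,
# path, title, event label/action; plus UA custom dimensions cdN and GA4 ep./up. params.
CONTEXT_PARAMS = ("dl", "dr", "dp", "dt", "el", "ea")
CUSTOM_PREFIXES = ("cd", "ep.", "up.")
SENSITIVE_PATH_PREFIXES = ("/member/", "/find-a-doctor", "/rx/", "/conditions/",
                           "/appointments/", "/claims/")                   # assumed
IDENTIFIER_PATTERNS = {                                                    # assumed formats
    "member_id": re.compile(r"\b[A-Z]{3}\d{9}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


def beacon_params(entry: dict) -> dict:
    """Merge query-string and form-encoded body parameters of one HAR request;
    GA4 batches several url-encoded events into the POST body, one per line."""
    req = entry["request"]
    params = {k: v[0] for k, v in parse_qs(urlsplit(req["url"]).query).items()}
    for line in req.get("postData", {}).get("text", "").splitlines():
        params.update({k: v[0] for k, v in parse_qs(line).items()})
    return params


def phi_indicators(text: str) -> list:
    """Reasons a forwarded value looks like PHI: a sensitive page path, or an
    identifier pattern anywhere in the text (path, query string or title)."""
    reasons = []
    if "://" in text and urlsplit(text).path.startswith(SENSITIVE_PATH_PREFIXES):
        reasons.append("sensitive path " + urlsplit(text).path)
    reasons += [name for name, rx in IDENTIFIER_PATTERNS.items() if rx.search(text)]
    return reasons


def find_phi_leaks(har: dict) -> list:
    """Report every tracker beacon whose page-context or custom parameters carry PHI."""
    findings = []
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if host not in TRACKER_HOSTS:
            continue
        for key, value in beacon_params(entry).items():
            if key in CONTEXT_PARAMS or key.startswith(CUSTOM_PREFIXES):
                reasons = phi_indicators(value)
                if reasons:
                    findings.append({"tracker": host, "param": key, "value": value, "reasons": reasons})
    return findings


def scrub_page_location(url: str) -> str:
    """The fix at the tag layer: drop the query string and collapse sensitive sections
    to their prefix so path-embedded identifiers never reach the tracker."""
    parts = urlsplit(url)
    path = next((p for p in SENSITIVE_PATH_PREFIXES if parts.path.startswith(p)), parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


# Constructed HAR fragment: two leaking beacons, one clean beacon, one first-party asset.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url":
        "https://www.google-analytics.com/collect?v=1&t=pageview&tid=UA-0000-1"
        "&dl=https%3A%2F%2Fwww.example-health.com%2Fmember%2FXYZ123456789%2Fclaims"
        "&dt=Claims%20for%20XYZ123456789&cd3=XYZ123456789"}},
    {"request": {"method": "POST", "url": "https://analytics.google.com/g/collect?v=2&tid=G-000000",
        "postData": {"mimeType": "text/plain", "text":
        "en=page_view&dl=https%3A%2F%2Fwww.example-health.com%2Ffind-a-doctor"
        "%3Fspecialty%3Doncology%26zip%3D94110&dt=Find%20a%20Doctor"}}},
    {"request": {"method": "GET", "url":
        "https://www.google-analytics.com/collect?v=1&t=pageview&tid=UA-0000-1"
        "&dl=https%3A%2F%2Fwww.example-health.com%2Fabout-us&dt=About%20Us"}},
    {"request": {"method": "GET", "url": "https://www.example-health.com/static/app.js"}},
]}}

if __name__ == "__main__":
    for f in find_phi_leaks(SAMPLE_HAR):
        print(f"{f['tracker']}: {f['param']}={f['value']!r} -> {', '.join(f['reasons'])}")
    print("scrubbed:", scrub_page_location("https://www.example-health.com/member/XYZ123456789/claims?tab=rx"))
```

In practice you capture the HAR from a logged-in session (browser developer tools, Network tab, save all as HAR) for each major authenticated flow and run the scan over it; a single hit on a /member/ or /find-a-doctor page whose query string or title reaches the tracker is exactly the configuration error described above. The scrubbing belongs in the tag configuration rather than in the vendor’s console, because the beacon is sent by the visitor’s browser and any vendor-side redaction happens only after the data has already been received.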
HealthEquity, the health savings account administrator, continued notifying individuals in 2025 following a 2024 third-party breach that ultimately affected 4.3 million individuals, one of the larger HSA-sector exposures on record.
HIPAA Breach Notification Trends in 2025
There were 21 OCR settlements in 2025, the second-highest annual total of HIPAA penalties on record. More than 7,400 large healthcare data breaches involving 500 or more records have been reported to the Office for Civil Rights since 2009, cumulatively affecting 935.5 million individuals, close to three times the US population.
The dominant attack vector in 2025 shifted from prior years. Phishing was the leading initial access vector in 2025, accounting for almost 16% of data breaches, while stolen credentials fell to third place, behind supply chain compromise at 15%. That supply chain figure is structurally significant for healthcare, where the breaches at Conduent, Veradigm, Episource, and SimonMed all originated through third-party vendor compromises rather than direct attacks on healthcare providers themselves.
One of the most actionable findings from the IBM 2025 breach data concerns detection timelines. Healthcare data breaches took the longest to identify and contain of any industry, at an average of 279 days, five weeks longer than the global average breach lifecycle of 241 days. The cost premium for that dwell time is significant: breaches detected and contained within 200 days cost an average of $3.87 million, while those exceeding that threshold cost $5.01 million, a gap that maps directly onto the detection failure patterns visible in the Conduent, Veradigm, and SimonMed timelines, all of which involved months between initial access and discovery.
Delayed notification has also become a systemic legal risk. Multiple 2025 healthcare breaches (Conduent, SimonMed, and Veradigm) sent notification letters nine to ten months after the breach date, well beyond HIPAA’s 60-day requirement. Class action filings in all three cases cited notification delay as a primary claim, establishing a litigation pattern that is likely to drive OCR enforcement focus into 2026.
Why Healthcare Remains the Highest-Cost Breach Sector
Healthcare has held the most expensive sector position for fifteen consecutive years. IBM’s 2025 Cost of a Data Breach Report puts the average healthcare breach cost at $7.42 million, the highest across all industries, even after a year-over-year decline of $2.35 million attributed to AI-assisted detection and response. That figure, while lower than the 2024 record of $9.77 million, still exceeds the next-most-expensive sector, financial services at $5.56 million, by a substantial margin.
The drivers behind healthcare’s persistent cost leadership are structural, not incidental. Medical records contain the most comprehensive identity package of any data type: full legal name, date of birth, Social Security number, insurance identifiers, residential address, and clinical history, all in one record, with no ability to change the underlying data if compromised. Medical records trade at a ten times premium to credit card data on dark web markets because they never expire. A stolen credit card can be cancelled in minutes; a stolen combination of diagnosis, date of birth, and SSN remains exploitable for decades.
Operational disruption adds a second cost layer unique to healthcare. Hospitals can lose up to $900,000 per day during system downtime when surgeries, prescriptions, and claims processing are disrupted. The DaVita, SimonMed, and Conduent breaches each caused operational disruptions that extended well beyond data exposure into care delivery continuity, a dimension that financial services, retail, and technology organizations do not face at the same human cost.
Compliance failures add $1.22 million to the average breach cost, reflecting regulatory fines, mandatory notifications, credit monitoring requirements, and increased legal exposure. HIPAA’s breach notification requirements, OCR enforcement authority, and the proliferation of state-level health privacy laws create a regulatory cost stack that compounds the direct incident costs. The 21 OCR settlements recorded in 2025 confirm that enforcement is not merely theoretical, and the cases that produced those settlements will define the compliance expectations healthcare organizations face in 2026 and beyond.
If your organization operates in healthcare or processes PHI through third-party vendors, your breach risk extends to every business associate in your network. Run a free dark web exposure scan to check whether your domain’s credentials or patient data have already appeared in the breach datasets circulating from 2025’s healthcare incidents. For email-level exposure checks, use DeXpose’s email data breach scan.
Financial Services Data Breaches 2025
Financial services was the second-most breached sector in 2025 by incident count and the second-most expensive by average breach cost, trailing only healthcare. The sector’s breach profile in 2025 was distinctly multi-layered: traditional banks faced third-party vendor cascades, crypto platforms absorbed insider attacks and nation-state heists, insurers became the preferred target of Scattered Spider’s social engineering campaigns, and fintech companies discovered that third-party analytics and CRM integrations were carrying far more customer data exposure risk than their security teams had accounted for.

ITRC Report: 739 Financial Sector Breaches in 2025
The Identity Theft Resource Center recorded 739 data compromises in the financial services sector in 2025, the highest single-year count for the industry in the ITRC’s tracking history, and a figure that places financial services behind only healthcare in total breach volume. The 739 incidents encompassed banks, credit unions, insurance companies, investment platforms, payment processors, and fintech providers, with third-party vendor compromise accounting for the largest share of root causes.
The ITRC’s financial services findings for 2025 reflect a sector under sustained, systematic pressure rather than a spike driven by a single campaign. Unlike the healthcare sector’s concentrated exposure in a handful of mega-breaches, financial services breaches in 2025 were distributed widely, with hundreds of mid-sized credit unions, regional banks, mortgage servicers, and payment platforms each reporting incidents that individually attracted limited press coverage but collectively added millions of affected consumers to the year’s aggregate exposure count.
IBM’s 2025 Cost of a Data Breach Report put the average financial services breach cost at $5.56 million, $1.12 million above the global cross-industry average of $4.44 million. The sector’s elevated cost reflects two structural factors: the regulatory complexity of breach notification across banking, securities, and insurance regulatory frameworks, and the direct financial fraud losses that stem from the specific data types financial institutions hold.
Banks and Credit Institutions: Chase, Wells Fargo, Capital One, Citibank
No single confirmed breach at a top-four US bank reached the scale of the Conduent or Aflac incidents in 2025. Still, each of the major institutions navigated at least one significant third-party exposure event during the year, a pattern that reflects how thoroughly the financial sector’s attack surface has shifted from direct institutional compromise to vendor-ecosystem infiltration.
JPMorgan Chase faced exposure through a third-party vendor breach disclosed in November 2025, in which a service provider shared by multiple Wall Street institutions was compromised, exposing customer names, contact details, and account-related identifiers across the impacted firms simultaneously. Chase confirmed the incident and began notifying affected customers, though it declined to specify the vendor involved or the precise number of records compromised. The incident was structurally consistent with the year’s dominant pattern: the bank’s own systems were secure; the attack surface was the vendor layer.
Wells Fargo disclosed in mid-2025 that a former employee had accessed and exfiltrated customer account data over a period of months before the unauthorized activity was detected, a classic insider threat pattern that ITRC flagged as an emerging structural category for 2025. The compromised data included customer names, account numbers, Social Security numbers, and in some cases transaction histories. Regulatory filings in multiple states confirmed the breach affected tens of thousands of customers.
Capital One notified customers in August 2025 of unauthorized access to a subset of its customer service platform records through a compromised third-party application, a disclosure that drew particular scrutiny given Capital One’s 2019 mega-breach, which had already cost the company $190 million in class action settlements and $80 million in OCC fines. The 2025 incident was considerably smaller in scope but reinforced questions about the bank’s third-party access controls.
Citibank disclosed in September 2025 that an unauthorized actor had accessed the records of approximately 60,000 customers through a vendor providing identity verification services, exposing names, government ID numbers, and partial account information. Citi confirmed the breach originated entirely within the vendor’s infrastructure and that its core banking systems were not affected.
Beyond the major four, the regional banking and credit union sector absorbed a sustained wave of incidents throughout the year. Connex Credit Union confirmed a breach affecting approximately 172,000 members in August. Multiple mortgage servicers disclosed unauthorized access to loan application data, a particularly sensitive data type given that mortgage applications contain the most complete financial identity package of any consumer document. The Finastra data breach, disclosed in January 2025 following a November 2024 intrusion, involved a threat actor who had been selling 400GB of stolen data on dark web forums; Finastra confirmed the theft originated from its SWIFT messaging and managed file transfer platform, used by banks globally to move funds and process interbank settlements.
Crypto Platform Breaches: Coinbase Insider Attack, Bybit, Kraken, Ledger
The crypto sector’s 2025 breach record was defined by two distinct threat profiles operating simultaneously: financially motivated criminal groups targeting exchange customer data through social engineering, and nation-state actors executing precision heists against exchange hot wallets to steal assets directly.
Bybit suffered the largest single cryptocurrency theft in history on February 21, 2025. The Lazarus Group, North Korea’s state-sponsored cyber unit, executed a supply chain attack targeting Safe{Wallet}, a multisig wallet infrastructure provider used by Bybit. By compromising Safe{Wallet}’s development environment and injecting malicious JavaScript into its signing interface, Lazarus manipulated Bybit’s routine cold-to-hot wallet transfer, causing Bybit’s signatories to unknowingly approve a transaction that redirected approximately $1.46 billion in Ethereum and staked Ethereum to Lazarus-controlled addresses. Bybit CEO Ben Zhou confirmed the theft and the Safe{Wallet} attack vector, launching an immediate bounty program and recovery effort. Chainalysis confirmed the attribution to the Lazarus Group through on-chain tracing. The Bybit heist was not a data breach in the traditional sense; no customer PII was compromised. But at $1.46 billion in direct asset theft, it represented the single largest financial loss from a cybersecurity incident in 2025 across any sector.
Coinbase experienced the year’s most consequential crypto data breach, and the financial sector’s defining insider threat case. Between December 2024 and May 2025, external criminals bribed multiple overseas customer support contractors to export account data from Coinbase’s internal tooling. The exfiltrated data included full names, home addresses, phone numbers, email addresses, images of government-issued ID documents, partial Social Security numbers, masked bank account numbers, and account balance metadata for approximately 69,461 confirmed individuals per the Maine AG filing. Attackers then demanded $20 million from Coinbase for silence. Coinbase refused, terminated the contractors, shut down the implicated overseas support operation entirely, and announced a $20 million reward for information leading to arrests. The breach exposed the personal and health data of millions through social engineering tactics; the Coinbase incident specifically demonstrated how English-language vishing and contractor bribery can bypass technical controls that would stop most automated attacks in their tracks.
Kraken disclosed in May 2025 that three individuals, later revealed to be US government officials acting under a law enforcement pretext, had accessed Kraken’s platform under false identity and exploited its KYC onboarding processes. Separately, Kraken disclosed in June that a security researcher had identified and exploited a critical API vulnerability that enabled unauthorized withdrawals before the bug was reported. The researcher claimed bug bounty protections; Kraken referred the matter to law enforcement, citing the scale of the exploitation as exceeding the bounds of legitimate security research. The dual incidents highlighted the porous boundary between authorized security testing, regulatory overreach, and criminal exploitation in the crypto sector.
Ledger faced renewed scrutiny in 2025 over the long tail of its 2020 customer database breach, in which 272,000 customer names, physical addresses, and phone numbers were published. Physical security threats against cryptocurrency holders, SIM swapping, home robbery, and physical coercion continued to be reported by Ledger customers in 2025, with no new system breaches confirmed. Still, the residual exposure from the 2020 data continued to fuel targeted attacks against high-balance holders.
Insurance Sector: Aflac, Allianz Life, Blue Cross Blue Shield
The insurance sector was the primary target of Scattered Spider’s 2025 campaign, a deliberate strategic shift by a group that had spent 2024 targeting retail and hospitality. Google’s Threat Intelligence Group issued a warning in mid-2025 that Scattered Spider had pivoted its focus to insurance companies, citing the sector’s combination of high-value PHI, SSN-inclusive policyholder databases, and relatively weaker identity verification controls compared to banks.
The personal, medical, and health insurance information of over 22.6 million people was stolen in June 2025 in the Aflac data breach. Scattered Spider accessed multiple Aflac user accounts through social engineering on June 12, 2025, and exfiltrated names, addresses, Social Security numbers, government-issued ID numbers, and medical and health insurance information, without deploying ransomware or causing operational disruption, which made the attack harder to detect through standard monitoring. The Aflac attack came on the heels of attacks on two other large US insurers, Erie Indemnity Co. and Philadelphia Insurance Companies, beginning June 8. All three attacks followed the same playbook: social engineering to compromise employee accounts, pure data exfiltration without encryption, and no operational impact to mask the intrusion. Aflac confirmed that more than 20 lawsuits have been filed and that federal investigations into its data protection practices are underway.
Allianz Life Insurance disclosed a breach that began in July 2025, resulting from a social engineering attack targeting a third-party CRM provider with access to policyholder data. The final scope, confirmed in December, covered 1.4 million customers whose names, contact details, dates of birth, and insurance policy numbers were compromised. The Allianz Life breach was structurally identical to the Aflac campaign: no system exploit, no ransomware, and social engineering via a third party with broad CRM access. The common thread confirmed what Google TIG had warned: insurers were being systematically targeted precisely because their vendor ecosystems hold comprehensive identity packages and their identity controls rely heavily on employee judgment.
Blue Cross Blue Shield faced exposure on two tracks in 2025. First, the Conduent breach described in the healthcare section directly compromised policyholder data for BCBS of Texas, BCBS of Montana, and others, a third-party compromise that BCBS entities had no direct ability to prevent. Second, Blue Shield of California’s separate Google Analytics misconfiguration, active from 2021 to January 2024 and disclosed in April 2025, exposed protected health information for 4.7 million members to Google’s advertising infrastructure. That second incident required no attacker at all: it was a configuration failure that had been silently exfiltrating PHI to an ad platform for nearly three years before detection.
Fintech and Payments: PayPal, Zelle, Finastra, Klarna
The fintech and payments sector’s 2025 breach exposure was concentrated in two categories: credential-stuffing attacks against consumer payment platforms and supply-chain compromises targeting infrastructure providers that process transactions on behalf of financial institutions.
PayPal faced renewed credential stuffing pressure in early 2025, with threat actors using credential pairs harvested from the 16 billion record dump and prior breach aggregations to attempt automated account takeovers at scale. PayPal confirmed unauthorized access to a subset of accounts in which users had reused passwords exposed in prior breaches, a pattern that PayPal’s own systems did not generate but that was nonetheless targeted. Affected users received breach notifications and were prompted to reset credentials and enable two-factor authentication. The incident underscored a structural vulnerability in consumer payment platforms: credential-stuffing attacks exploit breaches elsewhere, making them effectively unpreventable with platform-level controls alone.
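The PayPal paragraph makes the point that a platform cannot prevent password reuse elsewhere, so the practical control is detecting the stuffing pattern itself: one source trying many distinct accounts with a low success rate, rather than many attempts against one account. The following detector is an added example written for this article, not code from PayPal or any vendor the page names; the log format, the thresholds (10 distinct accounts and an 80% failure rate inside a five-minute window) and every sample log line are constructed.

```python
"""Credential-stuffing detection over login-audit log lines.

Added example, not code from the article or from PayPal or any other
company it names. The log format, the thresholds and every sample line
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <source IP> <account> <outcome>".
# 198.51.100.7 sprays one guess each across many accounts (stuffing);
# 203.0.113.9 hammers a single account (brute force, a different signal);
# 192.0.2.44 is an ordinary successful login.
SAMPLE_LOG = """\
2025-02-03T10:00:01Z 198.51.100.7 alice@example.com FAIL
2025-02-03T10:00:02Z 198.51.100.7 bob@example.com FAIL
2025-02-03T10:00:02Z 198.51.100.7 carol@example.com FAIL
2025-02-03T10:00:03Z 198.51.100.7 dave@example.com SUCCESS
2025-02-03T10:00:04Z 198.51.100.7 erin@example.com FAIL
2025-02-03T10:00:04Z 198.51.100.7 frank@example.com FAIL
2025-02-03T10:00:05Z 198.51.100.7 grace@example.com FAIL
2025-02-03T10:00:05Z 198.51.100.7 heidi@example.com FAIL
2025-02-03T10:00:06Z 198.51.100.7 ivan@example.com FAIL
2025-02-03T10:00:06Z 198.51.100.7 judy@example.com FAIL
2025-02-03T10:00:07Z 198.51.100.7 mallory@example.com FAIL
2025-02-03T10:00:10Z 203.0.113.9 alice@example.com FAIL
2025-02-03T10:00:15Z 203.0.113.9 alice@example.com FAIL
2025-02-03T10:00:20Z 203.0.113.9 alice@example.com SUCCESS
2025-02-03T10:30:00Z 192.0.2.44 bob@example.com SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (time, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=10, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts with mostly failures
    inside one sliding time window. For each flagged IP, also list the
    accounts that succeeded: those are the reused-password victims whose
    credentials need a forced reset and an MFA prompt."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            ratio = fails / len(win)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                prev = findings.get(ip)
                if prev is None or len(win) > prev["attempts"]:
                    findings[ip] = {
                        "attempts": len(win),
                        "distinct_accounts": len(accounts),
                        "fail_ratio": round(ratio, 2),
                        "accounts_to_reset": sorted(e[2] for e in win if e[3] == "SUCCESS"),
                    }
    return findings


def run_sample():
    """Run the detector over the constructed log."""
    return detect_credential_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, finding in run_sample().items():
        print(ip, finding)
```

The single-account brute force from 203.0.113.9 is deliberately not flagged: it is a different signal (per-account lockout and rate limiting handle it), and conflating the two hides the stuffing pattern behind account-level counters. In production the same logic would run over an authentication log stream with per-ASN or per-device-fingerprint keys in addition to the source IP, since stuffing traffic is usually spread across proxies.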
Zelle faced a different exposure vector. A fraud scheme targeting Zelle users, documented by the Senate Permanent Subcommittee on Investigations and involving $870 million in reported consumer losses between 2021 and 2023, continued to generate regulatory and litigation pressure through 2025, with JPMorgan Chase, Wells Fargo, and Bank of America facing consumer protection claims over their handling of Zelle-related fraud. While not a breach of Zelle’s own systems, the combination of social engineering attacks targeting Zelle users and the platform’s irreversible transaction model made it the payments sector’s most consequential fraud vector of the year.
Finastra’s November 2024 breach, confirmed and disclosed in January 2025, affected its Fusion Managed File Transfer platform, used by banks globally for SWIFT messaging and interbank settlements. A threat actor had been selling 400GB of stolen Finastra data on dark web forums since October 2024, including sensitive financial transaction records, client credentials, and operational banking data. Finastra confirmed the breach was limited to its MFT environment and that its broader banking platform was unaffected. Still, the SWIFT messaging context meant the stolen data carried significant intelligence value for subsequent financial fraud operations.
Klarna disclosed unauthorized access to a subset of customer account data in mid-2025 through a compromised third-party identity verification provider. Exposed data included customer names, email addresses, and limited transaction metadata. Klarna’s breach was notable primarily for its vendor origin; the same identity verification provider was confirmed to have been involved in multiple fintech breaches throughout the year, suggesting a single systemic point of failure across the buy-now-pay-later and digital lending sectors.
The payments sector’s 2025 breach record reinforces a conclusion that extends across every financial services sub-category: the most dangerous attack surface is not the core financial platform but the vendor ecosystem surrounding it. Third-party CRM providers, identity verification services, analytics platforms, and MFT infrastructure each store financial customer data at enterprise scale and represent a single point of compromise that can bypass the security controls financial institutions themselves have spent hundreds of millions building.
If your organization operates in financial services or processes payment data through third-party platforms, the breach exposure landscape of 2025 extends well beyond direct institutional incidents. Run a free dark web exposure scan to check whether your domain’s credentials have appeared in the breach datasets circulating from this year’s financial sector incidents. For individual email-level exposure, use DeXpose’s email data breach scan.
Technology and Software Supply Chain Breaches 2025
Technology and software supply chain breaches were the defining structural threat of 2025, not because any single incident was the largest by record count, but because attacks on development infrastructure, security vendor platforms, and SaaS ecosystems created blast radii that no single organization could contain on its own. When a consulting firm’s GitLab instance is compromised, the victims are its clients. When a firewall vendor’s cloud backup service is breached, the victims are every organization whose network configuration now sits in an attacker’s hands. The technology sector’s breach record in 2025 is a map of exactly how far that logic extends.

Red Hat GitLab Breach, Crimson Collective (October 2025)
On October 1, 2025, the cybercrime group Crimson Collective publicly disclosed a significant breach of Red Hat’s consulting GitLab instance, claiming to have exfiltrated 570GB of compressed data from over 28,000 repositories, including sensitive Customer Engagement Reports affecting approximately 800 organizations worldwide.
Red Hat’s official acknowledgment came on October 2, 2025, when the company published a security update confirming that unauthorized access had been detected on a GitLab instance used by the Red Hat Consulting team for internal collaboration on select engagements. Upon detection, Red Hat reported that it promptly launched an investigation, removed the unauthorized party’s access, isolated the affected instance, and contacted appropriate authorities. Red Hat confirmed that its core products, Red Hat Enterprise Linux, OpenShift, and its official software supply chain, were not compromised, isolating the incident to the consulting division’s collaboration environment.
The stolen material was the breach’s most dangerous element. The Crimson Collective exfiltrated Customer Engagement Reports containing system architecture and assessment data, authentication tokens, API keys, and credentials embedded within documents, infrastructure-as-code templates with cloud access keys, CI/CD pipeline configurations and VPN settings, and database connection strings and internal network details, materials that effectively served as blueprints of customer infrastructure, making it easier for attackers to pivot into client environments using stolen credentials.
FINRA issued an advisory warning of exposure of approximately 800 Customer Engagement Reports, which contained sensitive information such as infrastructure details, configuration data, authentication tokens, and other details that could be abused to breach customer networks, alongside public postings of stolen repository listings and samples on Telegram channels. The Centre for Cybersecurity Belgium issued its own advisory, rating the risk as “high” for organizations using Red Hat Consulting services.
The Red Hat breach took another turn when Crimson Collective formed new alliances to amplify its extortion efforts: Scattered Lapsus$ Hunters and ShinyHunters joined in, leveraging ShinyHunters’ newly launched data leak extortion site to pressure Red Hat into paying a ransom by an October 10 deadline, and publishing sample Customer Engagement Reports from high-profile organizations including Walmart, HSBC, Bank of Canada, and American Express as proof.
The incident’s significance extends beyond the 800 organizations directly affected. The Crimson Collective’s potential pivot from Red Hat’s repositories to customer infrastructure underscores the cascading impact of secrets sprawl: one compromised consulting firm can become the gateway to hundreds of customer environments.
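The Red Hat passage lists the material that turned a consulting repository into a gateway: tokens, API keys and connection strings embedded in engagement reports, infrastructure-as-code templates and CI configuration. The defensive counterpart is scanning those artefacts for embedded secrets before they are committed or shared. The scanner below is an added example written for this article, not Red Hat's tooling or any product the page mentions; the file contents are constructed (the AWS key is the documented placeholder value from AWS's own examples, the GitHub-style token is a string of x characters) and the patterns cover only a handful of common secret formats.

```python
"""Secrets scanner for engagement documents and infrastructure code.

Added example, not code from the article or from Red Hat. All file
contents below are constructed; the AWS access key is the placeholder
value AWS uses in its documentation, and the other secrets are made up.
"""
import re

# Most specific patterns first; one finding per line, first match wins.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("connection_string_with_password",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/]+:[^\s@]+@\S+")),
    # Generic "<keyword>... = <value>" assignments: password=, secret_key:, psk = ...
    ("credential_assignment",
     re.compile(r"(?i)(?:password|passwd|secret|psk|api[_-]?key|token)\w*\s*[:=]\s*['\"]?(?P<value>[^\s'\"]{8,})")),
]

# Constructed stand-ins for the kinds of files an engagement repo holds.
SAMPLE_FILES = {
    "infra/main.tf": '''provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
''',
    "reports/engagement-summary.md": '''# Customer engagement summary (constructed)
Database: postgres://svc_app:ChangeMe_2025@db.corp.internal:5432/app
The VPN concentrator is reachable from the jump host only.
''',
    ".gitlab-ci.yml": '''deploy:
  script:
    - ./deploy.sh
  variables:
    GITHUB_TOKEN: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
''',
    "vpn/site-b.conf": '''[remote]
peer = 203.0.113.10
psk = S3cretPreSharedKey!
''',
    "README.md": "Nothing sensitive here; password policy is documented elsewhere.\n",
}


def mask(value):
    """Keep a short prefix so a reviewer can locate the secret without the report itself leaking it."""
    return value[:4] + "****"


def scan_text(path, text):
    """Return one finding per line that matches a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                value = m.group("value") if "value" in m.groupdict() else m.group(0)
                findings.append({"path": path, "line": lineno, "kind": kind, "preview": mask(value)})
                break
    return findings


def scan_files(files):
    """Scan a {path: content} mapping, e.g. the tracked files of a repository."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def run_sample():
    return scan_files(SAMPLE_FILES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['path']}:{f['line']}  {f['kind']}  {f['preview']}")
```

The scanner reports masked previews only, so its own output can be attached to a ticket without reproducing the secret. Run as a pre-commit or CI check it blocks the commit; run over an existing repository or a document share it produces the rotation list that a breach like this one forces on every affected customer: each hit is a credential that must be assumed compromised and rotated, not merely deleted from the file.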
F5 Source Code Theft, CISA Emergency Directive (October 2025)
F5 revealed on October 15 that its systems were breached by a nation-state threat actor, prompting CISA to issue an emergency directive regarding certain F5 products. The company said files from its BIG-IP product development environment and engineering knowledge management platforms were stolen in the breach, which was first discovered in August 2025. These files included BIG-IP source code and information about undisclosed vulnerabilities. F5 released information about 45 vulnerabilities in a quarterly security notification following the breach, including 27 high-severity flaws, 16 medium-severity flaws, one low-severity bug, and one security exposure not assigned a CVE.
The attacker’s identity and dwell time make this the most strategically consequential vendor breach of the year. Bloomberg revealed that the attackers were in the company’s network for at least 12 months, and that the intrusion involved the use of a malware family dubbed BRICKSTORM, attributed to a China-nexus cyber espionage group tracked as UNC5221. While F5 Networks dealt with nation-state hackers lurking in its systems, potentially for years, 269,000 BIG-IP devices sat exposed on the internet, handling SSL/TLS termination, web application firewalls, and load balancing for 48 of the world’s top 50 corporations.
CISA stated that a nation-state-affiliated cyber threat actor compromised F5 systems and exfiltrated data, including portions of the BIG-IP proprietary source code and vulnerability information, which gives the actor a technical advantage to exploit F5 devices and software. The emergency directive, ED 26-01, required agencies to install the latest updates for F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF by October 22, 2025, with all other F5 devices patched by October 31, 2025.
CISA said it has identified a significant cyber threat targeting federal networks utilizing certain F5 devices and software, warning that a nation-state cyber threat actor poses an imminent risk with the potential to exploit vulnerabilities in F5 products to gain unauthorized access to embedded credentials and API keys, exploitation that could allow the actor to move laterally within an organization’s network, exfiltrate sensitive data, and establish persistent system access, potentially leading to a full compromise of targeted information systems.
The F5 breach represents the supply chain attack in its most dangerous form: not customer data extracted for resale, but source code and vulnerability intelligence acquired for weaponization, an attacker holding a roadmap to every unpatched flaw in infrastructure deployed inside thousands of organizations simultaneously.
SonicWall Cloud Backup Breach (October–November 2025)
The SonicWall cloud backup breach illustrates how an incident can expand dramatically between initial disclosure and final forensic conclusion, and how what began as a routine advisory became a network security crisis for every organization relying on SonicWall firewalls.
On September 17, 2025, SonicWall released a knowledge base article detailing the exposure of firewall configuration backup files stored in certain MySonicWall accounts. The investigation determined that threat actors exploited the cloud backup application programming interface using brute-force methods, downloading encrypted preference files containing system settings, network topology, routing rules, firewall policies, virtual private network configurations, and user credentials. While credentials were encrypted using AES-256 for Gen7 and Triple DES for Gen6 devices, other configuration elements were readable.
The initial disclosure estimated fewer than 5% of customers were affected. SonicWall on October 10 said it completed an investigation showing that hackers gained access to firewall configuration backup files for all customers who used the company’s MySonicWall cloud backup service. The shift from 5% to 100% of cloud backup users in three weeks was a disclosure gap that drew immediate criticism from the security community.
SonicWall formally implicated state-sponsored threat actors as behind the breach, stating: “The malicious activity, carried out by a state-sponsored threat actor, was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call.” SonicWall did not disclose which country was behind the incident.
The nature of the stolen items defines the downstream risk. Firewall configuration backups are not consumer PII; they are network architecture documents. An attacker who holds a complete configuration backup of an organization’s SonicWall firewall knows its access rules, VPN tunnel endpoints, service credentials, and internal network topology. That intelligence package enables highly targeted exploitation of the specific firewall instance rather than generic scanning, the difference between a locksmith with a master key and a burglar rattling door handles.
Snowflake Breach Fallout: August–September 2025 Updates
The Snowflake breach, which originated in 2024 when threat actors used stolen credentials to access customer tenants on Snowflake’s platform, continued generating significant legal and regulatory consequences through 2025. The 2024 campaign, attributed to UNC5537 and carried out through infostealer-harvested credentials rather than a direct Snowflake platform vulnerability, affected over 165 organizations including Ticketmaster, AT&T, Advance Auto Parts, and Santander Bank.
In 2025, Snowflake faced the full legal weight of that campaign. On April 7, 2025, the lead plaintiff filed a second amended complaint in the class action against Snowflake. On June 6, 2025, the company filed a motion to dismiss. On August 5, 2025, the lead plaintiff filed its opposition, and the company’s reply was submitted on September 19, 2025, with oral argument scheduled for December 11, 2025. Five additional derivative complaints were filed alongside the primary class action, asserting negligence, breach of fiduciary duty, breach of implied contract, and unjust enrichment, collectively seeking unspecified damages, attorneys’ fees, and injunctive relief.
The Snowflake litigation arc in 2025 matters beyond the company itself. It establishes the legal standard for platform liability when a SaaS vendor’s customers are breached through credential theft that the platform did not directly enable but did not prevent through mandatory MFA. The outcome will influence how cloud data platforms must govern tenant authentication for years to come.
Okta Breach: August and September 2025 Incidents
Okta’s 2025 breach record continued a pattern that had already marked 2022, 2023, and 2024: the identity platform at the center of enterprise authentication experiencing unauthorized access events whose downstream implications extended to every organization relying on it for SSO and MFA.
In August 2025, Okta confirmed unauthorized access to its customer support case management system through a compromised service account, an incident structurally analogous to its October 2023 breach, in which a support system compromise exposed session tokens for 134 customers. The August 2025 incident exposed support case metadata, including customer names and contact details, and, in some cases, case attachment files containing authentication configuration data. Okta began notifying affected customers and rotated the compromised service account credentials within 24 hours of detection.
In September 2025, a separate incident involved unauthorized access to Okta’s workforce identity cloud via a third-party integration that held administrative credentials. Okta confirmed the September incident was contained within the integration layer and did not reach core identity stores. Still, the back-to-back disclosures in the same quarter prompted renewed scrutiny of Okta’s third-party access governance. They reignited customer concerns about whether a platform whose core function is identity security can adequately protect its own.
The systemic risk of Okta breaches is multiplicative. When Okta’s support system holds session tokens or configuration data for enterprise customers, an attacker who obtains that data can impersonate authenticated sessions across every application federated through that customer’s Okta instance, meaning a single support system compromise can translate into access across entire enterprise application landscapes.
Workday, AppFolio, Zendesk, and SaaS Platform Vulnerabilities
The SaaS supply chain’s vulnerability in 2025 extended well beyond the headline incidents. Several enterprise platforms disclosed unauthorized access events through the year, each demonstrating a different failure mode in the ecosystem of third-party integrations, OAuth connections, and vendor-managed credentials that defines modern enterprise software.
Workday confirmed in August 2025 that business contact data had been extracted through weaknesses in its Salesforce integration. This breach originated not in Workday’s own platform but in the OAuth relationship connecting the two. The incident was part of the broader Salesloft Drift campaign described in the Salesforce section, with Workday’s exposure arising from its status as a Salesforce-connected platform rather than any vulnerability in Workday’s core HCM infrastructure. HR platform breaches carry particular sensitivity because Workday environments contain compensation data, performance records, headcount planning, and organizational charts, internal intelligence of significant value for corporate espionage and targeted social engineering.
AppFolio, a property management SaaS platform, disclosed in October 2025 that unauthorized access to a third-party service provider had exposed tenant and landlord data for a subset of its property management customers. Exposed data included names, contact details, lease information, and in some cases partial payment records. The AppFolio incident falls into a category of SaaS breaches that received less coverage than enterprise platform events but affected thousands of residential and commercial tenants whose data resided in property management systems they had never directly interacted with.
Zendesk confirmed two separate unauthorized access events in October 2025, both originating through compromised vendor integrations rather than direct platform exploitation. The first involved unauthorized access to support ticket metadata through a compromised analytics integration. The second involved a threat actor using stolen OAuth credentials to access customer service case records across a subset of Zendesk’s enterprise accounts. Zendesk revoked the affected OAuth tokens, audited all third-party integration permissions across its platform, and began notifying affected customers. Still, the dual October disclosures reinforced that customer support platforms carry the same structural exposure risk as the Cloudflare and Okta support system incidents: they aggregate sensitive customer data from thousands of organizations in a single, integration-rich environment.
NPM and GitHub Security Incidents (October–November 2025)
The software supply chain’s most upstream attack surface, the open source package registries and code hosting platforms that underpin virtually every software project, faced significant security incidents in the final quarter of 2025.
In October 2025, researchers identified a coordinated campaign targeting NPM packages with high weekly download counts. Threat actors had compromised the maintainer accounts of several widely used packages through credential stuffing using credentials harvested from prior breaches, injecting malicious code that exfiltrated environment variables, including API keys, cloud provider credentials, and database connection strings, from CI/CD pipelines running the affected packages. The campaign targeted packages with combined weekly downloads exceeding 50 million, meaning the malicious code ran inside thousands of development and production environments before detection. NPM’s security team revoked the affected maintainer tokens, unpublished the malicious versions, and issued advisories recommending immediate dependency audits across any project that had installed the affected packages during the compromise window.
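The advisory response described above, an immediate dependency audit for the affected versions, is mechanical once the advisory data exists: walk the lockfile and compare every installed version against the list of versions published from hijacked maintainer accounts. The audit below is an added example written for this article, not npm's tooling; the package-lock.json content, the package names and the advisory list are constructed, and a real audit would take the compromised-version list from the registry's published advisories. It also flags two things a compromised-account campaign makes worth checking in the same pass: packages resolved from somewhere other than the expected registry, and entries with no integrity hash, which cannot be verified against what was originally published.

```python
"""Lockfile audit against a list of known-compromised package versions.

Added example, not code from the article or from npm or GitHub. The
lockfile content, the package names and the advisory list are all
constructed; a real audit would take the advisory data from the
registry's published advisories.
"""
import json

TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Constructed package-lock.json (lockfileVersion 3 layout: a "packages"
# map keyed by path inside node_modules; "" is the root project).
LOCKFILE = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-utils": "^4.2.0", "color-strings": "^1.9.0", "fast-json": "^2.0.0"}},
        "node_modules/left-utils": {
            "version": "4.2.1",
            "resolved": "https://registry.npmjs.org/left-utils/-/left-utils-4.2.1.tgz",
            "integrity": "sha512-constructedAAAA"},
        "node_modules/color-strings": {
            "version": "1.9.0",
            "resolved": "https://registry.npmjs.org/color-strings/-/color-strings-1.9.0.tgz",
            "integrity": "sha512-constructedBBBB"},
        # Nested dependency pulled from an internal mirror, with no integrity hash.
        "node_modules/color-strings/node_modules/tiny-glob": {
            "version": "0.3.3",
            "resolved": "https://mirror.example.internal/tiny-glob-0.3.3.tgz"},
        "node_modules/fast-json": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/fast-json/-/fast-json-2.0.0.tgz",
            "integrity": "sha512-constructedCCCC"},
    },
})

# Constructed advisory: package -> versions published from a hijacked maintainer account.
COMPROMISED = {"left-utils": {"4.2.1", "4.2.2"}, "color-strings": {"1.9.0"}}


def package_name(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (handles nesting and scopes)."""
    return path.rsplit("node_modules/", 1)[1]


def audit_lockfile(lock_text, compromised, trusted_registry=TRUSTED_REGISTRY):
    """Return a finding per installed package that is a compromised version,
    was resolved from outside the trusted registry, or lacks an integrity hash."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not an installed package
        name, version = package_name(path), meta.get("version")
        base = {"package": name, "version": version, "path": path}
        if version in compromised.get(name, set()):
            findings.append({**base, "issue": "compromised_version"})
        if not meta.get("resolved", "").startswith(trusted_registry):
            findings.append({**base, "issue": "off_registry_source"})
        if "integrity" not in meta:
            findings.append({**base, "issue": "missing_integrity"})
    return findings


def run_sample():
    return audit_lockfile(LOCKFILE, COMPROMISED)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['issue']:24} {f['package']}@{f['version']}  ({f['path']})")
```

Because the lockfile records the exact version that was installed rather than the semver range in package.json, this is the right artefact to audit: a `^4.2.0` range in package.json says nothing about whether `4.2.1` was ever pulled. A hit on a compromised version means the malicious install ran in every environment that used that lockfile, so the follow-up is rotating the CI secrets that were exposed to it, not only upgrading the package.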
In November 2025, GitHub disclosed a security incident involving unauthorized access to a subset of private repositories through a compromised OAuth application. The application, used by enterprise customers for CI/CD automation, had been granted broad repository read access. This permission scope allowed the attacker to clone private repositories across the affected customer accounts. GitHub revoked the OAuth application, rotated all tokens issued by it, and began notifying affected repository owners. The incident prompted GitHub to accelerate its rollout of fine-grained personal access tokens and stricter OAuth scope enforcement, controls that had been in development but not yet mandatory for third-party application integrations.
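The GitHub incident above and the Workday, Zendesk and Okta integration incidents earlier in this section share one failure: a third-party integration holding far broader access than its job required, and keeping it long after it was last used. The audit below is an added example written for this article, not code from GitHub, Workday, Salesforce or Zendesk; the grant inventory is constructed, the scope names mirror GitHub's classic token scopes (`repo`, `workflow`, `admin:org`) and Salesforce's `full` scope, and the 90-day staleness cutoff is an assumed policy. It serves both the SaaS integration passages and the GitHub OAuth passage.

```python
"""Least-privilege audit of third-party OAuth grants.

Added example, not code from the article or from GitHub, Workday,
Salesforce or Zendesk. The inventory is constructed; the scope names
mirror GitHub's classic token scopes and Salesforce's "full" scope, and
the 90-day staleness cutoff is an assumed policy.
"""
from datetime import date

# Scopes that grant far more than an integration usually needs.
BROAD_SCOPES = {"repo", "admin:org", "admin:repo_hook", "workflow", "full"}
STALE_AFTER_DAYS = 90  # assumed policy: unused this long -> revoke outright

# Constructed inventory of installed integrations. "repos" is "all" when
# the grant covers every repository, "selected" when it is scoped down,
# or None for platforms where that concept does not apply.
GRANTS = [
    {"app": "ci-runner", "scopes": ["repo", "workflow"], "repos": "all",
     "last_used": date(2025, 10, 30)},
    {"app": "issue-triage-bot", "scopes": ["read:org", "public_repo"], "repos": "selected",
     "last_used": date(2025, 11, 1)},
    {"app": "old-analytics-sync", "scopes": ["repo"], "repos": "all",
     "last_used": date(2025, 5, 2)},
    {"app": "crm-enrichment", "scopes": ["full", "refresh_token"], "repos": None,
     "last_used": date(2025, 8, 20)},
]


def audit_grants(grants, today, stale_after_days=STALE_AFTER_DAYS):
    """Return one finding per grant that is over-broad, all-repository, or stale.
    A stale grant is marked for revocation; an active but over-broad one for tightening."""
    findings = []
    for g in grants:
        issues = []
        broad = sorted(set(g["scopes"]) & BROAD_SCOPES)
        if broad:
            issues.append("broad scopes: " + ", ".join(broad))
        if g["repos"] == "all":
            issues.append("covers all repositories; limit to the ones it needs")
        idle_days = (today - g["last_used"]).days
        stale = idle_days > stale_after_days
        if stale:
            issues.append(f"unused for {idle_days} days")
        if issues:
            findings.append({"app": g["app"],
                             "action": "revoke" if stale else "tighten",
                             "issues": issues})
    return findings


def run_sample():
    # Fixed "today" so the constructed inventory yields a reproducible result.
    return audit_grants(GRANTS, today=date(2025, 11, 15))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['action']:8} {f['app']}: " + "; ".join(f["issues"]))
```

The inventory itself comes from the platform's own integration listing (for GitHub, the organization's installed OAuth apps and their granted repositories); the audit is deliberately platform-neutral so the same policy can be applied to CRM, support-desk and HR integrations, which is where the Workday and Zendesk exposures originated. An integration that legitimately needs `repo` on two repositories should be re-granted on those two only, which is exactly the fine-grained scoping the passage above describes GitHub accelerating.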
Together, the NPM and GitHub incidents demonstrated that the software supply chain’s vulnerability extends to its most foundational layer: the package registries and code repositories where software is written, assembled, and distributed. An attacker who compromises an NPM package or a GitHub OAuth application does not need to breach any end-user organization directly; the malicious code or stolen credentials propagate downstream through the dependency graph automatically.
LastPass: Ongoing Breach Disclosures and 1Password Vault Concerns
LastPass’s 2022 breach, in which attackers stole encrypted vault backups for all customers, continued generating concrete financial harm and regulatory consequences through 2025, three years after the original incident. The story of the LastPass breach in 2025 is not one of new compromises but of a stolen dataset whose exploitation timeline has proven to be measured in years rather than weeks.
According to TRM Labs’ analysis published in December 2025, attackers had stolen more than $438 million in cryptocurrency traced to the LastPass data breach, with thefts continuing as criminals crack additional vaults. The encrypted vault backups stolen in 2022 have enabled bad actors to exploit weak master passwords, cracking them open and draining cryptocurrency assets as recently as late 2025. TRM Labs noted that as users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords through the end of 2025, leading to wallet drains. The blockchain intelligence firm assessed involvement of Russian cybercriminal actors based on repeated interaction with Russia-associated infrastructure and the consistent use of high-risk Russian exchanges as off-ramps.
The legal and regulatory closure came in 2025. LastPass reached a $24.5 million class action settlement in December 2025, allocating $8.2 million to general data protection claims and $16.25 million to cryptocurrency loss reimbursement, with cryptocurrency theft victims able to claim up to $50,000 for documented losses. In late 2025, the UK Information Commissioner’s Office fined LastPass £1.2 million ($1.6 million) for failing to implement sufficiently robust security measures that could have prevented the breach.
The 1Password vault concern, referenced periodically in 2025 security discussions, relates not to any confirmed breach of 1Password’s systems but to the architectural question the LastPass incident forced on all password manager users: what happens if encrypted vaults are stolen and subjected to sustained offline cracking? 1Password uses a two-secret key derivation model that combines the master password with a 128-bit Secret Key stored only on enrolled devices, which provides meaningful additional protection against the offline cracking scenario that enabled the LastPass vault compromise. No confirmed breach of 1Password’s vault data was publicly disclosed in 2025, and security researchers have specifically cited the company’s architecture as providing stronger resistance to the offline cracking attack that drove the LastPass cryptocurrency theft cascade.
The LastPass arc carries a lesson that applies across every encrypted data store: the security guarantee of encryption at rest is only as strong as the master credential protecting it, and when that credential is a user-chosen password, three years of offline cracking by well-resourced criminal groups is sufficient to break a meaningful percentage of them. Password managers remain more secure than password reuse, but their security depends entirely on the strength of the master password and the architectural controls vendors implement for vault storage.
If your organization uses any of the platforms, package registries, or security vendors listed in this section, your exposure risk extends to the entire vendor ecosystem to which those platforms connect. Run a free dark web exposure scan to check whether credentials or data linked to your domain have appeared in breach datasets from 2025’s technology supply chain incidents. For individual email-level exposure, use DeXpose’s email data breach scan.
Government and Public Sector Data Breaches 2025
Government and public sector data breaches in 2025 were defined less by a single catastrophic event than by a systemic pattern: critical federal agencies running unpatched infrastructure, email systems compromised for months before detection, and the unresolved tension between mass data collection for administrative purposes and the security controls needed to protect it. Across the US, UK, and Australia, the public sector’s breach record in 2025 demonstrated that government environments face the same threat actor sophistication as private enterprise, with the added consequence that the data held is often irreplaceable sovereign or citizen identity information.

Federal Agency Breaches: SSA, OPM, IRS, DISA, FEMA, OCC
The federal government’s most consequential breach disclosure of 2025 came not from a ransomware group or nation-state hacking operation, but from an administrative decision. Shortly after the January 2025 inauguration, the Office of Personnel Management and the US Treasury Department permitted associates of DOGE, Elon Musk’s so-called Department of Government Efficiency, to access sensitive and protected data without proper authorization or training. Federal workers brought suit alleging the largest data security breach in US history, stating that these willful violations exposed and continue to expose millions of federal workers to harm, including hacking, cyberattacks, fraudulent activity, actual theft, and ongoing mental distress. The affected workers sought monetary damages and relief for what they characterized as systemic and ongoing breaches of the Privacy Act of 1974.
Separately, in March 2025, the Trump administration acknowledged the improper disclosure of sensitive information when it released files about the death of President John F. Kennedy that included Social Security numbers, birthdates, and other sensitive information of hundreds of individuals, a disclosure Senator Mark Warner called “a staggering unforced error.” Federal employees also inappropriately uploaded confidential Social Security Administration data to an unapproved private server and entered into a voter data agreement to transfer that information to a political advocacy group, according to the Brennan Center for Justice.
The OCC, the Office of the Comptroller of the Currency, which charters and regulates all national banks, suffered the year’s most damaging single-agency cyber intrusion. On February 11, 2025, Microsoft notified the OCC that suspicious activity was occurring in its email accounts. By February 12, the agency confirmed that unauthorized access had been established through a compromised administrative account, and a subsequent investigation revealed the intrusion began as early as May or June 2024, meaning attackers had maintained access for approximately 9 months before detection. During that window, the threat actor accessed approximately 150,000 emails from roughly 100 to 103 accounts, including those belonging to senior OCC executives, and the compromised material contained highly sensitive information relating to the financial condition of federally regulated financial institutions, used in the agency’s examinations and supervisory oversight processes. The OCC formally notified Congress on April 8, 2025, that the incident met the criteria for a major incident under the Federal Information Security Modernization Act. Acting Comptroller Rodney Hood acknowledged internal failings directly, stating he had “taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident.” Attribution for the OCC breach was not publicly established, though investigators noted a potential link to the December 2024 Chinese state-sponsored attack on the Treasury’s Office of Foreign Assets Control.
FEMA and CBP faced a confirmed breach in October 2025 when an unidentified hacker exploited a Citrix remote access vulnerability to infiltrate FEMA’s Region 6 network and exfiltrate employee data over several weeks. The Department of Homeland Security confirmed that the attacker accessed employment records, internal email archives, and limited PII of federal staff. FEMA’s Region 6 supports emergency coordination across disaster-prone southern states; compromise of that network carries operational security implications beyond the data exposure itself.
The OPM’s 2025 story was a different kind of institutional failure: the expiration of identity monitoring services for the 22.1 million individuals affected by the 2015 breach, one of the most devastating intelligence losses in US history, attributed to Chinese state actors, which exposed security clearance background investigation files for current, former, and prospective federal employees including 1.1 million sets of fingerprints and detailed financial and health records. A decade after that breach, the federal identity protection program created in response ended in 2025 because OPM determined extending it was too expensive. Senator Warner called on OPM to maintain those protections, noting that the 22 million affected individuals will remain at risk because of the breach, likely for the remainder of their lives.
State and County-Level Incidents: Notable Government Breaches
State and county governments continued to absorb a steady volume of ransomware attacks and unauthorized access incidents through 2025, targeting the administrative infrastructure that processes benefits, licensing, court records, and municipal services for tens of millions of Americans.
Glasgow City Council in the UK suffered a ransomware attack in June 2025 that disrupted public-facing services and raised concerns about the exposure of citizen data. The attack disrupted council operations including housing services and social care referrals, systems that vulnerable populations depend on for time-sensitive support.
France Travail, France’s national employment agency, disclosed in July 2025 that approximately 340,000 individuals had their names, national identification numbers, and contact details exposed after unauthorized access to a third-party data processing system. The breach affected job seekers who had registered with the agency and whose data was stored on a vendor-managed platform rather than on France Travail’s own infrastructure.
Multiple US county and municipal governments reported ransomware incidents throughout the year, with a common thread of underfunded IT departments, legacy systems past their end-of-support dates, and limited incident response capacity. The Privacy Rights Clearinghouse’s 2025 Data Breach Report noted that more than half of 2025 breach notifications came from state agencies that publish only summary data rather than the underlying notification letters, a transparency gap that makes it structurally impossible to assess the full scope of state and local government breaches from public disclosures alone.
US Voter Data Exposure in 2025
The 2025 voter data exposure story unfolded on two tracks simultaneously: a confirmed technical breach exposing 4.6 million voter records, and a politically contested federal data collection effort that privacy experts characterized as creating new systemic exposure risk for the entire US voter database.
On the technical breach side, cybersecurity researcher Jeremiah Fowler discovered in May 2025 that a technology contractor, Platinum Technology Resource, had left 13 non-password-protected databases containing the records of 4.6 million Illinois voters accessible on the open internet. The exposed databases contained lists of active voters, absentee ballots, early mail-in voting records, and duplicate voter records, along with highly sensitive personal information including full names, Social Security numbers, dates of birth, and voting history. Fowler found a total of 13 open databases and 15 others that existed but were not publicly accessible, indicating the misconfiguration affected only a portion of the contractor’s total data holdings.
The more structurally significant voter data exposure in 2025 arose from the DOJ’s effort to collect complete, unredacted voter rolls from states across the country. Since spring 2025, the Department of Justice had been demanding full voter registration files, including driver’s license numbers, Social Security numbers, and voting history, from 24 states, filing lawsuits where states declined. Privacy experts raised formal objections to the concentration of this data, noting that the mosaic effect would allow a bad actor to use a voter’s information for identity theft, and that a successful breach of the accumulated dataset could enable an adverse nation-state to undermine confidence in the government. The DOJ’s chief of the voting section acknowledged in a Rhode Island federal hearing that his agency intended to share state voter roll data with DHS for cross-referencing through the SAVE system, a disclosure that prompted further legal challenges from the League of Women Voters and Common Cause over the unauthorized transformation of the SAVE system into a de facto national citizenship database.
UK Government Cyber Security Breaches Survey 2025 Findings
The UK Cyber Security Breaches Survey 2025, commissioned by the Department for Science, Innovation and Technology and the Home Office and based on fieldwork conducted between August and December 2024, represents the most comprehensive annual assessment of the UK’s organizational cyber resilience landscape. Its findings paint a picture of a threat environment that has shifted rather than diminished, with overall breach prevalence declining among small businesses while increasing in medium and large organizations.
Just over four in ten UK businesses (43%) reported having experienced any kind of cyber security breach or attack in the last 12 months, equating to approximately 612,000 businesses and 61,000 charities. This represents a decrease in prevalence compared to 2024, when 50% of businesses experienced a breach or attack. Still, the decline was driven almost entirely by a reduction in phishing reports among micro and small businesses. Medium and large businesses showed consistently high exposure, with 70% of medium businesses and 74% of large businesses reporting incidents, suggesting the headline percentage improvement masks a concentration of risk among organizations with the most data to lose.
Among organizations that experienced an incident, 85% of businesses and 86% of charities identified phishing as the root cause, confirming that social engineering remains the dominant initial access vector in the UK threat landscape, as it does globally. A worrying development is the rise in ransomware attacks, which doubled from fewer than 0.5% of businesses in 2024 to 1% in 2025, affecting an estimated 19,000 organizations.
Board-level governance showed a concerning decline. While cybersecurity remains a high priority for 72% of businesses, board-level responsibility has declined: only 27% report having a board member responsible for cybersecurity, down from 38% in 2021. That governance gap matters because board accountability is one of the strongest predictors of organizational breach response quality, with organizations that have explicit board ownership demonstrating faster detection, more effective containment, and more transparent disclosure.
The average cost of the most disruptive breach was £1,600 for businesses and £3,240 for charities. These figures exclude zero-cost responses and reflect the direct financial impact of a single incident rather than full-consequence accounting that includes regulatory penalties, litigation, and reputational damage.
Australia: OAIC Notifiable Data Breaches Reports (Q3–Q4 2025)
Australia’s mandatory breach notification framework, the Notifiable Data Breaches scheme administered by the Office of the Australian Information Commissioner, provides the most granular public-sector breach data of any jurisdiction, with the OAIC publishing detailed statistics and in November 2025 launching an interactive NDB dashboard for real-time access to breach trend data.
In the January–June 2025 reporting period, the OAIC received 532 data breach notifications, a 10% decrease compared with the previous six months, when the number of notifications reached a record level. That record was set in H2 2024, when Australia’s breach notification volume peaked following several high-profile incidents in the telecommunications and retail sectors. The 10% decline in H1 2025 reflected improved detection and containment at some larger organizations, but the OAIC was careful to note this did not represent a reduction in underlying threat activity.
Malicious or criminal attacks remained the largest source of data breaches, accounting for 59% of notifications and 308 incidents. The health sector accounted for the most reported data breaches, at 18% of all notifications, followed by the finance sector at 14% and Australian Government agencies at 13%. The concentration of government agency breaches in third place, accounting for 13% of all NDB notifications, is structurally significant: Australian government entities hold citizen identity data, immigration records, welfare entitlements, and tax information, making each government agency breach high-consequence regardless of the number of individual records involved.
The average number of individuals affected by cyber incidents in the January–June 2025 period was just over 10,000, a figure that reflects the presence of several large-scale incidents, which skewed the average upward, while the majority of breaches affected fewer than 100 individuals. The OAIC noted this as a reminder that cyber risk is increasingly prevalent and sophisticated, and that even entities with the strongest defences may experience a data breach.
In May 2025, the OAIC also released its full-year 2024 data showing 1,113 data breach notifications, a 25% increase compared with the 893 breaches reported in 2023, and the highest yearly total since the NDB scheme became mandatory in 2018. That record-setting 2024 baseline provides context for the H1 2025 decline: Australia’s breach notification volume is still running at historically elevated levels, even as the immediate post-record surge moderates.
The OAIC’s November 2025 dashboard launch, which makes all NDB data since 2018 interactively accessible, represents a significant step toward breach transparency that few other jurisdictions match. The ability for organizations to benchmark their sector’s breach frequency, drill into attack vector distributions by industry, and access notification timing data creates a public accountability infrastructure for breach disclosure that the US and UK frameworks currently lack at this level of granularity.
If your organization operates in any of the sectors flagged in this section (government contracting, financial regulation, healthcare, or any industry touching the public sector supply chain), run a free dark web exposure scan to check whether your domain’s credentials have appeared in breach datasets from 2025’s government and public sector incidents. For individual email-level exposure, use DeXpose’s email data breach scan.
Retail and Consumer Brand Breaches 2025
Retail and consumer brand data breaches in 2025 followed a pattern that security teams across the sector had been warned about for years: third-party vendor compromise, supply chain OAuth exploitation, and social engineering campaigns targeting customer-facing support infrastructure. The sector’s breach record was not driven primarily by direct attacks on retailer systems (most major retailers had invested heavily in core platform security) but by the ecosystem of logistics providers, contact centers, CRM integrations, and payment processors that surround those systems and collectively hold as much customer data as the retailers themselves.

Major Retailer Incidents: Target, Walmart, Kroger, Costco
No confirmed direct breach of Target, Walmart, Kroger, or Costco’s core retail infrastructure was publicly disclosed in 2025 at the scale of prior landmark incidents; Target’s 2013 breach affected 40 million payment cards, and no equivalent event struck the major grocery and big-box chains in 2025. What the year produced instead was a sustained pattern of mid-tier retailer breaches, supply chain incidents affecting large retailers through shared vendors, and the continued fallout of credential-stuffing attacks against loyalty and rewards programs.
The most significant confirmed retail breach of the year involving major brands came through the Salesforce campaign. Albertsons, parent of Safeway, Vons, Jewel-Osco, and Shaw’s among others, was named in ShinyHunters’ October extortion materials as one of the organizations whose Salesforce-connected CRM data had been exfiltrated, with sample data published on the Scattered LAPSUS$ Hunters extortion blog as proof. The compromised material included customer contact data and loyalty program information. Albertsons did not publicly confirm the scope of the incident, but neither did it categorically deny the extortion claim.
Marks & Spencer experienced the retail sector’s most operationally damaging breach of 2025, not a data exfiltration event but a Scattered Spider ransomware attack that caused more than 72 hours of online system outages across the Easter weekend. The attack disrupted M&S’s online ordering platform, contactless payment systems, and click-and-collect operations across its UK estate, and the company confirmed that customer personal data, including names, email addresses, postal addresses, and dates of birth, had been exposed. Analysts at GlobalData estimated the operational impact at approximately £300 million, reflecting lost online sales, emergency IT costs, and reputational damage, as measured in customer trust surveys conducted in the weeks following the incident. M&S was still rebuilding its online operations weeks after the initial attack, a delay that illustrated how deeply Scattered Spider’s campaign had penetrated the retailer’s infrastructure.
Co-op, one of the UK’s largest grocery and funeral services businesses, disclosed in April 2025 that it had detected an attempted cyberattack on its systems, with the DragonForce ransomware group subsequently claiming responsibility and publishing alleged proof of data access. Co-op confirmed that member data including names and contact details had been accessed, though it stressed that passwords, payment card data, and banking information had not been compromised. The Co-op and M&S incidents, both occurring within weeks of each other, both attributed to Scattered Spider or affiliated groups, both targeting UK retail infrastructure, confirmed the pattern Google TIG had flagged earlier in the year: the retail sector had become a primary campaign focus for English-language social engineering groups in 2025.
Sam’s Club, a Walmart-subsidiary warehouse club with approximately 600 US locations and 47 million members, was claimed as a victim by the Clop ransomware group in April 2025 following exploitation of a zero-day vulnerability in a file transfer platform. Sam’s Club did not publicly confirm or deny the claim at the time of initial disclosure, and Clop eventually removed Sam’s Club from its active leak site, an outcome consistent with either ransom payment or Clop’s inability to verify the claimed access.
Travel and Hospitality: WestJet, Qantas, Hilton, Marriott
The travel and hospitality sector’s 2025 breach record was defined by the Salesforce campaign’s reach into airline customer service infrastructure, a pattern of ransomware attacks against hotel property management systems, and the continued exploitation of loyalty program data as a high-value target for credential theft and fraud.
Qantas Airways and WestJet have both been covered extensively in the Top 10 section: Qantas losing 5.7 million customer records through a Salesforce-connected contact center, and WestJet losing 1.2 million records including a subset of passport data through a third-party reservation system. Together, they confirmed that airline customer data, a combination of names, loyalty identifiers, contact details, and in some cases travel document numbers, had become a priority target for the same ShinyHunters campaign that struck enterprise CRM environments throughout the year.
Hilton Hotels & Resorts disclosed in September 2025 that a third-party vendor providing guest loyalty program management services had experienced unauthorized access, exposing customer names, email addresses, Hilton Honors membership numbers, and tier status information for a subset of loyalty program members. Hilton confirmed its core reservation and payment systems were unaffected, with the breach contained entirely within the vendor’s environment, a disclosure that followed the year’s dominant template: hotel systems secure, vendor systems the actual attack surface. The Hilton incident raised particular concern because Hilton Honors membership data, combined with travel patterns visible in loyalty account histories, enables highly targeted spear-phishing and loyalty fraud at scale.
Marriott International did not disclose a new confirmed data breach in 2025, but continued to manage the legal and regulatory aftermath of its 2018 Starwood breach, which had already cost the company £18.4 million in ICO fines and more than $52 million in FTC settlement, with class action proceedings still active in US courts through 2025. Marriott’s 2025 story in the breach landscape is therefore one of sustained consequence rather than new incident: a reminder that the legal and financial tail of a major hospitality breach extends across years, not quarters.
The hospitality sector’s structural vulnerability in 2025 reflected an unevenly modernized technology landscape. Major hotel brands had invested in core reservation and payment security, largely under PCI DSS compliance pressure, but the proliferation of third-party property management systems, loyalty platform vendors, and guest experience applications created an ecosystem of peripheral access points that carried guest data without the equivalent security investment.
Automotive: Hyundai AutoEver, Volkswagen, Stellantis (via Salesforce OAuth)
The automotive sector’s data breach exposure in 2025 came from three distinct sources: a direct HR system breach at a major manufacturer’s technology subsidiary, the residual fallout of a 2024 cloud storage misconfiguration, and a third-party CRM compromise via the Salesforce campaign.
Hyundai AutoEver America, the technology subsidiary that provides IT services to Hyundai Motor America, disclosed in November 2025 that unauthorized access to its employee HR systems had exposed personal data for several thousand current and former employees. Hyundai AutoEver confirmed the breach originated in its HR platform rather than automotive telematics or vehicle connectivity systems, with exposed data including employee names, contact details, Social Security numbers, compensation information, and employment records. The breach drew disproportionate attention because Hyundai AutoEver’s infrastructure supports connected vehicle services, dealer management systems, and vehicle data processing, raising questions about whether the HR system compromise was a reconnaissance step toward broader targeting of automotive infrastructure.
Volkswagen Group carried significant breach exposure into 2025 from a late 2024 incident that had not been fully disclosed at year-end. The breach, attributed to a misconfigured Amazon Web Services storage environment maintained by Volkswagen’s software subsidiary Cariad, had exposed the location data and vehicle movement records of approximately 800,000 electric vehicles across the VW, Audi, SEAT, and Škoda brands in Europe. The exposed data included precise GPS coordinates linked to vehicle identification, enabling reconstruction of individual driving patterns and home and work addresses. The German Chaos Computer Club identified the misconfiguration and disclosed it; VW closed the access within hours of notification. Germany’s data protection authority opened formal investigation proceedings, with enforcement action expected through 2025.
Stellantis, owner of Jeep, Dodge, Fiat, Alfa Romeo, Ram, Chrysler, Peugeot, Opel, and nine other brands, confirmed in late September 2025 that customer contact data had been accessed through a third-party service provider’s platform supporting North American customer service operations. The breach was traced directly to the Salesforce Salesloft Drift OAuth token campaign, with ShinyHunters claiming to have obtained more than 18 million Stellantis records. Stellantis confirmed the compromised platform held customer contact information only, names and communication details, with no financial data, vehicle identification numbers, or account credentials involved. The exposure nonetheless affected tens of millions of Stellantis customers across multiple brands, given the company’s combined North American customer base of over 100 million registered vehicle owners.
Ring Security Breach, May 28, 2025
The Ring security incident of May 28, 2025, became one of the year’s most viral consumer security stories, and one of its most instructive examples of how a technical glitch can be amplified into a mass breach narrative before the facts are established.
On July 18, 2025, Ring users began posting viral TikTok videos after discovering that their account control centers showed multiple unrecognized devices; some users reported as many as 17 unknown devices, all apparently logging in on May 28, 2025, with device names displayed as “Device name not found.” The videos spread rapidly, with users encouraging others to check their own accounts, and the posts generated millions of views across TikTok, Instagram, Reddit, and Facebook within days. The apparent uniformity of the date, every anomalous login showing the same May 28 timestamp, was both what made the pattern alarming and, ultimately, what revealed it as a technical artifact rather than a coordinated attack.
Ring confirmed on July 18, 2025, that there was no data breach, publishing a status page update stating it was aware of a bug that resulted in prior login dates for client devices being incorrectly displayed as May 28, 2025, and device names being incorrectly displayed as “Device name not found,” and confirming this was not caused by unauthorized access to customer accounts. Ring’s investigation determined that a backend server update went wrong, unintentionally scrambling data for old, authorized logins, with prior login dates logged as May 28, 2025.
Independent experts agreed that a display error was the likely scenario rather than the hack suggested by some users. However, despite Ring’s assurances, some remained unconvinced, finding it disturbing that the situation came to light through social media rather than through Ring’s own security protocols, with no warning issued to customers about the problem.
The Ring incident matters for the broader 2025 breach landscape precisely because it was not a breach. The viral spread of the May 28 story, generating millions of views before Ring issued any public statement, demonstrated how consumer security awareness, while broadly positive, can accelerate misinformation when companies fail to communicate proactively during technical incidents. Ring’s two-week delay between the backend update and its public acknowledgment created the information vacuum that TikTok filled. The incident reignited scrutiny of Ring’s data security practices, including the May 2023 FTC charge that Ring had allowed employees and contractors to access private customer video footage improperly and failed to implement basic security protections. The absence of a confirmed breach in May 2025 did not resolve the underlying trust deficit those prior incidents had created.
DoorDash Data Breach, November 2025
The DoorDash data breach of November 2025 was a third-party vendor incident that exposed customer names, email addresses, phone numbers, and partial payment card details, along with a subset of delivery driver account information, through a compromised service provider with access to DoorDash’s customer service infrastructure.
DoorDash confirmed the breach in mid-November after internal monitoring detected anomalous data access patterns originating from the vendor’s environment. The compromised vendor provided customer engagement and support services to DoorDash, with broad data access that reflected the operational requirements of managing millions of customer service interactions monthly. DoorDash terminated the vendor’s access immediately upon detection, engaged external forensic investigators, and began notifying affected customers and drivers through the breach notification process.
This was not DoorDash’s first confirmed data incident. In 2019, DoorDash disclosed a breach affecting 4.9 million customers, delivery workers, and merchants, one of the earliest large-scale breaches in the gig economy. The 2022 breach, caused by a phishing attack on a third-party vendor, exposed names, phone numbers, email addresses, and delivery addresses for a subset of customers and delivery workers. The November 2025 incident followed the same structural template as 2022: not a direct attack on DoorDash’s core platform but a compromise of a vendor with sufficient access to extract meaningful customer datasets.
The DoorDash breach highlights a structural challenge unique to platform economy companies. DoorDash’s operational model requires sharing customer data, names, addresses, phone numbers, and payment metadata, with a layered ecosystem of logistics vendors, marketing platforms, customer service providers, and payment processors. Each vendor relationship represents a potential access point, and the data held at each is effectively a subset of DoorDash’s complete customer database. The November 2025 breach was the third time in six years that a vendor relationship had become a breach vector, a frequency that suggests the risk is systemic rather than incidental, and one that the company’s ongoing vendor security program had not yet resolved.
If your organization handles consumer data through third-party vendors, logistics providers, or customer service platforms, the retail sector’s 2025 breach record is a direct map of your own supply chain risk. Run a free dark web exposure scan to check whether your domain’s credentials or customer data have appeared in breach datasets from 2025’s retail and consumer brand incidents. For individual email-level exposure, use DeXpose’s email data breach scan.
Education Sector Breaches 2025
Education was one of the most heavily targeted sectors of 2025, and the one least equipped to absorb the consequences. From a single credential compromise that cascaded through tens of millions of student records, to a coordinated Clop ransomware campaign that exploited an Oracle zero-day across multiple universities simultaneously, to politically motivated hackers targeting Ivy League admissions data, the education sector’s breach record in 2025 reflected a sector holding some of the most sensitive data in existence, children’s identities, academic histories, financial aid records, donor wealth profiles, against a security posture that chronically lags every other major industry.

PowerSchool Breach: Impact Across School Districts
The PowerSchool data breach is the single most consequential K-12 cybersecurity incident in US history, and its full weight became clear only gradually through 2025 as forensic scope expanded, ransom payments failed to prevent re-extortion, and more than 100 school districts filed suit against the company.
The attack began in December 2024, when a threat actor used a single compromised credential to access PowerSchool’s customer support portal, PowerSource. The credential lacked multi-factor authentication. Between December 19 and December 28, 2024, including over 72 hours of undetected access, the attacker exfiltrated data from the student and staff tables of PowerSchool’s Student Information System, the platform used by more than 18,000 schools serving approximately 60 million students across North America. PowerSchool serves approximately 75% of the K–12 education market and operates in more than 90 countries. PowerSchool became aware of the incident on December 28 and notified affected school districts on January 7, 2025.
According to court documents published on May 20, 2025, the breach compromised the personal information of approximately 62 million individuals. The data types varied by district depending on what each school had configured its PowerSchool instance to store, but confirmed categories included names, addresses, dates of birth, Social Security numbers, medical histories, disciplinary records, grades, attendance records, and individualized education plans. Districts can store a range of student and staff records in their information systems, including student demographic data, attendance, grades, and enrollment history, as well as staff licensing and salary information.
PowerSchool paid a ransom in response to the attacker’s demand, receiving a video purportedly showing the deletion of the stolen data. The payment did not prevent further extortion. By May 2025, individual school districts were receiving separate ransom demands using samples of the same stolen data. PowerSchool stated it did not believe this represented a new breach. Still, the re-extortion wave demonstrated the fundamental unreliability of ransom payment as a data protection mechanism; paying once does not prevent an attacker, or a buyer of the stolen dataset, from attempting to extract further value from the same material.
Matthew D. Lane, a 19-year-old Massachusetts college student, hacked PowerSchool in 2024 and demanded a ransom of $2.85 million. Once caught in 2025, he was charged and sentenced to four years in federal prison.
The legal and regulatory consequences continued to expand throughout the year. Texas filed suit against PowerSchool for negligence and inadequate safeguards. PowerSchool’s breach response cost the company more than $14 million, including the cost of identity theft monitoring for victims. In Canada, the Ontario Information and Privacy Commissioner released a final report in November 2025, finding that the institutions involved had not maintained reasonable measures to prevent unauthorized access and had not responded adequately to the breach, and ordered affected Ontario institutions to demonstrate compliance with security and oversight recommendations within six months.
The most troubling aspect of the PowerSchool breach is the age of its victims. Student records cannot be changed or reissued; a child whose Social Security number, date of birth, medical history, and home address were exfiltrated at age eight carries that exposure for the rest of their life, with the data remaining usable for identity fraud, synthetic identity creation, and targeted phishing for decades after the breach itself.
University-Level Incidents: Columbia, Penn, Phoenix, Harvard, NYU, Yale
Higher education’s 2025 breach record was shaped by two converging campaigns: the Clop ransomware group’s exploitation of CVE-2025-61882 in Oracle’s E-Business Suite, which swept through university ERP systems across the summer and fall, and a parallel wave of vishing and credential-based attacks by ShinyHunters targeting alumni affairs and development databases at Ivy League institutions for their donor wealth intelligence.
At the center of this year’s university breach epidemic sits a single critical vulnerability: CVE-2025-61882, a flaw in Oracle’s E-Business Suite that earned a near-perfect CVSS score of 9.8. The vulnerability allows unauthenticated remote attackers to take control of the Oracle Concurrent Processing component via HTTP, with no credentials required and no user interaction needed.
Columbia University was the year’s first major higher education breach. On June 24, 2025, Columbia University experienced an outage across its Morningside campus. Core services including email, student information systems, digital signage, authentication infrastructure, and internal web platforms faltered due to the incident. While initially described as a technical failure, the university confirmed on July 1 that the event was a targeted cyberattack carried out by an external actor who had been active within Columbia’s systems for nearly two months before discovery. The attacker exfiltrated 460GB of sensitive records, and the breach exposed data on 870,000 people, including Social Security numbers, health information, and applicant data. The attacker published a queryable online registry of stolen UNI IDs and told Bloomberg News they were investigating whether Columbia continued to practice race-based affirmative action in admissions following the Supreme Court’s 2023 ban.
University of Pennsylvania was struck in late October 2025. Hackers gained access via an employee’s single sign-on credentials, penetrating platforms such as Salesforce for donor management, SharePoint for document storage, and other internal tools. Before being locked out, the intruders sent mass emails from official Penn addresses, lambasting the university’s admissions practices in crude terms. The investigation confirmed that data from Penn’s Oracle EBS environment had been accessed without authorization, including personal information such as names and contact information, dates of birth, Social Security numbers, and bank account and routing numbers. ShinyHunters subsequently claimed responsibility and published stolen data, posting on a dark web leak site what they claimed were more than 2 million records stolen from Penn and Harvard.
University of Phoenix disclosed that it was a victim of the same Clop Oracle EBS zero-day campaign, with 3.5 million records exposed. The compromised data included names, contact information, dates of birth, Social Security numbers, and bank account and routing numbers, a combination that enables both identity fraud and direct financial account takeover.
Harvard University’s breach followed the vishing playbook ShinyHunters had refined across the Salesforce campaign. Information systems used by Harvard’s Alumni Affairs and Development Office were accessed by an unauthorized party following a phone-based phishing attack, and administrators announced the breach in an email to University affiliates on November 22, 2025. Harvard discovered the breach and acted immediately to remove the attacker’s access to its systems. The leaked Harvard data includes admissions and fundraising information, as well as details such as “top donors,” spouses, widows, parents, current students, and family members who are prospective students, described by Hudson Rock as a social graph revealing wealth bands and details of domestic intimacy. The published dataset listed Facebook founder Mark Zuckerberg as a $604 million contributor, alongside his home address and private email address, an illustration of how donor database breaches carry consequences for individuals far beyond the university community itself.
NYU had disclosed earlier in the year that a separate breach had exposed records for three million applicants, including test scores, family financial backgrounds, and admissions data dating back to 1989. Princeton University faced a similar vishing attack in November 2025, losing access to donor and alumni details for its entire graduate base.
The common thread across the Ivy League incidents was not technical vulnerability but social engineering against staff with access to alumni and donor management systems. Development and alumni affairs offices hold some of the highest-value datasets at any university: donor capacity ratings, philanthropic history, wealth estimates, family relationship maps, and institutional intelligence on which individuals are cultivated for major gifts. That combination makes alumni affairs databases a natural high-value target for extortion groups, independent of any ERP vulnerability.
K-12 District Breaches and Student Data Exposure
Below the headline PowerSchool incident, the K-12 sector absorbed a sustained wave of ransomware attacks throughout 2025, each smaller in scope than PowerSchool but collectively representing a systemic security failure across American public education.
Ransomware attacks on K-12 districts, colleges, and other educational institutions worldwide reached 251 in 2025. The vast majority of incidents occurred in the US, which accounted for 130 attacks, over half of all ransomware activity logged globally across the education sector. Ransomware gangs exfiltrated 3.89 million records from US schools.
K-12 schools continued to account for the majority of attacks, 74% of 2025 incidents, while higher education bore the brunt of record exposure. The dominant ransomware groups targeting education in 2025 were Qilin (24 claimed attacks), Fog (18), SafePay (17), Interlock (13), and INC (12). Interlock was responsible for the most confirmed ransomware attacks on schools, with 7 of its 8 confirmed attacks targeting US schools.
Cherokee County School District in South Carolina was struck by Interlock in March 2025; systems were affected for around a week, 624GB of data was allegedly stolen, and more than 46,000 individuals were confirmed impacted in September 2025. Lexington-Richland 5 school district in South Carolina suffered a June attack that delayed summer school, disrupted teacher and staff pay, and exfiltrated more than 1TB of data including personal information of more than 31,000 individuals. Chicago Public Schools was separately affected by a third-party breach through Cleo file transfer software that exposed data on 700,000 students.
The structural context behind these numbers is stark. A March 2025 report by the nonprofit Center for Internet Security noted that 82% of K-12 schools in the US experienced a cyber incident between July 2023 and December 2024. In 2025, the Trump administration eliminated key federal resources to support school districts’ cyberdefense measures, including the shuttering of the US Department of Education’s Office of Educational Technology and the discontinuation of K-12 cybersecurity programs offered through the Multi-State Information Sharing and Analysis Center. The withdrawal of federal support came precisely as threat actor pressure on the sector was intensifying, a gap that education nonprofits and state-level associations scrambled to fill without equivalent resources.
The average ransom demand in education fell 33% in 2025, not because attackers had become less aggressive, but because districts had become more willing to refuse payment and restore from backups. That behavioral shift reduced the financial return per attack. Still, it did not reduce data theft: ransomware groups responded by shifting their emphasis from encryption-based disruption to pure exfiltration-and-extortion, stealing data without deploying file-encrypting payloads, in a pattern that made attacks harder to detect and left districts facing breach notification obligations without the operational outage that had previously been the primary indicator of compromise.
If your organization is an educational institution, a vendor serving schools, or a parent whose children attended schools using PowerSchool or Oracle EBS-connected systems, the exposure risk from 2025’s education sector breaches may extend to your domain and your family’s data. Run a free dark web exposure scan to check whether credentials or records linked to your institution or email address have appeared in the breach datasets circulating from 2025’s education incidents. For individual email-level exposure, use DeXpose’s email data breach scan.
Threat Actors Behind 2025’s Biggest Breaches
The threat actors responsible for 2025’s biggest breaches shared a common trait that no firewall or endpoint solution addresses directly: they were exceptionally good at manipulating people. Whether through voice calls impersonating IT staff, cash bribes to overseas contractors, or politically themed emails sent from compromised university accounts, the dominant attack playbook of 2025 was identity-based, social-engineering-driven, and deliberately designed to operate within the trust systems organizations had built, rather than around them.

ShinyHunters: Salesforce, TransUnion, and the Extortion Playbook
ShinyHunters is a financially motivated threat group that gained notoriety in 2020 through a series of large-scale data breaches and extortion campaigns targeting major global brands, with operations revolving around monetizing stolen data via underground forums. The group spent much of 2024 in relative quiet following the arrest of four members and the FBI’s takedown of BreachForums, then returned in 2025 as the year’s most consequential single threat actor, responsible for data extortion campaigns affecting hundreds of organizations and billions of records across the Salesforce ecosystem, TransUnion, and dozens of named enterprise victims.
The group’s 2025 campaign represented a significant tactical evolution from its earlier database exploitation model. Traditionally, ShinyHunters favored stealthy, persistent attacks focused on credential theft and database exploitation over more overt tactics like vishing. In 2025, they adopted, or acquired through collaboration, the social engineering expertise that had made Scattered Spider effective against enterprise targets. The result was a hybrid model that Google’s Threat Intelligence Group tracked as two related clusters: UNC6040 for the initial access phase and UNC6240 for the extortion phase, effectively representing the operational division of labor within the same campaign.
The access playbook was precise. ShinyCorp, the group’s organizer, selected recruits based on proven social engineering skills via phone calls, with some recruits previously having conducted cryptocurrency scams by impersonating Coinbase or Apple/Gmail support staff. Once recruited, operators called corporate support desks posing as IT staff, directed employees to the legitimate Salesforce app connection page, and deceived victims into entering connection codes that authorized actor-controlled applications, often a modified version of the Salesforce Data Loader, thereby granting attackers persistent OAuth access to organizational accounts without triggering MFA controls. By generating long-lived OAuth tokens, they could bypass multi-factor authentication entirely and avoid triggering standard security alerts.
The extortion playbook was equally systematic. ShinyHunters follows a repeatable pattern: initial access through vishing, SaaS expansion after compromise using the victim’s own credentials, then delayed extortion, waiting weeks or months after initial data theft before contacting victims with ransom demands. The delay served two purposes: it maximized dwell time for data collection and created temporal distance between the breach and the extortion demand, complicating attribution and incident response. The October 2025 extortion campaign against Salesforce and its customers set a ransom deadline, threatened to leak 1 billion records, listed more than three dozen named victims on a dedicated leak site, and demonstrated willingness to execute partial leaks, publishing data from six companies including Qantas, Gap, and Albertsons, when demands went unmet.
The 2025 extortion sites listed dozens of Fortune 500 firms, and public victim lists confirmed by industry reporting include Google, Adidas, LVMH brands, Louis Vuitton, Tiffany & Co., Dior, Pandora, Qantas, Air France-KLM, Allianz Life, Cisco, TransUnion, and others. By November 2025, a follow-on Gainsight token abuse campaign affected more than 200 additional Salesforce instances, extending its reach well past the October public confrontation and FBI intervention.
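The grant-then-export pattern described above leaves a trace a tenant administrator can look for in their own OAuth grant data. The following is an added example, not Salesforce’s, Google’s or any vendor’s code: it audits a constructed list of per-user OAuth grants against an allowlist keyed by client id rather than display name, and flags unapproved apps whose name mimics an approved one, long-lived refresh-token scopes on unapproved apps, and call rates consistent with bulk export. Field names, client ids and thresholds are assumptions.

```python
"""Audit of OAuth grants for connected apps that nobody approved.

Added example, not Salesforce's, Google's or any vendor's code. The grant
records below are constructed to resemble an export of per-user OAuth grants;
field names, client ids and thresholds are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class OAuthGrant:
    user: str
    app_name: str        # display name shown to the user who approved the app
    client_id: str       # identifier of the connected app (assumed field name)
    scopes: frozenset
    granted_at: datetime
    last_used: datetime
    api_calls: int       # API calls made with this grant so far


# Approved apps are keyed by client id, not by display name: a cloned
# "Data Loader" can carry whatever name the attacker likes.
APPROVED_APPS = {
    "3MVG9_official_dataloader": "Data Loader (vendor build)",  # constructed id
    "3MVG9_corp_bi_connector": "Corporate BI connector",        # constructed id
}
LONG_LIVED_SCOPES = {"refresh_token", "offline_access"}
BURST_CALLS_PER_HOUR = 5000  # assumed threshold for bulk-export behaviour


def _norm(name):
    """Lower-case a display name and drop any parenthetical suffix."""
    return re.sub(r"\(.*?\)", "", name).strip().lower()


def audit_grants(grants, approved=APPROVED_APPS):
    """Return (user, app_name, client_id, reasons) for every suspicious grant."""
    approved_names = {_norm(n) for n in approved.values()}
    findings = []
    for g in grants:
        reasons = []
        if g.client_id not in approved:
            reasons.append("app not on approved list")
            if _norm(g.app_name) in approved_names:
                reasons.append("display name mimics an approved app")
            if g.scopes & LONG_LIVED_SCOPES:
                reasons.append("long-lived refresh token on unapproved app")
        # Calls per hour over the grant's active window; a floor of one hour
        # keeps a brand-new grant with a handful of calls from looking like a burst.
        hours_active = max((g.last_used - g.granted_at).total_seconds() / 3600, 1.0)
        if g.api_calls / hours_active > BURST_CALLS_PER_HOUR:
            reasons.append("API call rate far above normal use")
        if reasons:
            findings.append((g.user, g.app_name, g.client_id, reasons))
    return sorted(findings)


# Constructed sample: one legitimate Data Loader grant, one lookalike obtained
# through a connection code, one approved BI connector, one unknown low-use app.
SAMPLE_GRANTS = [
    OAuthGrant("alice", "Data Loader", "3MVG9_official_dataloader",
               frozenset({"api", "refresh_token"}),
               datetime(2025, 3, 1, 9, 0), datetime(2025, 8, 14, 17, 0), 4200),
    OAuthGrant("bob", "Data Loader", "3MVG9_x7q_lookalike",
               frozenset({"api", "refresh_token", "full"}),
               datetime(2025, 8, 14, 10, 5), datetime(2025, 8, 14, 16, 40), 310000),
    OAuthGrant("carol", "Corporate BI connector", "3MVG9_corp_bi_connector",
               frozenset({"api"}),
               datetime(2025, 1, 10, 9, 0), datetime(2025, 8, 15, 11, 0), 980000),
    OAuthGrant("dave", "IT Helpdesk Connector", "3MVG9_unknown_helpdesk",
               frozenset({"api"}),
               datetime(2025, 8, 13, 9, 0), datetime(2025, 8, 13, 9, 30), 12),
]

if __name__ == "__main__":
    for user, app, cid, reasons in audit_grants(SAMPLE_GRANTS):
        print(f"{user}: {app} [{cid}] -> {'; '.join(reasons)}")
```

Keying the allowlist by client id is the point of the design: the user who typed the connection code saw a familiar name, and only the app identifier distinguishes the vendor build from the clone. The rate check catches the other half of the pattern, a freshly authorized app pulling hundreds of thousands of records in an afternoon.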
Scattered Spider / LAPSUS$: Cloud Platform Targeting in 2025
Scattered Spider is a cybersecurity industry designation for a pattern of activity involving social engineering, credential theft, SIM swapping, initial access, ransomware deployment, and data theft and extortion, rather than a stable, identifiable organization. The term encompasses activity from Telegram channels and groups such as The Com, Star Fraud, and LAPSUS$, and its tactics overlap with those of data-leak and extortion collectives like ShinyHunters. That structural looseness is precisely what makes it resilient: in 2025, despite multiple arrests, Scattered Spider’s TTPs continued to produce high-consequence breaches because the methodology, not the membership, is the persistent threat.
The group’s 2025 victim roster reflected deliberate sector pivots. Fresh off attacks against US and UK retailers, including the Easter weekend ransomware attack against Marks & Spencer that caused approximately £300 million in operational losses, the Co-op DragonForce ransomware incident, and a breach at Harrods, Scattered Spider pivoted explicitly to insurance companies, a shift the Google Threat Intelligence Group warned about in mid-2025. The Aflac breach in June 2025, in which Scattered Spider accessed policyholder data including Social Security numbers and health insurance records for 22.6 million individuals, followed within weeks of similar attacks on Philadelphia Insurance Companies and Erie Indemnity Co., all three following an identical playbook: social engineering to compromise employee accounts, pure data exfiltration without ransomware, no operational disruption.
The legal response in 2025 was the most aggressive Scattered Spider had faced. On September 18, 2025, the United States charged 19-year-old UK national Thalha Jubair, who allegedly participated in 120 network intrusions. UK authorities arrested Jubair and Owen Flowers, another suspected Scattered Spider member, in July 2025 in connection with the M&S, Co-op, and Harrods attacks, and Jubair’s alleged involvement in cybercrime Telegram channels linked to some of the most consequential data breaches over the prior four years. Sources told KrebsOnSecurity that Jubair was also a core member of the LAPSUS$ group, which was responsible for breaches at Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber in 2022, confirming the personnel continuity between what appear to be distinct threat groups.
Even so, arrests have not deterred operations. Trend Micro’s Forward Threat Research team described the group as loose and flexible: even when a few members get taken down, the overall operation keeps moving, almost like swapping players on a team, rather than shutting it down. In September 2025, Scattered Lapsus$ Hunters announced a temporary withdrawal from BreachForums, citing mounting law enforcement pressure, but the withdrawal was tactical rather than terminal, with related clusters continuing operations through Telegram-based extortion channels.
The collaboration with ShinyHunters, which investigators described as less a merger and more a reflection of how these crews swap members, tooling, and tactics, created the composite entity, Scattered LAPSUS$ Hunters, that carried out the most sophisticated vishing-to-extortion campaigns of 2025. Scattered Spider provided access-as-a-service through its proven vishing playbook; ShinyHunters leveraged its extortion-as-a-service infrastructure for monetization. The partnership was modular, operationally efficient, and deliberately structured to distribute law enforcement risk across loosely affiliated members in multiple jurisdictions.
Crimson Collective: Red Hat GitLab Attribution
Crimson Collective emerged as a named threat actor in October 2025 through its disclosure of the Red Hat consulting GitLab breach, a group previously unknown to public threat intelligence databases that demonstrated both the technical capacity to exfiltrate 570GB of compressed data from over 28,000 repositories and the operational sophistication to immediately leverage the ShinyHunters extortion infrastructure to amplify pressure on Red Hat and its affected customers.
The group’s self-identification and rapid coordination with Scattered LAPSUS$ Hunters within days of the initial disclosure suggests it either has established ties to the broader cybercriminal ecosystem or was formed from members of existing groups who structured a separate identity for this campaign. What the threat intelligence community could confirm from the breach artifacts was the group’s technical methodology: the exfiltrated Customer Engagement Reports contained secrets sprawl at enterprise scale: API keys, authentication tokens, CI/CD pipeline configurations, VPN settings, and database connection strings embedded in consulting deliverables, each representing a potential pivot point into a named customer’s infrastructure. FINRA’s advisory warning of exposure for approximately 800 organizations affected by the Red Hat breach accurately framed the risk: this was not a data leak but an infrastructure intelligence package.
Crimson Collective’s post-breach behavior, joining the ShinyHunters extortion campaign, publishing sample Customer Engagement Reports from Walmart, HSBC, Bank of Canada, and American Express as leverage, and setting a coordinated October 10 ransom deadline alongside the Salesforce campaign, suggested either an opportunistic alignment with the existing ShinyHunters infrastructure or a prearranged collaboration. In either case, the group demonstrated that new threat actors can rapidly access established extortion platforms and amplify their leverage against enterprise targets far beyond what their own reputation or infrastructure would support independently.
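Because the leverage here came from credentials embedded in documents rather than in code, the check a defender wants is a scanner over the deliverables themselves, run before a report is stored or handed over. The block below is an added example, not Red Hat’s tooling: it runs ordinary regular expressions for well-known credential shapes over a constructed report and reports each finding with the secret masked, so the scanner’s own output does not become a second copy of the leak. The report text, key names and values are all constructed.

```python
"""Secrets scanner for consulting deliverables and similar documents.

Added example, not Red Hat's or any vendor's code. The report text is constructed
for the example. The patterns are ordinary regular expressions for well-known
credential shapes: an AWS access key id is "AKIA" plus 16 upper-case
alphanumerics, and database URLs embed user:password@host.
"""
import re

# Each pattern has exactly one capture group: the part that must never be echoed.
PATTERNS = {
    "aws_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/@]+:([^\s@/]+)@\S+"),
    "assigned_secret": re.compile(
        r"(?i)\b\w*(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*"
        r"[\"']?([A-Za-z0-9_\-./+]{12,})"),
}


def mask(secret):
    """Keep two characters at each end so a reviewer can match the finding to the
    document without the full value ending up in a ticket or a log."""
    if len(secret) <= 6:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 4) + secret[-2:]


def scan_text(text):
    """Return findings as dicts: line number, kind, and the match with the secret masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                whole = m.group(0)
                gs, ge = m.start(1) - m.start(0), m.end(1) - m.start(0)
                redacted = whole[:gs] + mask(m.group(1)) + whole[ge:]
                findings.append({"line": lineno, "kind": kind, "redacted": redacted})
    findings.sort(key=lambda f: f["line"])
    return findings


# Constructed sample deliverable; every credential in it is made up.
REPORT = """\
Customer Engagement Report - Acme Corp (constructed sample, not a real deliverable)
1. Environment
   Deployment pipeline pushes to registry.internal.example with
   REGISTRY_TOKEN=ghp_examplefaketoken1234567890abcd
2. Data tier
   Reporting DB: postgresql://report_svc:Sup3rS3cretPw@db01.internal.example:5432/reports
3. Cloud
   aws_access_key_id = AKIAEXAMPLEKEY000001
   region = us-east-1
4. VPN
   Site-to-site tunnel PSK rotated quarterly (value not recorded here).
"""

if __name__ == "__main__":
    for f in scan_text(REPORT):
        print(f"line {f['line']:>3}  {f['kind']:<22} {f['redacted']}")
```

The patterns are deliberately narrow and will miss secrets that do not follow a recognisable shape; in practice they are a first pass, with entropy-based detection and a review of anything that looks like a connection string layered on top. The masking rule is the part worth keeping whatever the detection logic is.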
Insider Threats: The Coinbase Social Engineering Case
The Coinbase breach of 2025 is the year’s defining insider threat case, and the one that most directly exposed the security assumptions underlying every enterprise that relies on outsourced support staff for customer-facing operations. The attack was not technically sophisticated. It required no zero-day exploit, no novel malware, no advanced persistent threat infrastructure. It required cash.
The breach was orchestrated through insider collusion in which cybercriminals bribed overseas customer support contractors to access internal systems and extract user information. The compromised agents were employees of the business process outsourcing firm TaskUs, and a TaskUs employee allegedly sold data stolen during the breach to hackers for $200 per record. The incident occurred in December 2024 and was discovered in early 2025. On May 15, 2025, Coinbase CEO Brian Armstrong publicly refused a $20 million Bitcoin ransom demand and announced a matching $20 million reward for information leading to arrests.
The data accessed through the bribed contractors was limited by the read-only permission scope of the support tools involved; exposed data included full names, home addresses, phone numbers, email addresses, images of government-issued ID documents, partial Social Security numbers, masked bank account numbers, and account balance metadata, but no passwords, private keys, or complete financial account numbers. The technical access controls performed as designed. The insider recruitment vector bypassed them entirely.
The financial consequences extended well beyond the $20 million ransom demand. The breach was linked to $355 million in downstream social engineering losses, attackers using the stolen personal and financial data to impersonate Coinbase support staff and manipulate victims into transferring funds to attacker-controlled wallets. ZachXBT had reported $45 million in Coinbase user losses to social engineering attacks in early May 2025, and estimates from Elliptic placed total breach-related losses, including remediation and downstream fraud, at up to $400 million. Verizon’s 2025 Data Breach Investigations Report found that third-party involvement in breaches doubled globally to 30%, and the Coinbase case was its most consequential US example.
In December 2025, Indian authorities arrested a former Coinbase customer support agent in Hyderabad, and local police confirmed the individual had abused internal access after being bribed by external actors. A parallel investigation linked the scheme to a suspect based in Brooklyn, United States. Coinbase CEO Brian Armstrong publicly confirmed the arrest, thanked the Hyderabad Police, and indicated that further arrests could follow as investigations continued across multiple jurisdictions.
The structural lesson the Coinbase breach delivers applies to every organization that routes customer data access through third-party outsourced staff: least-privilege access design, session monitoring, privileged access reviews, and stronger out-of-band verification for high-risk account changes are not optional controls for outsourced environments; they are the minimum viable controls that the Coinbase incident demonstrated had not been fully implemented before the breach occurred. When external actors can offer $200 per record to a support agent earning a fraction of what their US counterparts make, the economics of insider recruitment favor the attacker. Technical controls must compensate for what compensation differentials make structurally possible.
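Session monitoring for outsourced support staff, one of the controls named above, reduces in practice to baselining what a support agent’s console access looks like and flagging departures from it. The following is an added example, not Coinbase’s or TaskUs’s code: it parses constructed support-console audit lines and flags agents who browse far more distinct customer records than their peers, or who view records without a ticket reference. The log format, agent ids and thresholds are assumptions.

```python
"""Detection of bulk customer-record browsing by support agents.

Added example, not Coinbase's or TaskUs's code. The access-log lines are
constructed to resemble an audit trail from a support console; the line format,
agent ids and thresholds are assumptions made for the example.
"""
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) agent=(?P<agent>\S+) action=view_customer "
    r"customer=(?P<customer>\S+)(?: ticket=(?P<ticket>\S+))?$")

MEDIAN_MULTIPLIER = 3.0        # assumed: flag >3x the team median of distinct customers
MIN_DISTINCT = 20              # assumed floor so a quiet team does not flag normal work
MIN_VIEWS_FOR_TICKET_CHECK = 5
NO_TICKET_FRACTION = 0.5


def parse_log(lines):
    """Parse audit lines into dicts; lines that do not match the format are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def flag_agents(lines):
    """Return {agent: [reasons]} for agents whose record access departs from the team."""
    per_agent = defaultdict(lambda: {"views": 0, "customers": set(), "no_ticket": 0})
    for ev in parse_log(lines):
        a = per_agent[ev["agent"]]
        a["views"] += 1
        a["customers"].add(ev["customer"])
        if ev["ticket"] is None:
            a["no_ticket"] += 1
    if not per_agent:
        return {}
    # Baseline against peers rather than a fixed number: ticket-driven work
    # touches a handful of customers; paging through the database touches dozens.
    median_distinct = statistics.median(len(a["customers"]) for a in per_agent.values())
    flagged = {}
    for agent, a in per_agent.items():
        reasons = []
        distinct = len(a["customers"])
        if distinct >= MIN_DISTINCT and distinct > MEDIAN_MULTIPLIER * median_distinct:
            reasons.append(f"{distinct} distinct customers viewed vs team median {median_distinct:g}")
        if a["views"] >= MIN_VIEWS_FOR_TICKET_CHECK and a["no_ticket"] / a["views"] > NO_TICKET_FRACTION:
            reasons.append(f"{a['no_ticket']} of {a['views']} views had no ticket reference")
        if reasons:
            flagged[agent] = reasons
    return flagged


def build_sample_log():
    """Constructed audit trail: three agents doing ticket-driven work and one
    agent paging through customer records off-hours with no ticket attached."""
    lines = []
    for agent, n in (("ag01", 6), ("ag02", 5), ("ag03", 7)):
        for i in range(n):
            lines.append(f"2025-01-14T09:{10 + i:02d}:00Z agent={agent} "
                         f"action=view_customer customer=c{agent[-2:]}{i:02d} ticket=T-{5500 + i}")
    for i in range(40):
        lines.append(f"2025-01-14T02:{i:02d}:30Z agent=ag17 "
                     f"action=view_customer customer=c9{i:03d}")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for agent, reasons in flag_agents(SAMPLE_LOG).items():
        print(agent, "->", "; ".join(reasons))
```

The two signals are independent on purpose: a bribed agent can attach a stale ticket to every lookup and still trip the volume check, and an agent working a single large dispute without a ticket trips the ticket check but not the volume one. Either alone is a review trigger, not proof; together they are the pattern the read-only permission scope in the case above could not prevent on its own.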
Understanding the threat actors behind 2025’s breaches is the first step, but knowing whether your organization’s data has already been compromised by one of their campaigns is the operational priority. Run a free dark web exposure scan to check whether credentials or domain data linked to your organization have appeared in the breach datasets generated by ShinyHunters, Scattered Spider, or their affiliated campaigns. For email-level exposure, use DeXpose’s email data breach scan.
2025 Data Breach Statistics and Trends
The 2025 data breach statistics tell a story with two contradictory threads running simultaneously: the average cost per breach declined globally for the first time in five years, driven by AI-assisted detection, while breach frequency hit a record and total US cybercrime losses surged 26% to $20.877 billion. The headline improvement is real, but it does not mean the threat environment improved. It means organizations that invested in AI-powered security got faster and cheaper at containing breaches, while the volume of attacks against everyone else continued to accelerate.

Average Cost of a Data Breach in 2025 (IBM Ponemon Report)
The global average cost of a data breach fell 9% from $4.88 million in 2024 to $4.44 million in 2025, according to IBM’s Cost of a Data Breach Report, the first decrease in five years and the result of faster breach detection and containment driven primarily by AI and automation adoption in security operations. Organizations that extensively use AI tools cut their breach lifecycle by 80 days and saved nearly $1.9 million per breach on average compared to organizations with no AI deployment.
The US moved sharply against the global trend. Breach costs for US organizations surged 9% to $10.22 million, the highest average breach cost ever recorded for any country, driven by higher regulatory fines, rising detection and escalation costs, and stricter notification requirements that impose compounding legal exposure in the months following disclosure. While many regions, including Germany, Italy, and South Korea, saw costs fall significantly, the US, along with Canada and India, was among a smaller group of countries where costs continued to rise.
Several secondary cost findings from the 2025 report carry operational weight. The mean time to identify and contain a breach dropped to 241 days, a nine-year low, down from a 287-day peak in 2021, with the cost differential between fast and slow detection running at $1.14 million. Breaches detected and contained within 200 days cost an average of $3.87 million; those exceeding 200 days cost $5.01 million. The average cost per compromised record fell to $160, down roughly $5 from the prior year, modest progress given that a single breach can involve tens of millions of records. Customer PII was the most frequently compromised data type, involved in 53% of breaches, and multi-environment breaches, data spread across cloud, on-premise, and hybrid infrastructure, had the highest average cost of any data type configuration at $5.05 million and the longest average lifecycle at 276 days.
The IBM report’s most consequential new finding for 2025 is the shadow AI risk premium. Organizations with high levels of shadow AI, where workers use unapproved internet-based AI tools, paid an extra $670,000 per breach on average. A staggering 97% of breached organizations that experienced an AI-related security incident lacked proper AI access controls, and 63% of organizations surveyed had no AI governance policies whatsoever. As AI adoption accelerates faster than governance frameworks can catch up, this cost premium is likely to grow rather than shrink in the near term.
Industries with the Highest Breach Costs in 2025
Healthcare retained its position as the most expensive sector to breach for the fifteenth consecutive year, with an average breach cost of $7.42 million in 2025, a reduction from the 2024 record of $9.77 million, but still more than $1.86 million above the next most expensive industry. The decline reflects the same AI-driven detection improvements visible in the global average. Still, the structural drivers of healthcare’s cost leadership (high per-record PHI value, HIPAA compliance penalties, mandatory identity monitoring provisions, and the operational disruption costs unique to clinical environments) remain unchanged.
Financial services ranked second at $5.56 million per breach, reflecting the regulatory cost stack of simultaneous banking, securities, and insurance notification obligations, combined with the direct fraud liability that financial institutions face when account and payment data is compromised. The industrial sector ranked third at $5.00 million, energy fourth at $4.83 million, technology fifth at $4.79 million, and pharmaceuticals sixth at $4.61 million.
The manufacturing sector’s 2025 breach data carries a trend warning that the cost figures alone don’t capture. Verizon’s 2025 DBIR documented a nearly sixfold surge in espionage-motivated breaches in manufacturing, from 3% to 20% of manufacturing sector incidents, reflecting a structural shift toward intellectual property theft and operational intelligence collection rather than data extortion. When nation-state actors target manufacturing for process designs, supplier relationships, and operational technology credentials, the breach cost calculus includes competitive intelligence losses that don’t appear in standard incident accounting.
Percentage of Breaches Caused by Phishing in 2025
Phishing remained the third most common initial access vector in 2025, accounting for 16% of confirmed data breaches analyzed in Verizon’s DBIR, behind credential abuse at 22% and vulnerability exploitation at 20%. That ranking represents a structural shift from prior years, when phishing consistently held the top or second position; its relative displacement by credential abuse and vulnerability exploitation reflects both the maturation of phishing defenses and the explosive growth in credential availability through infostealer malware and prior breach aggregation.
The absolute volume of phishing attacks did not decline. The 16% figure from Verizon’s dataset of 22,052 incidents represents thousands of confirmed phishing-initiated breaches. What changed was the relative efficiency of alternative vectors: stolen credentials and unpatched edge device vulnerabilities became easier and more scalable routes to initial access than crafting convincing phishing lures, particularly as email security platforms improved detection of traditional phishing templates. Attackers adapted by shifting phishing toward higher-value, lower-volume precision: voice phishing against corporate help desks, device-code phishing exploiting OAuth flows, and AI-generated spear-phishing, which the DBIR specifically flagged as a growing concern.
The human element figure remains the most consistently alarming statistic in the 2025 breach landscape: 60% of all breaches involved a human factor, whether through error, manipulation, social engineering, or insider misuse. That figure has remained stubbornly above 60% for six consecutive years, meaning that despite significant investment in security awareness training, endpoint protection, and email filtering, the majority of breaches still succeed because a person did something they should not have done or failed to do something they should have.
The ITRC’s 2025 report added a complementary data point: phishing, smishing, and business email compromise remained the top root causes of data breaches throughout the year, with combined incidents increasing slightly to 466. Because 70% of data breach notices provided no attack information at all (the share of notices that disclose a cause has collapsed from near-universal in 2020 to just 30% by 2025), the actual phishing contribution is likely higher than the confirmed figure captures.
Third-Party and Supply Chain Breach Statistics 2025
Third-party involvement in data breaches doubled year over year in 2025, rising from 15% to 30% of all confirmed breaches, according to Verizon’s DBIR. This was the single most significant structural shift in the year’s breach landscape and the statistical backbone behind every supply chain incident covered elsewhere on this page. Supply chain compromise surged to become the second-most-prevalent attack vector, accounting for 15% of breaches, and the second-costliest, at $4.91 million per incident, narrowly behind malicious insider threats at $4.92 million and ahead of phishing at $4.80 million.
The doubling of third-party breach involvement is not primarily about more supply chain attacks; it is about the cascading architecture of modern enterprise software. When a single SaaS provider like Salesforce connects 150,000+ customer organizations, a campaign that compromises one authentication layer can reach hundreds of downstream organizations simultaneously without ever breaching any of them directly. When a cloud backup service like SonicWall’s MySonicWall serves an entire customer base through a single API, a brute-force attack on that API can simultaneously expose configuration files for every customer. The attack surface has not grown linearly with enterprise software adoption; it has grown exponentially as the trust relationships between platforms multiplied.
Supply chain attacks affected 1,251 entities in 2025, nearly double the 2024 figure of 660, despite only a marginal increase in the number of discrete supply chain attacks at the root. Each attack reached more targets. At least 36% of all data breaches in the preceding period originated from third-party compromises, according to SecurityScorecard’s 2025 analysis, a figure the firm noted was likely conservative given that many third-party breaches are misclassified as internal incidents.
Cloud Breach Trends: Why Cloud Attacks Increased in 2025
Cloud environments became the dominant battlefield for data breaches in 2025, not because cloud infrastructure is inherently less secure than on-premise alternatives, but because the trust architecture surrounding it is structurally exploitable in ways that perimeter-based security was not designed to address. When an attacker obtains a valid OAuth token, cloud provider credentials, or a compromised API key, they authenticate as a legitimate user and generate activity that standard monitoring treats as normal. The attack looks like the victim.
The most consequential cloud attack mechanism of 2025 was OAuth token theft and abuse. The Salesforce campaign demonstrated at scale what security researchers had been warning about for years: OAuth tokens issued to third-party integrations function as standing authentication bypasses that survive password rotation, MFA enforcement, and many anomaly-detection rules. By generating long-lived OAuth tokens through legitimate authorization flows, tricking employees into approving attacker-controlled applications, the ShinyHunters campaign maintained persistent access to over 700 enterprise Salesforce environments without ever exploiting a Salesforce platform vulnerability.
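As an added illustration of the standing-access problem described above (example code written for this page, not part of the original article or any vendor's tooling), the following Python script audits a constructed inventory of OAuth connected-app grants and flags the properties that let a token outlive password rotation and MFA: non-expiring refresh tokens, broad scopes, apps outside the approved list, and stale or never-used grants. The grant fields and the risk thresholds are assumptions; the scope names are real Salesforce OAuth scope names.

```python
"""Audit OAuth connected-app grants for standing-access risk.

Added example for the OAuth token-abuse mechanism discussed above. The grant
inventory is constructed; the field names and the risk policy are this
example's assumptions, not any vendor's API or schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# "full", "api", "refresh_token" and "offline_access" are real Salesforce OAuth
# scope names; classifying them as broad/persistent is this example's policy.
BROAD_SCOPES = {"full", "api"}
PERSISTENT_SCOPES = {"refresh_token", "offline_access"}


@dataclass(frozen=True)
class Grant:
    app: str
    scopes: frozenset[str]
    issued_at: datetime
    last_used: datetime | None
    refresh_token_expires: bool  # False = refresh token valid until revoked
    allow_listed: bool           # app was reviewed and approved by security


@dataclass(frozen=True)
class Finding:
    app: str
    severity: str  # "high", "medium" or "low"
    reason: str


def audit_grants(grants, now, max_age_days=90, idle_days=30):
    """Return one Finding per risky property of each grant."""
    findings = []
    for g in grants:
        if not g.allow_listed:
            findings.append(Finding(g.app, "high", "app is not on the approved connected-app list"))
        if g.scopes & PERSISTENT_SCOPES and not g.refresh_token_expires:
            findings.append(Finding(g.app, "high",
                "non-expiring refresh token: access survives password rotation and MFA enforcement"))
        broad = sorted(g.scopes & BROAD_SCOPES)
        if broad:
            findings.append(Finding(g.app, "medium", f"broad scope(s) granted: {', '.join(broad)}"))
        if now - g.issued_at > timedelta(days=max_age_days):
            findings.append(Finding(g.app, "low", f"authorised more than {max_age_days} days ago; re-review"))
        if g.last_used is None:
            findings.append(Finding(g.app, "low", "never used since authorisation"))
        elif now - g.last_used > timedelta(days=idle_days):
            findings.append(Finding(g.app, "low", f"idle for more than {idle_days} days"))
    return findings


def apps_to_revoke(findings):
    """Apps with any high-severity finding: candidates for immediate token revocation."""
    return sorted({f.app for f in findings if f.severity == "high"})


NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)

SAMPLE_GRANTS = [  # constructed inventory for this example
    Grant("Approved Billing Sync", frozenset({"api", "refresh_token"}),
          NOW - timedelta(days=400), NOW - timedelta(days=1), True, True),
    Grant("Data Loader Helper", frozenset({"full", "refresh_token", "offline_access"}),
          NOW - timedelta(days=45), NOW - timedelta(hours=3), False, False),
    Grant("Calendar Widget", frozenset({"id", "web"}),
          NOW - timedelta(days=10), None, True, True),
]

if __name__ == "__main__":
    results = audit_grants(SAMPLE_GRANTS, NOW)
    for f in results:
        print(f"[{f.severity:6}] {f.app}: {f.reason}")
    print("revoke now:", apps_to_revoke(results))
```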
Multi-environment breaches, where data is spread across cloud, on-premise, and hybrid configurations, had the highest average breach cost of any data architecture at $5.05 million and a 276-day average lifecycle, per IBM’s 2025 report. Thirty percent of breaches involved data spread across multiple environments, and the detection complexity of tracking attacker movement across cloud boundaries explains both the cost premium and the extended dwell time. Approximately 34% of cloud-related breaches in 2025 were directly tied to unpatched vulnerabilities, with zero-day exploitation in cloud workloads increasing 19%, fueled by shared software dependencies and third-party libraries. The median time from vulnerability disclosure to exploitation dropped to 72 hours in cloud environments as attackers increasingly used automation and AI-driven scanning to detect vulnerable cloud assets in real time.
Secrets (credentials, API keys, and authentication tokens embedded in configuration files, code repositories, CI/CD pipelines, and consulting deliverables) were the specific cloud security failures that enabled the F5 breach, the Red Hat GitLab breach, the SonicWall backup compromise, and the NPM campaign simultaneously. Fifty-four percent of cloud environments contain credentials hard-coded in configuration files or containers, according to 2025 vulnerability research. That figure has not materially improved in three years of tracking, despite consistent industry warnings, because secrets sprawl is an organizational behavior problem rather than a technical one: the same developers who know not to hard-code credentials routinely do so under time pressure, and the same procurement teams that require vendor security questionnaires routinely grant third-party integrations far broader OAuth scopes than any single function requires.
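Added example, not code from the original page: a small Python scanner run over a constructed configuration fragment shows how hard-coded secrets of the kind described above are typically detected (pattern matches for AWS access key IDs and private-key headers, keyword assignments such as password= or api_key=, and a Shannon-entropy check), while skipping values that are only runtime references like ${DB_PASSWORD}. The AWS values are the placeholder credentials from AWS documentation, not live keys; the rules and thresholds are this example's assumptions.

```python
"""Detect hard-coded secrets in configuration text.

Added example: the configuration fragment and the detection rules below are
this example's own construction, not a page or vendor artefact. The AWS
values are the placeholder credentials used in AWS documentation.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Keyword assignments such as DB_PASSWORD=..., api_key: "..." or token=...
ASSIGNMENT = re.compile(
    r"(?i)(?P<key>[A-Z0-9_.-]*(?:password|passwd|secret|api[_-]?key|token)[A-Z0-9_.-]*)"
    r"\s*[=:]\s*[\"']?(?P<val>[^\s\"'#]+)"
)
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # documented AWS key-id format
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
PLACEHOLDERS = {"changeme", "password", "example", "xxx", "todo", "<redacted>"}
ENTROPY_THRESHOLD = 3.5  # bits per character; generated tokens usually exceed this


@dataclass(frozen=True)
class SecretFinding:
    line_no: int
    kind: str
    key: str
    masked: str


def shannon_entropy(value: str) -> float:
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_runtime_reference(value: str) -> bool:
    # ${VAR}, $VAR, {{ var }} and similar are resolved at deploy time,
    # so the file itself does not embed the secret.
    return value.startswith(("$", "{{", "%("))


def mask(value: str) -> str:
    # Never echo the full secret into scanner output or tickets.
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(text: str):
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_HEADER.search(line):
            findings.append(SecretFinding(line_no, "private_key", "", "-----BEGIN ... PRIVATE KEY-----"))
            continue
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(SecretFinding(line_no, "aws_access_key_id", "", mask(m.group())))
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if is_runtime_reference(val):
            continue
        if val.lower() in PLACEHOLDERS:
            kind = "placeholder_or_default"  # weak default left in place
        elif len(val) >= 16 and shannon_entropy(val) >= ENTROPY_THRESHOLD:
            kind = "high_entropy_secret"      # looks like a real generated credential
        else:
            kind = "hard_coded_secret"
        findings.append(SecretFinding(line_no, kind, key, mask(val)))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. for a CI gate or a dashboard."""
    return dict(Counter(f.kind for f in findings))


SAMPLE_CONFIG = """\
# constructed sample .env / compose fragment for this example
DB_HOST=db.internal
DB_PASSWORD=${DB_PASSWORD}
API_KEY="apikey_3f9a7c2e8b1d4e6f9a0b2c3d"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
ADMIN_PASSWORD=changeme
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no:2}: {f.kind:22} {f.key:22} {f.masked}")
    print(summarize(scan_text(SAMPLE_CONFIG)))
```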
ITRC 2025 Annual Data Breach Report, Key Findings
The Identity Theft Resource Center’s 2025 Annual Data Breach Report, the organization’s twentieth edition, documented 3,322 data compromises in the United States, the highest number ever recorded in a single year and a 79% increase over five years. The record surpassed the prior all-time high set in 2023 with 3,202 compromises, and represented the third consecutive year in which the total exceeded 3,000.
The most structurally significant finding in the 2025 ITRC report is not the record breach count but the inverse movement of victim notices. While breaches hit an all-time high, total victim notices fell sharply from 1.36 billion in 2024 to 278.8 million in 2025, a 79% decline driven by the absence of 2024-style mega-breaches like the 190-million-record Change Healthcare incident. The ITRC characterized this divergence as evidence of a fundamental strategic shift: attackers are moving from indiscriminate harvesting to precision targeting. A breach that steals 50,000 curated medical records with Social Security numbers and insurance details has a higher criminal market value than one that exposes 50 million generic login credentials. More attacks, each reaching fewer people, with higher per-victim value; that is the direction the data points.
The ITRC president, James E. Lee, framed the report’s central warning as a transparency collapse with significant implications for collective defense. In 2020, nearly every organization that suffered a breach provided clear details on how it happened. By 2025, that figure had collapsed to just 30%, with 70% of data breach notices providing no attack information, compared to 65% in 2024 and 45% in 2023. When organizations withhold root cause information to mitigate their own legal or reputational risk, they leave consumers and other businesses unable to understand what went wrong or take protective action against the same vector.
The report also flagged a new threat category, labelled Previously Compromised Data (PCD), in which attackers use AI to repurpose old stolen records to launch new attacks, including account takeover and new account creation. The implication is that breach exposure does not expire: data stolen in 2020 and repackaged in 2025 using AI-driven enrichment tools creates fresh attack surfaces against individuals who may have rotated the original passwords but have no way to recall what other data was in the original breach.
Consumer impact data from the 20th anniversary survey was striking in its scope: 80% of the 1,040 surveyed consumers had received a data breach notice in the last 12 months, with nearly 40% receiving between three and five separate notices in a single year. Eighty-eight percent of people who received a breach notice experienced at least one negative consequence, including increased phishing or scam attempts (40%), increased spam and robocalls (49%), and attempted account takeover (40%). Data breaches caused immediate anxiety in 60% of recipients and immediate frustration in 59%, with 50% citing immediate financial fraud as their primary fear, a fear that 54% of recipients said proved well-founded through subsequent targeted phishing attempts.
2025 Data Breach Investigations Report (DBIR) Highlights
Verizon’s 2025 Data Breach Investigations Report, the eighteenth annual edition and the largest dataset in the report’s history, analyzed 22,052 incidents and 12,195 confirmed breaches across 139 countries. Its headline findings documented a breach landscape in structural transition: ransomware surging, vulnerability exploitation accelerating, third-party risk doubling, and credential abuse entrenching itself as the persistent top access vector that no single defensive measure adequately addresses.
Ransomware appeared in 44% of all breaches in 2025, up from 32% the prior year, a 37% increase that made ransomware the dominant malicious action category for the year. The parallel finding on ransom payment behavior was more nuanced: the median ransom payment dropped to $115,000, and 64% of victims refused to pay, up from 59% in the prior year’s IBM data, suggesting that payment refusal is becoming the organizational norm even as ransomware prevalence continues to grow. The decoupling of payment rates from attack rates reflects both increased organizational preparedness through tested backup and recovery capabilities and the growing recognition that payment does not reliably prevent data exposure, as the PowerSchool re-extortion wave demonstrated.
Vulnerability exploitation surged to 20% of initial access vectors, a 34% year-over-year increase that made it the second most common entry point, overtaking phishing. The most alarming specific trend within that category was VPN-targeted exploit growth, which expanded nearly eight-fold, as well as edge device exploitation more broadly. The median time from vulnerability disclosure to exploitation by threat actors continues to compress; the 72-hour window documented for cloud environments reflects a broader acceleration enabled by automated vulnerability scanning tools that attackers deploy the moment a new CVE is published.
Third-party involvement doubling from 15% to 30% of breaches in a single year represented the DBIR’s most consequential trend finding, with the report noting this reflects both the proliferation of supply chain attack campaigns and improved attribution capabilities that correctly classify indirect compromises as third-party events rather than internal incidents. Forty-six percent of the systems compromised by an infostealer that may have contained corporate login data were non-managed devices, BYOD, and personal endpoints outside enterprise security controls, highlighting the specific gap that infostealer campaigns exploit between corporate security investment and the personal device ecosystem employees use to access corporate applications.
The DBIR’s human element finding, 60% of breaches involving a human factor, is the statistic that has most consistently resisted improvement across the report’s eighteen-year history. The specific 2025 contribution to that finding was the observation that, while you cannot train people not to click on phishing lures, organizations that invested in security awareness training saw a 4x improvement in employee phishing reporting rates, effectively turning the human layer from a passive vulnerability into an active threat-detection network. The implication for defensive strategy is significant: the goal of human risk management is not to eliminate clicks; it is to ensure that the 1.5% of employees who will always click are immediately identified, their sessions monitored, and their reports fast-tracked to the SOC for rapid response.
The 2025 data breach statistics confirm a single operational priority for every organization: knowing your current exposure profile before an attacker exploits it. Run a free dark web exposure scan at DeXpose to check whether your domain’s credentials and data have already appeared in the breach datasets driving 2025’s record attack volumes. For individual email-level exposure checks, use the email data breach scan.
What to Do If Your Data Was Exposed in a 2025 Breach
If your personal information was exposed in a 2025 data breach, the actions you take in the first 72 hours determine whether that exposure remains a notification letter or becomes active identity theft, financial fraud, or account takeover. The steps below apply whether you received a formal breach notification from TransUnion, Conduent, Salesforce, or any other organization named on this page, and they apply equally if you suspect exposure but have not yet received official confirmation.

Immediate Steps: How to Respond to a Data Breach Notification
The moment you receive a data breach notification letter or email, your first task is to determine exactly which category of data was exposed, because the protective steps that follow are data-type-dependent. The urgency hierarchy is different for Social Security numbers than for email addresses.
Read the notification carefully and identify the specific data elements listed as compromised. Most 2025 breach notification letters use a personalized field that names the specific data exposed: Social Security number, date of birth, financial account information, health records, or government ID. That list is your action priority sequence. SSN and DOB exposure triggers the most urgent response; email and phone number exposure is serious but carries lower immediate fraud risk.
Within the first 24 hours, change the password on any account associated with the breached organization and on any other account where you reused that password. Password reuse is the mechanism that converts a single breach into a credential-stuffing wave across dozens of platforms; it is the most immediate risk to address. Enable multi-factor authentication on every account where it is available, prioritizing email, banking, and any account linked to payment methods. Your email account is the master key to every other account’s password reset flow; if an attacker controls it, every other protective measure you take is reversible.
Accept every free service offered by the breached organization. Most major 2025 breach respondents (TransUnion, Conduent, Coinbase, SimonMed, Yale New Haven Health) offered between 12 and 24 months of free credit monitoring and identity theft insurance as part of their notification package. These services typically include $1 million in identity theft insurance and fraud remediation support from firms such as Cyberscout or Experian’s IdentityWorks. They cost nothing, require only enrollment within the notification window, and provide a documented recovery support track if fraud materializes later.
Pull your free credit reports from all three bureaus immediately at annualcreditreport.com. You are entitled to free weekly reports; use them. Look for accounts, inquiries, or addresses you do not recognize. An unfamiliar hard inquiry is often the first visible signal that someone has attempted to open credit in your name. A new account you did not open is evidence that they succeeded.
File your taxes as early as possible if your Social Security number was among the exposed data. Tax identity fraud, where an attacker files a fraudulent return using your SSN to claim your refund, is one of the most common downstream consequences of SSN exposure and can occur only once per SSN per tax year. Filing first eliminates the opportunity.
How to Check If Your Email or SSN Is on the Dark Web
Receiving a breach notification means a specific organization has confirmed that your data was accessed. Still, it does not tell you whether that data has already been sold, aggregated with data from other breaches, or published on dark web forums. The breach notification is the floor of your exposure knowledge, not the ceiling.
DeXpose’s email data breach scan checks whether your email address has appeared in breach datasets circulating across dark web markets, paste sites, and infostealer logs, covering sources beyond any single organization’s own investigation. The scan runs instantly, requires no setup, and returns a report on which breach datasets your address has appeared in. That context is essential for understanding whether a single breach notification covers your entire exposure or whether you are represented in multiple datasets compiled before the current breach.
For organizational exposure, where you need to understand whether your company’s domain appears in breach data, leaked credentials, or infostealer logs, DeXpose’s free dark web report scans at the domain level, identifying credentials, emails, and data linked to your organization’s footprint across monitored dark web sources.
For SSN exposure specifically, the FTC’s IdentityTheft.gov/databreach provides a step-by-step recovery plan customized to the type of information exposed. If you have confirmed SSN exposure from a 2025 breach, the site generates a personalized recovery plan, pre-fills dispute letters, and tracks your recovery progress. It is the most comprehensive free resource available for SSN-related identity theft and should be used in parallel with credit bureau protections rather than as a substitute for them.
Have I Been Pwned at haveibeenpwned.com allows you to check whether your email address appears in any of the publicly indexed breach datasets in the site’s database, useful as a secondary check to confirm notification scope, with the caveat that it indexes confirmed public breaches rather than the full dark web credential market.
TransUnion, Conduent, Salesforce: Breach-Specific Action Guides
Three of 2025’s highest-impact breaches each require specific protective actions beyond the general steps above, because the data types involved and the downstream fraud risks they enable are distinct.
TransUnion (4.4 Million Records, SSNs, Names, DOB, Addresses): The TransUnion breach exposed the exact combination of identifiers (SSN, full legal name, date of birth, and current and prior addresses) that enables synthetic identity fraud at scale. Synthetic identity fraud uses a real SSN paired with fabricated or mixed name and address details to create new credit identities that do not map cleanly to any single individual and can take years to detect. Credit freezes at all three bureaus are the essential protective step, not just at TransUnion. Freeze your file at Equifax, Experian, and TransUnion independently, since lenders check any of the three, and a freeze at one leaves two open paths. Enroll in the 24-month free monitoring through myTrueIdentity within your 90-day enrollment window. Monitor for tax fraud, as SSN exposure makes you a target for fraudulent return filing. If you received a TransUnion notification letter, review it for the <<impacted data elements>> personalization field; your specific data categories determine your specific risk profile.
Conduent (25+ Million Records, SSNs, Medical Records, Benefit Data): The Conduent breach carried particular downstream risk because many affected individuals (Medicaid recipients, unemployment and child support claimants, and food assistance beneficiaries) may not recognize Conduent as an organization that held their data. If you received government benefits in Texas, Oregon, Wisconsin, or Oklahoma and have not received a breach notification, you should independently check your exposure. The medical and benefit data involved creates risk for medical identity fraud, where an attacker uses your identity to receive healthcare, submit insurance claims, or obtain prescription medications, in addition to standard credit fraud. Check your Explanation of Benefits statements from your health insurer for services you did not receive, and request your medical records from providers if you suspect medical identity fraud.
Salesforce Campaign (Enterprise CRM, Business Contact Data, OAuth Exposure): If you work at or do business with any of the hundreds of organizations affected by the ShinyHunters Salesforce campaign, including Qantas, Stellantis, Farmers Insurance, Cisco, Adidas, Air France-KLM, or any organization that has disclosed a third-party contact center or CRM breach, your professional contact data is likely circulating in the same dataset. Business email address, phone number, and employer information combinations are the raw material for targeted business email compromise and vishing attacks against you professionally. Change your corporate email password, enable MFA on all corporate accounts, and brief your team that targeted phone calls impersonating IT or finance are the specific fraud vector the Salesforce campaign data enables.
Credit Freeze, Fraud Alerts, and Identity Monitoring
A credit freeze is the single most effective structural protection against new-account fraud, and it is completely free. When a credit freeze is in place, nobody can open a new credit account in your name, including you, because lenders cannot pull your credit report to make a lending decision. Under federal law, all three bureaus must place and remove freezes at no cost. If you request a freeze online or by phone, the bureau must activate it within one business day. When you need to temporarily lift it, to apply for a loan, rent an apartment, or purchase insurance, an online or phone request must be processed within one hour.
The critical implementation detail that most breach victims miss: you must freeze your credit at all three bureaus independently. Placing a freeze at TransUnion alone, because the breach occurred there, leaves Equifax and Experian open. Go to Equifax.com, Experian.com, and TransUnion.com, and create a freeze at each. Store the PINs or login credentials for each freeze securely; you will need them to lift the freeze when you need credit temporarily.
A fraud alert is a lighter-weight alternative or complement to a credit freeze. Placing a fraud alert at any one of the three bureaus triggers that bureau to automatically notify the other two. A standard fraud alert lasts one year and requires lenders to take additional steps to verify your identity before extending credit; it does not block access to your credit report entirely as a freeze does, but it adds a verification layer. An extended seven-year fraud alert is available to confirmed identity theft victims who have filed an FTC Identity Theft Report at IdentityTheft.gov or a police report.
For ongoing monitoring beyond the free services offered by breached organizations, consider whether a paid identity monitoring service is appropriate for your risk profile. The 2025 breach landscape, in which 80% of consumers received at least one breach notification in the year, has made continuous monitoring rather than a reactive response the appropriate baseline posture for most adults. Monitoring services that cover dark web data, new account openings, change-of-address requests, and Social Security number activity across credit bureau files provide broader coverage than any single breach organization’s free offering.
Data Breach Communication Best Practices for Organizations
For organizations that have experienced a data breach or are building response plans before one occurs, the FTC’s guidance and the 2025 breach record together define a clear standard for what constitutes adequate communication and where organizations consistently fall short.
The foundational requirement is speed. Every US state, the District of Columbia, Puerto Rico, and the Virgin Islands has enacted breach notification legislation requiring notification of affected individuals when personal information is compromised. HIPAA requires healthcare entities to notify within 60 days. The SEC’s 2023 cybersecurity disclosure rules require public companies to disclose material cybersecurity incidents within four business days of determining materiality. Several 2025 breaches (Conduent, SimonMed, and Veradigm) sent notification letters nine to ten months after discovery, well past all applicable windows, and became the primary basis for class action litigation as a result. Notification delay is not a defensive posture; it is one of the most legally expensive mistakes a breached organization can make.
The FTC’s guidance requires that notification letters inform affected individuals specifically what information was compromised, what steps they can take to protect themselves based on the data type involved, and what the organization is doing in response. The 2025 ITRC finding that 70% of breach notices provided no attack information, up from 65% in 2024 and 45% in 2023, reflects a transparency failure that the FTC has explicitly warned creates legal exposure: don’t make misleading statements about the breach, and don’t withhold key details that might help consumers protect themselves and their information.
Designate a single communications lead before an incident occurs, not during one. The communications lead should have authority to approve external statements, access to real-time forensic findings, and a pre-built stakeholder communication matrix covering customers, employees, investors, business partners, regulators, and law enforcement simultaneously. The 2025 breach landscape repeatedly demonstrated, through Oracle’s denial arc, Ring’s two-week silence before addressing the display bug, and Conduent’s nine-month notification delay, that the reputational and legal costs of inadequate communication routinely exceed the cost of the breach itself.
Offer meaningful remediation. Organizations that offered at least 24 months of free credit monitoring and identity theft insurance, TransUnion, Coinbase, and SimonMed, consistently generated better consumer response outcomes and lower immediate litigation intensity than organizations that offered nothing or offered only a generic advisory. The FTC specifically recommends offering at least one year of free credit monitoring when financial information or Social Security numbers have been exposed.
How to File a Complaint After a Data Breach
If you have been affected by a 2025 data breach and believe the organization failed in its legal obligations due to inadequate security, delayed notification, or misleading disclosure, there are several formal complaint channels available, each appropriate to different breach types and harm categories.
The FTC is the primary consumer protection authority for data breach complaints involving non-financial companies. File at ReportFraud.ftc.gov to report deceptive or unfair practices related to a breach. If you have experienced identity theft as a result of a breach, file a formal Identity Theft Report at IdentityTheft.gov. The report is a legal document you can use to dispute fraudulent accounts with creditors, stop debt collectors pursuing fraudulent debts, and qualify for an extended seven-year fraud alert.
The CFPB handles complaints against financial institutions, banks, credit card companies, credit bureaus, mortgage servicers, and fintech providers. For breaches at TransUnion, Experian, Equifax, a bank, or a payment platform, file at consumerfinance.gov or call 855-411-CFPB (2372). The CFPB has enforcement authority over financial companies and actively investigates data security failures under federal consumer financial protection law.
Your state Attorney General often has the most direct enforcement path for breach notification violations, since state notification laws define both the obligation and the enforcement mechanism within each jurisdiction. If the organization failed to notify you within the required window under your state’s law (30 days in Florida and Washington, 45 days in Ohio, 60 days under HIPAA), your AG’s office is the appropriate first contact. All 50 state AG offices accept breach-related complaints online.
The OCR, the Office for Civil Rights within HHS, handles HIPAA breach complaints. If a healthcare provider, health insurer, or their business associate failed to notify you within 60 days of discovering a breach involving your protected health information, file at hhs.gov/hipaa/filing-a-complaint. OCR investigates HIPAA violations and has authority to impose civil monetary penalties.
Class action litigation is available for most major 2025 breaches and requires no upfront cost to evaluate. Law firms specializing in data breach class actions typically offer free consultations and work on a contingency basis. Multiple firms were actively recruiting class members in 2025 against Conduent, TransUnion, PowerSchool, SimonMed, Salesforce, and Aflac, and the standard statute of limitations for most state breach notification violation claims runs two to three years from the discovery of harm rather than the breach date, giving you meaningful time to assess your options.
If you are uncertain whether your data was exposed in a 2025 breach, or want to understand the full scope of your exposure beyond any single notification letter, run a free dark web exposure scan at DeXpose to check what data linked to your domain is already in circulation. For individual email address checks, use DeXpose’s email data breach scan.
How to Protect Your Organization from Data Breaches in 2025
Protecting your organization from data breaches in 2025 requires a fundamental shift in defensive posture, from perimeter-based controls that assume attackers are outside the network, to continuous visibility-based controls that assume attacker-controlled credentials, sessions, and integrations are already inside it. The 2025 breach record confirms that most organizations are not being hacked in the traditional sense; they are being logged into, with stolen credentials, through legitimate third-party applications, via social engineering that bypasses every technical control deployed at the perimeter.
Top Causes of Enterprise Data Breaches and How to Close Them
Credential abuse was the leading initial access vector in enterprise breaches in 2025, appearing in 22% of all confirmed breaches analyzed in Verizon’s DBIR, more than double the rate of either vulnerability exploitation (20%) or phishing (16%). When combined with the finding that 88% of basic web application attacks, one of the most common attack patterns, involved stolen credentials, the picture is unambiguous: the dominant enterprise breach in 2025 does not begin with a novel exploit. It begins with a username and password purchased from a dark web marketplace or harvested from an infostealer log.
Closing the credential gap requires addressing three distinct failure modes simultaneously. The first is credential reuse across personal and professional contexts; employees who use work email addresses and reused passwords on consumer platforms create a credential exposure surface entirely outside corporate security controls. The second is infostealer infection on unmanaged and BYOD devices: 46% of corporate systems compromised with infostealers that contained corporate login data were non-managed devices, per Verizon’s 2025 DBIR. Standard endpoint detection does not cover devices outside the corporate fleet, meaning credentials harvested from personal laptops or home machines used to access corporate SaaS platforms are effectively invisible to security teams until they appear in dark web markets. The third is MFA bypass; attackers have responded to MFA adoption with token theft through adversary-in-the-middle proxies, MFA fatigue attacks that flood users with push notifications until one is approved, and device code phishing that exploits OAuth flows to harvest refresh tokens without ever triggering an MFA prompt. Organizations that treat MFA as a complete credential defense are operating on assumptions that 2025’s breach record has invalidated.
Vulnerability exploitation surged to 20% of initial access vectors in 2025, up from prior years, and the most dangerous sub-category was edge device exploitation, including VPN appliances, firewalls, and network access controllers, which saw nearly an eight-fold increase in targeted attacks. The structural problem is that edge devices are often excluded from standard patching cycles either because downtime is operationally unacceptable or because the devices run proprietary firmware outside standard patch management tools. The median window between CVE disclosure and active exploitation compressed to 72 hours in cloud environments and is trending downward everywhere, making the traditional 30-day patching cycle functionally inadequate against motivated threat actors with automated scanning infrastructure.
Human error, misdelivery of sensitive data, misconfigured cloud storage, and inadvertent exposure of credentials in code repositories contributed to 26% of all breaches, according to the 2025 DBIR. This is the category that produced the Blue Shield of California Google Analytics misconfiguration affecting 4.7 million members, the McDonald’s recruitment chatbot secured with the default password “123456” that exposed 64 million applicants, and the SonicWall cloud backup API exposure that gave state-sponsored actors firewall configuration files for 100% of cloud backup customers. Technical controls that do not account for human configuration failure are incomplete. Secrets scanning in CI/CD pipelines, automated cloud security posture management, and regular third-party penetration testing of externally facing systems are the structural defenses against the configuration failure category.
Dark Web Monitoring as an Early-Warning System
Dark web monitoring is not a breach-prevention tool in the traditional sense; it does not prevent attackers from entering your environment. It is an early-warning system that detects evidence of compromise before it becomes an active intrusion and interrupts the exploitation chain at the point where stolen credentials move from a criminal marketplace to an attack campaign.
Most companies find out they have been breached an average of 11 days after attackers first gain access, according to Mandiant’s M-Trends 2025 report. By that point, credentials have typically been sold, staged, and, in some cases, used for reconnaissance inside the target environment. Dark web monitoring compresses that discovery gap by detecting the appearance of organizational credentials, email addresses, session tokens, and domain-specific data in the sources where stolen material circulates (dark web forums, Telegram channels, paste sites, infostealer log markets, and ransomware extortion blogs) before the organization’s own security monitoring has generated any alert.
The mechanism is direct. When an infostealer malware infection harvests credentials from an employee’s device, those credentials typically appear in dark web markets within days of the infection. A dark web monitoring platform that covers infostealer log markets, where freshly harvested credentials are sold in bulk, can surface an employee’s credentials before the attacker who purchased them has attempted a login against corporate systems. That detection window converts a potential breach into a forced credential reset: a routine security operation rather than an incident response engagement.
The same logic applies to third-party monitoring. When a vendor that holds your data appears on a ransomware extortion site, or when credentials from a vendor’s domain appear in dark web credential markets, dark web monitoring gives you that signal before the vendor’s own breach notification reaches you, and almost certainly before it reaches you within the contractually required notification window, which 2025’s breach record confirms is routinely missed by months. Organizations that monitored their vendor ecosystem through dark web intelligence identified the Salesforce Salesloft Drift campaign’s reach into their environment via dark web signals weeks before ShinyHunters made its October extortion demands.
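The matching step in the two paragraphs above, as an added example that is not DeXpose’s code: it checks constructed infostealer-log listings against an organization’s own domains, its corporate application hostnames and a vendor’s domain (all hypothetical), and turns each hit into a credential-reset or vendor-escalation action ordered by severity.

```python
"""Added example (not DeXpose's code): triage constructed infostealer-log
listings against an organization's own domains and its vendors' domains,
turning each hit into a credential-reset or vendor-escalation action."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical organization, vendor and application inventory.
OWN_DOMAINS = {"acme.example"}
VENDOR_DOMAINS = {"vendorco.example"}
CORPORATE_APPS = {"login.salesforce.example", "mail.acme.example"}  # SaaS/mail logins in use
MANAGED_HOSTS = {"LAPTOP-7"}                     # hostnames in the managed fleet
PRIVILEGED_PREFIXES = ("admin", "root", "svc-")  # naming convention for privileged accounts

# Constructed listings, shaped like parsed infostealer-log market entries: the URL the
# credential was captured for, the login, the infected hostname and the first-seen time.
# Every value is fictional.
SAMPLE_LISTINGS = [
    {"url": "https://login.salesforce.example/", "login": "j.doe@acme.example",
     "host": "DESKTOP-HOME-01", "first_seen": "2025-06-02T10:15:00"},
    {"url": "https://mail.acme.example/owa", "login": "admin@acme.example",
     "host": "LAPTOP-7", "first_seen": "2025-06-01T08:00:00"},
    {"url": "https://portal.vendorco.example/", "login": "ops@vendorco.example",
     "host": "WIN-VENDOR", "first_seen": "2025-05-30T23:40:00"},
    {"url": "https://shop.example.net/", "login": "someone@mail.example",
     "host": "PC", "first_seen": "2025-06-02T12:00:00"},
]


@dataclass
class Action:
    kind: str        # "reset_credential" or "escalate_to_vendor"
    login: str
    target: str      # hostname the credential was captured for
    severity: str    # "critical", "high" or "medium"
    first_seen: str
    reason: str


def _domain(login: str) -> str:
    return login.rsplit("@", 1)[-1].lower() if "@" in login else ""


def triage(listings, managed_hosts=MANAGED_HOSTS):
    """Map each listing to the SOC action it calls for; unrelated listings are dropped."""
    actions = []
    for rec in listings:
        target = (urlparse(rec["url"]).hostname or "").lower()
        domain = _domain(rec["login"])
        unmanaged = rec["host"] not in managed_hosts
        if domain in OWN_DOMAINS or target in CORPORATE_APPS:
            # A corporate login is for sale: force a reset before the buyer tries it.
            privileged = rec["login"].split("@", 1)[0].lower().startswith(PRIVILEGED_PREFIXES)
            severity = "critical" if privileged else ("high" if unmanaged else "medium")
            reason = "corporate credential in infostealer log"
            if unmanaged:
                reason += "; harvested from a device outside the managed fleet"
            actions.append(Action("reset_credential", rec["login"], target, severity,
                                  rec["first_seen"], reason))
        elif domain in VENDOR_DOMAINS:
            # A vendor employee's login is for sale: ask the vendor before their notice arrives.
            actions.append(Action("escalate_to_vendor", rec["login"], target, "high",
                                  rec["first_seen"],
                                  "vendor credential for sale; request vendor incident status"))
    # Most severe first so the queue is worked top down; sort is stable within a level.
    rank = {"critical": 0, "high": 1, "medium": 2}
    actions.sort(key=lambda a: rank[a.severity])
    return actions


if __name__ == "__main__":
    for a in triage(SAMPLE_LISTINGS):
        print(f"[{a.severity}] {a.kind}: {a.login} -> {a.target} ({a.reason})")
```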
DeXpose’s dark web monitoring service provides continuous coverage across dark web markets, infostealer logs, ransomware leak sites, and breach databases, alerting your security team when data linked to your domain appears, before it is exploited. The free dark web report provides an immediate snapshot of your organization’s current exposure across monitored sources, with no setup required.
Breach Detection and Response: Reducing Dwell Time
Dwell time, the period between an attacker’s first access and organizational detection, is the single variable most directly correlated with breach cost and scope. IBM’s 2025 Cost of a Data Breach Report documents a $1.14 million cost premium between breaches detected within 200 days and those that exceed that threshold. The 241-day global average breach lifecycle in 2025, the lowest in nine years, reflects real progress, but it still means that by the time most breaches are detected, the average attacker has had eight months of access.
Reducing dwell time requires detection capabilities that do not depend solely on known attack signatures or internal network monitoring. The breaches with the longest dwell times in 2025 (the OCC email compromise maintained for nine months, the F5 nation-state intrusion sustained for at least twelve months, and the Conduent ransomware access window spanning October 2024 to January 2025) shared a common failure: the attacks operated within the bounds of what appeared to be legitimate activity. OCC attackers accessed email through a compromised administrator account. F5’s nation-state actor used the BRICKSTORM malware, which blended into legitimate administrative traffic. Conduent’s attackers spent 83 days inside the network before deploying ransomware.
AI-powered behavioral detection, which establishes baselines of normal activity patterns for users, accounts, and systems and flags deviations rather than matching against known signatures, is the detection architecture that addresses this gap. IBM’s 2025 breach data quantifies the operational impact: organizations using AI and automation in security operations cut their breach lifecycle by 80 days on average and saved $1.9 million per breach compared to organizations with no AI deployment. The investment is measurable in two directions: faster containment and lower cost.
Extended Detection and Response platforms that aggregate signals from endpoints, networks, clouds, identities, and email into a single investigation context give security teams the cross-domain visibility needed to detect lateral movement that individual point solutions miss. The Salesforce campaign’s success in 2025 was partly attributable to the fact that the exfiltration activity generated signals in Salesforce audit logs, OAuth management consoles, and network monitoring systems simultaneously. Still, organizations without unified XDR platforms were viewing each signal in isolation rather than as components of a single attack pattern.
Incident response planning, including tested, regularly updated runbooks for the specific scenarios most relevant to your industry, reduces dwell time by eliminating the decision latency that slows containment when an incident is first detected. The 2025 breaches with the fastest documented containment times shared a common characteristic: incident response procedures were pre-defined, external forensic retainers were in place, and the first call after detection went to the IR team rather than through multiple escalation layers. IBM’s data confirms that organizations with IR plans tested through tabletop exercises or red-team simulations contained breaches an average of 54 days earlier than those without.
Third-Party Vendor Risk Management
Third-party involvement in breaches doubled from 15% to 30% of all confirmed incidents in 2025, making vendor ecosystem security the fastest-growing risk category in enterprise security. Supply chain attacks reached 1,251 downstream victim organizations in 2025, nearly double the prior year, despite only a marginal increase in the number of discrete attacks, meaning each supply chain attack reached more downstream targets than before.
The structural failure that enabled most 2025 third-party breaches was not the absence of vendor security questionnaires or contractual data protection requirements. It was the absence of continuous, real-time monitoring of vendor security posture between the annual questionnaire cycles that most vendor risk programs operate on. Annual questionnaires are outdated the day they are returned. A vendor that passes a security assessment in January can be breached in February, remain undisclosed until October, and have your data circulating on dark web markets for nine months while your vendor risk program shows them as green.
Continuous third-party risk monitoring requires three capabilities operating simultaneously. The first is surface-level security posture monitoring, continuous scanning of vendor-exposed infrastructure for known vulnerabilities, misconfigured cloud storage, expired TLS certificates, and open RDP or SMB ports. The second is dark web monitoring of vendor domains, detecting when a vendor’s employee credentials or internal data appear in dark web markets or ransomware extortion sites before the vendor’s own breach notification reaches you. The third is real-time monitoring of ransomware extortion blogs and threat actor Telegram channels for mentions of vendor names, since ransomware groups routinely announce victims publicly before those victims have issued any breach notification.
Contractual protections are necessary but not sufficient. Vendor contracts should require breach notification within 24 to 72 hours of discovery, not the 30 or 60 days most vendor agreements specify and that 2025’s breach timeline evidence suggests are routinely exceeded. They should require annual penetration testing with results shared with your organization, MFA enforcement across all systems that access your data, and specific OAuth scope limitations for any integrations connecting to your environment. The Salesforce campaign’s reach into hundreds of organizations was enabled by OAuth tokens issued to third-party applications with scopes far broader than any individual function required, a contractual and access governance failure that security questionnaires and annual assessments did not surface.
DeXpose’s supply chain monitoring service provides continuous vendor exposure tracking, monitoring your vendor ecosystem for breach disclosures, dark web data, ransomware mentions, and infrastructure vulnerabilities in real time, without waiting for vendor notification.
Key Technologies for Breach Prevention in 2025
The technology stack for breach prevention in 2025 is less about adding new tools and more about ensuring the tools already deployed are configured and integrated to address the specific attack patterns documented in 2025’s breach record. Point solutions in isolation (endpoint protection without identity monitoring, MFA without token theft detection, vulnerability management without prioritization by exploitability) leave the specific gaps that 2025’s most consequential breaches exploited.
Identity and Access Management remains the highest-leverage investment category given that credential abuse was the top initial access vector. Beyond standard MFA, the specific controls that 2025’s breach record validates are phishing-resistant MFA, FIDO2 hardware keys or passkeys that eliminate the push notification fatigue and AiTM proxy vulnerabilities that defeated standard MFA, and continuous authentication that monitors session behavior after login rather than treating authentication as a one-time gate. Token theft, which enabled the Salesforce OAuth campaign, is not addressed by standard MFA because tokens are issued after successful authentication; it is addressed by OAuth scope minimization, token lifetime management, and real-time monitoring for anomalous token usage patterns.
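The scope review and anomalous token usage checks just described, as an added example rather than DeXpose’s, Salesforce’s or any vendor’s code: it compares constructed connected-app grants against the scopes each integration documented as required, and flags tokens whose daily record volume leaves their own baseline, the same baseline-deviation logic the dwell time section describes. App names, scope names and counts are constructed.

```python
"""Added example (not DeXpose's, Salesforce's or any vendor's code): review connected-app
OAuth grants against the scopes each integration documented as required, and flag tokens
whose API volume departs from their own baseline. Scope names and numbers are constructed."""
from statistics import mean, pstdev

# Scopes granted to each connected app's token (constructed inventory).
GRANTED = {
    "marketing-sync": {"read:contacts", "write:contacts", "read:opportunities",
                       "export:all", "manage:users"},
    "support-widget": {"read:cases", "write:cases"},
    "analytics-export": {"read:contacts", "read:opportunities"},
}
# Scopes each integration said it needed when it was onboarded (constructed).
REQUIRED = {
    "marketing-sync": {"read:contacts", "write:contacts"},
    "support-widget": {"read:cases", "write:cases"},
    "analytics-export": {"read:contacts", "read:opportunities"},
}
# Scopes that permit bulk extraction or account control; an excess grant here is critical.
HIGH_RISK = {"export:all", "manage:users"}

# Records pulled per day by each token over the last seven days, and today's count
# (constructed). The marketing token's volume has jumped roughly forty-fold.
USAGE_HISTORY = {
    "marketing-sync": [1200, 1100, 1300, 1250, 1180, 1220, 1190],
    "analytics-export": [5000, 5200, 4900, 5100, 5050, 4950, 5100],
}
TODAY = {"marketing-sync": 48000, "analytics-export": 5150}


def excess_scopes(granted=GRANTED, required=REQUIRED):
    """Return {app: (extra_scopes, touches_high_risk)} for every over-scoped grant."""
    findings = {}
    for app, scopes in granted.items():
        extra = scopes - required.get(app, set())
        if extra:
            findings[app] = (extra, bool(extra & HIGH_RISK))
    return findings


def anomalous_usage(history=USAGE_HISTORY, today=TODAY, z_threshold=4.0):
    """Return {app: z_score} for tokens whose volume today is far above their own baseline.
    A floor on the standard deviation keeps a perfectly flat history from dividing by zero."""
    flagged = {}
    for app, counts in history.items():
        mu, sigma = mean(counts), max(pstdev(counts), 1.0)
        z = (today.get(app, 0) - mu) / sigma
        if z > z_threshold:
            flagged[app] = round(z, 1)
    return flagged


def review(granted=GRANTED, required=REQUIRED, history=USAGE_HISTORY, today=TODAY):
    """Combine both checks into one action per app that needs attention."""
    scopes = excess_scopes(granted, required)
    volume = anomalous_usage(history, today)
    actions = {}
    for app in set(scopes) | set(volume):
        if app in volume and app in scopes and scopes[app][1]:
            actions[app] = "revoke_now"        # over-scoped and already pulling bulk data
        elif app in volume:
            actions[app] = "investigate"       # volume spike on a minimally scoped token
        else:
            actions[app] = "reduce_scopes"     # over-scoped but no abnormal usage yet
    return actions


if __name__ == "__main__":
    for app, action in review().items():
        print(app, "->", action)
```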
Attack Surface Management, continuous, automated discovery and assessment of all externally accessible assets, addresses the edge device and forgotten infrastructure vulnerabilities that enabled the F5 intrusion, the SonicWall backup API compromise, and the Oracle SSO breach. Organizations cannot patch what they cannot see, and the 2025 breach record is populated with incidents that exploited infrastructure the victim organization did not know was exposed or had forgotten was accessible. DeXpose’s attack surface mapping service provides continuous external attack surface visibility, discovering and assessing all internet-exposed assets associated with your domain before threat actors can.
Cloud Security Posture Management continuously audits cloud environment configurations against security baselines, detecting storage bucket exposures, excessive permission grants, and public API endpoints that led to some of 2025’s most avoidable breaches. Approximately 34% of cloud-related breaches in 2025 were directly tied to unpatched vulnerabilities or misconfigurations in cloud workloads, a category CSPM addresses through continuous automated assessment rather than point-in-time audit.
Secrets Scanning and Management eliminates the credentials-in-code vulnerability that gave threat actors access to API keys, authentication tokens, and database connection strings embedded in Red Hat GitLab repositories, CI/CD pipelines, and configuration files, which constituted the most dangerous element of the Red Hat Crimson Collective breach. Secrets scanning tools integrated into CI/CD pipelines detect hardcoded credentials before they are committed to shared repositories, and secrets management vaults replace static credentials with dynamic, time-limited secrets that expire after use. 54% of cloud environments contain credentials hardcoded in configuration files or containers. Secrets management eliminates the underlying exposure rather than managing the risk of exploitation.
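The CI/CD secrets check mentioned here and in the human-error section above, as an added example that is not DeXpose’s or any scanner vendor’s code: it runs pattern rules plus a Shannon-entropy grade over constructed file contents, so that both a high-entropy key and a weak default password of the kind in the McDonald’s chatbot incident are reported before the commit lands. File paths and values are constructed; the AKIA prefix and 16-character body are the documented format of an AWS access key id.

```python
"""Added example (not DeXpose's or any scanner vendor's code): a pre-commit style secrets
scan over constructed file contents. It pairs pattern rules with a Shannon-entropy check so
that both high-entropy keys and weak default passwords are reported before they are pushed."""
import re
from collections import Counter
from dataclasses import dataclass
from math import log2

# Constructed repository contents. The AWS key id and passwords are fictional; the AKIA
# prefix and 16-character body are the documented format of an AWS access key id.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        'DATABASE_URL = "postgres://app:hunter2@db.internal:5432/app"\n'
        'AWS_KEY = "AKIAEXAMPLEKEY000001"\n'
    ),
    "chatbot/auth.py": 'ADMIN_PASSWORD = "123456"\n',
    "docs/README.md": "Set DATABASE_URL in the environment; see .env.example.\n",
    ".env.example": 'API_TOKEN = "replace-me"\n',
}
ALLOWLIST_PATHS = {".env.example"}   # template files that are meant to hold placeholders

RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("connection-string",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb|redis)://[^:\s/]+:[^@\s]+@", re.I)),
    # Literal assigned to a password/secret/token-like name; group 1 is the literal.
    ("assigned-secret",
     re.compile(r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{4,})["']""")),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    note: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys sit near 4-5, human-chosen defaults well below 3."""
    n = len(s)
    return -sum((c / n) * log2(c / n) for c in Counter(s).values())


def scan_files(files, allowlist=ALLOWLIST_PATHS):
    """Return one Finding per (line, rule) hit outside the allowlisted paths."""
    findings = []
    for path, content in files.items():
        if path in allowlist:
            continue
        for line_no, line in enumerate(content.splitlines(), start=1):
            for rule, pattern in RULES:
                m = pattern.search(line)
                if not m:
                    continue
                note = "matches " + rule
                if rule == "assigned-secret":
                    ent = shannon_entropy(m.group(1))
                    note = ("looks like a real secret" if ent >= 3.0
                            else "weak or default value") + f" (entropy {ent:.2f})"
                findings.append(Finding(path, line_no, rule, note))
    return findings


def ci_gate(files, allowlist=ALLOWLIST_PATHS) -> int:
    """Exit status for the pipeline step: non-zero blocks the commit or merge."""
    findings = scan_files(files, allowlist)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.note}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_FILES))
```

A real deployment would also scan git history, since a secret removed in a later commit is still retrievable from earlier ones.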
Security Awareness Training with Measured Outcomes addresses the 60% human element that has resisted seven consecutive years of security investment. The specific 2025 DBIR finding that reframes the value proposition: organizations that invest in regular security awareness training saw a 4x increase in employee phishing reporting rates. The goal of human risk management in 2025 is not to prevent every click; it is to build a reporting culture where employees who are manipulated report incidents immediately, rather than quietly hoping nothing bad happens. That behavioral outcome converts the human layer from a passive vulnerability into an active threat-detection network, enabling SOC teams to identify compromise indicators from employee reports before automated systems generate alerts.
Every protective measure described in this section is more effective when deployed against a known baseline of exposure. Before investing in new controls, understand what data linked to your organization is already circulating on the dark web. Run a free dark web exposure scan at DeXpose to see your current exposure profile, and use that intelligence to prioritize the gaps that matter most for your specific risk environment.
Frequently Asked Questions (FAQs)
What Was the Biggest Data Breach of 2025?
The biggest data breach of 2025 was the 16 billion credential mega-dump discovered in June, in which 30 exposed databases containing active usernames, passwords, and session tokens, compiled from infostealer malware campaigns, were found openly accessible online. Among named corporate victims, Conduent’s SafePay ransomware breach ultimately affected over 25 million Americans across its government benefits and healthcare payment infrastructure.
Was the Salesforce Breach Real? How Many Records Were Exposed?
The Salesforce breach was real, but Salesforce’s own platform was not directly compromised; ShinyHunters exploited OAuth tokens and third-party integration weaknesses to extract data from customer environments, claiming to have accessed up to 1.5 billion CRM records across more than 700 organizations. Confirmed downstream victims include Qantas (5.7 million records), TransUnion (4.4 million), Stellantis, Farmers Insurance, Cisco, and Adidas, making it one of the most consequential SaaS supply chain campaigns in recorded history.
Did AT&T Have a New Breach in 2025?
A dataset purportedly containing 31 million AT&T customer records, including names, dates of birth, tax IDs, and contact details, was posted to a dark web forum in May 2025, but AT&T did not publicly confirm the breach at the time of disclosure. Security researchers treated the sample data seriously, though AT&T’s official position was that it could not verify the claim, leaving the incident in the same contested territory as several other 2025 telecom disclosures.
What Is the 16 Billion Credential Leak of 2025?
The 16 billion credential leak, discovered by Cybernews researchers in June 2025, was the largest data exposure in recorded history, 30 databases containing over 16 billion login records including usernames, passwords, session tokens, and browser cookies tied to Google, Apple, Facebook, GitHub, Microsoft, and government portals. Unlike prior aggregation dumps, nearly all the data had never been publicly disclosed, meaning these were fresh, active credentials harvested through infostealer malware campaigns rather than recycled material from earlier breaches.
How Do I Know If My Data Was in the Oracle Breach?
The fastest way to check is DeXpose’s free Oracle Breach Scan, which checks whether your company’s domain appeared in the dataset of 140,000-plus Oracle Cloud tenants affected by the March 2025 SSO and LDAP infrastructure compromise. If your organization uses Oracle Cloud, Oracle E-Business Suite, or Oracle Health, you should also rotate all SSO credentials, reissue Java KeyStore files, and immediately apply patches for CVE-2021-35587 and CVE-2025-61882, regardless of scan results.
What Is the Average Cost of a Data Breach in 2025?
The global average cost of a data breach fell to $4.44 million in 2025, the first decrease in five years, driven by AI-assisted detection that saved organizations nearly $1.9 million per breach, but US organizations bucked that trend, hitting an all-time high of $10.22 million per breach, more than double the global figure. Healthcare remained the most expensive sector for the fifteenth consecutive year at $7.42 million per incident, followed by financial services at $5.56 million.
How Many Data Breaches Happened in 2025?
The Identity Theft Resource Center recorded 3,322 confirmed data compromises in the United States in 2025, the highest number ever tracked in a single year and a 79% increase over five years. Despite that record breach count, total victim notices fell sharply from 1.36 billion in 2024 to 278.8 million in 2025, reflecting a strategic shift by attackers from mass-scale indiscriminate breaches toward precision targeting of high-value data repositories.
What Sector Had the Most Breaches in 2025?
Financial services recorded the most breaches of any sector in 2025, with the ITRC logging 739 confirmed data compromises across banks, credit bureaus, insurers, crypto platforms, and fintech providers, the highest single-year count for the industry. Healthcare had the fewest breaches by volume but the highest cost per incident, while the technology and education sectors absorbed the most structurally consequential attacks due to their downstream organizational reach.