2025 Year in Review: The Breaches That Defined a Decade's Worst Year for Data Security


A comprehensive analysis of the data breaches, ransomware campaigns, and privacy failures that exposed billions of records and reshaped the cybersecurity landscape


The Year Privacy Became a Luxury

Another year has ended, and with it, thousands of data breaches affecting hundreds of millions of people. The question in 2025 was never "Is my information in a data breach?" but rather "How many data breaches exposed my information this year?"

By October 2025, researchers had already counted 2,563 confirmed data breaches, putting the year on track to be one of the worst in history by sheer volume. But numbers alone don't capture the severity. This was the year that saw the largest healthcare breach ever recorded, the largest breach of American schoolchildren's data, and a Chinese espionage campaign that compromised America's nuclear weapons agency.

According to IBM's 2025 Cost of a Data Breach Report, which we analyzed in depth, there was a slight glimmer of hope: global average breach costs declined 9% to $4.44 million. But that statistic masked a darker reality. U.S. breach costs jumped 9% to a record $10.22 million, more than double the global average and the highest costs globally for the 14th consecutive year.

Let's examine the breaches that defined 2025.


The Breachies: 2025's Most Egregious Data Security Failures

🏆 The "Say Something Without Saying Anything" Award: Mixpanel

Data analytics companies have long been the unsung villains of the privacy landscape. They sit invisibly in thousands of apps, hoovering up user data without users' knowledge or consent. In November 2025, one of the largest—Mixpanel—suffered a devastating breach through an SMS phishing attack.

What made this breach particularly galling was the opacity of Mixpanel's announcement. The company's vague statement left reporters with unanswered questions about:

  • How many people were affected
  • Whether hackers demanded a ransom
  • Whether employee accounts used basic security practices like MFA

We only learned critical details because OpenAI—yes, that OpenAI—dropped Mixpanel as a provider and disclosed information about the breach that Mixpanel's own announcement conveniently omitted. The breach affected historical data from companies including PornHub, whose paying subscriber records from a 2021 integration were exposed.

The worst part? The vast majority of people affected by this breach had no direct relationship with Mixpanel. They likely didn't even know their devices were sending data to the company. This is the fundamental problem with the surveillance advertising ecosystem—you can't protect data you don't know exists.


🏆 The "We Still Told You So" Award: Discord's Age Verification Disaster

Last year, we warned that age verification mandates would inevitably lead to more data breaches. Like clockwork, they did. As we detailed in our analysis of The Global Age Verification Disaster, these systems don't protect anyone—they create surveillance infrastructure that inevitably gets breached.

In September 2025, Discord, the messaging platform with over 200 million monthly active users, disclosed that age verification data users had submitted through its customer support process had been breached. The exposed data included:

  • Users' real names and selfies
  • Government ID documents
  • Email and physical addresses
  • Phone numbers and IP addresses
  • Customer support messages
  • Limited billing information including payment types and partial credit card numbers

Technically, it wasn't Discord itself that was hacked but a third-party customer support provider; early reporting named Zendesk, which stated that its own systems were not compromised. But try explaining that distinction to the millions of users whose identity documents are now floating around criminal forums. For guidance on protecting your Discord account, see our Discord Privacy & Security Guide. This breach exemplifies the growing crisis of third-party security failures we've documented throughout the year.


🏆 The "Tea for Two" Award: Dating App Security Catastrophe

Speaking of age verification gone wrong, the Tea app, which lets women share safety information about men they have dated, had a catastrophic year. As we covered in depth on myprivacy.blog, the app that was supposed to protect women ended up exposing their most sensitive data. In July, researchers discovered a publicly accessible Firebase storage bucket containing:

  • 72,000 images, of which about 13,000 were verification selfies and photo IDs
  • Roughly 59,000 further images from posts, comments and direct messages
  • Private messages between users

Just one week later, a second breach exposed 1.1 million private messages spanning early 2023 to mid-2025. These messages included phone numbers, abortion planning discussions, and conversations about cheating partners.

But wait—there's more. TeaOnHer, a completely different app with the same concept but for men, also suffered a breach in August. Researchers found user information accessible through a publicly available web address, including the admin credentials the app's creator used.

As we've consistently reported on compliancehub.wiki, every company that collects identity verification data becomes a target. You can't change your face after it's been leaked.
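The Tea exposure above came down to a storage bucket that answered object-list requests from anyone. The following check is an added example, not code from Tea, Google or this article's source: it sends (or, offline, simulates) an unauthenticated list request to a Firebase Storage bucket and reports whether the bucket enumerates its contents without credentials. The REST endpoint and response shape are the Firebase Storage REST API as the author understands it; the bucket name, object names and sample responses are constructed placeholders.

```javascript
// Added example (not Tea's or Google's code): probe a Firebase Storage
// bucket for anonymous listing, the condition that let verification
// selfies and IDs be enumerated. Endpoint/response shape assumed from the
// Firebase Storage REST API; bucket and object names are placeholders.
const FIREBASE_STORAGE_API = 'https://firebasestorage.googleapis.com/v0/b';

// Build the object-list URL for a bucket, optionally limited to a prefix.
function listUrl(bucket, prefix = '') {
  const url = new URL(`${FIREBASE_STORAGE_API}/${encodeURIComponent(bucket)}/o`);
  if (prefix) url.searchParams.set('prefix', prefix);
  return url.toString();
}

// Classify an anonymous list response. HTTP 200 with an `items` array
// means the storage rules grant `list`/`read` to unauthenticated callers;
// rules that deny the request come back as 401/403.
function classifyListing(status, body) {
  const empty = { exposed: false, objects: 0, sensitiveNames: [] };
  if (status === 200 && body && Array.isArray(body.items)) {
    // Flag object names that look like identity material.
    const sensitive = body.items.filter((o) =>
      /(selfie|verif|\bids?\b|licen[cs]e|passport)/i.test(o.name));
    return {
      exposed: true,
      objects: body.items.length,
      sensitiveNames: sensitive.map((o) => o.name),
      verdict: 'anonymous listing allowed: storage rules grant read/list to everyone',
    };
  }
  if (status === 401 || status === 403) {
    return { ...empty, verdict: 'listing denied without credentials' };
  }
  if (status === 404) {
    return { ...empty, verdict: 'bucket not found' };
  }
  return { ...empty, exposed: null, verdict: `unexpected HTTP ${status}` };
}

// Live probe using Node 18+ global fetch. Not run in the offline demo below.
async function probeBucket(bucket, prefix = '') {
  const res = await fetch(listUrl(bucket, prefix));
  let body = null;
  try { body = await res.json(); } catch { /* non-JSON error page */ }
  return classifyListing(res.status, body);
}

// Constructed sample responses (no real data) so the check runs offline.
const SAMPLE_OPEN = {
  status: 200,
  body: {
    prefixes: ['ids/', 'selfies/', 'posts/'],
    items: [
      { name: 'ids/drivers-license-0001.jpg', bucket: 'example-app.appspot.com' },
      { name: 'selfies/user-0001.jpg', bucket: 'example-app.appspot.com' },
      { name: 'posts/post-42.jpg', bucket: 'example-app.appspot.com' },
    ],
  },
};
const SAMPLE_LOCKED = {
  status: 403,
  body: { error: { code: 403, message: 'Permission denied.' } },
};

const openResult = classifyListing(SAMPLE_OPEN.status, SAMPLE_OPEN.body);
const lockedResult = classifyListing(SAMPLE_LOCKED.status, SAMPLE_LOCKED.body);
console.log(openResult.verdict, openResult.sensitiveNames);
console.log(lockedResult.verdict);
```

Run `probeBucket('your-project.appspot.com')` against a bucket you own; an `exposed: true` result means the storage rules contain something equivalent to `allow read: if true;` and need to be scoped to authenticated users and, for verification material, to the owning user only.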


🏆 The "Just Stop Using Tracking Tech" Award: Blue Shield of California

For the second consecutive year, this award goes to a healthcare company that leaked patient data through tracking tools on its website.

Blue Shield of California revealed in April that a misconfiguration of Google Analytics had passed 4.7 million members' health data on to Google Ads. The data included names, insurance plan details, medical service providers, and patient financial responsibility information. Blue Shield shared this data with Google for nearly three years before realizing its mistake.

As we noted in our coverage of healthcare's ongoing cybersecurity crisis, tracking tools remain alarmingly common on healthcare websites despite years of incidents like this one. These tools are marketed as harmless analytics but can expose sensitive data to advertisers and data brokers.
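The leak mechanism is mundane: the tag sends whatever is in the page URL and whatever the site's own code attaches to events. The following is an added example, not Blue Shield's code, Google's code, or part of this article's source, showing a data-minimisation layer that strips identifiers and health-related fields before any gtag-style call leaves the page. It assumes a `(command, target, params)` tag signature; the parameter and query names (`member_id`, `plan`, `provider`, `amount_due`) and the sample URL are made up for illustration, and the sink that records calls stands in for the real tag.

```javascript
// Added example (not Blue Shield's or Google's code): minimise what an
// analytics tag can see. Field names and sample URL are constructed.

// Query-string keys that commonly carry identifiers or health data.
// Assumed list for illustration; extend it with your own parameter names.
const SENSITIVE_QUERY_PARAMS = new Set([
  'member_id', 'claim_id', 'provider', 'plan', 'dob', 'email', 'phone', 'ssn',
]);

// Event/config parameters that must never reach a third party.
const SENSITIVE_EVENT_PARAMS = new Set([
  'member_id', 'plan_name', 'provider_name', 'diagnosis', 'amount_due',
  'name', 'email', 'user_id',
]);

// Path segments that look like record identifiers: 5+ digits or a UUID.
const ID_SEGMENT =
  /^(\d{5,}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;

// Reduce a page URL to its template: id-like segments become ':id',
// sensitive query values become 'REDACTED', the fragment is dropped.
function redactPageLocation(urlString) {
  const url = new URL(urlString);
  url.pathname = url.pathname
    .split('/')
    .map((seg) => (ID_SEGMENT.test(seg) ? ':id' : seg))
    .join('/');
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_QUERY_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, 'REDACTED');
    }
  }
  url.hash = ''; // fragments often carry session tokens
  return url.toString();
}

// Drop disallowed keys from a parameter object (shallow copy).
function redactParams(params) {
  const out = {};
  for (const [k, v] of Object.entries(params)) {
    if (!SENSITIVE_EVENT_PARAMS.has(k.toLowerCase())) out[k] = v;
  }
  return out;
}

// Wrap a gtag-like sink so every call is minimised before transmission.
function makeSafeTag(sink) {
  return function safeTag(command, target, params = {}) {
    const cleaned = redactParams(params);
    if (typeof cleaned.page_location === 'string') {
      cleaned.page_location = redactPageLocation(cleaned.page_location);
    }
    sink(command, target, cleaned);
  };
}

// Constructed demonstration: record what would have been transmitted.
const sentCalls = [];
const tag = makeSafeTag((...args) => sentCalls.push(args));

tag('config', 'G-EXAMPLE', {
  page_location:
    'https://portal.example-insurer.test/claims/123456789?plan=Gold+PPO&member_id=99887766#t=abc',
});
tag('event', 'claim_viewed', {
  member_id: '99887766', plan_name: 'Gold PPO', amount_due: 412.5, page_section: 'claims',
});

console.log(JSON.stringify(sentCalls, null, 2));
```

A wrapper like this only limits the damage; the remedy this article argues for is not loading the tag on authenticated or health-related pages at all, since server-side configuration in the analytics console can still be changed later without the page's knowledge.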

For guidance on protecting yourself from online tracking, check our privacy compliance guide.
