A comprehensive analysis of the data breaches, ransomware campaigns, and privacy failures that exposed billions of records and reshaped the cybersecurity landscape
The Year Privacy Became a Luxury
Another year has ended, and with it, thousands of data breaches affecting hundreds of millions of people. The question in 2025 was never “Is my information in a data breach?” but rather “How many data breaches exposed my information this year?”
By October 2025, researchers had already counted 2,563 confirmed data breaches, putting the year on track to be one of the worst in history by sheer volume. But numbers alone don’t capture the severity. This was the year that saw the largest healthcare breach ever recorded, the largest breach of American schoolchildren’s data, and a Chinese espionage campaign that compromised America’s nuclear weapons agency.
According to IBM’s 2025 Cost of a Data Breach Report, which we analyzed in depth, there was a slight glimmer of hope: global average breach costs declined 9% to $4.44 million. But that statistic masked a darker reality. U.S. breach costs jumped 9% to a record $10.22 million, more than double the global average and the highest costs globally for the 14th consecutive year.
Let’s examine the breaches that defined 2025.
The Breachies: 2025’s Most Egregious Data Security Failures
🏆 The “Say Something Without Saying Anything” Award: Mixpanel
Data analytics companies have long been the unsung villains of the privacy landscape. They sit invisibly in thousands of apps, hoovering up user data without users’ knowledge or consent. In November 2025, one of the largest—Mixpanel—suffered a devastating breach through an SMS phishing attack.
What made this breach particularly galling was the opacity of Mixpanel’s announcement. The company’s vague statement left reporters with unanswered questions about:
- How many people were affected
- Whether hackers demanded a ransom
- Whether employee accounts used basic security practices like MFA
We only learned critical details because OpenAI—yes, that OpenAI—dropped Mixpanel as a provider and disclosed information about the breach that Mixpanel’s own announcement conveniently omitted. The breach affected historical data from companies including PornHub, whose paying subscriber records from a 2021 integration were exposed.
The worst part? The vast majority of people affected by this breach had no direct relationship with Mixpanel. They likely didn’t even know their devices were sending data to the company. This is the fundamental problem with the surveillance advertising ecosystem—you can’t protect data you don’t know exists.
🏆 The “We Still Told You So” Award: Discord’s Age Verification Disaster
Last year, we warned that age verification mandates would inevitably lead to more data breaches. Like clockwork, they did. As we detailed in our analysis of The Global Age Verification Disaster, these systems don’t protect anyone—they create surveillance infrastructure that inevitably gets breached.
In September 2025, Discord—the messaging platform with over 200 million monthly active users—saw much of its age verification data breached. The exposed data included:
- Users’ real names and selfies
- Government ID documents
- Email and physical addresses
- Phone numbers and IP addresses
- Customer support messages
- Limited billing information including payment types and partial credit card numbers
Technically, it wasn’t Discord itself that was hacked but their third-party customer support provider, Zendesk. But try explaining that distinction to the millions of users whose identity documents are now floating around criminal forums. For guidance on protecting your Discord account, see our Discord Privacy & Security Guide. This breach exemplifies the growing crisis of third-party security failures we’ve documented throughout the year.
🏆 The “Tea for Two” Award: Dating App Security Catastrophe
Speaking of age verification gone wrong, the Tea dating app—designed to help women share safety information about dates—had a catastrophic year. As we covered in depth on myprivacy.blog, the app that was supposed to protect women ended up exposing their most sensitive data. In July, researchers discovered an exposed Firebase database containing:
- 72,000 images including 13,000 photo IDs
- 59,000 selfies
- Private messages between users
Just one week later, a second breach exposed 1.1 million private messages spanning early 2023 to mid-2025. These messages included phone numbers, abortion planning discussions, and conversations about cheating partners.
But wait—there’s more. TeaOnHer, a completely different app with the same concept but for men, also suffered a breach in August. Researchers found user information accessible through a publicly available web address, including the admin credentials the app’s creator used.
As we’ve consistently reported on compliancehub.wiki, every company that collects identity verification data becomes a target. You can’t change your face after it’s been leaked.
🏆 The “Just Stop Using Tracking Tech” Award: Blue Shield of California
For the second consecutive year, this award goes to a healthcare company that leaked patient data through tracking tools on its website.
Blue Shield of California revealed in April that it had shared 4.7 million people’s health data with Google by misconfiguring Google Analytics. The data included names, insurance plan details, medical service providers, and patient financial responsibility information. Blue Shield shared this data with Google for nearly three years before realizing its mistake.
As we noted in our coverage of healthcare’s ongoing cybersecurity crisis, tracking tools remain alarmingly common on healthcare websites despite years of incidents like this one. These tools are marketed as harmless analytics but can expose sensitive data to advertisers and data brokers.
For guidance on protecting yourself from online tracking, check our privacy compliance guide.
🏆 The “Hacker’s Hall Pass” Award: PowerSchool
In December 2024, PowerSchool—the largest provider of student information systems in the U.S.—gave hackers access to one of the most sensitive datasets imaginable: the personal information of 60 million students and 10 million teachers.
As we detailed in our comprehensive coverage of the Matthew Lane case, hackers exploited PowerSchool’s weak security—specifically, stolen credentials to their internal customer support portal. The breach compromised:
- Social Security numbers
- Medical records and diagnoses
- Grades and academic performance
- Special education data
- Family details and emergency contacts
What made this breach particularly egregious was PowerSchool’s failure to implement basic security measures like multi-factor authentication. In Texas alone, over 880,000 individuals’ data was exposed, prompting the state’s attorney general to file a lawsuit accusing PowerSchool of misleading customers about security practices.
The kicker? The hacker was Matthew Lane, a 19-year-old college student from Massachusetts who pleaded guilty in October to hacking and extorting PowerSchool for $2.85 million in Bitcoin. He faces up to 17 years in prison. As we’ve documented in our analysis of teen hackers, not all hackers are sophisticated nation-state operatives—sometimes they’re just college kids with stolen credentials. For security professionals grappling with this reality, our colleagues at Security Careers Help have explored how to stay ahead of the next generation of threat actors.
🏆 The “Worst Customer Service Ever” Award: TransUnion
Credit reporting giant TransUnion had to notify 4.4 million people that a hack nabbed their personal information this year. The attack vector? A “third-party application serving our U.S. consumer support operations.”
The breach swept up customers’ names, dates of birth, and Social Security numbers. While TransUnion was quick to point out that attackers didn’t access credit reports or “core credit data,” this breach highlights a critical theme of 2025: third-party vendors have become the preferred attack vector for sophisticated threat actors.
Coming in through third parties is like using an unguarded side door rather than checking in at the front desk. Companies—particularly those keeping sensitive personal information—must lock down customer information at all entry points.
🏆 The Annual “Microsoft Screwed Up Again” Award: Microsoft SharePoint
In July 2025, the cybersecurity world witnessed what we called a watershed moment in our comprehensive analysis: Chinese state-sponsored attackers exploited critical, unpatched vulnerabilities in Microsoft SharePoint, compromising over 400 organizations globally.
The victims included the National Nuclear Security Administration (NNSA)—the federal agency responsible for maintaining and developing the U.S. stockpile of nuclear weapons.
Days after the vulnerability was first reported, thousands of vulnerable self-hosted SharePoint servers remained online. Zero-days happen to tech companies of all sizes, but when one company is the source of so many zero-days consistently for so many years, organizations must start questioning whether they should put all their data in baskets that company made.
🏆 The “I Didn’t Even Know You Had My Information” Award: Gravy Analytics
In January, hackers claimed they stole millions of people’s location history from Gravy Analytics—a company most people have never heard of but that had somehow collected location information from a billion phones a day.
The leaked data included timestamped location coordinates tied to advertising IDs, which researchers demonstrated could be used to:
- Identify military personnel
- Identify gay people in countries where homosexuality is illegal
- Track individual movements with disturbing precision
The leaked data referenced thousands of apps, including Microsoft applications, Candy Crush, Tinder, Grindr, MyFitnessPal, pregnancy trackers, and religious-focused apps. Many app developers said they had no relationship with Gravy Analytics, suggesting the data was harvested through the advertising ecosystem rather than collected directly from the apps.
As we’ve documented in our coverage of CalPrivacy’s enforcement actions, location data brokers like Gravy Analytics threaten privacy and security whether or not they get hacked. The surveillance advertising industry is fundamentally incompatible with user privacy.
🏆 The “Keeping Up With My Cybertruck” Award: TeslaMate
TeslaMate, a third-party tool for tracking Tesla vehicle data, became a cautionary tale when a security researcher found over 1,300 self-hosted TeslaMate dashboards exposed online, leaking:
- Vehicle locations in real-time
- Speed and charging habits
- Trip details and patterns
As TeslaMate describes itself: “that loyal friend who never forgets anything!” Unfortunately, their lack of proper security measures made that friend a little too chatty. This breach highlights the growing need for legislation protecting consumer location data—without stronger regulations, location details can easily be accessed by malicious actors.
🏆 The “Disorder in the Courts” Award: PACER
In August, hackers infiltrated the Case Management/Electronic Case Files (CM/ECF) system used by federal courts, which shares a database with PACER, the public court records system.
The most concerning aspect? The possibility that the attack exposed the names of confidential informants involved in federal cases. An IT official from the federal court system told the House Judiciary Committee that both systems are “unsustainable due to cyber risks, and require replacement.”
When the system meant to protect confidential informants becomes the vector for exposing them, we have a fundamental infrastructure problem.
🏆 The “Only Stalkers Allowed” Award: Stalkerware Industry
This was a particularly difficult award to decide because not one but multiple stalkerware companies suffered devastating breaches in 2025:
Catwatchful exposed data from 26,000 victims’ devices including photos, messages, and real-time location data—plus the credentials of customers who purchased the app to install on victims’ phones.
SpyX was breached, exposing nearly 2 million individuals’ information including 17,000 iCloud usernames and passwords in plaintext.
Cocospy and Spyic also suffered similar breaches.
These incidents prove once again that stalkerware companies cannot be trusted to secure the sensitive data they harvest from victims’ devices.
🏆 The “Why We’re Still Stuck on Unique Passwords” Award: Plex
Plex experienced a data breach that included customer emails, usernames, and hashed passwords. If this sounds familiar, it’s because a similar issue happened to Plex in 2022, affecting 15 million users.
This is why using unique passwords everywhere is critical. A password manager makes this much easier—and credential stuffing illustrates why two-factor authentication matters.
🏆 The “Uh, Yes, Actually, I Have Been Pwned” Award: Troy Hunt’s Mailing List
Troy Hunt, the creator of Have I Been Pwned and perhaps the person with more experience with data breaches than anyone else, proved that anyone can be pwned. As he detailed in a blog post:
“You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog.” If phishing can get the world’s foremost breach researcher, it can get anyone.
The Bigger Picture: 2025 by the Numbers
The individual breaches are devastating, but the aggregate statistics are staggering:
Ransomware Explosion
- Attacks rose 126% in Q1 2025 compared to the same period in 2024
- 4,441 organizations publicly listed as ransomware victims by October
- More than 51% paid the ransom, resulting in roughly 2,268 ransom payments
- The median ransom payment was $1 million per breach
Healthcare Under Siege
As we’ve documented extensively in our healthcare cybersecurity coverage:
- Conduent breach affected 10.5 million Americans
- Yale New Haven Health breach affected 5.6 million patients (resulting in $18 million settlement)
- Change Healthcare breach potentially affected 190 million individuals
- Healthcare breach costs averaged $10.93 million per incident
The Qilin Dominance
Qilin ransomware emerged as the most active ransomware operation in 2025:
- 72 data leak disclosures in April alone
- Over $50 million in ransom payments collected in 2024
- Expanded capabilities including spam campaigns, DDoS attacks, automated network propagation, and “in-house journalists”
The Third-Party Problem
As we analyzed in our August 2025 breach coverage, attackers increasingly target third-party platforms rather than attacking primary systems directly:
- ShinyHunters breached Google’s Salesforce database, exposing data for 2.5 billion Gmail users
- The same campaign hit Chanel, Pandora, Air France-KLM, and dozens more
- Volvo Group North America was breached through Swedish HR provider Miljödata
The Regulatory Response: Fines and Frameworks
The regulatory landscape in 2025 showed signs of life, as documented on ComplianceHub.wiki and in our analysis of key privacy developments to watch:
GDPR Enforcement Intensified
- Cumulative GDPR fines reached approximately €5.88 billion by January 2025
- TikTok fined €530 million for unlawful data transfers to China
- Breach notification timelines reduced from 72 to 48 hours for healthcare, energy, and telecoms
U.S. State Privacy Laws Expand
- Eight new comprehensive privacy laws took effect in 2025
- California’s CalPrivacy issued $331,600 in fines against eight data brokers
- New Data Broker Enforcement Strike Force announced
Class Action Litigation Explodes
- Over 1,488 data breach class actions filed in 2024, nearly tripling since 2022
- Courts increasingly accept “risk of future harm” as sufficient injury for standing
- Yale New Haven Health’s $18 million settlement sets precedent
Sectors Under Fire
Healthcare: Ground Zero
Healthcare remained the most targeted and most costly sector for breaches in 2025:
- SimonMed Imaging: 1.27 million patients exposed by Medusa ransomware
- Covenant Health: Qilin ransomware forces system-wide shutdown
- PIH Health Hospitals: 3 million patients affected
- Frederick Health: Nearly 1 million patients compromised
Education: Easy Targets
The education sector faced unprecedented attacks in 2025:
- PowerSchool breach affected 70 million records
- Ivy League institutions targeted (Harvard, Princeton, Penn, Columbia)
- New Haven schools hit with phishing campaign reaching 10,000+ students
- Ransomware incidents in education increased 23% year-over-year
Retail: Scattered Spider’s Hunting Ground
UK retail was devastated by coordinated Scattered Spider attacks:
- Marks & Spencer: Lost £700 million in market value
- Harrods: 430,000 customer records exposed
- Co-op: Significant supply chain disruption
- Adidas, Chanel, Pandora all compromised through third-party platforms
Financial Services: Banking on Insecurity
- Habib Bank AG Zurich: 2.5TB stolen by Qilin ransomware
- Western Alliance Bank: 22,000 customers affected via Cl0p/Cleo exploit
- Allianz Life: Majority of 1.4 million customers compromised
Government and Critical Infrastructure
- Georgia real estate industry paralyzed by Devman ransomware
- NNSA compromised in SharePoint attack
- Collins Aerospace ransomware causes Dublin Airport crisis
Threat Actor Landscape: Who’s Doing the Hacking?
Qilin (Agenda)
The dominant ransomware operation of 2025, Qilin evolved from a standard RaaS operation into a full-service criminal enterprise with:
- Automated ransom negotiation
- In-house “journalists” for pressure campaigns
- DDoS capabilities
- Data storage services for affiliates
Scattered Spider / ShinyHunters
The merger of Scattered Spider, ShinyHunters, and Lapsus$ created a cybercriminal supergroup responsible for:
- Qantas (5.7 million customers)
- Google Salesforce breach (2.5 billion affected)
- UK retail attacks (M&S, Harrods, Co-op)
- Claims of 39 companies and 1 billion+ records via Salesforce attacks
Medusa
Medusa’s healthcare focus made it one of the most dangerous ransomware operations:
- SimonMed Imaging: $1 million ransom demand
- HCRG Care Group (UK): $2 million demand
- Multiple imaging and diagnostic facilities targeted
Nation-State Actors
Chinese APT groups dominated state-sponsored attacks:
- SharePoint “ToolShell” campaign: 400+ organizations including NNSA
- Salt Typhoon: Five-year campaign with “full reign access” to U.S. telecommunications
- APT36 (Transparent Tribe): Pakistan-India cyber warfare escalation
(Dis)honorable Mentions
We couldn’t give awards to every breach, but these deserve recognition:
Major Corporate Breaches: Salesforce, F5, Oracle, WorkComposer, Stiizy, Coinbase, Hertz, Louis Vuitton, Google, Home Depot, Petco
Healthcare: Ohio Medical Alliance, Hello Cake, Lovense, Kettering Health, LexisNexis, DaVita
Tech and Platforms: WhatsApp, Nexar, McDonald’s, DoorDash, Workday, Aflac
Aviation: Qantas, Air France-KLM, Iberia, Collins Aerospace
Automotive: Jaguar Land Rover, Volvo, Stellantis, Tesla (via TeslaMate)
Protecting Yourself: Practical Steps
Data breaches are so common that it’s easy to feel helpless. But privacy isn’t dead, and there are concrete steps you can take:
Immediately
- Use unique passwords everywhere. A password manager generates and stores them for you. When one site is breached, it won’t cascade to others.
- Enable two-factor authentication on every account that offers it, prioritizing email, banking, and social media.
- Freeze your credit with all three major bureaus. This prevents new accounts from being opened in your name.
Ongoing
- Delete old accounts. You can’t have data stolen from accounts that don’t exist.
- Monitor for healthcare fraud. Watch for strange bills, letters from insurers for services you didn’t receive, and debt collection notices.
- Use privacy-focused tools. Browser extensions can block trackers, but the fundamental problem requires legislative solutions. For platform-specific guidance, see our Complete Guide to Social Media Privacy.
For Organizations
- Audit third-party vendors. The August 2025 attacks demonstrate that third-party risk is existential risk. For guidance on building comprehensive security programs, see the CISO’s Evolving Playbook.
- Implement Zero Trust Architecture. Assume breach and segment networks accordingly.
- Train against social engineering. The ShinyHunters Salesforce campaign used voice phishing—technical controls alone aren’t enough. For organizations building security teams, understanding insider threat risks and hiring the right CISO is critical.
What Needs to Change
The breach epidemic won’t end through individual action alone. We need:
Strong Federal Privacy Legislation
The U.S. needs comprehensive privacy protections with a private right of action. When companies suffer breaches, affected individuals should be able to sue—and receive more than $5.21 settlement checks.
Data Minimization Requirements
Companies that practice privacy-first approaches and only collect what they absolutely need would have far less data to lose. Instead, companies gobble up everything they can, store it indefinitely, and inevitably lose it to attackers.
End Surveillance Advertising
As the Gravy Analytics breach demonstrated, the advertising ecosystem has created a surveillance infrastructure that threatens everyone. Online behavioral advertising must end.
Third-Party Security Standards
When your data is stolen because a vendor’s vendor was breached, you deserve protection. Supply chain security must become a regulatory requirement.
Looking Ahead to 2026
As we close out 2025, the ransomware ecosystem has undergone a dramatic transformation. Attacks surged 34% year-over-year while ransom payments dropped to historic lows. Threat actors are evolving their business models, consolidating operations, and developing new techniques.
The 2026 regulatory landscape will bring new requirements including CIRCIA reporting rules, NYDFS cybersecurity amendments, and California’s Delete Request and Opt-out Platform (DROP) for data brokers.
But regulations alone won’t solve the problem. Until organizations internalize that data they don’t collect can’t be stolen, that third parties are extensions of their attack surface, and that users deserve privacy by default—not just by policy—the breaches will continue.
Another year will bring another crop of Breachies. The only question is whether we’ll learn from this one.
Stay informed about data breaches and privacy developments at breached.company and compliancehub.wiki.
Related Coverage
Healthcare Breaches:
- Conduent Ransomware Attack: 10.5 Million Americans Exposed
- Yale New Haven Health $18 Million Settlement
- SimonMed Imaging: Medusa Ransomware Strikes
Corporate and Retail:
- August 2025: Month of Unprecedented Attacks
- UK Retail Ransomware Crisis
- Gmail Security Crisis: 2.5 Billion Users at Risk
Ransomware Analysis:
- Ransomware Onslaught: October 2025
- Habib Bank AG Zurich: Qilin Attack
- Global Data Breach Cost Trends 2025
Privacy Guides and Resources:
- Tea App Data Breach: Women’s Safety App Exposes User IDs
- The Global Age Verification Disaster
- Complete Social Media Privacy Guide 2025
- Discord Privacy & Security Guide
- Facebook Security Essentials 2025
- TikTok Privacy Configuration Guide
- Reddit Privacy Guide 2025
Security Career Resources:
- The Modern CISO Role
- CISO’s Evolving Playbook
- Hiring Cybersecurity Professionals
- Competing with the Next Generation