Top 10 Cybersecurity Hacks of the Year 2025
If you manage data, systems, customers, or digital operations in any capacity, 2025 probably changed how you think about risk. Cyberattacks are no longer just technical problems that happen once in a while. They can now stop businesses, break trust, and disrupt infrastructure, hitting exchanges, manufacturers, and governments, and disrupting the services people rely on every day.
The cybersecurity hacks in 2025 were especially alarming as the attackers walked through trusted doors using identities, vendors, integrations, and operational platforms. These data breach incidents exposed patterns you need to understand if you want to protect sensitive data and stay operational in an increasingly hostile digital environment.
Why 2025 Was a Pivotal Year for Cybersecurity
The defining shift in the cybersecurity trends of 2025 was intent and precision. Threat actors moved away from brute-force attacks and leaned into AI-assisted social engineering, authentication abuse, and supply chain compromise. Critical infrastructure and manufacturing were hit alongside cloud platforms, proving that even “offline” operations aren’t safe anymore.
These AI-driven attacks, and the way everything is now interconnected, showed that a single vulnerability in one place can bring down entire ecosystems. Supply chain cyber risk has become one of the most urgent challenges organizations face right now, and 2025 proved it beyond doubt.
Hack #1: Bybit Crypto Heist: Billion-Dollar Loss
In February 2025, crypto exchange Bybit lost around 500,000 ETH, roughly $1.4 billion, in what became known as the Bybit hack of 2025.
This wasn’t a traditional breach of internal systems where hackers crack through firewalls. Instead, they found a logic flaw in the Safe{Wallet} multi-signature integration that let them bypass authentication checks entirely. In simple terms, they abused how “trust” was coded into the system, rather than directly breaking its cryptography.
Investigators later tied the attack to North Korea’s Lazarus Group, which has a long history of going after high-value digital assets. After this 2025 cybersecurity hack, exchanges were forced to rethink how they handle custody and third-party wallets, since even if you outsource infrastructure, you never outsource accountability.
Hack #2: Salesloft/Drift OAuth Token Theft
Between August 8 and August 18, 2025, attackers launched a sweeping OAuth token theft campaign by abusing the integration between Salesloft and its AI chat product, Drift. While Salesforce itself was not breached, attackers stole OAuth and refresh tokens from the compromised Drift application and used them to access Salesforce data across hundreds of organizations.
The threat actor behind the 2025 Salesforce data breach, tracked as UNC6395, systematically queried Salesforce objects, including Accounts, Contacts, Opportunities, Users, and Cases. They also extracted cloud secrets and authentication tokens, which they could use to move laterally into even more systems. Victims ranged from big tech firms and security service vendors to enterprise corporations.
Companies ended up revoking tokens at scale, shutting down integrations, and tightening permissions. As a sales engagement platform breach, it highlighted how OAuth token theft can bypass perimeter defenses entirely. You can have the strongest security around your corporate network, but if a third-party app gets compromised, attackers can walk right through it.
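The enumeration pattern described above (one integration reading many sensitive Salesforce objects in bulk within a short window) is the kind of thing a detection rule over API access logs can surface. The following is an added example, not code from the article or from Salesloft, Salesforce or Drift; the log lines are constructed, and the field layout, app name and thresholds are assumptions rather than Salesforce’s real event-log schema.

```python
"""Added example: flag a third-party OAuth integration that enumerates
many sensitive Salesforce objects in a short window. Log lines are
constructed for illustration; the field names and layout are assumed,
not Salesforce's actual EventLogFile format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Objects the article names as the ones the threat actor queried.
SENSITIVE_OBJECTS = {"Account", "Contact", "Opportunity", "User", "Case"}

# Constructed sample log: timestamp, connected app, user, operation, object, rows.
SAMPLE_LOG = """\
2025-08-09T02:14:05Z drift-integration int-user@example.com SOQL Account 500000
2025-08-09T02:15:11Z drift-integration int-user@example.com SOQL Contact 800000
2025-08-09T02:16:40Z drift-integration int-user@example.com SOQL Opportunity 120000
2025-08-09T02:17:02Z drift-integration int-user@example.com SOQL User 4000
2025-08-09T02:18:33Z drift-integration int-user@example.com SOQL Case 300000
2025-08-09T09:00:00Z sales-dashboard alice@example.com SOQL Opportunity 200
2025-08-09T09:05:00Z drift-integration int-user@example.com SOQL Lead 50
"""


def parse_log(text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        ts, app, user, op, obj, rows = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "app": app, "user": user, "op": op,
                       "obj": obj, "rows": int(rows)})
    return events


def find_bulk_enumeration(events, window=timedelta(minutes=30),
                          min_objects=3, min_rows=1000):
    """Return {app: sorted objects} for apps that read at least min_objects
    distinct sensitive objects, each returning at least min_rows rows,
    inside one sliding time window. Small, routine reads are ignored."""
    by_app = defaultdict(list)
    for e in events:
        if e["obj"] in SENSITIVE_OBJECTS and e["rows"] >= min_rows:
            by_app[e["app"]].append(e)
    flagged = {}
    for app, evs in by_app.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            objs = {e["obj"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(objs) >= min_objects:
                flagged[app] = sorted(objs)
                break
    return flagged
```

A hit on an integration’s service account is the cue to revoke that app’s OAuth and refresh tokens and review the scopes it was granted, which is the response the article describes.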
Hack #3: Oracle Cloud Breach 2025
In March, Oracle Cloud’s identity services became the focal point. A threat actor known as “rose87168” abused weaknesses in SSO and LDAP‑related validation to get at identity records and session tokens tied to enterprise customers. This identity security breach affected over 140,000 tenants relying on Oracle as a centralized authentication layer.
Oracle acknowledged issues in “legacy” identity components privately, but publicly maintained that its core “Oracle Cloud” infrastructure was untouched. Later analysis indicated the attackers had maintained access since January 2025, meaning they may have been inside for almost two months before being detected.
The Oracle Cloud Breach in 2025 drew attention to identity service infrastructure as a primary attack surface. As organizations centralize authentication across all their platforms for convenience and user experience, the trust placed in these systems makes them high-value targets. This Oracle identity security breach showed that when identity services are compromised, access controls across cloud resources, databases, and internal applications can unravel at once. This incident reinforced that identity federation and single sign-on systems must be evaluated with the same rigor as traditional network and data security controls.
Hack #4: Qantas Customer Data Exposed
In mid-2025, Qantas Airways confirmed a data breach involving approximately 6 million customer records.
The attackers didn’t target Qantas’s core systems directly. Instead, they accessed a third-party call center platform, one of those vendors that airlines contract to handle customer service. Once inside, they had access to personal data such as names, phone numbers, email addresses, home addresses, and birthdates. Financial credentials were not reported as compromised, but the scale made it one of Australia’s most significant cyber incidents of the year.
Although Qantas detected the activity quickly by flagging the intrusion on July 1, just a day after the June 30 compromise, the attackers had already secured a foothold. Security analysts linked the attack to social engineering tactics (vishing) targeting the vendor’s support staff, rather than a technical software flaw.
The story did not end with initial containment. In October 2025, after Qantas refused to pay a ransom, the stolen dataset was leaked on the dark web. This triggered a formal privacy complaint to the OAIC, filed by the law firm Maurice Blackburn, and brought fresh regulatory scrutiny.
The lesson here is that customer service vendors often hold expansive access to sensitive data. If companies outsource customer service without continuously assessing vendor security, they are essentially creating silent entry points for attackers.
Hack #5: Collins Aerospace Airport Disruption
On September 19, 2025, the Collins Aerospace cyberattack showed how a digital incident can instantly ripple into global travel chaos. Attackers disrupted vMUSE, the common-use passenger processing system that connects airlines to airport infrastructure. At major hubs, including London Heathrow, Brussels, Berlin Brandenburg, and Dublin, check-in, boarding, and baggage systems were thrown offline.
This caused flight delays, grounded operations, and widespread disruption, forcing airport operators to revert to manual procedures. Service continuity was the primary casualty, proving that as critical infrastructure becomes digital by necessity, defense must encompass both data protection and operational continuity planning.
As of now, no specific ransomware group has been identified as responsible for the Collins Aerospace cyberattack, and the technical origin of the breach is under investigation. The European Union Agency for Cybersecurity (ENISA) has not released details about any ransom demands or payments. Crucially, there is no solid evidence that passenger data was stolen, suggesting the attackers’ primary goal was operational paralysis rather than data theft.
Hack #6: St. Paul Cyberattack 2025
In July 2025, the City of St. Paul, Minnesota, was hit by a cyberattack that disrupted online payment platforms, internal networks, and public Wi-Fi at libraries and City Hall, impacting residents’ ability to access basic city services.
The St. Paul cyberattack of 2025 escalated quickly: the authorities declared a state of emergency and activated support from the Minnesota National Guard to assist in containment and recovery.
On August 10, 2025, city officials publicly confirmed that it was a ransomware attack, with the Interlock ransomware gang claiming responsibility for it. The attackers posted sample pictures of the data to prove they had stolen approximately 43GB of data from St. Paul’s private servers, including employee identification documents and internal files.
Mayor Carter stated that the city would not pay, but officials have not publicly verified the specific claims made by the Interlock gang or the exact scope of data theft. It highlighted how municipal services can be disrupted quickly and how difficult it is to balance transparency, negotiation, and public trust.
Hack #7: Fake Emergency Alerts Broadcast
In 2025, threat actors successfully hijacked the broadcast systems of multiple radio stations, including major broadcasters in Texas and Virginia, to send fake Emergency Alert System (EAS) tones followed by vulgar and illicit audio.
By using the familiar “Attention Signal,” they got listeners to focus, assuming something serious was happening. Technically, this broadcast cybersecurity breach relied on unsecured Studio-to-Transmitter Link (STL) devices (specifically Barix audio-over-IP units) that were left exposed to the internet with default passwords and minimal protection.
This incident forced the FCC to issue an urgent advisory warning broadcasters that legacy systems connected to the public information supply chain remain low‑barrier targets when left unprotected. This broadcast cybersecurity breach accelerated calls to place critical transmission gear behind firewalls and VPNs to prevent similar trust-diminishing attacks.
Hack #8: Asahi Group Ransomware Disrupts Operations
In September 2025, Japanese brewer Asahi Group Holdings was paralyzed by a high-profile ransomware attack. The manufacturing cyberattack, widely attributed to the Qilin ransomware gang, forced the company to halt production at six key breweries and suspend logistics systems across 30 factories, choking distribution lines and causing immediate inventory shortages of flagship products, including Asahi Super Dry beer and Nikka Whisky.
The breach demonstrated how ransomware has moved from server compromise to being a weapon against production and logistics pipelines. The Asahi Group ransomware attack also exposed the personal information of approximately 1.9 million employees and business partners. It showed how deeply manufacturing and logistics now depend on digital systems and how ransomware can disrupt both data and physical output at the same time.
Hack #9: Jaguar Land Rover Cyberattack
In September 2025, Jaguar Land Rover (JLR) shut down global IT systems following a major cyberattack and halted production across U.K. plants for weeks, as engineers and security teams worked to contain the breach and restore safe operations. With a global production rate of around 1,000 cars per day, the manufacturing disruption translated into a loss of almost $100 million.
Industry analysts described the Jaguar Land Rover cyberattack 2025 as one of the most damaging cyberattacks against British industry in 2025, with total direct costs later reported at almost $26 billion. Despite this, JLR released very little technical detail, declining to confirm whether the compromise began in corporate IT systems, supplier connections, or OT networks.
The attack froze JLR’s assembly lines and rippled outward to affect 5,000 suppliers, many of whom had to pause their own operations while the automaker recovered. The manufacturing cyber disruption underscored that modern production environments are deeply digital, and OT security needs to be treated with the same seriousness as traditional IT security, or the entire operation can grind to a halt.
Hack #10: TransUnion Cyberattack: Identity Data Exposed
The TransUnion cyberattack of 2025 gave attackers unauthorized access to a third-party customer support application containing sensitive consumer identity data, including names, Social Security numbers, and dates of birth. The attackers were not, however, able to access any credit information. Actors linked to the ShinyHunters group used credential abuse and OAuth token manipulation to reach records for over 4.4 million individuals before containment. The response involved revoking compromised third-party tokens, reporting the incident through regulatory channels (including the Maine Attorney General), and offering 24 months of enhanced monitoring to victims.
The incident sent shockwaves across sectors that depend on TransUnion’s identity verification and credit risk services. The bigger takeaway was that even data giants with strong reputations remain prime targets for credential abuse because they aggregate deeply personal financial histories and identity data at scale.
How to Strengthen Your Defense in 2026
If the cybersecurity hacks of 2025 taught us anything, it is that cybersecurity is a business survival discipline. Use strong multi-factor authentication, tighten identity and access controls, and audit your vendors, SaaS tools, and OAuth connections to reduce supply chain cyber risk.
You should also help your team recognize AI-driven attacks that bypass traditional defenses. These actions will shrink the blast radius, slow attackers down, and give you time to respond. When the next major cyberattack happens, what you do decides how well you stay operational.