If 2025 has taught us something, it’s that danger is not confined to the perimeters of your community. The normal safety perimeter has dissolved, with danger creeping into the very instruments we use to run our companies.
Organizations confronted off towards catastrophic configuration errors, the weaponization of third-party belief connections, Multi-Issue Authentication (MFA) failures, and attackers who clearly love the vacations.
With that in thoughts, we’re wanting again on the ten most impactful safety occasions of 2025 to be taught from them for an much more safe 2026.
The highest 10 safety occasions of 2025Salesforce ecosystem assault wave (June – October 2025)
Earlier this yr, 1 billion data from organizations comparable to TransUnion, Qantas, Farmers, and Google have been compromised by means of a breach of a third-party OAuth app.
Attackers exploited the Salesloft Drift integration, stealing OAuth tokens to entry a number of Salesforce cases as a trusted utility. Scattered LAPSUS$ Hunters claimed accountability.
Why it issues
The 2025 Salesforce ecosystem assault wave incident has highlighted how a mass provide chain failure enabled risk actors to bypass MFA controls and compromise SaaS-to-SaaS trusted connections.
Classes learnt
Organizations should prioritize Zero Belief for SaaS integrations, along with auditing and revoking all pointless third-party utility OAuth tokens and permissions. Moreover, Safety and Operations Heart (SOC) groups ought to take away the power for normal customers to put in new related apps.
2. Claude code agent occasion
2025 witnessed a brand new sort of safety incident that used AI. A Claude agent (a software-driven program utilizing AI) carried out 80-90% of the assault autonomously, taking up terminals, inspecting programs, and writing exploit code that focused round 30 world entities.
Why it issues
This was the primary documented large-scale assault executed primarily by an autonomous AI Agent. The flexibility of risk actors to jailbreak the mannequin and trick it into executing malicious duties dictates a brand new, accelerated pace of protection.
Classes learnt
Safety groups should put together for AI-orchestrated assaults, which function at an unprecedented pace and scale. The capabilities that permit AI to automate assaults should even be leveraged for cyber protection and detection.
3. Marks & Spencer retail ransomware
Attackers proceed to focus on high-impact durations, and this a lot was clear with the UK retail ransomware spree. This assault disrupted digital and in-store retail operations over the Easter weekend, leading to important monetary and reputational injury. The assault, claimed by the Scattered Spider ransomware gang, pressured retailers to close down their automated ordering and inventory programs and revert to guide workarounds.
Why it issues
This was a transparent demonstration of vacation or seasonal RaaS focusing on. The objective was to cripple retail operations throughout peak durations. Attackers used a third-party provider, typically by means of social engineering, to get helpdesk credentials. They then focused corporations comparable to H&M and Harrods.
Classes learnt
Vendor and provider downtime may be devastating: every week of disruption causes tens of millions in losses and provide chain turmoil. Intelligent social engineering drove this expensive exploit, highlighting rising human danger.
4. PowerSchool breach
This huge breach compromised 62 million college students and employees throughout the U.S. Okay-12 training system, together with delicate PII (Personally Identifiable Info) and educational data. Attackers hit a centralized database, having access to an enormous quantity of knowledge associated to minors.
Why it issues
This occasion highlights the intense vulnerability of centralized training information (Okay-12). Attacking a single, broadly used vendor offers a “force multiplier” for hackers, turning one breach right into a important danger throughout a whole vertical sector. Faculties typically retain information for many years, that means that the breach impacted not solely present college students but in addition alumni.
Classes learnt
This breach highlights that safety fundamentals proceed to be the first line of defence. The attackers gained entry partly as a result of MFA was not enforced for a contractor account. This breach emphasizes the pressing want for information minimization insurance policies, which signifies that organizations mustn’t retain delicate data for many years whether it is not required for lively operations.
5. Shai-Hulud self-replicating worm
Probably the most notable assaults that occurred earlier this yr was the compromise of over 180 node package deal managers (npm) packages, which efficiently exfiltrated secrets and techniques (API keys, cloud credentials) from 1000’s of developer environments (npm provide chain).
Why it issues
It was the primary main self-propagating worm to efficiently goal the open-source developer provide chain (npm). It used a novel methodology of automated inside pivoting utilizing stolen developer credentials.
Classes learnt
The assault was a safety storm focusing on id, hitting human credentials, machine identities, and provide chain belief relationships. The compromise reiterates that SOC groups should implement MFA on all developer accounts and mandate vault credentials for secrets and techniques administration.
Take motion: Discover our strategic information on the Shai-Hulud Lesson for CISOs to learn to safeguard your group from related provide chain threats.
6. Blue Protect of California migration
The publicity of knowledge for 4.7 million Blue Protect of California prospects resulted from an unintentional leak of Protected Well being Info (PHI) by way of a misconfigured Google Analytics account. The breach was attributable to an unintentional configuration error in a generally used internet instrument, demonstrating that human error may be simply as harmful as a complicated hack.
Why it issues
It is a prime instance of API and third-party script leakage. Particularly, the widespread use of monitoring pixels and analytics scripts has turn into a significant authorized legal responsibility beneath HIPAA (Well being Insurance coverage Portability and Accountability Act), as these scripts can inadvertently transmit delicate affected person data to third-party tech platforms.
Classes learnt
Organizations should audit and safe all third-party scripts and integrations on their public-facing web sites. A easy misconfiguration may end up in the huge publicity of Protected Well being Info (PHI).
7. SK Telecom breach
Affected practically half of South Korea’s inhabitants (roughly 27 million customers), compromising USIM information (Common Subscriber Identification Module, used for cell community authentication), together with subscriber telephone numbers and authentication keys.
Why it issues
The breach risked compromising the integrity of the nation’s cellphone authentication programs, in reality, a important danger as a result of cell numbers in South Korea are sometimes tied to nationwide id programs used for banking and authorities providers. This highlights a danger that prolonged far past simply PII (Personally Identifiable Info) theft.
Classes learnt
Cybersecurity should be handled as a strategic enterprise danger, not simply an “IT problem”. Fast detection and disclosure are important, as delayed reporting contributed to regulatory penalties and reputational hurt on this occasion.
8. Conduent linked breach
A Conduent publicity of as much as 10.5 million affected person data occurred due to an enormous focus of affected person information held by a central healthcare interchange, proving as soon as once more that healthcare stays a primary goal for attackers.
Why it issues
The incident highlights the failure of a third-party enterprise affiliate, highlighting the authorized dangers and monetary fallout related to excessive information focus. Not like software-based provide chain assaults, this was an assault on a important service associate.
Classes learnt
Organizations must implement information minimization insurance policies to cut back danger publicity. SOC groups should additionally conduct common information stock and classification to establish the place extremely delicate PII/PHI resides.
9. Crimson Hat Consulting GitLab breach
The exfiltration of 570 GB of Crimson Hat information from 28,000 inside GitLab repositories, together with delicate shopper infrastructure and authentication tokens.
Why it issues
It was a direct assault on the DevOps/GitOps provide chain. By stealing shopper code and infrastructure particulars from a significant vendor, risk actors created an enormous secondary provide chain danger. Consulting companies are likely to act as credential aggregation factors, and the theft of hardcoded credentials (API keys and tokens) offers attackers with a roadmap to the sufferer’s cloud environments.
Classes learnt
Consulting environments should be remoted from important manufacturing networks to forestall information breaches. Organizations ought to implement steady scanning throughout all code repositories and use short-lived, least-privilege credentials for consulting tasks.
10. Bouygues Telecom ransomware
A compromise affecting 6.4 million prospects, exposing information together with names, bodily addresses, telephone numbers, and IBANs (Worldwide Financial institution Account Numbers used for cross-border funds).
Why it issues
This illustrates the persistent and profitable focusing on of main nationwide telecommunications corporations by RaaS (Ransomware-as-a-Service) teams, the place criminals lease malware to others. The entry vector exploited social engineering to achieve preliminary entry to Identification and Entry Administration (IAM).
Classes learnt2026: Flip insights into motion
To fortify safety postures in 2026, organizations should:
Make stock the brand new frontline: Groups must do extra than simply the fundamental upkeep. With fixed information classification, you realize precisely the place your most delicate PII and PHI reside.Turn out to be operationally resilient: Transition from the belief “It won’t happen to us” to a mannequin of excessive visibility, in order that when an incident happens, the influence is straight away contained and restoration is quick.Scrutinize trusted connections: Evaluate third-party authentication apps and SaaS-to-SaaS connections that hyperlink platforms to forestall mass provide chain failures.Reinforce the human perimeter: Safe the id layer by imposing MFA on all developer accounts and deploying rigorous social engineering defenses to guard preliminary entry to IAM programs.
One factor is for sure, organizations should shift from “swivel-chair” safety strategies and reactive patching to proactive danger evaluation and remediation. Cybersecurity offers the real-time visibility and provide chain oversight required to show these insights into motion.
