If 2025 has taught us something, it’s that threat is not confined to the perimeters of your community. The normal safety perimeter has dissolved, with threat creeping into the very instruments we use to run our companies.
Organizations confronted off towards catastrophic configuration errors, the weaponization of third-party belief connections, Multi-Issue Authentication (MFA) failures, and attackers who clearly love the vacations.
With that in thoughts, we’re trying again on the ten most impactful safety occasions of 2025 to study from them for an much more safe 2026.
The highest 10 safety occasions of 2025Salesforce ecosystem assault wave (June – October 2025)
Earlier this yr, 1 billion information from organizations like Transunion, Qantas, Farmers, and Google have been compromised through a third-party OAuth app breach.
Attackers exploited the Salesloft Drift integration, stealing OAuth tokens to entry a number of Salesforce cases as a trusted software. Scattered LAPSUS$ Hunters claimed accountability.
Why it issues
The 2025 Salesforce ecosystem assault wave incident has highlighted how a mass provide chain failure enabled menace actors to bypass MFA controls and compromise SaaS-to-SaaS trusted connections.
Classes learnt
Organizations should prioritize Zero Belief for SaaS integrations, along with auditing and revoking all pointless third-party software OAuth tokens and permissions. Moreover, Safety and Operations Heart (SOC) groups ought to take away the power for traditional customers to put in new linked apps.
2. Claude code agent occasion
2025 witnessed a brand new kind of safety incident that used AI. A Claude agent (a software-driven program utilizing AI) carried out 80-90% of the assault autonomously, taking up terminals, inspecting methods, and writing exploit code that focused round 30 international entities.
Why it issues
This was the primary documented large-scale assault executed primarily by an autonomous AI Agent. The power of menace actors to jailbreak the mannequin and trick it into executing malicious duties dictates a brand new, accelerated pace of protection.
Classes learnt
Safety groups should put together for AI-orchestrated assaults, which function at an unprecedented pace and scale. The capabilities that enable AI to automate assaults should even be leveraged for cyber protection and detection.
3. Marks & Spencer retail ransomware
Attackers proceed to focus on high-impact durations, and this a lot was clear with the UK retail ransomware spree. This assault disrupted digital and in-store retail operations over the Easter weekend, leading to important monetary and reputational injury. The assault, claimed by the Scattered Spider ransomware gang, compelled retailers to close down their automated ordering and inventory methods and revert to handbook workarounds.
Why it issues
This was a transparent demonstration of vacation or seasonal RaaS focusing on. The aim was to cripple retail operations throughout peak durations. Attackers used a third-party provider, typically via social engineering, to get helpdesk credentials. They then focused corporations corresponding to H&M and Harrods.
Classes learnt
Vendor and provider downtime might be devastating: every week of disruption causes tens of millions in losses and provide chain turmoil. Intelligent social engineering drove this expensive exploit, highlighting growing human threat.
4. PowerSchool breach
This large breach compromised 62 million college students and workers throughout the U.S. Ok-12 training system, together with delicate PII (Personally Identifiable Info) and educational information. Attackers hit a centralized database, having access to an enormous quantity of knowledge associated to minors.
Why it issues
This occasion highlights the acute vulnerability of centralized training information (Ok-12). Attacking a single, extensively used vendor gives a “force multiplier” for hackers, turning one breach right into a important threat throughout a whole vertical sector. Faculties typically retain information for many years, which means that the breach impacted not solely present college students but in addition alumni.
Classes learnt
This breach highlights that safety fundamentals proceed to be the first line of defence. The attackers gained entry partly as a result of MFA was not enforced for a contractor account. This breach emphasizes the pressing want for information minimization insurance policies, which implies that organizations shouldn’t retain delicate info for many years whether it is not required for energetic operations.
5. Shai-Hulud self-replicating worm
Some of the notable assaults that occurred earlier this yr was the compromise of over 180 node package deal managers (npm) packages, which efficiently exfiltrated secrets and techniques (API keys, cloud credentials) from hundreds of developer environments (npm provide chain).
Why it issues
It was the primary main self-propagating worm to efficiently goal the open-source developer provide chain (npm). It used a novel technique of computerized inside pivoting utilizing stolen developer credentials.
Classes learnt
The assault was a safety storm focusing on identification, hitting human credentials, machine identities, and provide chain belief relationships. The compromise reiterates that SOC groups should implement MFA on all developer accounts and mandate vault credentials for secrets and techniques administration.
Take motion: Discover our strategic information on the Shai-Hulud Lesson for CISOs to discover ways to safeguard your group from related provide chain threats.
6. Blue Protect of California migration
The publicity of knowledge for 4.7 million Blue Protect of California clients resulted from an unintentional leak of PHI (Protected Well being Info) through a misconfigured Google Analytics account. The breach was attributable to an unintentional configuration error in a generally used internet software, demonstrating that human error might be simply as harmful as a complicated hack.
Why it issues
It is a prime instance of API and third-party script leakage. Particularly, the widespread use of monitoring pixels and analytics scripts has develop into a serious authorized legal responsibility below HIPAA (Well being Insurance coverage Portability and Accountability Act), as these scripts can inadvertently transmit delicate affected person info to third-party tech platforms.
Classes learnt
Organizations should audit and safe all third-party scripts and integrations on their public-facing web sites. A easy misconfiguration can lead to the large publicity of Protected Well being Info (PHI).
7. SK Telecom breach
Affected almost half of South Korea’s inhabitants (roughly 27 million customers), compromising USIM information (Common Subscriber Id Module, used for cell community authentication), together with subscriber telephone numbers and authentication keys.
Why it issues
The breach risked compromising the integrity of the nation’s cellular phone authentication methods, in actual fact, a important threat as a result of cell numbers in South Korea are sometimes tied to nationwide identification methods used for banking and authorities providers. This highlights a threat that prolonged far past simply PII (Personally Identifiable Info) theft.
Classes learnt
Cybersecurity have to be handled as a strategic enterprise threat, not only a “IT problem”. Fast detection and disclosure are important, as delayed reporting contributed to regulatory penalties and reputational hurt on this occasion.
8. Conduent linked breach
A Conduent publicity of as much as 10.5 million affected person information occurred due to an enormous focus of affected person information held by a central healthcare interchange, proving as soon as once more that healthcare stays a first-rate goal for attackers.
Why it issues
The incident highlights the failure of a third-party enterprise affiliate, highlighting the authorized dangers and monetary fallout related to excessive information focus. In contrast to software-based provide chain assaults, this was an assault on a important service companion.
Classes learnt
Organizations have to implement information minimization insurance policies to cut back threat publicity. SOC groups should additionally conduct common information stock and classification to determine the place extremely delicate PII/PHI resides.
9. Pink Hat Consulting GitLab breach
The exfiltration of 570 GB of Pink Hat information from 28,000 inside GitLab repositories, together with delicate consumer infrastructure and authentication tokens.
Why it issues
It was a direct assault on the DevOps/GitOps provide chain. By stealing consumer code and infrastructure particulars from a serious vendor, menace actors created an enormous secondary provide chain threat. Consulting corporations are inclined to act as credential aggregation factors, and the theft of hardcoded credentials (API keys and tokens) gives attackers with a roadmap to the sufferer’s cloud environments.
Classes learnt
Consulting environments have to be remoted from important manufacturing networks to forestall information breaches. Organizations ought to implement steady scanning throughout all code repositories and use short-lived, least-privilege credentials for consulting initiatives.
10. Bouygues Telecom ransomware
A compromise affecting 6.4 million clients, exposing information together with names, bodily addresses, telephone numbers, and IBANs (Worldwide Financial institution Account Numbers used for cross-border funds).
Why it issues
This illustrates the persistent and profitable focusing on of main nationwide telecommunications corporations by RaaS (Ransomware-as-a-Service) teams, the place criminals lease malware to others. The entry vector exploited social engineering to achieve preliminary entry to Id and Entry Administration (IAM).
Classes learnt2026: Flip insights into motion
To fortify safety postures in 2026, organizations should:
Make stock as the brand new frontline: Groups have to do extra than simply the fundamental upkeep. With fixed information classification so you recognize precisely the place your most delicate PII and PHI reside.Change into operationally resilient: Transition from the idea “It won’t happen to us” to a mannequin of excessive visibility, in order that when an incident happens, the impression is instantly contained and restoration is quick.Scrutinize trusted connections: Scrutinize the third-party authentication apps and SaaS-to-SaaS connections that tie platforms collectively to forestall mass provide chain failures.Reinforce the human perimeter: Safe the identification layer by implementing MFA on all developer accounts and deploying rigorous social engineering defenses to guard preliminary entry to IAM methods.
One factor is for sure, organizations should shift from “swivel-chair” safety strategies and reactive patching to proactive threat evaluation and remediation. Cybersecurity gives the real-time visibility and provide chain oversight required to show these insights into motion.
