The biggest cybersecurity and cyberattack stories of 2025

2025 was a big year for cybersecurity, with major cyberattacks, data breaches, threat groups reaching new notoriety levels, and, of course, zero-day vulnerabilities exploited in incidents.

Some stories, though, were more impactful or popular with our readers than others.

Below are fifteen of what are the most impactful cybersecurity topics of 2025, with a summary of each. These stories are in no particular order.

The ShinyHunters extortion gang is extorting PornHub after stealing the company’s Premium member activity data from third-party analytics provider Mixpanel.

The attackers claim to have stolen roughly 94 GB of data containing over 200 million records of subscribers’ viewing, search, and download activity. They are threatening to release it unless an extortion demand is paid

While the breach does not involve financial credentials, the potential public release of detailed adult-content activity could have significant personal and reputational ramifications for affected users.

Similar disclosures in past incidents involving sensitive relationship data, such as the Ashley Madison breach, were linked to real-world harm.

In 2025, ClickFix attacks became widely adopted by numerous threat actors, including state-sponsored hacking groups and ransomware gangs. What started as a Windows malware campaign, quickly expanded to macOS and Linux, with attacks that installed infostealers, RATs, and other malware.

ClickFix social engineering attacks are webpages designed to display an error or issue and then offer “fixes” to resolve it. These errors could be fake error messages, security warnings, CAPTCHA challenges, or update notices that instruct visitors to run PowerShell or shell commands to resolve the issue.

Victims end up infecting their own machines by running malicious PowerShell or shell commands provided in the attacker’s instructions.

ClickFix campaigns use a wide range of lures, including fake Windows Update screens, fake software activation videos on TikTok, and fake CAPTCHA challenges with video instructions that instruct victims to copy and paste commands that download and execute malware.

ClickFix attacks continued to evolve throughout the year, with researchers and threat actors creating new variants of the social engineering attack.

This month, ClickFix attacks were further commercialized with a new paid-for ‘ErrTraffic’ platform that automates the delivery of ClickFix-powered malware attacks.

In one of the largest cryptocurrency thefts ever recorded, attackers stole approximately $1.5 billion in Ethereum from ByBit’s cold wallet in February.

An investigation linked the theft to North Korea’s Lazarus hacking group, and the FBI later confirmed the group was responsible for the attack. Researchers determined that the breach was conducted via a compromised developer machine belonging to a Safe{Wallet} developer, which was used in Bybit’s wallet operations.

Attackers used their access to the developer device to manipulate transaction approvals, which allowed them to drain the cold wallet.

In addition to Bybit, other crypto thefts targeting exchanges and wallets included an $85 million theft from Phemex, a $223 million heist from Cetus Protocol, a $27 million breach at BigONE, and a $7 million attack impacting thousands of Trust Wallet users.

In another high-profile incident, pro-Israel hackers breached Iran’s Nobitex exchange and burned roughly $90 million in cryptocurrency.

Cybercriminals are increasingly targeting developers by abusing open-source package and extension repositories, turning them into malware distribution sites.

On npm, attackers repeatedly showed how the platform could be abused to promote malicious packages.

The IndonesianFoods campaign flooded npm with hundreds of thousands of spam and malicious packages. More targeted supply-chain attacks hijacked legitimate packages with millions of weekly downloads.

Prompt injection attacks trick AI systems into treating untrusted content as instructions, causing models to leak sensitive data, generate malicious output, or perform unintended actions without exploiting flaws in the code itself.

Several high-profile incidents demonstrated these new attacks:

• Researchers uncovered zero-click data leakage in Microsoft 365 Copilot, where specially crafted emails with hidden prompt injection exposed sensitive information without user interaction.
• Google Gemini was found to be vulnerable to prompt injection via email summaries and calendar invites, enabling phishing and data exfiltration.
• AI coding assistants and IDE tools were manipulated through injected prompts to execute or suggest harmful code.
• A “CometJacking” attack abused prompt injection in Perplexity’s Comet AI browser to trick the system into accessing sensitive data from linked services such as email and calendars.

Other prompt injection attacks used hidden instructions embedded in downscaled images that humans can’t see but AI systems could.

In 2025, threat actors focused heavily on social engineering campaigns to target business process outsourcing (BPO) providers and IT help desks to breach corporate networks.

Rather than relying on software bugs or malware, attackers tricked help desks into bypassing security controls and granting employees access to their accounts.

Hackers associated with Scattered Spider reportedly posed as an employee and fooled a Cognizant help desk into granting them access to the account. This social engineering attack became the focus of a $380 million lawsuit against Cognizant.

Google reported that Scattered Spider targeted U.S. insurance companies by abusing outsourced support desks to obtain access to internal systems.

Retail companies also acknowledged that social engineering attacks against help desks directly enabled major ransomware and data theft breaches.

Marks & Spencer (M&S) confirmed that attackers used social engineering to breach its networks and conduct a ransomware attack. Co-op also disclosed data theft following a ransomware incident that abused support personnel.

In response to the attacks on M&S and Co-op retail companies, the U.K. government issued guidance on social engineering attacks against help desks and BPOs.

Coinbase disclosed a data breach affecting 69,461 customers, which later led to the arrest of a former Coinbase support agent who allegedly helped hackers access their systems.

CrowdStrike disclosed that it detected an insider feeding information to hackers, including screenshots of internal systems. The insider was reportedly paid $25,000 by a group calling itself the “Scattered Lapsus$ Hunters,” a name referring to overlapping threat actors associated with Scattered Spider, Lapsus$, and ShinyHunters.

Told the activity was detected before the insider could provide access to CrowdStrike’s network.

Insider activity also impacted financial organizations, with FinWise Bank disclosing an insider-related breach affecting roughly 689,000 American First Finance customers. In another incident, a bank employee reportedly sold their credentials for just $920, which were later used in a $140 million bank heist at Brazil’s Central Bank.

4. Massive IT Outages

In 2025, a series of massive IT outages disrupted services and platforms worldwide, demonstrating how dependent global commerce has become on cloud infrastructure.

In 2025, Salesforce became a frequent target of large-scale data theft and extortion campaigns, as threat actors increasingly targeted the platform and its growing third-party services.

While Salesforce itself was not breached, attackers repeatedly gained access to customer data through compromised accounts, OAuth tokens, and third-party services, resulting in a steady stream of high-profile breaches.

These attacks were mainly linked to the ShinyHunters extortion group and impacted companies across a wide variety of industries, including technology, aviation, cybersecurity, insurance, retail, and luxury goods.

Companies impacted by the Salesforce data theft attacks include Google, Cisco, Chanel, Pandora, Allianz Life, Farmers Insurance, Workday, and others.

The ShinyHunters extortion gang eventually set up a data-leak site to extort companies affected by these attacks.

While none of these incidents were caused by cybersecurity breaches, their impact was so significant that they warrant a mention in this year’s top stories.

Some of the most significant outages of 2025 were:

• A global Heroku outage knocked hundreds of web applications offline, affecting both sites and internal tools.
• A Microsoft DNS outage disrupted Microsoft 365, Azure services, and applications for many organizations.
• Google attributed one of the largest cloud platform disruptions of the year to an API management problem, which caused wide-ranging failures across services that rely on its cloud infrastructure.
• An AWS outage took down Amazon Prime Video, Fortnite, Perplexity, and many other services that depend on Amazon’s cloud.
• Cloudflare experienced multiple incidents, including one traced to an emergency patch rollout for the actively exploited React2Shell flaw, which temporarily disrupted its global network services.

3. The Salesforce Data-theft Attacks

In 2025, Salesforce became a frequent target of large-scale data theft and extortion campaigns, as threat actors increasingly targeted the platform and its growing third-party services.

While Salesforce itself was not breached, attackers repeatedly gained access to customer data through compromised accounts, OAuth tokens, and third-party services, resulting in a steady stream of high-profile breaches.

These attacks were mainly linked to the ShinyHunters extortion group and impacted companies across a wide variety of industries, including technology, aviation, cybersecurity, insurance, retail, and luxury goods.

Companies impacted by the Salesforce data theft attacks include Google, Cisco, Chanel, Pandora, Allianz Life, Farmers Insurance, Workday, and others.

The ShinyHunters extortion gang eventually set up a data-leak site to extort companies affected by these attacks.

A significant component of these attacks involved breaching third-party SaaS platforms that interface directly with Salesforce.

Attackers breached services such as Salesloft Drift, stealing OAuth tokens and credentials that granted access to connected Salesforce instances.

These supply-chain attacks impacted many different companies, including Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many more.

Salesforce also investigated customer data theft linked to a Gainsight breach, which used OAuth tokens stolen in the Salesloft Drift attacks.

2. Zero-days Attacks

In 2025, zero-day vulnerabilities remained a widely used method to gain access to corporate networks for data theft, cyber espionage, and ransomware attacks.

Network edge devices and internet-exposed services were primary targets for exploitation because they sit between the internet and an internal network.

Zero-day flaws in Cisco (ASA firewalls, IOS, AsyncOS, ISE), Fortinet (FortiWeb, FortiVoice), Citrix NetScaler, Ivanti Connect Secure, SonicWall, FreePBX, and CrushFTP were actively exploited in the wild.

Microsoft SharePoint was one of the year’s biggest zero-day targets, with the ToolShell flaw linked to Chinese threat actors, and later, ransomware gangs. These flaws were used to deploy web shells, steal sensitive data, and maintain persistence inside corporate networks.

Windows vulnerabilities were also repeatedly abused, including flaws in shortcut handling and logging services.

Consumer and enterprise software also played a role, with 7-Zip and WinRAR zero-day flaws exploited in phishing campaigns to bypass security protections and install malware.

Several incidents involved commercial spyware and law enforcement using undisclosed flaws to unlock mobile devices.

1. AI-Powered Attacks

AI became a helpful tool for attackers this year, as they relied on large language models (LLMs) during intrusions, and to write and deploy malware.

Security researchers and vendors reported a growing number of attacks that used AI for faster exploitation, adaptive malware, and higher volumes of attacks.

Google warned of new AI-powered malware families observed in the wild, some of which dynamically adapt their behavior to the victim environment.

The S1ngularity attack, which impacted thousands of GitHub accounts, highlighted how AI tools could be abused to automate reconnaissance and credential theft.

Proof-of-concept malware, such as PromptLock ransomware, used AI LLMs to aid in encryption, data theft, and attacks.

In addition to malware, AI is now being used to speed up exploitation attempts. Tools like HexStrike are used to analyze and exploit known vulnerabilities rapidly, reducing the time and skill required to exploit N-day flaws.

Threat actors also released LLMs, such as WormGPT 4 and KawaiiGPT, which allow cybercriminals to create AI-powered malware without the restrictions or safeguards.

By the end of the year, AI was no longer experimental for attackers and had become another tool for speeding up development, automating attacks, and lowering the barrier to conducting them.

NOTE:: This article is copyright by bleepingcomputer and we are using it for educational or Information purpose only

Best Cyber Security Products & Solutions