Top 10 Data Breaches of 2025 


Key takeaways

  • Unsecured third-party Salesforce databases played a pivotal role in the majority of the recent data breaches in 2025
  • The largest breach of 2025 involved over 16 billion leaked credentials from Google, Apple, and Facebook
  • Healthcare was a highly targeted sector for data breaches in 2025
  • Data breaches lead to significant financial consequences. Yale New Haven Health recently agreed to an $18 million settlement
  • 570GB of data was leaked from over 28,000 repositories in the Red Hat GitLab breach

2025 was a very active year for data breaches. We found that compromises in third-party vendor Salesforce databases were catalysts for many of the breaches on the list. 

In several cases, threat actors exploited over-permissioned API keys, weak OAuth tokens, and exposed sandbox environments linked to Salesforce instances to carry out the attacks. Another Salesforce-linked breach involved the Salesloft Drift chatbot integration, which was compromised by threat actors known as UNC6395 (also tracked as GRUB1) in one of the largest interconnected SaaS supply chain attacks in recent times. 

The 10 breaches below spanned multiple sectors, including healthcare, software development, insurance, and aviation. Much of the stolen data ended up in dark web forums and cybercriminal-hosted Telegram channels, where the breaches were announced and the data dumps were offered for sale or given away.


The 16 Billion Passwords Leak

Date: June 2025

Impact: 16 billion user credentials and passwords 

Summary: Over 16 billion passwords and login credentials were leaked from Google, Apple, and Facebook platforms, in what was described as one of the largest credential-stuffing data dumps and breaches in history. The breach reportedly aggregated credentials from malware infostealers and multiple prior leaks, including reused passwords from third-party breaches, emphasizing the need to implement multi-factor authentication (MFA), enforce stronger password hygiene, and limit access privileges across platforms. 

SK Telecom Breach

Date: April 2025

Impact: 27 million users 

Summary: An unauthorized third party infiltrated SK Telecom’s internal network in April 2025 and deployed BPFDoor, a sophisticated remote access trojan (RAT) variant. The malware was discovered on 28 Linux-based servers, where it ran stealthily by using Berkeley Packet Filter (BPF) hooks to intercept and manipulate network traffic, affecting the data of over 27 million users. The attackers collected SIM management data, International Mobile Subscriber Identity (IMSI) numbers, and authentication keys.

The South Korean mobile giant was subsequently fined a record US$96.9 million for the incident. The attack was believed to have been linked to state-sponsored advanced persistent threat (APT) groups operating out of China or North Korea. 

Red Hat GitLab Breach 

Date: October 2025 

Impact: 570GB of data from over 28,000 repositories

Summary: In October 2025, a cyber threat group known as Crimson Collective claimed responsibility for exfiltrating approximately 570 GB of compressed data from over 28,000 internal repositories. The haul reportedly included 800 Customer Engagement Reports (CERs) containing VPN settings, infrastructure configuration data, API keys, authentication tokens, and credentials associated with large enterprise clients such as IBM, American Express, the NSA, Cisco, and the Department of Defense.

Qantas Data Breach 

Date: June 2025 

Impact: 5.7 million records 

Summary: Cybercriminals exfiltrated nearly 6 million customer records from the Australian airline Qantas in June 2025, after exploiting a third-party system integrated with Salesforce. The compromised dataset contained personally identifiable information (PII), including names, email addresses, phone numbers, and frequent-flyer account details. The breach was later confirmed after the ransom deadline passed without payment, with the Scattered Lapsus$ Hunters cybercrime group claiming responsibility for the attack. 

Allianz Life Breach

Date: July 2025 

Impact: 2.8 million records 

Summary: The breach occurred on July 16, 2025, when a malicious threat actor gained access to a third-party, cloud-based CRM system belonging to the insurance giant through social engineering. The attackers were able to exfiltrate sensitive PII at scale, including policy and contract numbers, customer email addresses, phone numbers, dates of birth, and Social Security numbers (SSNs). They leveraged legitimate administrative and export functions within Salesforce instances to carry out the exfiltration.

Allianz Life identified and contained the breach within 24 hours. The attack has been attributed to a joint operation by the Scattered Spider and ShinyHunters cybercrime groups.

TransUnion Data Breach

Date: July 2025

Impact: 4.4 million customer records 

Summary: The TransUnion breach occurred in July 2025 and exposed the sensitive data of more than 4.4 million customers after attackers gained unauthorized access to a targeted Salesforce database. Attackers reportedly exploited misconfigured API permissions within a third-party integration connected to Salesforce, enabling data exfiltration without triggering standard access controls. The compromised environment contained Social Security numbers and credit-related data. The ShinyHunters threat actor group was believed to be behind the attack. TransUnion serves over 100 million U.S. customers and more than 1 billion people globally.

Farmers Insurance Data Breach 

Date: August 2025

Impact: 1.1 million records 

Summary: The Farmers Insurance breach impacted over 1.1 million policyholders through a compromised third-party vendor integrated with the company’s Salesforce environment. Threat actors gained unauthorized access by exploiting the vendor’s misconfigured API credentials and overprivileged Salesforce integration, allowing them to query and exfiltrate large volumes of customer data.

To make matters worse, the insurance giant reportedly delayed public disclosure for nearly three months while conducting a forensic investigation and coordinating with federal authorities. The breach was attributed to the threat actor group UNC6040 (also tracked as UNC6240), known for orchestrating a series of social engineering and credential-harvesting campaigns targeting Salesforce customers.

Yale New Haven Health System Data Breach

Date: March 2025

Impact: 5.5 million records 

Summary: Yale New Haven Health (YNHHS) was the target of a massive data breach in March 2025 that affected over 5.5 million individuals and led to a class action lawsuit filed in April. The breach was traced to a vulnerability in a third-party file transfer service, which allowed threat actors to gain unauthorized access to protected health information (PHI) stored within the organization’s systems. The exposed patient data included medical record numbers, treatment information, Social Security numbers, and insurance details.

Yale New Haven Health recently agreed to an $18 million settlement over allegations that it failed to implement adequate cybersecurity controls to protect patient data.

Blue Shield of California Breach 

Date: April 2025 

Impact: 4.7 million records 

Summary: The Blue Shield of California breach was the result of a Google Analytics misconfiguration that inadvertently exposed the data of approximately 4.7 million customers. The leaked information included names, email addresses, partial policy numbers, and demographic details, which had been transmitted to third-party analytics endpoints due to improper tagging and unfiltered data capture within the GA4 tracking scripts.

Although there was no direct compromise of Blue Shield’s internal systems, the incident demonstrates how client-side misconfigurations and excessive data collection in web analytics platforms can create large-scale exposure. No threat actor was linked to the incident.

Marks & Spencer Ransomware Attack 

Date: April 2025 

Impact: £300 million in losses 

Summary: In April 2025, the British retail giant M&S was hit by a major ransomware incident that disrupted both digital and in-store operations. The initial compromise is believed to have occurred via social engineering targeting a third-party vendor and M&S help desk personnel, which allowed attackers to gain administrative access to critical systems.

Once inside the network, threat actors exfiltrated Active Directory data (including NTDS.dit files) and deployed the DragonForce ransomware across VMware ESXi hosts, encrypting servers and halting key business operations. M&S reported sales losses of approximately £40 million per week and refused to disclose whether any ransom was paid. Scattered Spider was linked to the ransomware attack. 

Lessons Learned from the Most Recent Data Breaches in 2025 

  • Small misconfigurations led to massive breaches
  • Grant least privilege access across all accounts, cloud environments, and third parties 
  • Revoke access and permissions from inactive users, particularly in Salesforce and GitHub, the primary attack vectors where threat actors leveraged stolen credentials
  • Paying a ransom never guarantees that stolen personal data is returned or deleted

Prevent Data Breaches with Guardz 

Prevent data breaches and ransomware attacks with the Guardz unified cybersecurity platform. Guardz protects against unauthorized access and cloud misconfigurations that could lead to a data breach. It detects third-party apps used by employees or clients and scans cloud accounts for excessive permissions and high-risk users, enabling you to revoke access when necessary.



Frequently Asked Questions

In 2025, over 16 billion credentials from major platforms, such as Google, Facebook, and Apple, were leaked in one of the largest data breaches ever recorded.

They are credential-based breaches, misconfiguration exposures, and targeted cyberattacks like ransomware or malware intrusions.

  • Prevent credential-based breaches with MFA, password hygiene, and leak monitoring
  • Continuously audit cloud and SaaS configurations to eliminate accidental data exposure
  • Deploy endpoint and network detection to stop malware and ransomware early
  • Limit access with least-privilege controls to reduce blast radius after compromise


They most commonly involve stolen credentials, phishing attacks, ransomware, and cloud or SaaS misconfigurations.

  • Enforce MFA and monitor for credential reuse to prevent account takeovers
  • Deploy email security and user training to reduce phishing success rates
  • Use endpoint detection and response (EDR) to stop ransomware early
  • Continuously scan cloud environments for misconfigurations and exposed data

They combine identity compromise, third-party access, and automation to escalate quickly and silently.

  • Correlate identity, endpoint, and cloud telemetry to detect multi-stage attacks
  • Implement a zero-trust architecture to validate every access request dynamically
  • Use behavioral analytics to detect abnormal admin actions or data exfiltration
  • Simulate attack paths (BAS tools) to identify real-world exposure gaps


Misconfigurations and legitimate tool abuse often bypass traditional security detection.

  • Monitor for “valid” but abnormal usage of admin tools and export functions
  • Track configuration drift in analytics tools, storage buckets, and SaaS apps
  • Detect excessive data transfers to external endpoints or unknown integrations
  • Apply data loss prevention (DLP) policies across cloud and collaboration tools
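Several of the Salesforce-linked breaches above (Allianz Life, TransUnion, Farmers Insurance) were carried out through legitimate query and export functions, so the detection opportunity is in the audit trail rather than in a blocked request. The following is an added example, not code from the original article or from Guardz: it runs a simple baseline-and-outlier check over constructed export-audit records (an illustrative CSV layout, not the real Salesforce event log schema), flagging exports far larger than the actor's own median and interactive exports at unusual hours.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export-audit records (illustrative format, not a real
# Salesforce event log): timestamp, actor, source, operation, rows_returned
SAMPLE_LOG = """\
2025-07-14T09:02:11Z,svc-marketing-sync,api,Query,1200
2025-07-14T09:32:40Z,svc-marketing-sync,api,Query,1350
2025-07-15T09:01:55Z,svc-marketing-sync,api,Query,1180
2025-07-16T02:13:07Z,svc-marketing-sync,api,Query,2800000
2025-07-13T11:10:00Z,jdoe,ui,ReportExport,250
2025-07-15T14:05:00Z,jdoe,ui,ReportExport,300
2025-07-16T02:20:19Z,jdoe,ui,ReportExport,48000
2025-07-16T10:00:00Z,asmith,ui,Login,0
"""

EXPORT_OPS = {"Query", "ReportExport", "BulkExport"}  # operations that move data out
WORK_HOURS = range(7, 20)  # UTC hours in which interactive (ui) exports are expected


def parse_log(text):
    """Parse CSV-style lines into dicts, keeping only data-export operations."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, source, op, rows = line.split(",")
        if op in EXPORT_OPS:
            events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                           "actor": actor, "source": source, "op": op, "rows": int(rows)})
    return events


def find_anomalies(events, factor=10, min_rows=10000):
    """Flag exports that dwarf the actor's own median volume, and interactive
    exports outside working hours. The median is robust to the very outlier
    we are trying to catch, so a single huge pull does not hide itself."""
    per_actor = defaultdict(list)
    for e in events:
        per_actor[e["actor"]].append(e["rows"])
    findings = []
    for e in events:
        reasons = []
        typical = median(per_actor[e["actor"]])
        if e["rows"] >= min_rows and e["rows"] > factor * typical:
            reasons.append(f"volume {e['rows']} vs actor median {typical:.0f}")
        if e["source"] == "ui" and e["ts"].hour not in WORK_HOURS:
            reasons.append(f"interactive export at {e['ts'].hour:02d}:00 UTC")
        if reasons:
            findings.append((e["ts"].isoformat(), e["actor"], e["op"], reasons))
    return findings


if __name__ == "__main__":
    for ts, actor, op, reasons in find_anomalies(parse_log(SAMPLE_LOG)):
        print(ts, actor, op, "; ".join(reasons))
```

In practice the per-actor baseline would be built from weeks of history rather than a handful of lines, and an integration user's permitted object scope would be checked alongside volume.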


It centralizes detection and response, enabling faster containment and reduced client downtime.

  • Correlate threats across endpoints, cloud, and identities in one platform
  • Automate response actions like access revocation and account lockdowns
  • Continuously scan external attack surfaces for exposed assets
  • Deliver tenant-wide visibility to prioritize high-risk incidents quickly

