
Have We Learned the Right Lessons from 2025’s Biggest Cyber Attacks?

By Akash Desai, Director of Consulting

As the first quarter wraps up and organizations turn their focus toward Q2, it’s worth asking whether the past year actually changed how we defend ourselves. In many ways, 2025 was unsurprising: yet another year full of intrusions and data breaches. But parts of it caught security teams off guard, as attackers bypassed traditional controls and shifted toward quieter, more devious methods. Once again in 2025, we were reminded of the exhausting fact that in this ongoing game of cat and mouse, we increasingly look like the mouse, and not the clever, uncatchable Jerry.

This review looks back at the biggest cyberattacks of 2025, not simply to revisit last year’s headlines, but to examine what they revealed about how attacks are really unfolding. By breaking down what happened and the lessons learned, we can better judge whether we’ve adapted and what still needs to change as we move through the rest of the year and beyond.


A Mega Leak

Attack Overview

In June 2025, researchers reported a compilation of roughly 16 billion login credentials, described at the time as the largest exposure of its kind. It was not a breach of any single organization’s database: the records covered accounts on many online services, including those of technology giants such as Apple, Facebook, and Google, as well as government portals.

The data sat in 30 separate, searchable datasets that had been left on publicly accessible cloud servers for an unknown period before researchers discovered them. The underlying records had been harvested from infected devices over several years before the collections came to researchers’ attention. The datasets also overlapped with one another, so the 16 billion figure counts records rather than unique victims.

Hacker Techniques

The collection was assembled from many smaller thefts rather than one break-in, most of them carried out by “infostealers”. An infostealer is malware that harvests saved logins from browsers and applications on an infected device. In other words, the data was stolen from users’ machines, not from the technology companies themselves.

A particularly concerning aspect of this leak is that it also contained session cookies and authentication tokens, which grant access to an application without a fresh login. A replayed session cookie therefore bypasses multi-factor authentication: the victim already completed MFA when the session was created, so presenting the stolen cookie triggers no MFA prompt and no alert. The attacker uses the application silently under the victim’s identity until the session expires or is revoked.

Lessons for 2026

The incident highlighted the reality that relying on passwords alone is not safe, even when multi-factor authentication is layered on top. Storing passwords in browsers is especially risky because infostealers target exactly those saved credentials. And if passwords are reused, the danger multiplies: one compromised credential opens multiple accounts.

Passwords have become one of the weakest links in cybersecurity and identity protection. Organizations need to adopt phishing-resistant mechanisms such as passkeys, certificate-based authentication, and hardware tokens, which materially reduce the risk of credential-based attacks.

For sensitive applications and systems, tokens should be short-lived, and renewing them should require re-authentication. Session tokens can also be bound to a specific device, so that a token copied to another machine is useless. The binding only holds if the device key itself cannot be exported by the same malware that took the token, which is why it belongs in hardware-backed storage.

We are also reaching the point where identity needs its own detection layer, such as Identity Threat Detection and Response (ITDR). Rather than replacing endpoint detection, ITDR complements it by watching identity signals (sign-in locations, devices, token use, privilege changes), building a baseline of normal behavior for each user, often with machine learning, and acting when activity deviates from that baseline. Organizations should pair it with automation that revokes sessions and tokens the moment suspicious activity is detected on an account. This closes the window in which stolen tokens can be used.
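The two controls above, short-lived device-bound tokens and automated revocation, are easier to reason about in code. The following is an added example written for this page, not code from the original article or from any vendor. It assumes a hypothetical service whose server signs tokens with an HMAC key, keeps a server-side device registry, and requires each request to carry a proof of possession computed with a secret held on the device. Real deployments bind to a public key and verify a signature (DPoP or Token Binding); the HMAC device secret here is a standard-library stand-in for that, and the keys, user name, and device names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side signing key. In production this comes from a secret
# store or HSM; it is generated here only so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)

# Server-side device registry: device id -> secret the device holds in
# hardware-backed storage. Real deployments store the device's public key and
# verify a signature (DPoP / Token Binding); HMAC is a stdlib-only stand-in.
DEVICE_REGISTRY = {}

# Token ids revoked by an ITDR/SOC automation hook.
REVOKED_TOKEN_IDS = set()


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def register_device(device_id, device_secret):
    DEVICE_REGISTRY[device_id] = device_secret


def issue_token(user, device_id, ttl_seconds=900, now=None):
    """Mint a short-lived session token bound to one registered device."""
    now = time.time() if now is None else now
    payload = {
        "jti": secrets.token_hex(8),    # unique id so this token can be revoked
        "sub": user,
        "dev": device_id,               # binding: only this device may present it
        "exp": int(now) + ttl_seconds,  # short lifetime limits the replay window
    }
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def make_proof(device_secret, token, nonce):
    """Proof of possession computed on the device for each request."""
    return hmac.new(device_secret, nonce.encode() + token.encode(), hashlib.sha256).hexdigest()


def verify_request(token, proof, nonce, now=None):
    """Return (ok, reason); reason is the subject on success."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected_sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64d(sig)):
        return False, "bad signature"
    payload = json.loads(_b64d(body))
    if payload["jti"] in REVOKED_TOKEN_IDS:
        return False, "revoked"
    if now >= payload["exp"]:
        return False, "expired"
    device_secret = DEVICE_REGISTRY.get(payload["dev"])
    if device_secret is None:
        return False, "unknown device"
    if not hmac.compare_digest(make_proof(device_secret, token, nonce), proof):
        return False, "device mismatch"  # stolen cookie presented from another machine
    return True, payload["sub"]


def revoke_token(token):
    """Hook for ITDR automation: kill the session as soon as the account looks compromised."""
    body = token.split(".")[0]
    REVOKED_TOKEN_IDS.add(json.loads(_b64d(body))["jti"])


def demo(now=1_700_000_000):
    """Constructed scenario: an infostealer copies the token but not the device key."""
    laptop_secret = secrets.token_bytes(32)    # lives on the victim's laptop (TPM in real life)
    attacker_secret = secrets.token_bytes(32)  # attacker's own machine
    register_device("laptop-A", laptop_secret)
    token = issue_token("alice", "laptop-A", ttl_seconds=900, now=now)
    nonce = "server-nonce-1"
    results = {}
    results["legit"] = verify_request(token, make_proof(laptop_secret, token, nonce), nonce, now=now + 10)
    results["stolen"] = verify_request(token, make_proof(attacker_secret, token, nonce), nonce, now=now + 10)
    results["expired"] = verify_request(token, make_proof(laptop_secret, token, nonce), nonce, now=now + 901)
    revoke_token(token)
    results["revoked"] = verify_request(token, make_proof(laptop_secret, token, nonce), nonce, now=now + 10)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:8} -> {outcome}")
```

The order of checks matters: signature first (anything unsigned is noise), then revocation, then expiry, then device binding, so a revoked token is rejected even if it is otherwise fresh and correctly bound. If the device secret were stored in the same browser profile as the cookie, an infostealer would take both and the "device mismatch" branch would never fire; that is the whole argument for hardware-backed keys.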

These strategies can go a long way in ensuring that even if attackers manage to steal credentials, they cannot use them to do more harm within the organization’s ecosystem. The lesson from the Mega Leak is clear: identity must be protected at every stage, from the time an account is created and through its entire lifecycle, using a layered and adaptive defense strategy that anticipates and responds to the latest attack tactics.


The Digital Siege

Attack Overview

Jaguar Land Rover (JLR), the multibillion-dollar global car maker, came to a standstill in late August 2025. The company halted production worldwide and shut down IT systems across its global operations to contain the intrusion.

Hacker Techniques

The “Scattered Lapsus$ Hunters” group claimed responsibility for the attack. The intrusion was reportedly enabled by credentials stolen via infostealer malware from a third-party provider with access to JLR’s Jira system. The attackers also reportedly used voice phishing (“vishing”), impersonating IT staff to trick employees into handing over login details. Once inside, they are said to have exploited an unpatched vulnerability in SAP NetWeaver that let them move from the office network to the factory floor with administrative rights. Not all of these details have been publicly confirmed by JLR.

Impact

The shutdown affected not only JLR’s sales but the wider U.K. economy. According to reports, the attack cost the U.K. economy an estimated £1.9 billion (about U.S. $2.55 billion) and affected more than 5,000 organizations, largely across JLR’s supply chain. U.K. car output in September 2025 was the lowest for that month since 1952, lower even than September 2020, when most of the world was in pandemic lockdown.

Lessons for 2026

The attack reportedly started with a simple phone call. This shows how vulnerable organizations still are to social engineering. And now, with artificial intelligence already in attackers’ hands, organizations must contend with new twists on this type of attack. Using AI, attackers can clone the voices of high-value employees from videos or recorded interactions, making vishing more convincing and harder to detect.

In the face of such threats, employees who receive high-value requests over the phone (such as requests for login details or access changes) must hang up and call back on a verified internal number before acting. This removes the pressure to make an impulsive decision. Employee awareness training also needs to be revamped: beyond traditional phishing and vishing tactics, employees must learn how AI changes what a convincing attack looks like.

Beyond these measures, organizations must implement technical safeguards that limit how far a successful vishing attack can spread. For example, after gaining access through vishing, the JLR attackers were able to move laterally from corporate systems into operational systems. Corporate IT and operational technology (OT) should sit on separate network islands, with any crossing point explicitly designed and monitored, so an intruder on one cannot walk into the other. That way, even if the corporate network has to be taken down, the factory floor can keep running.

Given that a third-party provider’s credentials enabled the initial access, organizations’ supply chains need to be managed through an ongoing vendor risk monitoring program. Organizations need the ability to restrict a vendor’s access quickly if it fails to keep up with security requirements or its risk profile deteriorates.

Finally, patching remains non-negotiable. Continuous tracking and remediation of known flaws closes off the vulnerabilities attackers will look for once they are inside.


Largest Healthcare Breach of 2025

Incident Overview

The Yale New Haven Health System (YNHHS) data breach was the largest healthcare data breach reported in 2025, affecting over 5.5 million people. In March 2025, YNHHS identified anomalous activity on its network. The attackers had obtained employee credentials, possibly using malware. Rather than encrypting systems as in a ransomware attack, they chose to sit silently in the background.

Hacker Techniques

Every time an employee logged in, the malware worked like a keylogger, sending keystrokes and screen captures to a server controlled by the attackers and handing them working login credentials. Once inside, the attackers quietly copied files containing patients’ identifying information, such as addresses, phone numbers, and Social Security numbers (no health data was reported stolen). Operating stealthily let them stay under the radar far longer. By October 2025, YNHHS had reached a preliminary $18 million settlement to resolve claims stemming from the breach. Events like this are often what drive steep increases in cyber insurance premiums.

Lessons for 2026

The YNHHS breach shows that basic MFA is not enough. With a keylogger on a device, everything typed on it, from passwords to one-time MFA codes, is visible to the attacker, and a captured code can be replayed within its validity window. Now consider device-bound passkeys, certificate-based authentication, or similar mechanisms where a cryptographic “handshake” happens instead of a user typing a code: there is nothing to capture, and a recorded exchange cannot be reused. The outcome would have been very different.

Another control to look at closely in 2026 is advanced endpoint protection. Some products offer keystroke encryption, so that even if malware intercepts keyboard input, it receives only nonsensical encrypted strings. Treat this as one layer, not a substitute for phishing-resistant authentication or for finding and removing the malware.
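To make the contrast concrete, here is an added example written for this page, not code from the article or from YNHHS. It implements standard TOTP (RFC 6238, HMAC-SHA1) to show what a keylogger gets and why a captured code still works seconds later, then a challenge-response login in which nothing is typed and every attempt uses a fresh server challenge bound to the site origin. Real passkeys (WebAuthn) sign the challenge with a private key held by the authenticator; the HMAC with a device-held secret used here is a standard-library simplification of that signature, and the seed, secrets, and origins are constructed.

```python
import hashlib
import hmac
import secrets
import struct

# --- What a keylogger captures: a typed TOTP code (RFC 6238, HMAC-SHA1) ---

def totp(secret, for_time, step=30, digits=6):
    """Standard TOTP: HMAC over the 30-second time counter, dynamically truncated."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def server_accepts_totp(secret, submitted, now, step=30, window=1):
    """Typical verifiers tolerate +/- one step of clock drift; that tolerance is also the replay window."""
    return any(
        hmac.compare_digest(totp(secret, now + i * step, step), submitted)
        for i in range(-window, window + 1)
    )


# --- A passkey-style handshake: nothing is typed, every login answers a fresh challenge ---
# Assumption: HMAC with a device-held secret stands in for the authenticator's signature.

def device_respond(device_secret, challenge, origin):
    """Computed on the device; binds the response to this challenge and to the site origin."""
    return hmac.new(device_secret, challenge + origin.encode(), hashlib.sha256).hexdigest()


def server_verify_response(registered_secret, challenge, origin, response):
    return hmac.compare_digest(device_respond(registered_secret, challenge, origin), response)


def demo(now=1_700_000_000):
    """Constructed scenario: a keylogger sits on the victim's device."""
    totp_secret = b"constructed-shared-seed"
    typed_code = totp(totp_secret, now)                                   # victim types it; keylogger sees it
    totp_replay = server_accepts_totp(totp_secret, typed_code, now + 15)  # attacker reuses it 15 s later

    device_secret = secrets.token_bytes(32)  # never typed, never leaves the device
    origin = "https://portal.example"
    challenge_1 = secrets.token_bytes(32)
    response_1 = device_respond(device_secret, challenge_1, origin)
    legit = server_verify_response(device_secret, challenge_1, origin, response_1)

    # A full transcript of login 1 is useless against the next challenge, and a lookalike
    # site relaying the real challenge gets a response bound to the wrong origin.
    challenge_2 = secrets.token_bytes(32)
    replay = server_verify_response(device_secret, challenge_2, origin, response_1)
    phished = server_verify_response(
        device_secret, challenge_2, origin,
        device_respond(device_secret, challenge_2, "https://portal-example.net"),
    )
    return {
        "totp_replay_accepted": totp_replay,
        "handshake_ok": legit,
        "transcript_replay_accepted": replay,
        "phished_response_accepted": phished,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28} {outcome}")
```

The TOTP half is not broken cryptography; it is working exactly as specified. The weakness is that the proof of the second factor is a short string the user types, which is all a keylogger needs. The handshake half has no such string to steal, and the origin binding is what makes it phishing-resistant rather than merely keylogger-resistant.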

Organizations should also investigate zero trust segmentation to keep sensitive systems on separate network islands, so attackers cannot easily move laterally between segments. Hackers chase return on investment: if hopping across segments is hard, chances are they will move on to another target.
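Segmentation is only as good as the gap between the design and what the firewall actually permits. As an added example for both this paragraph and the IT/OT separation discussed in the JLR lessons (not code from the article or from either organization), the following audit compares permitted flows in firewall logs against an intended zone policy. The address plan, the allow-list (a single jump host into the plant network, and a historian export to a reporting database), the log format, and the log lines themselves are all constructed for the demo.

```python
import ipaddress
import re

# Constructed zone plan (assumed addressing, not JLR's or YNHHS's).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "ot_plant": ipaddress.ip_network("10.50.0.0/16"),
    "clinical": ipaddress.ip_network("10.70.0.0/16"),
}

# The only cross-zone paths the design permits: (src, dst, proto, dport).
# Anything else crossing a zone boundary is a violation, whatever the firewall did.
ALLOWED_CROSS_ZONE = [
    (ipaddress.ip_network("10.10.200.5/32"), ZONES["ot_plant"], "tcp", 3389),  # jump host -> OT RDP
    (ipaddress.ip_network("10.10.200.5/32"), ZONES["ot_plant"], "tcp", 22),    # jump host -> OT SSH
    (ipaddress.ip_network("10.50.9.10/32"), ipaddress.ip_network("10.10.30.40/32"), "tcp", 5432),  # historian -> reporting DB
]

# Assumed log format of a hypothetical firewall.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+) action=(\S+)")


def zone_of(ip):
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def policy_allows(src, dst, proto, dport):
    """Intended policy: intra-zone traffic is fine; cross-zone needs an explicit entry."""
    if zone_of(src) == zone_of(dst):
        return True
    return any(
        src in s and dst in d and proto == p and dport == port
        for s, d, p, port in ALLOWED_CROSS_ZONE
    )


def audit(log_lines):
    """Flag flows the firewall permitted that the segmentation design does not."""
    violations = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line; a real audit would count these separately
        src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        proto, dport, action = m.group(3), int(m.group(4)), m.group(5)
        if action == "allow" and not policy_allows(src, dst, proto, dport):
            violations.append(f"{zone_of(src)}->{zone_of(dst)} {src}->{dst}:{dport}/{proto}")
    return violations


# Constructed firewall log lines (not real traffic).
SAMPLE_LOG = [
    "2025-09-01T02:14:05Z src=10.10.45.23 dst=10.10.30.40 proto=tcp dport=445 action=allow",   # intra-corporate
    "2025-09-01T02:14:09Z src=10.10.200.5 dst=10.50.1.7 proto=tcp dport=3389 action=allow",    # via jump host
    "2025-09-01T02:15:41Z src=10.10.45.23 dst=10.50.1.7 proto=tcp dport=445 action=allow",     # laptop -> plant SMB
    "2025-09-01T02:15:42Z src=10.10.45.23 dst=10.50.1.7 proto=tcp dport=135 action=deny",      # blocked, fine
    "2025-09-01T02:16:03Z src=10.50.9.10 dst=10.10.30.40 proto=tcp dport=5432 action=allow",   # historian export
    "2025-09-01T02:17:30Z src=10.10.45.23 dst=10.70.2.15 proto=tcp dport=1433 action=allow",   # corporate -> clinical DB
]


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print("VIOLATION", v)
```

Run against the sample, it reports two permitted flows the design never intended: a corporate laptop reaching the plant network over SMB, and the same laptop reaching a clinical database. Those are exactly the paths a vishing or keylogger foothold uses to become an operational outage, and a daily run of this kind of check catches the firewall rule someone added "temporarily".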

As discussed earlier, an Identity Threat Detection and Response (ITDR) system would help greatly as well because it tries to identify anomalies in employee/user behavior.

A Key Lesson: Monitor the Dark Web

Since many of the 2025 breaches involved stolen credentials being quietly circulated, another lesson is that organizations cannot wait to discover leaked data after an attack. They must actively monitor where stolen information ends up and look outward, not just inward, for signs their data has been compromised. 

Dark Web monitoring is increasingly proving to be an essential proactive measure for spotting an organization’s leaked data. It involves continuously searching the hidden corners of the Internet, such as Telegram channels, Tor message boards, and underground forums where criminals trade stolen information, for credentials, documents, and other data tied to the organization.

Remember, if you proactively discover your sensitive information on the Dark Web, it gives you a head start not just in your technical response, but also in your regulatory and public relations responses.
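A narrower, self-service cousin of that monitoring is checking whether a credential already appears in a known leak corpus. The following is an added example for this page, not code from the article or from any monitoring vendor. It shows the k-anonymity range lookup used by the Have I Been Pwned Pwned Passwords API: the client SHA-1 hashes the password, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and matches the returned `SUFFIX:COUNT` lines locally, so the password itself never leaves the host. The demo runs offline against a constructed stand-in for the range response (the suffix for “password” is its real SHA-1 suffix; the counts are made up); `fetch_range` performs the live call and is not exercised here.

```python
import hashlib
import urllib.request

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the candidate and split it: only the 5-hex-char prefix ever leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts = {}
    for line in text.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_text):
    """How many times the password appears in the leak corpus, 0 if absent."""
    _, suffix = split_hash(password)
    return parse_range(range_text).get(suffix, 0)


def fetch_range(prefix, timeout=10):
    """Live lookup over the network. Not used by the offline demo below."""
    req = urllib.request.Request(RANGE_ENDPOINT + prefix, headers={"User-Agent": "leak-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password(password, fetch=fetch_range):
    """End-to-end check: hash locally, fetch the prefix's range, match locally."""
    prefix, _ = split_hash(password)
    return breach_count(password, fetch(prefix))


# Constructed stand-in for a range response for prefix 5BAA6 (same shape as the real
# one; counts are made up). The middle suffix is SHA-1("password") minus its prefix.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "1D2B5E4A3C2F1A0B9C8D7E6F5A4B3C2D1E0:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "2F0A1B2C3D4E5F60718293A4B5C6D7E8F90:1",
])


def demo():
    """Offline demo using the constructed range text instead of the network."""
    offline_fetch = lambda prefix: SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
    return {
        "in_corpus": check_password("password", fetch=offline_fetch),
        "not_in_corpus": breach_count("password", "0000000000000000000000000000000000A:1"),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical notes. The same prefix-only pattern is what lets you run this check at password-change time without ever transmitting the new password, which is the usual way to block credentials that are already circulating. And a hit here tells you the password is in a public corpus, not that your organization was the source; that attribution is what the broader monitoring in the paragraph above is for.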


A History Lesson

German philosopher Georg Wilhelm Friedrich Hegel famously said, “The only thing we learn from history is that we don’t learn from history.” Thankfully, we had American author and humorist Mark Twain to tell us that, “History doesn’t repeat itself, but it often rhymes.” 2025 is history, and while we cannot prepare for the same things, we can expect that 2026 will likely rhyme. And maybe therein lies our lesson.

About the Author

Akash Desai is a Director of Consulting for ERMProtect. For over 22 years, he has combined technical expertise with creativity and problem-solving acumen to create innovations and solutions that address challenging cybersecurity problems. His work at the prestigious CERT® Coordination Center and the innovative Carnegie Mellon CyLab tackled cybersecurity issues related to insider threats, intrusion prevention, proactive and agile cyber-defense, and security awareness training. At ERMProtect, he is the brain behind the innovative ERMProtect™ cybersecurity awareness training practice and he has led several complex cybersecurity projects and project teams.