The Worst Hacks of 2025
From university breaches to cyberattacks that shut down whole supply chains, these were the worst cybersecurity incidents of the year.
It was a strange year in cyberspace, as US president Donald Trump and his administration launched foreign policy initiatives and massive changes to the federal government that have had significant geopolitical ramifications. Through it all, the steady drumbeat kept pounding: data breaches, leaks, ransomware attacks, digital extortion cases, and state-sponsored attacks that have unfortunately become a backdrop of daily life.
Here's WIRED's look back on this year's most significant breaches, hacking sprees, and digital attacks. Stay alert, and stay safe out there.
Salesforce Integrations
Attackers grabbed data from the sales management giant Salesforce in at least two breaches this year—but they didn't compromise Salesforce directly. Instead, the group breached third-party Salesforce contractor integrations, including those of Gainsight and Salesloft.
Google's Threat Intelligence Group published details about the spree in August, saying that some Google Workspace data had been compromised as part of the breach of the sales and marketing platform Salesloft Drift. Though the incident was not a direct hack of Google Workspace, it represented a rare instance in recent years of Alphabet customer data being exposed.
Other impacted companies include Cloudflare, Docusign, Verizon, Workday, Cisco, LinkedIn, Bugcrowd, Proofpoint, GitLab, SonicWall, Adidas, Louis Vuitton, and Chanel. The credit bureau TransUnion also had a breach apparently tied to the situation that exposed the information of 4.4 million people, including names and Social Security numbers.
The spree was perpetrated by a group known as Scattered Lapsus$ Hunters—a potential amalgam of actors and tooling from the hacking and data theft groups Scattered Spider, Lapsus$, and ShinyHunters. Researchers note, though, that the group isn't actually a one-to-one evolution of the three namesakes. Regardless, Scattered Lapsus$ Hunters have a data leak site where they've been previewing troves of stolen data from the campaign and conducting digital extortion attacks on victims.
Clop’s Oracle E-Business Hacking Spree
The ransomware group Clop is known for carrying out mass exploitation of vulnerabilities for data breaches and extortion attacks. Past rampages in recent years had huge numbers of victims at both private companies and government agencies. This year, the group did it again, exploiting a vulnerability in Oracle’s E-Business internal management platform to steal data from numerous companies and organizations.
As part of the spree, Clop was able to steal employee data from multiple companies, including the personal information of executives, and used it to send emails and other threatening communications to senior employees as part of demands for millions of dollars in ransom to delete the data instead of publishing it.
Oracle scrambled to patch the vulnerability at the beginning of October, but Clop had already been exploiting it to steal data from hospitals and health care groups, media companies like The Washington Post, and universities like the University of Pennsylvania (see below).
University Breaches
The University of Pennsylvania publicly disclosed a data breach at the beginning of November that took place at the end of October, impacting personal data—some of it years or decades old—of students, alumni, and donors. The data also included internal university documents and some financial information. The incident was the result of a phishing attack; the hacker sent email blasts to students and alumni describing Penn as “woke” and saying that the school prioritizes “legacies, donors and unqualified affirmative action admits.” The Verge reported, though, that ultimately the hacker may have been financially motivated.
Harvard said in a November statement that the systems of its Alumni Affairs and Development office had been breached via a “phone-based phishing attack.” The incident involved personal information of alumni, their partners, Harvard donors, parents of current and former students, some current students, and some faculty and staff. The data included email addresses, phone numbers, physical addresses, event attendance records, information about donations to the university and other fundraising details. Princeton University was hit with a similar attack that same month, although the scope of affected data seems more limited.
New York University suffered a breach in March, Columbia University faced one in June, and the University of Phoenix had a breach in August that may have impacted close to 3.5 million people.
Aflac
The US insurance company Aflac disclosed a data breach in June that it said impacted customer Social Security numbers and health details, but did not disclose a number of victims. On December 19, the company clarified that it is now notifying about 22.65 million people that their data was stolen in the breach. Legally required notifications under state data breach laws, including in Texas and Iowa, indicate that the stolen data includes names, contact information, dates of birth, Social Security numbers, tax ID numbers, health information, medical record numbers, dates of service with medical providers, and health insurance ID numbers.
The Iowa disclosure also states that, “The unauthorized actor may be affiliated with a known cyber-criminal organization; federal law enforcement and third-party cybersecurity experts have indicated that this group may have been targeting the insurance industry at large.” This lines up with an insurance hacking spree carried out this spring by the Scattered Spider criminal hacking group.
Mixpanel
The web app analytics company Mixpanel announced at the end of November that it had addressed a “security incident” it identified on November 8. The company said that it discovered the situation after detecting a “smishing campaign” or SMS phishing attack that apparently led to a breach. Mixpanel said at the time that it had notified all of its impacted customers, but the company did not say how many customers were affected or provide a sense of scale for the situation. “If you have not heard from us directly, you were not impacted,” CEO Jen Taylor wrote.
At least one company, OpenAI, came forward as having been impacted by the breach. The company published its own notification about the effects of the incident on some data related to application programming interface (API) users as well as a subset of ChatGPT users “who submitted help center tickets or were logged into platform.openai.com.”
The notorious ShinyHunters data theft group claimed credit for a breach that Pornhub reported on December 12; the adult content site claimed that “an unauthorized party gained unauthorized access to analytics data stored with Mixpanel.” That incident appears to involve more than 200 million user records totaling 94 gigabytes of data including email addresses and users’ histories on the site linked to their account information. Following the breach, ShinyHunters reportedly began attempting to extort Pornhub, threatening to leak the stolen data.
Additional reporting from TechCrunch indicates, though, that the Pornhub breach resulted from a separate incident. Mixpanel has concluded that the impacted Pornhub data was stolen using “credentials belonging to an employee at Pornhub’s parent company,” which Taylor told TechCrunch “were compromised independently of Mixpanel.” Pornhub did not immediately return WIRED's request for comment.
Jaguar Land Rover
A cyberattack at the end of the summer against global car giant Jaguar Land Rover caused weeks of stalled production at factories across the United Kingdom that normally churn out an estimated 1,000 vehicles per day. The situation also created gridlock across JLR's massive supply chain. The UK government admitted in September that the attack had a “significant impact” on the company and on the “wider automotive supply chain.” Reports claimed that JLR may have been losing up to £50 million ($67 million) per week during the shutdown. It is unclear who perpetrated the attack.
Honorable Mention: A Bunch of US Government Breaches
Though it wasn't an all-time brutal year for US government breaches, that's not saying much. A Treasury breach perpetrated by China at the very end of 2024 led into the 2025 exploitation of a Microsoft SharePoint vulnerability, which included exploitation by alleged Chinese actors. The National Nuclear Security Administration within the Department of Energy suffered a compromise in this campaign. Meanwhile, a breach of the US Courts records system that may have been perpetrated by Russia revealed extremely sensitive information, including sealed documents. And the United States Congressional Budget Office was hacked in November. The Washington Post reported that the agency was infiltrated by a “suspected foreign actor.”