The biggest corporate security blunders of 2025


2025 was defined not just by unprecedented attack techniques but by familiar corporate mistakes that attackers exploited on an unprecedented scale.

While threat actors have certainly evolved, leveraging AI and deepfakes with increasing efficacy, 2025’s most damaging incidents were largely fueled by systemic failures within organizations.

Cloud misconfigurations, fragile vendor ecosystems, identity-driven intrusions, and neglected fundamentals accounted for most major breaches.


Blunder 1: Cloud security misconfigurations

Despite years of warnings, experts agreed that cloud misconfigurations remained the leading and most preventable blunder of 2025. Many of this year’s cybersecurity incidents are a testament to this.

Key Incidents

  • TalentHook: An Azure Blob storage container was left publicly accessible without proper access controls, exposing approximately 26 million CVs and resumes that contained names, emails, phone numbers, and employment history.
  • WorkComposer: A backend S3 bucket was left unsecured, leaking 21 million employee screenshots, which potentially captured login screens, internal tools, and confidential documents.
  • WebWork: Similarly, a misconfigured S3 bucket exposed 13 million stored logs and screenshots.
  • An exposed MongoDB instance, discovered by Cybernews researchers, contained over 4 billion records, including emails, photos, employment histories, and other personal data.

"The 2025 global breach reports make it a point to stress that many cloud security failures remain the customer's fault," notes Joshua Copeland, Director of Cybersecurity at Crescendo AI.

He added that “misconfigurations, missing access controls, and poor cloud security posture management” remain the top causes of most breaches.


Trevor Horwitz, CISO and Founder at TrustNet, attributes this to a failure in mindset.


"One of the key mistakes is applying traditional network security thinking to modern cloud environments. The perimeter no longer exists in the same way."

He adds that during cloud assessments, his team frequently finds organizations launching services without basic controls like IP restrictions or encryption.

In fact, Tenable’s 2025 research found that roughly 9% of all publicly accessible cloud storage still exposes sensitive data, with nearly all of it classified as restricted or confidential.

Meanwhile, Jeffrey Martin, VP Product at Mend, points to overly permissive IAM policies as a major vector. He cites the OneLogin IAM platform flaw (CVE-2025-59363), where an overly permissive API key allowed attackers to disclose client secrets for all applications within a tenant.

"The blunder allows a minor compromise, like a single stolen credential, to be leveraged for extensive lateral movement," Martin explains.
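The two failures above, a storage policy that lets any principal read the bucket and an IAM policy broad enough that one stolen key controls the whole account, can both be caught by a static read of the policy document before deployment. The checker below is an added example written for this article, not code from any of the named companies or from AWS. It covers AWS-style JSON policies (Azure Blob containers, as in the TalentHook case, are instead exposed by a container public-access level, which this checker does not read), and the four sample policies, account ID, bucket names and VPC endpoint ID are constructed for illustration.

```python
"""Static check for two cloud misconfigurations: storage policies that grant
access to any principal, and IAM policies with wildcard actions or resources.
Added example; the sample policies and identifiers below are constructed."""

import json

PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",  # anyone, including unauthenticated users
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::hr-resumes", "arn:aws:s3:::hr-resumes/*"],
    }],
}

HARDENED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/resume-indexer"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::hr-resumes", "arn:aws:s3:::hr-resumes/*"],
        # Only reachable through one VPC endpoint, never from the public internet.
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}

OVERLY_PERMISSIVE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

LEAST_PRIVILEGE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadUploads",
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::app-uploads/*",
    }],
}


def _as_list(value):
    """Policy JSON allows a scalar or an array for Statement, Principal, Action, Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element ("*", an ARN, or {"AWS": [...]}) to a list of ids."""
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def audit_policy(policy):
    """Return (Sid, finding) pairs for every Allow statement that is too broad.

    PUBLIC            Principal "*" with no Condition: anonymous access.
    WILDCARD_ACTION   Action "*" or "service:*": far more than one role needs.
    ADMIN_EQUIVALENT  a wildcard action on Resource "*": one stolen key owns the account.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement[{index}]")
        principals = _principals(stmt.get("Principal"))  # absent in identity policies
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "*" in principals and not stmt.get("Condition"):
            findings.append((sid, "PUBLIC"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "WILDCARD_ACTION"))
            if "*" in resources:
                findings.append((sid, "ADMIN_EQUIVALENT"))
    return findings


def audit_policy_json(text):
    """Same check for a policy held as a JSON string, e.g. pulled from an API dump."""
    return audit_policy(json.loads(text))


if __name__ == "__main__":
    for name in ("PUBLIC_BUCKET_POLICY", "HARDENED_BUCKET_POLICY",
                 "OVERLY_PERMISSIVE_IAM_POLICY", "LEAST_PRIVILEGE_IAM_POLICY"):
        print(f"{name}: {audit_policy(globals()[name]) or 'no findings'}")
```

A Principal of `*` that carries a Condition (for example a `aws:SourceVpce` or `aws:SourceIp` restriction) is deliberately not flagged as PUBLIC, since that is the usual way to publish a bucket to a private network only; whether the condition is tight enough is a separate review. The checker is a pre-deployment gate, not a substitute for the cloud provider's own public-access blocks, which should stay on at the account level regardless.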

Blunder 2: Third-party and supply chain weaknesses

The most prevalent strategic error of 2025 was the assumption that third-party vendors were secure. Attackers continued to exploit smaller, less-protected vendor ecosystems as the easiest way into large fortified enterprises.


Key Incidents

  • UNC6395 Campaign: This hacking group launched a widespread campaign abusing the Salesloft Drift integration with Salesforce. Using stolen OAuth tokens, they accessed customer data across major multinationals, including Google, TransUnion, Air France/KLM, and Workday.
  • United Natural Foods Inc. (UNFI): A cyberattack on UNFI's IT systems resulted in significant logistics disruptions, demonstrating that supply chain hacks can threaten essential services, such as the food supply.
  • Qantas Airways: A breach in a third-party contact center platform exposed the data of millions of frequent flyers.
  • npm supply chain attack: Attackers compromised maintainer accounts of widely used JavaScript packages via phishing, affecting millions of applications globally.
  • Oracle E-Business Suite: The Cl0p ransomware group exploited a zero-day in Oracle’s widely used E-Business Suite, leading to dozens of intrusions and data theft incidents across major clients.

Experts saw third-party risk as the most underappreciated systemic weakness of the year. Copeland noted that “trusted third-party access, or that of a vendor, was the pivot point” in many of the year’s largest breaches.


Horwitz identifies a process failure behind these breaches, warning that lapses in vendor due diligence continue to expose organizations.

“One of the common problems is relying on a SOC 2 report that does not even cover the right legal entity,” he said, adding that “this leads to a false sense of assurance and creates blind spots in vendor management.”

Copeland highlights the Allianz Life breach in July 2025 as a prime example, which occurred due to unauthorized access through a third-party cloud-based system rather than a compromise of core systems. He describes this trend as a "collapse of the security perimeter" caused by uncontrolled access.


Martin and Lidia Lopez, Senior Threat Intelligence Analyst at Outpost24, both pointed to the Cl0p ransomware group’s exploitation of the zero-day in Oracle’s EBS to emphasize how a single flaw can spread across many organizations.

Lopez also points to the Collins Aerospace attack, where a single compromise in their vMUSE check-in software disrupted boarding across major European airports, showing how outages at a single vendor can also paralyze critical infrastructure.

Blunder 3: Social engineering and identity abuse


Attackers in 2025 moved away from breaking in and instead focused on logging in. According to Check Point, credential theft surged by 160% this year, and identity abuse became the primary initial-access method across industries.

Key Incidents

  • Co-op UK: Hackers impersonating an employee tricked the help desk into resetting that employee’s password, eventually compromising the data of 6.5 million loyalty program members.
  • Marks & Spencer: Similar to the Co-op attack, hackers used social engineering to trick support staff into providing credentials for a valid internal user account.
  • Kering: The luxury group suffered a credential stuffing attack in which attackers used login details stolen in other breaches to access customer loyalty accounts at its brands, including Gucci and Balenciaga.
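Credential stuffing of the kind described in the Kering item has a distinctive shape in authentication logs: a small number of source addresses try many distinct usernames, usually one password each, and fail against almost all of them, while the rare successes are the accounts that were reused from an earlier breach. The detector below is an added example written for this article, not code from Kering or any vendor. The log line format, the addresses and the accounts are constructed, and the thresholds (ten-minute window, five distinct users, 80% failure rate) are assumptions to be tuned against real traffic.

```python
"""Detect credential stuffing in authentication logs and list the accounts
that succeeded during an attack window. Added example; the log format,
sample lines and thresholds below are constructed, not from any real incident."""

import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

AuthEvent = namedtuple("AuthEvent", "ts ip user result")

# Constructed line format: ISO timestamp, source IP, username, ok|fail.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one attacking IP spraying eight accounts (one of which
# succeeds), one legitimate user mistyping a password twice, one clean login.
SAMPLE_LOG = """\
2025-09-14T10:00:00Z ip=198.51.100.7 user=alice@example.com result=fail
2025-09-14T10:00:05Z ip=203.0.113.5 user=u1@example.com result=fail
2025-09-14T10:00:06Z ip=203.0.113.5 user=u2@example.com result=fail
2025-09-14T10:00:07Z ip=203.0.113.5 user=u3@example.com result=fail
2025-09-14T10:00:08Z ip=203.0.113.5 user=u4@example.com result=fail
2025-09-14T10:00:09Z ip=203.0.113.5 user=u5@example.com result=fail
2025-09-14T10:00:10Z ip=203.0.113.5 user=u6@example.com result=fail
2025-09-14T10:00:11Z ip=203.0.113.5 user=bob@example.com result=ok
2025-09-14T10:00:12Z ip=203.0.113.5 user=u7@example.com result=fail
2025-09-14T10:00:20Z ip=198.51.100.7 user=alice@example.com result=fail
2025-09-14T10:00:40Z ip=198.51.100.7 user=alice@example.com result=ok
2025-09-14T10:01:00Z ip=192.0.2.9 user=carol@example.com result=ok
this line is not an auth event
"""


def parse_line(line):
    """Parse one log line into an AuthEvent, or None for lines that are not auth events."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return AuthEvent(ts, m["ip"], m["user"], m["result"])


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.8):
    """Sliding-window check per source IP.

    An IP is flagged when, inside `window`, it has tried at least `min_users`
    distinct accounts and at least `min_fail_ratio` of those attempts failed.
    Returns {ip: {"max_distinct_users": n, "compromised": [users that logged in
    OK during a flagged window]}}; the compromised list is what responders need
    for forced resets and session revocation.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        recent = deque()
        for ev in evs:
            recent.append(ev)
            while ev.ts - recent[0].ts > window:  # drop events older than the window
                recent.popleft()
            users = {e.user for e in recent}
            fails = sum(1 for e in recent if e.result == "fail")
            if len(users) >= min_users and fails / len(recent) >= min_fail_ratio:
                alert = alerts.setdefault(ip, {"max_distinct_users": 0, "compromised": set()})
                alert["max_distinct_users"] = max(alert["max_distinct_users"], len(users))
                alert["compromised"] |= {e.user for e in recent if e.result == "ok"}

    return {ip: {"max_distinct_users": a["max_distinct_users"],
                 "compromised": sorted(a["compromised"])}
            for ip, a in alerts.items()}


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {alert['max_distinct_users']} accounts tried, "
              f"compromised: {alert['compromised']}")
```

The legitimate user who fails twice and then logs in is never flagged, because the distinct-user count is the discriminator, not the failure count; a brute-force or password-spray detector would key on other ratios. In production the source key should be widened to cover rotating proxy pools (ASN, device fingerprint, or JA3 hash rather than a single IP), and the output belongs in a ticket that forces a password reset and invalidates existing sessions and tokens for every account in the compromised list.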

Copeland cites global incident response data to suggest that social engineering continues as one of the most scalable and effective intrusion tactics of 2025. He points to the DoorDash breach of October 2025, which reportedly stemmed from a social engineering scam against a single employee, granting access to merchant and customer data.


Lidia Lopez details the rise of the Scattered Lapsus$ Hunters, a crew that relied on phone-based social engineering to impersonate IT staff. They tricked employees into handing over credentials, gaining OAuth access to Salesforce environments of giants like Google, Chanel, and Qantas.

She also notes the "service desk attacks" targeting Marks & Spencer, Harrods, and Co-op, where attackers pressured help desk agents into resetting passwords or removing MFA. Martin framed these attacks as a strategic shift, with adversaries increasingly bypassing technical controls by using sophisticated impersonation and voice manipulation techniques.

Blunder 4: Neglected fundamentals

Despite rising sophistication elsewhere, many 2025 breaches were rooted in failures that experts considered basic.

Key Incidents

  • Oracle Cloud SSO/LDAP breach: A high-risk, unpatched flaw led to the exfiltration of about 6 million identity records, keystores, and encrypted passwords.
  • McDonald’s hiring platform: The admin account used the default credentials 123456:123456 with no MFA, exposing over 64 million job applicant records.
  • In the aftermath of the Louvre museum heist, it was found that the password for the video surveillance system was “Louvre.”

Copeland noted that many incidents “arise not from advanced zero-day exploits, but from failing to exercise basic hygiene.”

He argued that the spike in these least-effort attacks suggests that weak baseline security gives attackers "low-hanging fruit rather than forcing sophisticated intrusions."

Horwitz confirms this is a pattern he sees regularly in audits: "We often find missing patch processes, overly broad user permissions, and weak access controls. These are the same issues year after year, and they remain high-risk areas."

Beyond the big four

When asked to identify other critical failure modes outside these four categories, our experts pointed to several emerging weaknesses that shaped real incidents this year, which also hint at where next year’s incidents may come from.


1. Ungoverned AI adoption

A major theme for 2025 was the ungoverned adoption of AI. Martin calls this the "Lack of AI Governance," describing it as a modern failure in neglected fundamentals. He says employees are increasingly uploading sensitive data into unvetted "Shadow AI" tools, leading to massive leakage. Horwitz echoes this, noting that "Employees are using AI platforms without approvals…This is the modern version of shadow IT."


2. Blind trust in security automation

Horwitz warns against blind trust in security automation. He cites cases where security alerts were missed because AI models were trained on outdated or incomplete data, allowing slow data exfiltration to go undetected. Copeland adds that corporate strategies are often "designed for last decade's threats," failing to account for adversaries who are themselves using AI to gain stealth and speed.

3. Sophisticated insider threats

Lopez highlighted a chilling trend in insider threats: state-sponsored infiltration. She points to the KnowBe4 incident, where a North Korean operative used a stolen identity and AI-enhanced video to pass interviews, get hired as an IT worker, and immediately attempt to load malware onto a corporate laptop.

4. Inadequate response and recovery

Copeland lastly notes that the skyrocketing cost of breaches, averaging $10.22 million in the US, reflects a failure in resilience. He said 2025 breaches were worsened by “poor containment, slow detection, and weak recovery readiness,” adding that even in successful breaches where the damage could be contained, it wasn’t, due to “immature IR playbooks.”

