ADVERTISEMENT

The biggest corporate security blunders of 2025

2025 was defined not just by unprecedented attack techniques but by familiar corporate mistakes that attackers exploited on an unprecedented scale.

Salesforce, oracle, whole sales, java logos
Mayank Sharma
Mayank Sharma Contributor
Dec 29, 2025 Updated: 30 December 2025 6 min read

Blunder 1: Cloud security misconfigurations

  • TalentHook: An Azure Blob storage container was left publicly accessible without proper access controls, exposing approximately 26 million CVs and resumes that contained names, emails, phone numbers, and employment history.
  • WorkComposer: A backend S3 bucket was left unsecured, leaking 21 million employee screenshots, which potentially captured login screens, internal tools, and confidential documents.
  • WebWork: Similarly, a misconfigured S3 bucket exposed 13 million stored logs and screenshots.
  • An exposed MongoDB instance, discovered by Cybernews researchers, contained over 4 billion records, including emails, photos, employment histories, and other personal data
Jurgita Lapienyte justinasv Izabele Pukenaite vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Add us as your Preferred Source on Google.

Blunder 2: Third-party and supply chain weaknesses

a carton box, fragile sign, white supply chain arrows going in a circle
Image by Cybernews.
  • UNC6395 Campaign: This hacking group launched a widespread campaign exploiting vulnerabilities in platforms such as Salesloft and Drift, which integrate with Salesforce. Using stolen OAuth tokens, they accessed customer data across major multinationals, including Google, TransUnion, Air France/KLM, and Workday.
  • United Natural Foods Inc. (UNFI): A cyberattack on UNFI's IT systems resulted in significant logistics disruptions, demonstrating that supply chain hacks can threaten essential services, such as the food supply.
  • Qantas Airways: A breach in a third-party contact center platform exposed the data of millions of frequent flyers.
  • NPM JavaScript supply chain attack: Attackers compromised maintainer accounts for widely-used JavaScript packages via phishing, affecting millions of applications globally.
  • Oracle E-Business Suite: The Cl0p ransomware group exploited a zero-day in Oracle’s widely used E-Business Suite, leading to dozens of intrusions and data theft incidents across major clients.
allianz life logo data breach safe 1.1 million customers
Image by Cybernews.
ADVERTISEMENT

Blunder 3: Social engineering and identity abuse

  • Co-op UK: Hackers tricked an employee into resetting their password, eventually compromising 6.5 million loyalty program members.
  • Marks & Spencer: Similar to the Co-op attack, hackers used social engineering to trick support staff into providing credentials for a valid internal user account.
  • Kering: The luxury group suffered a credential stuffing attack where attackers used stolen login details from other breaches to access customer loyalty accounts from their brands, like Gucci and Balenciaga.
DoorDash breach

Blunder 4: Neglected fundamentals

  • Oracle Cloud SSO/LDAP breach: A high-risk, unpatched flaw led to the exfiltration of about 6 million identity records, keystores, and encrypted passwords.
  • McDonald’s hiring platform used weak admin username and password (123456:123456), no MFA, and exposed over 64 million job applicant records.
  • In the aftermath of the Louvre museum heist, it was found that the password for the video surveillance system was “Louvre.”
Oracle logo on cloud
By Cybernews

Beyond the big four

artificial intelligence, cybersecurity, threats
Image by Cybernews.

ADVERTISEMENT