Top 5 Cyberattacks of 2025
In 2025, cyberattacks hit every corner of the economy, disrupting organizations, service providers, and critical infrastructure. From ransomware shutting down operations to massive breaches draining sensitive data, this year proved once again that no organization or industry is immune.
As we head into 2026, protecting sensitive data and maintaining customer trust remain fundamental responsibilities in a world where risk never slows down.
Amid these escalating attacks, cybersecurity solutions have never been more essential. But even the most advanced platform can’t make an impact if no one knows what it does or why it matters. That’s where cybersecurity marketing—especially content marketing—comes in. By creating compelling, educational content that highlights your value and addresses real cybersecurity challenges, you position your company as a trusted resource.
Top 5 Cyberattacks that Defined 2025
Let’s take a closer look at five major attacks that made headlines in 2025. While this list only scratches the surface, these incidents underscore the rising sophistication and diversity of today’s threats—and why companies need clear, accessible information about risks and solutions for defense.
1. Chinese Surveillance Network Data Breach
| Field | Details |
|---|---|
| Date | June 2025 |
| Attacker Group | Unknown. The scale suggests significant resources and technical capabilities, typically associated with nation-state actors, organized threat groups, or well-resourced research organizations. |
| Method of Attack | Misconfigured Elasticsearch database left publicly accessible without password protection |
| Records Exposed | 631-gigabyte database containing 4 billion records pulled from WeChat, financial sources, and Alipay (mobile payment platform). The data included WeChat IDs, Alipay details, bank details, home addresses, phone numbers, vehicle registrations, employment details, pension information, insurance data, and gambling habits. |
| Intended Goal | Surveillance and profiling. The volume and diversity of data types suggest that this was likely a centralized aggregation point to build behavioral, economic, and social profiles of nearly every Chinese citizen. |
| Affected Entities | Hundreds of millions of Chinese citizens |
| Impact | As the largest single-source leak in China’s history, this breach has massive privacy and geopolitical implications, including espionage, large-scale phishing, blackmail, identity theft, fraud, state-sponsored intelligence gathering, and disinformation campaigns. |
2. Salesloft / Drift Supply Chain Breach
| Field | Details |
|---|---|
| Date | March–June 2025; August 8–18, 2025: systematic harvesting of credentials and sensitive data from Salesforce instances connected through Drift integrations |
| Attacker Group | Threat actor tracked as UNC6395 |
| Method of Attack | GitHub compromise → reconnaissance → pivot to Drift AWS environment → OAuth token theft → data exfiltration. The attack hinged on compromised third-party credentials and trusted integrations that provided access to Salesforce and other SaaS applications. The threat actor systematically downloaded content from multiple repositories, added guest users, and established workflows that would later facilitate mass data exfiltration. |
| Records Exposed | Estimated to be 1.5 billion Salesforce records from 760 companies. Exfiltrated data included customer contacts, support case content, account records, and embedded secrets such as API keys and cloud credentials. |
| Intended Goal | Data exfiltration; credential harvesting |
| Affected Entities | Over 700 organizations worldwide, spanning multiple sectors, including cloud computing, cybersecurity, SaaS providers, and enterprise technology |
| Impact | The Salesloft breach stands as one of the most significant supply chain attacks in SaaS history, demonstrating how threat actors can exploit trusted relationships, weak credentials, an over-permissive integration, and lack of monitoring to achieve widespread impact across hundreds of organizations simultaneously. The exfiltrated data and credentials are valuable for follow-on attacks, including phishing campaigns, credential stuffing, and secondary supply chain compromises aimed at downstream partners and customers. |
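The embedded secrets noted in the Impact row are the part of this incident a defender can act on directly: records exported from a CRM can be scanned for credentials before an integration is granted read access to them, and again after a breach to know what must be rotated. The Python below is an added example, not code from Salesloft, Salesforce, or the original post; the case records and credential values are constructed for illustration, and the pattern set is a starting point to tune for your own environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Starting set of credential patterns; constructed for this example, extend for your environment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    # key/value style assignments such as api_key=..., token: ..., secret="..."
    "generic_api_key": re.compile(r"(?i)\b(?:api[_-]?key|token|secret)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+]{16,})"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*['\"]?(\S{8,})"),
}

@dataclass
class Finding:
    record_id: str
    field: str
    secret_type: str
    preview: str  # redacted; the full value is never carried in the report

def redact(value: str) -> str:
    """Keep a short prefix so the owner can recognise the credential without re-exposing it."""
    return value[:4] + "..." + "*" * min(len(value) - 4, 8)

def scan_record(record: Dict[str, str], text_fields=("Subject", "Description")) -> List[Finding]:
    """Run every pattern over the free-text fields of one exported Case record."""
    findings = []
    for field in text_fields:
        text = record.get(field) or ""
        for secret_type, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(record["Id"], field, secret_type, redact(value)))
    return findings

def scan_export(records: List[Dict[str, str]]) -> List[Finding]:
    """Scan a whole export; the result is what you route to the secret owners for rotation."""
    return [f for record in records for f in scan_record(record)]

# Constructed sample records shaped like a Salesforce Case export (no real data; the AWS key is
# the value used in AWS documentation examples).
SAMPLE_CASES = [
    {"Id": "500XX0000000001", "Subject": "Login issue", "Description": "User cannot log in since Monday."},
    {"Id": "500XX0000000002", "Subject": "Integration failing",
     "Description": "Using key AKIAIOSFODNN7EXAMPLE with secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500XX0000000003", "Subject": "DB access", "Description": "temp creds: password=Winter2025!Rotate"},
]

if __name__ == "__main__":
    for finding in scan_export(SAMPLE_CASES):
        print(f"{finding.record_id} {finding.field}: {finding.secret_type} -> {finding.preview}")
```

Findings carry only a redacted preview, so the report itself does not become a second copy of the leaked credentials.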
3. LVMH/Kering Brands – Gucci & Balenciaga Data Breach
| Field | Details |
|---|---|
| Date | April 2025; disclosed June 2025 |
| Attacker Group | ShinyHunters |
| Method of Attack | Credential theft; unauthorized access to internal customer relationship management systems |
| Records Exposed | 7.4 million records. Exfiltrated data included customer names, phone numbers, email addresses, physical addresses, dates of birth, and purchase histories. |
| Intended Goal | Extortion; ransom demand in Bitcoin (refused by Kering) |
| Affected Entities | Gucci, Balenciaga, Alexander McQueen brands and customers worldwide |
| Impact | The attack is part of a wider trend affecting luxury brands and retailers and is a wake-up call for the sector. The exfiltrated data leaves high-paying clients at risk for targeted phishing campaigns, SIM-swap attacks, and account takeovers. |
4. NASCAR Ransomware Attack
| Field | Details |
|---|---|
| Date | March 31 – April 3, 2025; Medusa listed NASCAR on its leak site on April 8, 2025 |
| Attacker Group | Medusa ransomware gang, operating under a ransomware-as-a-service (RaaS) model |
| Method of Attack | Unauthorized network access → data exfiltration and encryption (double extortion) |
| Records Exposed | Medusa claims 1,038 GB (≈1 TB) of data stolen. Exfiltrated data included internal documents, employee names, Social Security Numbers, sponsorship agreements, invoices, and racetrack maps. |
| Intended Goal | $4 million ransom demand; option to extend deadline for $100,000 per day |
| Affected Entities | NASCAR employees, business partners, sponsors, and vendors/contractors |
| Impact | The attack highlights escalating cybersecurity risks in high-profile industries like sports entertainment. The exposure of personal and operational data leaves NASCAR open to reputational damage and individual victims at risk for identity theft. NASCAR offered free credit monitoring and identity protection to victims. |
5. Ingram Micro Ransomware Hack
| Field | Details |
|---|---|
| Date | July 3–10, 2025 |
| Attacker Group | SafePay ransomware group |
| Method of Attack | Exploit of GlobalProtect VPN infrastructure using stolen or brute-forced credentials → lateral movement → encryption and data theft. Once inside, the operators deployed ransomware that left digital ransom notes on employee systems and triggered outages. |
| Records Exposed | 3.5 TB of data |
| Intended Goal | Double extortion; data encryption and threat to leak 3.5 TB of stolen data unless ransom payment received |
| Affected Entities | Ingram Micro global operations with downstream impact on thousands of tech resellers, MSPs, and vendors |
| Impact | The Ingram Micro hack is one of 2025’s most disruptive supply chain ransomware events—demonstrating the operational, financial, and reputational impact these attacks now routinely inflict. The multi-day global outage halted order processing and cloud licensing, paralyzing transactions for tech resellers, MSPs, and vendors globally, and resulted in an estimated $136M/day revenue loss for Ingram Micro. |
Need Help with Content Creation?
Breaches and ransomware aren’t slowing down—and neither is the pressure on security vendors to stand out in a saturated, competitive market. Organizations can’t defend themselves with solutions they’ve never heard of. Awareness is protection, and that’s where great content earns its keep.
The CyberEdge Advantage
Cybersecurity buyers want clarity, credibility, and confidence. That only happens when your content speaks their language. CyberEdge writers dig deeper, ask sharper questions, and craft messaging that resonates with the people on the front lines of defense.
If you’re ready to help your prospects understand the risks—and why your solution matters—let’s talk. Contact us today for a personalized consultation and let’s explore how we can help.