Secretus logoSecretus

The biggest hacks and breaches of 2025–2026

·9 min read

If one theme defined 2025 and the first half of 2026, it's that attackers stopped kicking down doors and started walking through them — with stolen tokens, a convincing phone call to a help desk, or a poisoned software update. The biggest incidents of the period weren't clever exploits so much as failures of trust: in a vendor, an identity, a support process, a dependency. Here are the ones worth knowing, grouped by how they happened.

A note on sourcing: every incident below was widely reported by reputable outlets, vendors, or government bodies. Where attribution or scale was contested, we say so rather than pretend to certainty.

Nation-state espionage went mainstream

Salt Typhoon was the defining espionage story of the era. A China state-linked group breached at least nine major US telecom carriers, reaching the lawful-intercept (wiretap) systems and call metadata that carriers are required to maintain; the FBI later described 200+ targets across 80+ countries. The US Treasury sanctioned a linked firm in January 2025. It's widely called one of the worst telecom compromises in US history — and a reminder that the surveillance infrastructure built for law enforcement is itself a target.

SharePoint "ToolShell" (CVE-2025-53770) saw an unauthenticated remote-code-execution chain in on-premises Microsoft SharePoint mass-exploited worldwide from July 2025, compromising 150+ organizations across four continents, with some intrusions escalating to ransomware. Microsoft attributed activity to China-linked groups (Linen Typhoon, Violet Typhoon) alongside a ransomware actor.

The edge kept bleeding, too. Ivanti Connect Secure (CVE-2025-0282) and a pair of Cisco ASA/FTD zero-days (CVE-2025-20333 and CVE-2025-20362) were exploited in the wild to plant espionage malware and persistence that survived reboots. The pattern is now familiar: VPNs, firewalls, and other internet-facing appliances are prime real estate for suspected nation-state actors, because they sit at the perimeter and are hard to inspect.

The supply chain was the real target

The Salesloft Drift breach (UNC6395) was the landmark identity/SaaS supply-chain attack. In August 2025, attackers stole OAuth refresh tokens from the Salesloft "Drift" chatbot integration and used them to bulk-export Salesforce data from 700+ organizations — including Cloudflare, Google, Palo Alto Networks, and Zscaler — then mined the stolen records for cloud keys and other secrets. No password was cracked; a trusted integration's tokens were simply reused. It's the clearest case yet that in a connected SaaS world, an OAuth token is a skeleton key.

The npm "Shai-Hulud" worm hit open source. After a maintainer was phished via a fake 2FA-reset domain, attackers hijacked widely used packages (including debug and chalk, with billions of weekly downloads combined) and planted a self-replicating worm that steals cloud and CI tokens and spreads to other maintainer accounts. A later wave reached tens of thousands of GitHub repositories. One phished developer, and the blast radius was the entire JavaScript ecosystem.

Extortion hit record scale

The Oracle E-Business Suite zero-day (CVE-2025-61882) was the marquee CVE-driven event. The Cl0p extortion group exploited an unauthenticated RCE (CVSS 9.8) to steal data from dozens of enterprises, then ran a mass executive-email extortion campaign before Oracle patched it in October 2025 — a textbook example of a single flaw turned into an assembly line of extortion.

The Marks & Spencer attack brought it to the high street. In April–May 2025, social engineering of an IT help desk led to DragonForce ransomware and data theft across major UK retailers (M&S, Co-op, Harrods), disrupting M&S online operations for weeks with an estimated combined impact in the hundreds of millions of pounds. It was attributed to the English-speaking crew "Scattered Spider"; several suspects were arrested by the UK's National Crime Agency in July 2025. The entry point wasn't a zero-day — it was a persuasive phone call.

When the data itself is the crown jewel

A run of breaches showed how much sensitive data sits with third parties and back-office providers:

  • Conduent — a ransomware intrusion at the business-process giant reportedly stole around 8.5 TB of data; the affected population grew across disclosures into the tens of millions, placing it among the largest US breaches on record. Claimed by the SafePay group.
  • DaVita — a ransomware attack on the kidney-dialysis provider exposed protected health information of roughly 2.7 million people (April 2025), attributed to the Interlock group, which also forced a state-of-emergency declaration after hitting the City of St. Paul, Minnesota.
  • Qantas — attackers compromised a third-party customer-servicing platform via a call center (June 2025), exposing data of up to ~5.7 million customers, amid an FBI warning that Scattered Spider was targeting aviation.
  • Carnival — a 2026 social-engineering intrusion exposed data of roughly 6 million individuals, including passport and driver's-license numbers; claimed by the ShinyHunters extortion brand, per reporting.

Destruction, not just theft

Two incidents were about damage rather than data. Jaguar Land Rover was forced to halt global production for roughly five weeks from late August 2025, paralysing its supply chain with an estimated impact near £1.9B — described as possibly the most economically damaging cyberattack in UK history, prompting a government-backed loan guarantee. (Attribution was claimed by actors linked to the Scattered Spider/Lapsus$ scene but remains debated.) And in March 2026, destructive malware wiped tens of thousands of devices at the US medical-device maker Stryker — reportedly with staff watching machines wiped in real time — in a rare destructive attack on a Western manufacturer, reported as the work of an Iran-aligned hacktivist group.

The common thread

Look across the list and the same few root causes keep appearing: stolen tokens and credentials (Salesloft, npm, Salt Typhoon's harvested access), social engineering of a human (M&S, Qantas, Carnival), and trust placed in a third party that got compromised (Conduent, Drift, the supply-chain worms). Very little of it required breaking encryption. It required finding a secret that was lying around — an OAuth token, a saved password, an API key in a support ticket — and using it.

That's the uncomfortable lesson for everyone, not just the Fortune 500: secrets are dangerous in proportion to how long they sit somewhere reusable. The defensive moves that actually move the needle are unglamorous — phishing- resistant MFA, short-lived tokens, least privilege, and not leaving credentials in inboxes, chat logs, and ticketing systems where a single compromise turns into an archive. If you're going to hand someone a credential, hand them something that expires and can't be replayed, not a message that lives forever. Most of the year's biggest headlines started with a secret that outlived its usefulness.

Share a secret the safe way

End-to-end encrypted, one-time links — free, no account needed.

Try Secretus