Cybersecurity round-up 2025: What last year’s biggest incidents taught us
Every year in cybersecurity has its share of breaches, headlines, and postmortems. But 2025 stood out, not because attacks were louder, but because they were broader, faster, and more systemic.
From record-breaking credential exposure to AI-orchestrated cyber operations, this year’s incidents revealed a hard truth: security failures are no longer isolated technical issues. They ripple across ecosystems, supply chains, and even national infrastructure.
In this edition of All Things AppSec, we look back at the five most significant cybersecurity incidents of 2025 and, more importantly, what they tell us about where security is failing and how teams need to adapt.
1. The 16 billion credential “mega leak”
The largest password exposure in recorded history surfaced in June 2025: 16 billion login credentials compiled from infostealer malware campaigns and historical breaches spanning several years.
What made this incident unprecedented wasn’t a single breach, but aggregation at industrial scale. Credentials linked to Google, Apple, Facebook, GitHub, Telegram, VPNs, email services, and government portals were all exposed in one dataset.
This wasn’t targeted compromise. It was universal exposure.
What we learned
Credential security is no longer about whether your platform was breached—it’s about how often reused credentials resurface elsewhere. Traditional breach-response thinking doesn’t work when attackers can launch credential-stuffing attacks across every sector simultaneously.
Key takeaway: Password-based security is fundamentally brittle at scale. Without strong MFA, credential rotation, and anomaly detection, account takeover becomes inevitable.
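The anomaly-detection side of this takeaway, as an added example that is not part of the original article: a small detector that flags credential stuffing in authentication logs by looking for a single source trying many distinct accounts with a high failure rate, and reports which accounts it nevertheless got into (those are the reused credentials to rotate). The log format, field names and thresholds are assumptions.

```python
"""Credential-stuffing detection over auth logs (added example, not from the article).

Assumptions: logs are JSON lines with fields ts, ip, user, result ("ok"/"fail").
Thresholds are illustrative and should be tuned to your own traffic."""
import json
from collections import defaultdict

# Constructed sample: 203.0.113.9 cycles through many accounts (stuffing),
# 198.51.100.4 is one user mistyping a password, 192.0.2.7 is normal traffic.
SAMPLE_LOG = "\n".join([
    '{"ts": 1, "ip": "203.0.113.9", "user": "alice", "result": "fail"}',
    '{"ts": 2, "ip": "203.0.113.9", "user": "bob", "result": "fail"}',
    '{"ts": 3, "ip": "203.0.113.9", "user": "carol", "result": "ok"}',
    '{"ts": 4, "ip": "203.0.113.9", "user": "dave", "result": "fail"}',
    '{"ts": 5, "ip": "203.0.113.9", "user": "erin", "result": "fail"}',
    '{"ts": 6, "ip": "198.51.100.4", "user": "alice", "result": "fail"}',
    '{"ts": 7, "ip": "198.51.100.4", "user": "alice", "result": "ok"}',
    '{"ts": 8, "ip": "192.0.2.7", "user": "frank", "result": "ok"}',
])

def parse_events(text):
    """Parse JSON-lines auth events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_stuffing(events, min_users=4, min_fail_ratio=0.6):
    """Return {ip: summary} for sources that try many distinct accounts with a
    high failure rate: the signature of a leaked credential list being replayed.
    'compromised' lists accounts where a replayed credential actually worked."""
    by_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0, "hits": set()})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        if e["result"] == "fail":
            s["fail"] += 1
        else:
            s["hits"].add(e["user"])
    flagged = {}
    for ip, s in by_ip.items():
        ratio = s["fail"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged
```

A successful login from a flagged source is the actionable signal: that account's password is reused and should be rotated and its sessions invalidated, regardless of whether your own platform was ever breached.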
2. The Salesforce / Salesloft–Drift OAuth supply chain breach
In September 2025, what would later be described as the largest SaaS supply chain breach in history came to light. Approximately 1.5 billion CRM records across 760+ organizations were exposed after OAuth tokens were compromised through Salesloft’s breached GitHub repositories.
The affected list was sobering: Google, Cloudflare, Palo Alto Networks, CyberArk, Proofpoint, Chanel, Pandora, and many others. A second breach via Gainsight’s Salesforce connector expanded the impact further.
This incident became a SolarWinds moment, but for SaaS integrations.
What we learned
OAuth tokens are often treated as low-risk plumbing. In reality, they represent persistent, privileged access that bypasses traditional authentication controls.
Key takeaway: Third-party integrations expand your attack surface far beyond your own code. If OAuth permissions are over-scoped or poorly monitored, a single vendor breach can cascade across hundreds of customers.
3. The Change Healthcare ransomware attack
Disclosed in 2025 but originating earlier, the Change Healthcare ransomware incident became the largest healthcare data breach ever reported, affecting 192.7 million individuals, i.e. roughly two-thirds of the U.S. population.
But data exposure was only part of the story. The operational fallout was severe: nationwide pharmacy claims processing failed, billing systems went offline, clinical workflows stalled, and manual workarounds were forced across thousands of providers. Federal agencies had to intervene.
It was a critical-infrastructure failure.
What we learned
When cybersecurity fails in core digital infrastructure, the impact extends far beyond IT systems. Healthcare delivery, patient care, and public trust all suffer.
Key takeaway: Ransomware resilience must include operational continuity planning. Security teams need to assume compromise and design systems that degrade safely rather than collapse entirely.
4. The Jaguar Land Rover cyber attack
Between August and September 2025, Jaguar Land Rover experienced the costliest cyberattack in UK history, with an estimated £1.9 billion economic loss.
The incident forced a five-week halt in production at key manufacturing facilities and disrupted over 5,000 downstream organizations across the automotive supply chain. Revenue dropped 24% year-on-year in Q3 2025.
The UK Cyber Monitoring Centre classified it as a systemic cyber event, highlighting national-level economic impact.
What we learned
Modern manufacturing is deeply interconnected. A single compromised node can trigger widespread operational and financial disruption.
Key takeaway: Cyber risk is supply-chain risk. Organizations need visibility not just into their own systems, but into the resilience of the vendors and platforms they depend on.
5. The GTG-1002 AI-orchestrated cyber espionage campaign
In September 2025 (disclosed publicly in November), researchers revealed the first known large-scale AI-orchestrated cyberattack. The Chinese state-sponsored GTG-1002 campaign used AI to autonomously execute 80–90% of the attack lifecycle, from reconnaissance to data exfiltration.
Human operators intervened only a handful of times per campaign. Targets included government agencies, financial institutions, technology firms, and chemical manufacturers. The disclosure prompted Congressional hearings and industry-wide reassessment.
This wasn’t about scale; it was about speed and autonomy.
What we learned
Attackers are no longer constrained by human bandwidth. Defensive strategies built around manual response timelines are increasingly outmatched.
Key takeaway: Security must evolve toward automation, behavioral detection, and continuous testing. Machine-speed attacks require machine-speed defenses.
The bigger picture: patterns across 2025
Looking across all five incidents, several themes emerge:
Identity remains the weakest link
Third-party access is a force multiplier for attackers
Operational resilience matters as much as data protection
Supply chains amplify cyber risk
AI is changing both offense and defense
These weren’t failures of individual controls. They were failures of assumptions: about trust, isolation, and human-paced security.
Looking ahead
If 2025 taught us anything, it’s that cybersecurity is no longer just about preventing breaches. It’s about limiting blast radius, maintaining continuity, and adapting faster than attackers.
The question isn’t whether incidents will happen. It’s whether organizations are prepared for the scale, speed, and complexity of the next one.
As we move into 2026, security strategies must be built for ecosystems, not silos, and for continuous change, not static defenses.