The Worst Hacks of 2025

It was a strange year in cyberspace, as U.S. President Donald Trump and his administration launched foreign policy initiatives and massive changes within the federal government that had significant geopolitical ramifications. Through it all, the constant drumbeat of data breaches, leaks, ransomware attacks, digital extortion cases, and state-sponsored attacks that have unfortunately become a backdrop to daily life has continued to resonate.
Here’s WIRED’s take on this year’s biggest breaches, hacks and digital attacks. Stay vigilant and stay safe out there.
Salesforce Integrations
Attackers took data from sales management giant Salesforce in at least two breaches this year, but they did not directly compromise Salesforce. Instead, the group breached integrations from third-party Salesforce contractors, including Gainsight and Salesloft.
Google’s Threat Intelligence Group published an article on the case in August, claiming that some Google Workspace data had been compromised in the breach of sales and marketing platform Salesloft Drift. Although the incident was not a direct hack of Google Workspace, it represents a rare case in recent years where Alphabet customer data was exposed.
Other companies affected include Cloudflare, Docusign, Verizon, Workday, Cisco, LinkedIn, Bugcrowd, Proofpoint, GitLab, SonicWall, Adidas, Louis Vuitton and Chanel. Credit reporting agency TransUnion also had a breach apparently related to the situation that exposed the information of 4.4 million people, including names and Social Security numbers.
The spree was carried out by a group known as Scattered Lapsus$ Hunters, a potential amalgam of actors and tools from the hacking and data theft groups Scattered Spider, Lapsus$ and ShinyHunters. The researchers note, however, that the group is not actually an individual evolution of the three namesakes. Regardless, Scattered Lapsus$ Hunters has a data leak site where they previewed reams of data stolen during the campaign and carried out digital extortion attacks against victims.
Clop’s Oracle E-Business hacking spree
The Clop ransomware group is known for mass exploitation of vulnerabilities to carry out data breaches and extortion attacks. Its rampages in recent years have claimed large numbers of victims, both in private businesses and government agencies. This year, the group did it again by exploiting a vulnerability in Oracle’s E-Business internal management platform to steal data from numerous companies and organizations.
As part of this spree, Clop stole employee data from several companies, including executives’ personal information. The group used it to send emails and other threatening communications to senior executives, demanding millions of dollars in ransom to delete the data instead of publishing it.
Oracle rushed to patch the vulnerability in early October, but Clop had already exploited it to steal data from hospitals and healthcare groups, media companies like the Washington Post, and universities like the University of Pennsylvania (see below).
University breaches
The University of Pennsylvania publicly disclosed in early November a data breach that took place in late October, affecting personal data – some years or decades old – of students, alumni and donors. The data also included internal university documents and some financial information. The incident was the result of a phishing attack; the hacker sent emails to students and alumni describing Penn as “woke” and saying the school prioritizes “legacies, donors, and wholehearted affirmative action.” The Verge, however, reported that ultimately the hacker may have been motivated by financial reasons.
Harvard said in a November statement that its Office of Alumni Affairs and Development systems were hacked via a “telephone phishing attack.” The incident involved personal information about alumni, their partners, Harvard donors, parents of current and former students, certain current students, and certain faculty and staff. The data included email addresses, phone numbers, physical addresses, event attendance records, university donation information, and other fundraising details. Princeton University was hit by a similar attack the same month, although the scope of the data involved appears more limited.



