Date: 23 December 2025
What were the Biggest Cyber Attacks of 2025?
1. The 16 Billion Credential “Mega Leak” – Largest Password Exposure in History
In mid-2025, researchers at Cybernews uncovered 30 exposed datasets containing more than 16 billion login credentials. These included passwords for Google, Apple, Facebook, Telegram, GitHub and even government services. While there was no single breach of those big tech firms, the dataset was a massive aggregation of credentials stolen by infostealer malware and earlier breaches. Hosted openly online for a period, it effectively turned into a “credential buffet” for attackers.
Analysts and media quickly dubbed it a historic data leak, warning that the compilation itself was as dangerous as any one breach because it enabled industrial-scale credential stuffing and account takeover.
Why This Attack Made It To The List
- Its global reach and scale were unprecedented. The 16 billion credentials exceed the global population; most individuals were likely exposed multiple times.
- This wasn’t one company’s misstep, and there wasn’t one obvious incident to blame. It was the accumulated result of years of poor password hygiene.
- It's a manifestation of silent business risk. Any organisation whose users re-used passwords could face stealthy account takeovers on VPNs, email, CRM and cloud consoles.
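The credential stuffing this compilation enables leaves a recognisable trace in authentication logs: one source trying many distinct usernames in a short burst, almost all of them failing. The detector below is an added example, not code from the original article or from Cybernews. It runs over constructed sample log lines in an assumed `timestamp ip user result` format, and the window and thresholds are assumptions to tune against your own login volume.

```python
"""
Added example (not from the original article): detect the credential-stuffing
pattern in authentication logs. Log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <OK|FAIL>".
# 198.51.100.5 is one user mistyping a password; 203.0.113.7 sprays twelve
# different accounts in twelve seconds and gets one hit (a takeover of "frank").
SAMPLE_LOG = """\
2025-06-20T10:00:00 198.51.100.5 carol FAIL
2025-06-20T10:00:07 198.51.100.5 carol FAIL
2025-06-20T10:00:15 198.51.100.5 carol OK
2025-06-20T10:00:01 203.0.113.7 alice FAIL
2025-06-20T10:00:02 203.0.113.7 bob FAIL
2025-06-20T10:00:03 203.0.113.7 chen FAIL
2025-06-20T10:00:04 203.0.113.7 dana FAIL
2025-06-20T10:00:05 203.0.113.7 eve FAIL
2025-06-20T10:00:06 203.0.113.7 frank OK
2025-06-20T10:00:07 203.0.113.7 gita FAIL
2025-06-20T10:00:08 203.0.113.7 hal FAIL
2025-06-20T10:00:09 203.0.113.7 ivan FAIL
2025-06-20T10:00:10 203.0.113.7 jo FAIL
2025-06-20T10:00:11 203.0.113.7 kim FAIL
2025-06-20T10:00:12 203.0.113.7 lee FAIL
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_credential_stuffing(events, window_seconds=60,
                               min_distinct_users=10, min_fail_ratio=0.8):
    """Return {ip: summary} for source IPs that, within any window of
    window_seconds, tried at least min_distinct_users accounts with a failure
    ratio of at least min_fail_ratio. The summary covers the widest such window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits in window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] != "OK")
            if len(users) < min_distinct_users or fails / len(win) < min_fail_ratio:
                continue
            if best is None or len(users) > best["distinct_users"]:
                best = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    # Successful logins inside a stuffing burst are the accounts
                    # to lock and notify first.
                    "successful_logins": sorted(e[2] for e in win if e[3] == "OK"),
                }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The actionable output is `successful_logins`: a success inside a burst of failures across many accounts is the account-takeover signal, and those accounts are the ones to force a password reset on, not merely the source IP to block.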
2. Salesforce/Salesloft-Drift OAuth Attack - Largest SaaS Supply Chain Breach in History
The Salesforce/Salesloft-Drift SaaS compromise was the largest SaaS supply chain breach ever. It was linked to groups like ShinyHunters/UNC6395, who apparently compromised the integration between Drift (acquired by Salesloft) and Salesforce. The threat actors obtained OAuth access tokens and refresh tokens and used them to reach sensitive information across hundreds of global organisations.
Large tech firms, industry leaders and even major cybersecurity vendors were not spared.
Why This Attack Made It To The List
- Potential exposure of up to 1.5 billion CRM-related records claimed by attackers.
- This massive breach had a ripple effect across industries. From automotive giants, aviation players, security vendors and fintech firms to cloud providers, nobody was spared.
- It's rightly been christened a turning point in SaaS security policy discussions worldwide.
This attack is now widely regarded as the “SolarWinds moment for SaaS”. Read our detailed blog on the Salesloft-Drift Attack. You also wouldn’t want to miss our Cyber Insights Summary document that summarises how this one event shook 700+ organisations worldwide.
3. Marks and Spencer Cyber Attack - A Retail Giant Gets Thrown Into Mayhem
The Marks & Spencer (M&S) cyber attack became one of the most significant and high-impact breaches of 2025. It was a part of the massive onslaught on UK retail businesses which we've captured in our detailed timeline documents on the UK Retail Cyber Siege. You can also download our Marks and Spencer Cyber Attack timeline to get a complete and detailed picture of what made this attack a watershed moment in cybersecurity history.
The iconic UK retailer’s operations were hit at multiple critical levels — financially, operationally, and reputationally. Beginning over the Easter weekend in April 2025, attackers exploited social engineering and third-party access, tricking service desk personnel into resetting credentials and gaining entry into M&S’s internal systems.
Once inside, they deployed ransomware that crippled core IT infrastructure, forcing M&S to suspend online orders, click-and-collect services, and contactless payments for weeks. Although the breached customer data did not include payment details or passwords, names, birth dates, email addresses, and order histories were taken, prompting widespread customer notifications and heightened concern over future phishing attacks.
The ripple effects of the attack were massive. M&S's market value fell by over £700 million. The company faced estimated losses of £40 million per week due to the attack as per Reuters. For weeks, parts of the business remained offline, with only gradual restoration of digital services.
The attack also sparked broader industry discussion about the vulnerability of large retailers to sophisticated social engineering and third-party supply chain risks. The attack underscored how even organisations with substantial security spending are not immune to threats that target human and procedural weaknesses.
Ultimately, the M&S breach stood out in 2025 because it was not just a technical incident. It was a high-profile, board-level crisis that exposed gaps in identity and access management and vendor risk oversight.
Why This Attack Made It To The List
- Massive operational disruption that halted key customer services (online orders, payments, click-and-collect) for weeks.
- Significant and debilitating financial impact with hundreds of millions in lost profit and stock market value wiped out.
- Sensitive customer data compromised, increasing regulatory and reputational risk.
- Highlighted critical weaknesses in third-party risk and social engineering susceptibility.
- Became a sector-wide cautionary case influencing cyber risk discussions across UK retail.
4. Jaguar Land Rover Attack - The Most Financially Damaging Attack in UK History
In late August and early September 2025, Jaguar Land Rover (JLR), one of the United Kingdom’s largest automotive manufacturers, suffered a crippling cyber attack that immediately reverberated across the UK economy. The incident began when unusual activity was detected within JLR’s IT environment. The company promptly took the drastic but necessary step of shutting down internal systems to contain potential damage.
Operations were halted at its UK plants in Halewood and Solihull, forcing workers to stay home and bringing vehicle production to an abrupt stop as factories went offline. What began as a security containment action soon turned into an extended operational crisis that highlighted the growing vulnerability of industrial and manufacturing infrastructure to cyber threats.
The scale of disruption was staggering. For roughly five weeks, JLR’s production lines remained suspended. This had a cascading effect across hundreds of suppliers. Estimates suggested the shutdown caused as much as £1.9 billion (US$2.5 billion) in economic losses, making it arguably the most financially damaging cyber attack in UK history.
This impact was not limited to JLR alone; automotive output across the country fell sharply. Thousands of jobs were jeopardised as suppliers and logistics partners struggled to cope with halted operations. Beyond the operational fallout, the attack also resulted in unauthorised access to sensitive payroll and employee data, including bank details and personal information.
The incident drew significant attention because it highlighted how deeply modern manufacturing has become entwined with digital systems. This has turned IT outages into serious business risks like never before. It also underscored that even large, well-resourced organisations are not immune to sophisticated threat actors capable of leveraging structural weaknesses to inflict widespread damage.
For a complete breakdown of the incident, the impact and JLR’s response, don’t forget to download our Jaguar Land Rover Cyber Attack Timeline.
Why This Attack Made It To The List
- Production halted for over a month, affecting core manufacturing output and daily operations.
- Massive economic damage, estimated to be £1.9 billion in broader UK impact, including supplier and ecosystem losses.
- Sensitive employee data compromised, triggering regulatory, remediation, and identity risk concerns.
- Ripple effects across supply chains with thousands of related businesses facing financial strain and operational challenges.
5. Change Healthcare Ransomware Breach — Largest Healthcare Data Compromise
The Change Healthcare cyber attack, tied to UnitedHealth’s technology unit, will likely define healthcare cybersecurity discussions for years. Initially hit by a ransomware attack attributed by US healthcare associations to the ALPHV/BlackCat group, Change Healthcare suffered prolonged outages that disrupted pharmacy claims, clinical workflows and billing across the United States. The company was also slammed globally for apparently making a ransom payment, with the attack becoming a case study on why negotiating with criminals is never a good idea.
In 2025, the full scale came into sharper focus. On 31 July 2025, Change Healthcare notified the US Office for Civil Rights that approximately 192.7 million individuals were impacted. By August, US HHS and UnitedHealth confirmed this number publicly, calling it the largest healthcare data breach to date.
The exposed data included protected health information (PHI), claims data and other sensitive identifiers. The attack had a massive knock-on effect for providers, insurers and patients nationwide.
For a full chronology of the attack, check out our Change Healthcare Cyber Attack Timeline.
Why This Attack Made It To The List
- This was not “just” a data breach. It had a real impact on critical health infrastructure. It stopped payments and medication processing, forcing manual workarounds and emergency funding.
- The numbers confirmed in 2025 made the breach the largest healthcare data compromise ever, affecting almost two-thirds of the U.S. population.
- The incident triggered investigations by HHS, state attorneys general and multi-district litigation over alleged security failures.
- A single technology provider became a systemic risk for much of the US healthcare ecosystem.
6. SK Telecom HSS & USIM Breach - Highest Regulatory Penalty in Telecom Sector
On 18 April 2025, South Korea’s largest mobile carrier, SK Telecom (SKT), detected abnormal outbound traffic from systems tied to its Home Subscriber Server (HSS). Subsequent investigations by the Ministry of Science and ICT and a public-private task force revealed that attackers had deployed multiple variants of BPFDoor, a stealthy Linux backdoor that uses the Berkeley Packet Filter to hide its traffic.
The malware persisted in SKT’s environment for years, leaking USIM data and subscriber identifiers. Around 26.96 million IMSI records and related USIM data (adding up to around 9.82 GB) were exposed – affecting roughly half of South Korea’s population.
The fallout was severe:
- SKT’s share price fell by up to 8.5% in a single day after the breach was disclosed.
- Regulators later imposed a record fine of around $96–97 million for lax security and delayed notification. This was the highest penalty ever in the telecom sector by a regulator. It also surpassed massive fines levied previously on tech giants like Google.
- The company was forced to offer free USIM replacements to all 23 million customers. It also offered bill discounts and committed to a multi-year, multi-hundred-million-dollar security investment plan.
Why This Attack Made It To The List
- This wasn’t a fringe system. Attackers accessed HSS and USIM data, enabling potential SIM-swapping, spoofing and mass surveillance.
- BPFDoor-based campaigns appear to have run for years before discovery. This attack highlighted the major detection gaps in telecom environments.
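A BPFDoor-style implant does not open a listening port; it holds a raw packet socket with a BPF filter attached and waits for traffic that matches, which is why port-based inventories miss it. One host-level hunt that closes part of that gap is to list raw AF_PACKET sockets and ask which processes own them. The script below is an added example, not code from the article or from the SKT investigation. The `/proc/net/packet` snapshot and the inode-to-process map are constructed sample data (the column layout is the one the Linux kernel prints), and the allowlist of legitimate packet-socket users is an assumption to tune per host. It covers AF_PACKET sockets only; AF_INET raw sockets are listed in `/proc/net/raw` and need the same treatment.

```python
"""
Added example (not from the original article): hunt for raw AF_PACKET sockets
held by processes that have no business capturing packets, the foothold a
BPFDoor-style implant uses to receive traffic without a listening port.
Sample table and process map are constructed; the allowlist is an assumption.
"""
import os
import re
import socket

# Constructed snapshot in the column layout the Linux kernel prints for
# /proc/net/packet. Type 3 is SOCK_RAW; Proto is the bound Ethertype in hex.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      41001
0000000000000000 3      3    0800   2     1 0      0      41077
"""

# Constructed inode -> (pid, comm) map standing in for a walk of /proc/<pid>/fd.
# A real sshd never opens a packet socket, so a packet socket owned by a
# process calling itself sshd is exactly the kind of anomaly worth chasing.
SAMPLE_SOCKET_OWNERS = {41001: (1342, "tcpdump"), 41077: (2771, "sshd")}

# Processes that legitimately use AF_PACKET (capture, DHCP, 802.1X, LLDP).
# Assumed baseline; tune it per host.
PACKET_ALLOWLIST = {"tcpdump", "dhclient", "dhcpcd", "wpa_supplicant",
                    "NetworkManager", "systemd-networkd", "lldpd"}


def parse_packet_table(text):
    """Parse /proc/net/packet rows into dicts; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 9:
            continue
        rows.append({"type": int(parts[2]), "proto": int(parts[3], 16),
                     "inode": int(parts[8])})
    return rows


def live_socket_owners():
    """Map socket inode -> (pid, comm) by reading /proc/<pid>/fd links.
    Linux only; seeing other users' processes needs root."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    owners[int(m.group(1))] = (int(pid), comm)
        except OSError:
            continue  # process exited or not readable
    return owners


def find_suspicious_packet_sockets(rows, owners, allowlist=PACKET_ALLOWLIST):
    """Return raw packet sockets whose owner is unknown or not on the allowlist.
    An unmapped inode is reported too: a socket nobody visibly owns is itself a lead."""
    findings = []
    for row in rows:
        if row["type"] != socket.SOCK_RAW:
            continue
        pid, comm = owners.get(row["inode"], (None, "<unmapped>"))
        if comm in allowlist:
            continue
        findings.append({"inode": row["inode"], "proto": row["proto"],
                         "pid": pid, "comm": comm})
    return findings


if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as fh:
            rows = parse_packet_table(fh.read())
        owners = live_socket_owners()
    else:
        rows = parse_packet_table(SAMPLE_PROC_NET_PACKET)
        owners = SAMPLE_SOCKET_OWNERS
    for finding in find_suspicious_packet_sockets(rows, owners):
        print(finding)
```

Run on a live Linux host it reads the real table and resolves owners through `/proc`; anywhere else it falls back to the constructed sample. A hit is a lead, not a verdict: confirm by checking the process binary on disk and whether a BPF filter is attached to the socket (for example with `ss -0pb`) before acting.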
7. Red Hat Consulting GitLab Breach — 570GB of Supply-Chain Blueprints Exfiltrated
In early October 2025, Red Hat confirmed a major breach of a self-managed GitLab instance used by its consulting division. The Crimson Collective threat group claimed to have exfiltrated around 570 GB of compressed data and accessed over 28,000 internal repositories. They claimed to have stolen around 800 Customer Engagement Reports (CERs) containing VPN settings, infrastructure diagrams, API keys, credentials and security configurations of more than 800 enterprise and government clients.
Hundreds of major clients, including financial, telecom and government bodies, were compromised. Amongst the prominent names affected were the U.S. Navy, Bank of America, American Express, AT&T and T-Mobile.
Red Hat, however, did not confirm all of Crimson Collective’s claims.
Why This Attack Made It To The List
- This major breach underscored the dangers of static credentials within third-party consulting work yet again. The stolen CERs contained ready-made blueprints for attacking hundreds of other organisations, including VPN configs and privileged credentials.
- The depth of exposure was massive. It wasn't just user data but operational data (tokens, configs) that could facilitate further attacks.
- The exposure of major, high-profile clients made it a significant incident.
- It brought cloud-centric extortion into the limelight yet again. Crimson Collective has been observed targeting AWS environments and using stolen cloud credentials for extortion and follow-on access.
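The stolen CERs were dangerous because they carried credentials in plain text, so a stolen document was as good as a stolen key. One control that blunts this is to scan engagement documents for credential-like strings before they are committed to a shared repository and to fail the commit if any are found. The scanner below is an added example, not Red Hat's tooling or code from the article. The report text is a constructed sample (the AWS key is Amazon's documented placeholder, not a live credential), and the pattern list and redaction rule are assumptions to extend.

```python
"""
Added example (not Red Hat's tooling or code from the article): scan an
engagement report for credential-like strings before it is stored in a repo.
Patterns and redaction rule are assumptions to extend.
"""
import re
import sys

# Constructed sample report. The AWS key is Amazon's documented placeholder
# (AKIAIOSFODNN7EXAMPLE), not a live credential.
SAMPLE_CER = """\
Customer Engagement Report - EXAMPLE CORP (constructed sample)
VPN gateway: vpn.example.com, IKEv2, certificate auth
Service account: svc-deploy
password = Winter2025!
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
Password policy: minimum 14 characters, MFA required
"""

# (kind, pattern). Group 1 isolates the value that must never be stored.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"(-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----)")),
    ("assigned_secret", re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*(\S+)")),
]


def redact(value, keep=4):
    """Keep a short prefix so a finding can be matched up, never the full secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_text(text):
    """Return one finding per matched line: {line, kind, redacted}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "kind": kind,
                                 "redacted": redact(m.group(1))})
                break  # one finding per line is enough to block the commit
    return findings


def has_secrets(text):
    """True when the document contains at least one credential-like string."""
    return bool(scan_text(text))


if __name__ == "__main__":
    # Usage: python cer_scan.py report.txt   (exit status 1 blocks a pre-commit hook)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CER
    for f in scan_text(text):
        print(f"line {f['line']}: {f['kind']} ({f['redacted']})")
    sys.exit(1 if has_secrets(text) else 0)
```

Note that the findings are redacted on output: a scanner that prints the secrets it finds into CI logs simply moves the leak somewhere else. The prose line about password policy is deliberately in the sample to show that the keyword alone does not trigger a finding; only a keyword followed by an assignment does.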
If you’re interested in a detailed, monthly breakdown of the biggest cyber attacks in 2025, don’t forget to check out our month-wise roundup of the biggest cyber attacks, data breaches and ransomware attacks in the year gone by.