December 2025 closed the year with a stark reminder that cyber risk is now systemic, relentless, and indiscriminate. From global retailers and telecom providers to universities, government bodies, and healthcare supply chains, attackers continued to exploit identity weaknesses and third-party dependencies.
High-profile incidents involving Coupang, University of Phoenix, University of Pennsylvania, the French Interior Ministry, and the NHS’s technology provider DXC Technology once again demonstrated that cyber attacks are no longer confined to a single sector or geography. They ripple across ecosystems, services, and public trust.
What made December’s attacks particularly sobering was not just their scale but their real-world consequences. Breaches at organisations such as Freedom Mobile, 700Credit, University of Sydney, Leroy Merlin, and SoundCloud disrupted operations, exposed sensitive data, and triggered regulatory and reputational fallout. Across these incidents, a familiar pattern emerged: attackers moved faster than internal decision-making, and organisations were forced to respond under intense public and regulatory scrutiny.
This December 2025 cyber attacks compilation brings together the most significant incidents of the month. The goal is not just to document what happened but to extract the lessons that matter for 2026.
At Cyber Management Alliance, we work with organisations globally to help them prepare for exactly these moments. Our work spans incident response planning, ransomware readiness, cyber tabletop exercises, crisis communications, and the creation and review of incident response playbooks, amongst other services. We help leadership teams rehearse decision-making before a crisis strikes, and we help incident response teams define clear command structures. Our Cyber Drills enable you to validate your response and recovery timelines and to align legal, technical, and communications functions under pressure. In today’s threat environment, resilience is no longer defined by whether an organisation is attacked, but by how quickly it can contain impact, maintain trust, and recover with confidence.
| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| December 01, 2025 | Coupang | Korea’s Coupang says data breach exposed nearly 34M customers’ personal information | Former Employee | A massive data breach at South Korean e-commerce giant Coupang exposed personal details of nearly 34 million customers including names, email addresses, phone numbers and addresses. Investigators say it was likely carried out by a former employee who retained system access, though no formal threat actor group has been publicly named. | |
| December 01, 2025 | University of Pennsylvania | University of Pennsylvania confirms new data breach after Oracle hack | Clop Ransomware | A breach of the University of Pennsylvania’s Oracle E-Business Suite systems exposed personal information of roughly 1,488 individuals and likely affected many more as part of a wider Clop ransomware gang Oracle EBS data-theft campaign. | Source: Bleeping Computer |
| December 03, 2025 | The University of Phoenix | University of Phoenix discloses data breach after Oracle hack | Clop Ransomware | Nearly 3.5 million University of Phoenix students, staff, and suppliers had sensitive personal and financial data stolen in a breach attributed to the Clop ransomware gang exploiting an Oracle E-Business Suite vulnerability. | Source: Bleeping Computer |
| December 03, 2025 | Freedom Mobile | Personal Information Compromised in Freedom Mobile Data Breach | Unknown | Freedom Mobile’s data breach exposed customers’ personal information including names, addresses, phone numbers, dates of birth and account numbers after attackers accessed a subcontractor’s credentials, though no specific threat actor has been publicly named. | |
| December 03, 2025 | Leroy Merlin France | Leroy Merlin France Loyalty Programme Data Breach | Unknown | A cyberattack on Leroy Merlin France exposed full names, phone numbers, email addresses, postal addresses, dates of birth and loyalty-programme data of hundreds of thousands of customers, with no specific threat actor publicly identified. | |
| December 15, 2025 | SoundCloud | SoundCloud confirms breach after member data stolen, VPN access disrupted | ShinyHunters (Allegedly) | SoundCloud confirmed a data breach that exposed email addresses and public profile information of around 20 percent of users (about 28 million accounts) and caused service outages and VPN access disruption, with unverified reports suggesting the ShinyHunters extortion group may be involved. | Source: Bleeping Computer |
| December 15, 2025 | PornHub | PornHub extorted after hackers steal Premium member activity data | ShinyHunters extortion group | Hackers linked to the ShinyHunters extortion group stole and are trying to extort PornHub over analytics data tied to more than 200 million premium user records including email addresses, viewing and search history, and other activity details. | Source: Bleeping Computer |
| December 15, 2025 | 700Credit | 700Credit data breach impacts 5.8 Million Individuals | Unknown | The 700Credit data breach exposed highly sensitive personal data including names, addresses, dates of birth and Social Security numbers of about 5.8 million individuals after attackers accessed a third-party partner API. | Source: Security Week |
| December 18, 2025 | University of Sydney | University of Sydney suffers data breach exposing student and staff info | Unknown | Hackers accessed an online coding repository at the University of Sydney, stealing personal information of more than 27,000 staff, students, alumni and affiliates (names, dates of birth, phone numbers, addresses and job details) in a data breach attack. | Source: Bleeping Computer |
| December 23, 2025 | Nissan | 21K Nissan customers' data stolen in Red Hat raid | Crimson Collective | Approximately 21,000 Nissan customers had personal data including names, addresses, phone numbers, partial emails and related sales information stolen after attackers breached a Red Hat-managed GitLab server used by Nissan’s third-party vendor. The intrusion was initially claimed by the Crimson Collective threat actor (with possible involvement of ShinyHunters affiliates). | |
| December 23, 2025 | Baker University | Baker University says 2024 data breach impacted 53,000 people | Unknown | A data breach at Baker University exposed the personal, financial, and health information of over 53,000 individuals after attackers accessed its network between December 2–19, 2024, potentially putting affected persons at risk of identity theft and fraud. | Source: Bleeping Computer |
| December 28, 2025 | WIRED, a news platform | Hacker claims to leak WIRED database with 2.3 million records | Lovely (internet handle of the threat actor) | A threat actor known as “Lovely” allegedly leaked 2.3 million WIRED subscriber records from Condé Nast’s database, exposing personal user data and warning of up to 40 million more records at risk, significantly impacting subscriber privacy and security. | Source: Bleeping Computer |
| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| December 13, 2025 | Pierce County Library System | More than 340,000 impacted by cyber attack on library in large Washington county | INC Ransomware Gang | A cyber attack on the Pierce County Library System exposed personal data of more than 340,000 people, including names, birthdates and sensitive employee information. The attack was claimed by the INC ransomware gang. | |
| December 15, 2025 | Askul | Askul confirms theft of 740k customer records in ransomware attack | RansomHouse Group | A ransomware attack by the RansomHouse group on Japanese e-commerce firm Askul led to the theft of around 740,000 customer records including business and individual customer details, partner and employee information, and disrupted order and shipping operations. | |
| December 22, 2025 | Romania Waters | Romanian national water agency hit by BitLocker ransomware attack | BitLocker (encryption tool used; no group publicly named) | A ransomware attack disrupted around 1,000 IT systems at Romania’s national water agency, disabling workstations, servers, email and GIS systems and forcing staff to rely on phone and radio communications. Water operations remained unaffected, and no threat actor was publicly named. | Source: The Record |
| December 24, 2025 | Aflac | More than 22 million Aflac customers impacted by June data breach | Scattered Spider | Nearly 22.7 million Aflac customers had sensitive personal and health information including Social Security numbers, claims and medical data stolen in a June cyber attack tied to the insurance-sector-targeting Scattered Spider cybercrime group. | Source: The Record |
| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| December 02, 2025 | NPM Packages | Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets | Unknown | The Shai-Hulud 2.0 npm malware attack infected hundreds of npm packages and exposed up to 400,000 developer secrets such as tokens and credentials in tens of thousands of public GitHub repositories, putting developer accounts, CI/CD systems and cloud environments at risk. | |
| December 02, 2025 | Random IoT devices and Routers | Aisuru botnet behind new record-breaking 29.7 Tbps DDoS attack | Aisuru botnet | The Aisuru botnet unleashed a record-breaking 29.7 Tbps distributed denial-of-service (DDoS) attack using millions of compromised IoT and router devices, setting a new high for attack volume and highlighting the growing scale of botnet-driven internet disruption. | Source: Bleeping Computer |
| December 10, 2025 | Aeroflot | Russia’s flagship airline hacked through little-known tech vendor, according to new report | Silent Crow and Belarusian Cyber-Partisans | A major cyber attack on Russia’s flagship airline Aeroflot knocked out internal systems, forced cancellation of more than a hundred flights and stranded tens of thousands of passengers. | Source: The Record |
| December 11, 2025 | Mikord, a Russian software development company | Hackers reportedly breach developer involved with Russia’s military draft database | Unknown | An anonymous hacker group reportedly breached the servers of a Russian tech firm tied to the country’s unified military draft database, potentially exposing sensitive backend data, though no specific threat actor has been publicly named. | Source: The Record |
| December 16, 2025 | Venezuela’s state-run oil company PDVSA | Oil tanker loading resumes in Venezuela, but most exports on hold | Unknown | A cyber attack on Venezuela’s state-run oil company PDVSA disrupted its central systems and temporarily halted oil cargo deliveries, leaving millions of barrels stranded and complicating exports before operations slowly resumed, with no publicly confirmed threat actor identified. | Source: Reuters |
| December 16, 2025 | French Interior Ministry | French Interior Minister says hackers breached its email servers | Unknown | Hackers breached the French Interior Ministry’s email servers, gaining access to dozens of confidential files including police and judicial records, but authorities have not publicly confirmed a specific threat actor as responsible. | |
| December 19, 2025 | Tureby Alkestrup Waterworks | Denmark blames Russia for cyber attacks on water utility and election websites | Pro-Russian group Z-Pentest | A destructive cyber attack on a Danish water utility caused pipes to burst and temporarily left households without water. Danish intelligence publicly attributed the operation to pro-Russian group Z-Pentest, linked to the Russian state, as part of broader hybrid warfare activities. | Source: Euro News |
| December 18, 2025 | NHS UK’s tech provider DXS International | Hackers breach internal servers of tech provider for Britain’s health service | Unknown | A cyber attack on UK NHS tech provider DXS International breached its internal servers and led to potential data theft affecting systems used by thousands of GP practices. No threat actor has been publicly named yet. | Source: The Record |
| December 22, 2025 | Russian military and defence organisations | Cyber spies use fake New Year concert invites to target Russian military | Goffee (cyberespionage group) | A cyberespionage group used fake New Year concert invitation phishing lures to deliver a backdoor called EchoGather targeting Russian military and defence organisations to harvest system data. The success and specific data stolen remain unclear. | Source: The Record |
| December 23, 2025 | La Poste | DDoS incident disrupts France’s postal and banking services ahead of Christmas | Noname057(16) (pro-Russian hacker group) | France’s La Poste national postal service and its banking arm La Banque Postale suffered a DDoS cyber attack days before Christmas 2025, knocking key online services offline, delaying parcel deliveries and hindering online banking access during the peak holiday rush. | Source: The Record |
| December 28, 2025 | Ubisoft | Massive Rainbow Six Siege breach gives players billions of credits | Unknown | Unknown threat actors exploited Ubisoft’s systems to manipulate game mechanics and grant players billions of R6 Credits and items, forcing Ubisoft to take servers offline and roll back transactions due to massive in-game economy disruption. | Source: Bleeping Computer |
| New Ransomware/Malware | Summary |
|---|---|
| Glassworm malware | Glassworm malware has resurfaced in a third wave by distributing 24 new malicious Visual Studio Code extension packages on the Microsoft and OpenVSX marketplaces that can steal developer credentials and install malicious payloads once installed. |
| ShadyPanda malware | Hackers ran a massive malicious campaign using ShadyPanda browser extensions that racked up more than 43 million installs, letting them steal data and track users across the web. |
| SantaStealer malware | New SantaStealer malware has appeared that steals sensitive data from web browsers, crypto wallets and desktop files, spreading through phishing and malicious downloads to harvest credentials and digital assets. |
| A new zero-click infection method called Aladdin | Predator spyware from surveillance firm Intellexa now uses a new zero-click infection method called Aladdin that lets it silently install on target devices just by serving a malicious advertisement. |
| A new SpiderMan phishing-as-a-service operation | A new SpiderMan phishing-as-a-service operation is targeting dozens of European banks with highly convincing credential-harvesting pages to steal online banking logins and drain accounts. |
| A new MacSync malware dropper | The new MacSync malware dropper for macOS uses a digitally signed and notarized Swift installer to bypass Apple’s Gatekeeper protections and stealthily deliver the MacSync infostealer, which can steal passwords, iCloud data and other sensitive information without requiring manual terminal actions. |

Source: Bleeping Computer, Recorded Future News
| Date | New Flaws/Fixes | Summary |
|---|---|---|
| December 02, 2025 | CVE-2025-48633 and CVE-2025-48572 | Google’s December 2025 Android security update fixed 107 vulnerabilities, including two zero-day flaws, CVE-2025-48633 and CVE-2025-48572, that were being actively exploited in limited, targeted attacks against Android devices. |
| December 03, 2025 | CVE-2025-8489 | Attackers are actively exploiting a critical privilege-escalation flaw in the King Addons for Elementor WordPress plugin to register unauthorized administrator accounts on vulnerable sites. |
| December 04, 2025 | CVE-2025-66644 | Hackers are actively exploiting a critical ArrayOS AG VPN command-injection vulnerability in older Array Networks devices to plant webshells and create unauthorized access on compromised systems. |
| December 06, 2025 | CVE-2025-55182 | Multiple China-linked hacking groups such as Earth Lamia and Jackpot Panda have allegedly exploited the critical React2Shell remote code execution flaw to compromise more than 30 organizations, while over 77,000 internet-exposed IP addresses remain vulnerable to the issue. |
| December 09, 2025 | CVE-2025-42880, CVE-2025-55754, CVE-2025-42928 | SAP’s December 2025 security update fixed three critical vulnerabilities, including a high-severity code injection flaw in SAP Solution Manager, a remote code execution issue in SAP Commerce Cloud and a deserialization bug in SAP jConnect, that could allow attackers to execute malicious code or gain unauthorized access across affected enterprise systems. |
| December 10, 2025 | CVE-2025-14174 | Google released an emergency update to fix its eighth Chrome zero-day vulnerability exploited in attacks in 2025, which had been used in the wild to compromise browsers before the patch was issued. |
| December 11, 2025 | CVE-2025-8110 | Attackers have been exploiting an unpatched zero-day remote code execution flaw in Gogs to compromise hundreds of publicly exposed self-hosted Git servers, gaining full control over vulnerable instances. |
| December 11, 2025 | CVE-2025-9998 | Notepad++ fixed a security flaw that allowed attackers to push malicious update files to users by abusing the application’s auto-update mechanism. |
| December 12, 2025 | CVE-2025-30406 | Hackers are exploiting a hardcoded cryptographic key vulnerability in Gladinet CentreStack and Triofox that enables remote code execution to compromise servers and run malicious code on affected systems. |
| December 12, 2025 | CVE-2025-58360 | CISA ordered U.S. federal agencies to urgently patch an actively exploited critical GeoServer XML External Entity flaw added to its Known Exploited Vulnerabilities catalog, as threat actors are abusing it in the wild to access files and perform SSRF or denial-of-service attacks on exposed GeoServer instances. |
| December 14, 2025 | CVE-2025-59230 | A newly discovered Windows Remote Access Connection Manager (RasMan) zero-day vulnerability allows unprivileged attackers to crash the service and potentially enable privilege escalation; while Microsoft has not yet released an official patch, free unofficial micropatches are available to mitigate the issue. |
| December 16, 2025 | CVE-2025-43529 and CVE-2025-14174 | Apple released emergency updates to patch two zero-day WebKit vulnerabilities that had been exploited in highly sophisticated targeted attacks against specific users. |
| December 22, 2025 | CVE-2025-59374 | The ASUS Live Update vulnerability documents a historic supply-chain compromise, also known as ShadowHammer, in which maliciously modified update binaries were distributed to targeted systems. It is a long-resolved issue now retroactively added to CISA’s Known Exploited Vulnerabilities catalog rather than an indication of a new breach. |

Source for the above table: Bleeping Computer, Recorded Future
| News Type | Summary |
|---|---|
| Report | Police dismantled the CryptoMixer cryptocurrency mixing service, seizing servers and domains after investigators linked it to laundering more than 200 million dollars in criminal proceeds. |
| Report | Hackers sent fake Calendly invites impersonating major brands such as LVMH, Lego, Mastercard, Uber, Unilever and Disney to trick users into clicking links that steal Google Workspace or Facebook Business credentials and allow ad manager account takeovers. |
| Report | North Korean operatives ran a fake IT worker recruitment scheme to trick engineers into renting out their identities and credentials for use in cyber espionage and other illicit activities. |
| Report | ChatGPT suffered a global outage that left users worldwide unable to access the service or see their past conversations for around 45 minutes, disrupting workflows and causing widespread errors before service was restored. |
| Report | The FTC ordered education technology provider Illuminate Education to delete unnecessary student data and improve its security practices after a 2021 breach exposed the personal information of about 10 million students including email addresses, physical addresses, dates of birth and health details. |
| Report | DragonForce ransomware, linked to the Scattered Spider threat group, has evolved into a “ransomware cartel” that enables affiliates to deploy advanced ransomware, encrypt systems and exfiltrate data in high-impact attacks against global organisations. |
| Report | Chinese state-sponsored hackers deployed BrickStorm malware to backdoor VMware vSphere and Windows systems for long-term stealth access, stealing credentials and enabling deep network compromise. |
| Report | Russia’s internet regulator Roskomnadzor blocked access to Apple’s FaceTime and Snapchat nationwide, claiming the apps were being used to organise terrorist acts, recruit perpetrators and commit fraud, though the action is widely seen as part of broader online censorship rather than a traditional cyberattack. |
| Warning | The UK’s NCSC Proactive Notifications program has warned organisations about exposed devices and critical vulnerabilities so they can fix flaws before they are exploited by attackers. |
| Report | Cloudflare experienced a widespread outage that left many websites offline and showing 500 internal server errors, disrupting access for users around the world. |
| Warning | The FBI warned that scammers are using altered social media photos and AI-generated content to conduct virtual kidnapping ransom scams, tricking victims into believing loved ones are in danger to extort money. |
| Report | Portugal updated its cybercrime law to protect security researchers from prosecution when they responsibly find and disclose vulnerabilities, aiming to boost ethical hacking and cyber defense. |
| Report | The U.S. Treasury’s FinCEN reported that ransomware gangs extorted more than 21 billion dollars from victims worldwide between 2022 and 2024, highlighting the massive financial scale of ransomware crime. |
| Report | Microsoft investigated and resolved a Copilot outage in Europe that had left users unable to access or use the AI assistant, disrupting services before the issue was fixed. |
| Report | The UK’s Information Commissioner’s Office fined LastPass for lapses tied to its 2022 data breach, ruling that failures in security practices exposed personal data of about 16 million users. |
| Report | MITRE published its 2025 Top 25 Most Dangerous Software Weaknesses list, highlighting the most common and high-impact coding and design flaws that contribute to real-world cyberattacks and should be prioritised for remediation by developers and security teams. |
| Report | Scammers are abusing PayPal subscription emails to send fake purchase notifications that trick users into clicking malicious links and potentially compromising their accounts. |
| Report | The U.S. Department of Justice seized the web3adspanels.org domain and database used by a criminal fraud operation that harvested thousands of bank login credentials via fake ads and phishing sites, enabling bank account takeovers that resulted in roughly $14.6 million in confirmed losses and attempted losses of about $28 million from U.S. victims. |
| Report | The U.S. SEC sued several crypto firms including Morocoin Tech, Berge Blockchain Technology, and Cirkor, alleging they used fake WhatsApp “investment clubs” and bogus trading platforms to defraud retail investors of over $14 million. |

Sources: Bleeping Computer, Recorded Future News