December 2025 Recap - The Breach Report

What happened: South Korean e-commerce leader Coupang confirmed a massive data leak in early December. Investigations revealed a former employee retained active system access long after their departure.

Impact: Personal details of nearly 34 million customers — including names, addresses, and order histories — were exfiltrated.

Lesson: Offboarding is a critical security function. Automated "Kill Switches" for access must be triggered the moment an employee’s status changes.

Source: Read More

What happened: The Clop ransomware gang exploited a zero-day vulnerability in Oracle E-Business Suite (EBS) to bypass traditional defenses at the University of Phoenix.

Impact: Sensitive data for 3.5 million students, staff, and suppliers was stolen, leading to a massive year-end extortion attempt.

Lesson: Highly integrated enterprise software (ERP/EBS) creates a massive attack surface. If you can't patch a zero-day immediately, you must have micro-segmentation to contain the blast radius.

Source: Read More

What happened: The ShinyHunters group claimed a "double-header" in mid-December, breaching SoundCloud and PornHub. The attackers accessed internal dashboards and analytics systems rather than core databases.

Impact: SoundCloud saw 28 million accounts compromised (emails/profiles), while PornHub faced extortion over analytics data for 200 million premium users.

Lesson: Ancillary dashboards (marketing, analytics, support) are often the "soft underbelly" of tech companies. They require the same MFA rigor as production databases.

Source: Read More

What happened: A third-party partner API used by 700Credit was compromised in December, allowing attackers to query internal systems used for automotive credit checks.

Impact: Extremely sensitive PII — including SSNs and credit scores — for 5.8 million individuals was exposed.

Lesson: APIs are the invisible perimeter. "Shadow APIs" or those managed by partners must be continuously discovered and secured via OAuth/Token-based authentication.

Source: Read More

What happened: Petco announced a significant security lapse on December 5 after discovering that a software application setting incorrectly allowed files to be accessible from the public internet.

Impact: Exposure of names, SSNs, driver’s license numbers, and financial account details for an undisclosed number of customers across several states.

Lesson: "Security by Default" is not a given. Regular configuration audits and automated posture management are required to catch accidental "open-to-world" settings.

Source: Read More

What happened: A massive ransomware attack on Christmas Eve disrupted over 1,000 IT systems at Romania's national water agency, disabling servers and internal communications.

Impact: While water operations remained physical, the digital backbone — including GIS and billing systems — was wiped, forcing a reliance on radio and phone for weeks.

Lesson: Critical infrastructure must have "Offline Resilience." When the network goes dark, the ability to manage essential services manually is a matter of national security.

Source: Read More

What happened: Attackers breached a Red Hat-managed GitLab server used by one of Nissan’s third-party vendors, exfiltrating source code and customer data.

Impact: Personal data for 21,000 customers was leaked, along with proprietary code from the development environment.

Lesson: Third-party developer tools are high-value targets for "Island Hopping" attacks. Secure your code repositories with hardware-backed MFA and IP whitelisting.

Source: Read More

The API Attack Surface: December showed that attackers no longer need to hack your website if they can just query your unprotected partner APIs.

Third-Party "Island Hopping": Organizations like Nissan and Freedom Mobile were breached through vendors, proving that vendor risk management (VRM) is a daily operational task, not a quarterly survey.

Holiday Ransomware Timing: Over 50% of December’s major hits occurred on weekends or during the Christmas/New Year week, explicitly targeting minimal security staff availability.

Enforce API Security: Use tools for automated API discovery to find "Zombie APIs" that haven't been patched or decommissioned.

Kill Abandoned Access: Implement an "Identity Cleanup" day. If an employee (or former employee) hasn't used a specific tool in 30 days, revoke the access automatically.

Audit Dashboard Permissions: Limit who can access marketing and analytics dashboards (like Salesforce or Drift) to the absolute minimum necessary.

AI-Automated Phishing (Water Saci Group): Researchers discovered the "Water Saci" group using LLMs to translate and adapt phishing lures in real-time, making "broken English" clues a thing of the past.

State-Backed "BRICKSTORM" Backdoors: CISA warned of new malware targeting virtualized infrastructure (VMware/Windows) that enables long-term stealthy persistence for espionage.

Authentication Bypass in Appliances: New high-severity vulnerabilities in popular email security appliances are allowing attackers to harvest admin credentials directly from the gateway.