A Look Back at 2025’s Cybersecurity Challenges
2025 has been a defining year in the world of cybersecurity. From headline-grabbing data breaches to sophisticated cybercrime tactics, the digital threat landscape has evolved at an unprecedented pace. Heightened regulatory scrutiny and increased law enforcement pressure have forced cybercriminals to adapt, becoming more covert, inventive, and unpredictable in their methods.
In this year-in-review, we’ll explore the key moments that shaped cybersecurity in 2025, including the major breaches that shook industries. Whether you’re looking for insights, cautionary tales, or a snapshot of how the battle against cybercrime unfolded, this recap has you covered.
Intercede’s Password Breach Database
Intercede maintains the world’s largest collection of compromised credentials, and keeping this database updated in today’s fast-moving digital environment is no small task.
Fresh Data in 2025
This year alone, we’ve expanded the database significantly by importing:
- 1 billion newly discovered credentials, bringing the total to 11 billion
- 376 million unique passwords never seen before, pushing the overall count to 3.8 billion
These additions ensure that our breach intelligence remains comprehensive and up to date, helping organisations stay ahead of credential-based attacks.
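The practical use of a compromised-credential database is to stop users from choosing, or keeping, a password that has already leaked. The following is an added example, not Intercede’s code or API: it models a k-anonymity range lookup (only the first five hex characters of the password’s SHA-1 hash leave the client, and the suffix is matched locally) against a small constructed stand-in for a breach corpus, then applies a registration policy on top of it. The sample passwords, counts and function names are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus: password -> number of
# times it appeared in leaks. A real corpus holds billions of entries.
SAMPLE_LEAKED_PASSWORDS = {
    "123456": 37_000_000,
    "password": 9_000_000,
    "qwerty": 4_000_000,
    "letmein": 300_000,
    "Summer2025!": 3,
}

PREFIX_LEN = 5  # hex characters of the hash that are sent to the range service


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the hash the range index is keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Index hash suffixes by their 5-hex-char prefix, as a range service would."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


RANGE_INDEX = build_range_index(SAMPLE_LEAKED_PASSWORDS)


def lookup_range(prefix: str) -> dict:
    """Server side of the lookup: every (suffix, count) sharing this prefix.
    The server only ever sees the 5-character prefix, never the full hash."""
    return dict(RANGE_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return lookup_range(prefix).get(suffix, 0)


def password_acceptable(password: str, min_length: int = 12) -> tuple:
    """Registration/reset policy: a leaked password is rejected whatever its
    length; a clean one must still meet the minimum length."""
    seen = breach_count(password)
    if seen:
        return False, f"seen in breaches {seen} times"
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "Summer2025!", "uncompromised-example-phrase-42"]:
        print(candidate, "->", password_acceptable(candidate))
```

The order of checks is deliberate: a leaked password is rejected before the length rule so that the user learns the real reason, and the same `breach_count` can be run against existing accounts at login time to force a reset for credentials that appear in newly imported data.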
New Data Sources
Cybercriminals are constantly evolving their methods for sharing stolen data, and Intercede must adapt to track them across every channel. In 2025, four primary distribution methods dominated the landscape: Forums, Telegram, Cloud-based Combolists, and Stealer Logs.
Forums – Once the backbone of underground data trading, Forums have been around since the early 2000s and were still a major source of intelligence at the start of the year. Groups like ShinyHunters and IntelBroker were prominent players until their arrests disrupted activity. Forums remain valuable for understanding hacker tactics, tools, and targets—even as their popularity declines.
Telegram – By mid-year, Telegram overtook Forums as the preferred platform for sharing breached data. Its end-to-end encryption, anonymity, and monetization features, such as in-app subscriptions and pay-to-view messages, make it ideal for cybercriminals. This streamlined payment process replaced cumbersome cryptocurrency transactions, accelerating the trade of stolen credentials.
Combolist Clouds – “Combolists” (collections of email/password pairs) hosted on dedicated cloud sites surged in popularity this year. Unlike Forums or Telegram, these platforms typically sell entire datasets rather than individual records, offering hackers a faster, more automated way to monetize stolen data.
Stealer Logs – Why breach companies when you can target individuals? Stealer Logs, powered by malware known as “infostealers,” extract sensitive data directly from infected devices—documents, crypto wallets, and most importantly, browser autofill files. These logs provide credentials alongside URLs, giving hackers near-perfect accuracy for account takeovers. While not new, their adoption skyrocketed in 2025 as traditional breach targets became harder to exploit.
Police Crackdowns
For years, Forums were the go-to marketplace for breached data. In 2025, that changed dramatically—thanks to an unprecedented wave of law enforcement action. While previous years saw occasional arrests and takedowns, this year marked a turning point.
The crackdown began in March with the leak of an alleged top-secret document outlining “Operation Spectral Tango”, an FBI-led initiative to infiltrate BreachForums, the largest hub for stolen data. According to the document, the FBI, DOJ, and international partners gained administrator-level access through an undisclosed vulnerability, enabling them to deanonymize users and monitor activity, a classic “honeypot” tactic. Whether the leak was genuine or not, its impact was undeniable: trust within the cybercrime community collapsed overnight, and BreachForums voluntarily shut down to investigate.
On 25 June, the situation escalated when four BreachForums administrators and the notorious hacker IntelBroker, known for leaking government and corporate secrets, were arrested. These high-profile arrests sent shockwaves through the underground, removing some of its most influential figures.
Although BreachForums briefly resurfaced in July under new leadership, fears were confirmed in August when the site was taken down again, this time with a stark warning:
“The platform is currently being operated by French law enforcement agencies.”
The message claimed the Forum’s source code had been modified to capture all user activity, cementing suspicions that law enforcement had been monitoring the community for months.
While copycat forums have emerged, the once-thriving ecosystem has fractured. Many actors have migrated to Telegram and cloud-based platforms, hoping for greater anonymity, though distrust remains rampant.
Significant Vulnerabilities
Where do many breaches originate? Vulnerabilities.
While pinpointing the exact flaw behind each incident can be challenging, breach activity often spikes after major vulnerabilities are disclosed, especially those that are easy to exploit and widely deployed.
ToolShell (CVE-2025-53770) – Published in August, ToolShell quickly became a hacker favourite, targeting Microsoft SharePoint servers, a staple for countless organisations. Rated 9.8/10 in severity, this exploit was deceptively simple yet devastating, granting attackers remote code execution (RCE) and with it full control of the server. Its impact was amplified by a slow patch rollout. ToolShell combined two flaws: one bypassed authentication, the other enabled arbitrary file writes, together forming a lethal attack chain. At least 400 companies were confirmed affected, though the real number is likely far higher.
NVIDIAScape (CVE-2025-23266) – This vulnerability struck NVIDIA’s Container Toolkit, earning a 9/10 severity score. The toolkit lets multiple users share a single machine safely by isolating each workload in a “container”, a building block of cloud computing platforms like AWS and Azure, which made this flaw particularly concerning. Shockingly, the exploit required just three lines of code. Fortunately, it was responsibly disclosed, earning the researcher a $30,000 bounty, and patched quickly, limiting real-world damage. Still, given the surge in AI workloads and GPU rentals, the potential fallout could have been catastrophic had malicious actors discovered it first.
React2Shell (CVE-2025-55182) – Announced on 3 December, React2Shell is shaping up to be one of the most severe vulnerabilities of the year, scoring a perfect 10/10 in severity. Exploitation is trivial and grants attackers unrestricted access to any web server running React—a technology powering millions of websites globally. Active exploitation was confirmed at disclosure, and the full impact will only become clear in the months ahead. Early indicators suggest millions of sites remain exposed.
Significant Breaches
Jaguar Land Rover – On 31 August, Jaguar Land Rover (JLR) experienced one of the year’s most disruptive breaches. A newly formed alliance of hacking groups—Scattered Spider, LAPSUS$, and ShinyHunters, operating under the name Scattered LAPSUS$ Hunters—used a single stolen employee credential from a stealer log to infiltrate JLR’s network. Once inside, the attackers accessed sensitive engineering databases and code repositories, releasing portions of this data publicly, including employee details and vehicle tracking information.
The impact extended beyond data exposure. Attackers targeted production systems, forcing JLR to shut down multiple factories for over six weeks to contain and remediate the breach. The resulting productivity loss prompted the UK government to approve a £1.5 billion loan to help offset financial damage. To make matters worse, earlier in March, the HELLCAT hacking group leaked additional internal documents, source code, and engineering data, making 2025 a particularly challenging year for JLR.
Salesforce – In early October, Salesforce, the global leader in sales, marketing, and customer service platforms, fell victim to the same Scattered LAPSUS$ Hunters group. The attackers claimed to have exfiltrated 989 million records spanning 39 major enterprises, including personally identifiable information (PII), support chat logs, authentication secrets, and source code. High-profile companies affected included FedEx, Disney/Hulu, Toyota, McDonald’s, Marriott, Adidas, Cisco, IKEA, and many others.
The group demanded ransom from Salesforce, threatening to leak customer data if unpaid. While law enforcement aggressively targeted their hosting infrastructure, preventing some leaks, several organisations, such as Vietnam Airlines, still saw sensitive data published online.
Cybersecurity Improvements
As highlighted in a previous post, 2025 marked a significant shift in how attackers leverage breached data. Historically, stolen credentials were primarily used to compromise gaming and streaming accounts, lucrative targets for resale. This year, those platforms stepped up their defences, and the results have been impressive.
Enhanced security measures such as multi-factor authentication (MFA), email verification, and account PINs, combined with advanced detection techniques like IP reputation checks, geofencing, and proxy detection, have dramatically reduced account takeover success rates. For users, this is a major win.
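To make the combination of controls above concrete, here is an added example (not code from Intercede or any of the platforms mentioned) of a login risk scorer run over a handful of constructed authentication events. It applies an IP reputation denylist, a proxy/datacenter range check and a country geofence to produce an allow / step-up / block decision, treats a completed MFA challenge as satisfying step-up, and separately flags the credential-stuffing pattern of one IP failing logins across many distinct accounts. The IP ranges, countries, weights and thresholds are all illustrative assumptions; in production they would come from a reputation feed, a proxy list and a GeoIP database.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of authentication events; not real traffic.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "country": "GB", "success": True,  "mfa": True},
    {"user": "bob@example.com",   "ip": "198.51.100.7", "country": "GB", "success": False, "mfa": False},
    {"user": "carol@example.com", "ip": "192.0.2.5",    "country": "US", "success": True,  "mfa": False},
    {"user": "dave@example.com",  "ip": "203.0.113.22", "country": "RU", "success": True,  "mfa": False},
    {"user": "erin@example.com",  "ip": "192.0.2.9",    "country": "US", "success": False, "mfa": False},
    {"user": "frank@example.com", "ip": "192.0.2.9",    "country": "US", "success": False, "mfa": False},
    {"user": "grace@example.com", "ip": "192.0.2.9",    "country": "US", "success": False, "mfa": False},
    {"user": "hank@example.com",  "ip": "192.0.2.9",    "country": "US", "success": False, "mfa": False},
]

# Constructed threat-intel inputs (documentation address ranges, not real ones).
DENYLISTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # poor IP reputation
PROXY_RANGES = [ipaddress.ip_network("192.0.2.0/24")]          # known proxy / datacenter
ALLOWED_COUNTRIES = {"GB", "US"}                               # geofence for this tenant

# Illustrative weights and thresholds.
RISK_DENYLIST = 100
RISK_PROXY = 40
RISK_GEOFENCE = 30
STEP_UP_THRESHOLD = 30
BLOCK_THRESHOLD = 100


def in_ranges(ip: str, ranges) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def score_event(event: dict) -> tuple:
    """Return (risk score, list of reasons) for one login attempt."""
    score, reasons = 0, []
    if in_ranges(event["ip"], DENYLISTED_RANGES):
        score += RISK_DENYLIST
        reasons.append("ip on denylist")
    if in_ranges(event["ip"], PROXY_RANGES):
        score += RISK_PROXY
        reasons.append("proxy/datacenter ip")
    if event["country"] not in ALLOWED_COUNTRIES:
        score += RISK_GEOFENCE
        reasons.append("outside geofence")
    return score, reasons


def decide(event: dict) -> str:
    """Map a score to allow / step_up / block. A passed MFA challenge satisfies step-up."""
    score, _ = score_event(event)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD and not event["mfa"]:
        return "step_up"
    return "allow"


def detect_credential_stuffing(events, min_distinct_users: int = 3) -> dict:
    """IPs whose failed logins span many distinct accounts: the signature of a
    replayed combolist rather than one user mistyping a password."""
    failed_users = defaultdict(set)
    for ev in events:
        if not ev["success"]:
            failed_users[ev["ip"]].add(ev["user"])
    return {ip: len(users) for ip, users in failed_users.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["user"], ev["ip"], decide(ev), score_event(ev)[1])
    print("stuffing sources:", detect_credential_stuffing(SAMPLE_EVENTS))
```

The per-event rules and the cross-event stuffing detector answer different questions: the first decides what to do with this login right now, the second surfaces an IP that deserves rate limiting or a block even though each individual attempt looked unremarkable.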
With these barriers in place, attackers have pivoted toward email accounts (e.g. Outlook) and social media profiles, often exploiting them for cryptocurrency scams. If these platforms follow suit and strengthen their security, it could significantly reduce the demand for breached data, ultimately shrinking the supply.
The trend is promising, and while challenges remain, 2025 has shown that proactive security measures can make a real difference.
Closing Thoughts
2025 has been a year of contrasts in cybersecurity, marked by unprecedented law enforcement crackdowns, devastating breaches, and encouraging progress in security practices. From high-profile incidents impacting global brands to the rise of new attack vectors and distribution channels, the threat landscape continues to evolve at breakneck speed. Yet, the strides made in account security and detection technologies prove that proactive measures work and can shift the balance against cybercriminals.
As we move into 2026, the challenge remains clear: stay vigilant, adapt quickly, and invest in robust security strategies. The lessons of this year underscore one truth—cybersecurity is not a destination but an ongoing journey. Together, through collaboration and innovation, we can make the digital world a safer place.
Are you ready to bolster your organisation’s defences against credential-based attacks and new threats? Discover how Intercede’s expertise in identity and access management can fortify your security posture.
Trusted by Governments and Enterprises Worldwide
Where protecting systems and information really matters, you will find Intercede. Whether it’s citizen data, aerospace and defence systems, high-value financial transactions, intellectual property or air traffic control, we are proud that many leading organisations around the world choose Intercede solutions to protect themselves against data breach, comply with regulations and ensure business continuity.
