The CyberWire Daily Podcast 12.24.25
Ep 2460 | 12.24.25

And the Breachies go to…

Transcript

A lighthearted look back at 2025, a heck of a year. And warm holiday wishes from all of us to all of you.

Today is December 24th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Another year, another avalanche of data breaches. At this point, the modern internet user no longer asks whether their data was exposed, but rather how many times and by whom. Names, emails, medical records, location histories, selfies, IDs, and the occasional deeply personal message continue to spill out of corporate servers with such regularity that it feels less like an emergency and more like background noise. To cut through that noise, the Electronic Frontier Foundation once again handed out the Breachies, its annual, tongue-in-cheek awards honoring the most egregious, avoidable, and occasionally absurd privacy failures of the year.

The unifying theme is depressingly familiar. Companies collect far more data than they need, keep it far longer than they should, and then act surprised when someone breaks in and takes it. If data minimization were fashionable, many of these breaches would amount to little more than a shrug. Instead, stolen information is repurposed for identity theft, extortion, stalking, and spam, while users are left assuming their personal details are just “out there somewhere.”

Mixpanel earned the “Say Something Without Saying Anything” award for a breach that was as vague as it was troubling. As an analytics company embedded invisibly into countless apps, Mixpanel quietly collected user data on behalf of others, including companies like Ring and Pornhub. When hackers accessed its systems, Mixpanel’s public disclosure left more questions than answers. How many users were affected? What security controls failed? Did attackers demand a ransom? Silence. The most telling response came from OpenAI, which promptly dropped Mixpanel as a provider and revealed details Mixpanel itself had skipped. The real victims, of course, were users who never knowingly consented to sharing data with Mixpanel in the first place.

Discord took home the “We Still Told You So” award, a sequel to last year’s warning about age verification mandates. In September, Discord users’ age verification data was exposed through a breach at Zendesk, its customer support vendor. Names, selfies, government IDs, addresses, phone numbers, IP addresses, and partial billing information all spilled out. While Discord itself wasn’t directly hacked, that distinction offered little comfort to users whose sensitive identity data was suddenly loose. It was a textbook example of how collecting IDs “just in case” creates irresistible targets and predictable outcomes.

The “Tea for Two” award went to Tea Dating Advice and TeaOnHer, two apps built around sharing dating safety information. Tea, aimed at women, required selfies or photo IDs to verify gender. In July, more than 70,000 such images were found exposed through an unsecured database. A week later, a second breach revealed over a million private messages discussing topics like abortion planning and infidelity. Meanwhile, TeaOnHer, a similar app for men, managed to expose emails, usernames, IDs, and even admin credentials through a public web address. Together, they offered a master class in why collecting biometric data should come with a very long pause.

Blue Shield of California won the “Just Stop Using Tracking Tech” award after discovering it had been sharing sensitive health data with Google for nearly three years. A misconfigured Google Analytics setup leaked names, insurance details, providers, and financial responsibility information for 4.7 million people. This wasn’t a hack so much as a slow, accidental data giveaway, and it echoed nearly identical incidents in healthcare year after year. Tracking tools marketed as harmless analytics continue to leak medical data, proving once again that surveillance advertising and healthcare make a terrible pairing.

PowerSchool earned the “Hacker’s Hall Pass” award after attackers accessed sensitive data on more than 60 million students and teachers. Social Security numbers, medical records, grades, and special education data were exposed nationwide, all because PowerSchool failed to implement basic security protections like multi-factor authentication. Lawsuits followed, ransom payments were made, and the story took an extra twist when a Massachusetts student pleaded guilty to extorting the company for millions in Bitcoin. Sometimes the faceless hacker turns out to be a college kid with a password list.

TransUnion claimed the “Worst. Customer. Service. Ever.” award after attackers accessed the personal data of 4.4 million people through a third-party support application. Names, dates of birth, and Social Security numbers were taken, though TransUnion reassured customers that “core credit data” was untouched. The breach underscored how third-party vendors function as side doors into sensitive systems, doors customers never agreed to leave unlocked.

Microsoft received its annual honorary mention, this time for a SharePoint zero-day that compromised over 400 organizations, including the National Nuclear Security Administration. While zero-days happen to everyone, Microsoft’s long history of them raises uncomfortable questions about monocultures and centralization. When one company’s software becomes infrastructure, its failures scale accordingly.

The “Silver Globe” award went to the Flat Earth Sun, Moon & Zodiac app, which leaked personal details and precise location data. The irony of flat earth believers unknowingly sharing latitude and longitude was, as the EFF noted, hard to ignore.

Gravy Analytics won the “I Didn’t Even Know You Had My Information” award after hackers claimed to steal location data tied to advertising IDs from millions of phones. The breach revealed how location data harvested through ad tech can expose military personnel, LGBTQ individuals, and others to serious risk. The real scandal, however, was not the breach itself, but a business model that tracks a billion phones a day without most users ever knowing the company exists.

TeslaMate earned the “Keeping Up With My Cybertruck” award when thousands of exposed dashboards revealed Tesla owners’ locations, travel habits, and driving data. Self-hosted tools turned cars into reality shows, minus the consent or the ratings.

PACER took home “Disorder in the Courts” after hackers accessed federal court filing systems, potentially exposing confidential informants. The breach followed years of warnings that the system was outdated and unsafe, proving once again that critical infrastructure often limps along until it breaks.

Catwatchful won “Only Stalkers Allowed” for a breach that exposed not only stalkers’ accounts but also data from 26,000 victims’ phones. It was one of several stalkerware breaches this year, reinforcing calls to shut the industry down entirely.

Plex received the “Why We’re Still Stuck on Unique Passwords” award after leaking emails, usernames, and hashed passwords. It was déjà vu from a similar 2022 breach and a reminder that password reuse remains one of the internet’s most reliable self-inflicted wounds.

Finally, Troy Hunt’s mailing list earned the “Uh, Yes, Actually, I Have Been Pwned” award after he fell for a phishing attack. If it can happen to the world’s most famous breach tracker, it can happen to anyone.

The takeaway is bleak but actionable. Use unique passwords, enable two-factor authentication, delete old accounts, freeze credit, and watch medical bills closely. More importantly, companies must collect less data and secure what they keep, and lawmakers must pass meaningful privacy protections. Until then, the Breachies will remain tragically easy to award.

As the year draws to a close, we want to take a moment to thank you for spending part of it with us. It’s been one heck of a year—full of highs and lows, moments of joy and moments of heartbreak. Through it all, we’re genuinely grateful that you chose to listen, read, and engage with The CyberWire. It truly means the world to us that you find value in what we do, and we’re looking forward to sharing more time together in the year ahead.

Beginning tomorrow and continuing through next week, The CyberWire will publish on our winter holiday schedule. We’ll step away from our regular daily and weekly podcasts and news briefings to bring you a selection of special coverage instead. During the break, we invite you to visit The CyberWire for thoughtful discussions of some of the cybersecurity sector’s most interesting topics. We’ll resume our regular publication schedule on January 5th. 

Producing The CyberWire is very much a team effort, and we’d like to extend our sincere thanks to everyone who has a hand in making the podcast and our coverage possible. From our hosts, producers, editors, researchers, and writers, to our technical and operations teams, partners, sponsors, and contributors—this work happens because of your talent, dedication, and care. And of course, to our listeners and readers: thank you for being part of this community. We couldn’t do this without you.

In the meantime, we hope you enjoy a quiet, restful holiday season. On behalf of the entire CyberWire team, we wish you a Merry Christmas, happy holidays, and a safe and joyous New Year. 

Be kind. Take care. We’ll see you next year.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.