CyberWire Daily - And the Breachies go to…
Episode Date: December 24, 2025
In today's episode, we dig into the Electronic Frontier Foundation's annual Breachies, highlighting some of the year's most avoidable, eye-opening, and sometimes head-shaking data breaches. From companies collecting far more data than they need to third-party missteps and quiet misconfigurations, the Breachies offer a revealing look at how familiar privacy failures keep repeating—and why they matter for users.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today we have a CyberWire holiday favorite: The 12 Days of Malware — with Dave and a lineup of cybersecurity friends gleefully rewriting The 12 Days of Christmas to celebrate malware, mishaps, and life online, one verse at a time.
Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.
Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Most environments trust far more than they should, and attackers know it.
ThreatLocker solves that by enforcing default deny at the point of execution.
With ThreatLocker Allowlisting, you stop unknown executables cold.
With Ringfencing, you control how trusted applications behave, and with
ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment
is free of misconfigurations and clear visibility into whether you meet compliance standards.
ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain.
It's powerful protection that gives CISOs real visibility, real control, and real peace of mind.
ThreatLocker makes zero trust attainable, even for small security teams.
See why thousands of organizations choose ThreatLocker to minimize alert fatigue,
stop ransomware at the source, and regain control over their environments.
Schedule your demo at ThreatLocker.com slash N2K today.
We've got a light-hearted look back at 2025, one heck of a year,
and warm holiday wishes from all of us to all of you.
It's December 24th, 2025.
I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thanks for joining us here today. It is Christmas Eve. We're happy to have you with us here today. Another year, another avalanche of
data breaches. At this point, the modern internet user no longer asks whether their data was exposed,
but rather how many times, and by whom? Names, emails, medical records, location histories,
selfies, IDs, and the occasional deeply personal message continue to spill out of corporate servers
with such regularity that it feels less like an emergency and more like background noise.
To cut through that noise, the Electronic Frontier Foundation once again handed out the Breachies,
its annual tongue-in-cheek awards honoring the most egregious, avoidable, and occasionally
absurd privacy failures of the year.
The unifying theme is depressingly familiar.
Companies collect far more data than they need, keep it far longer than they should,
and then act surprised when someone breaks in and takes it.
If data minimization were fashionable, many of these breaches would amount to little more than a shrug.
Instead, stolen information is repurposed for identity theft, extortion, stalking, and spam,
while users are left assuming their personal details are just out there somewhere.
So, looking at this year's awardees from the EFF, Mixpanel earned the Say Something Without
Saying Anything Award for a breach that was as vague as it was troubling.
As an analytics company embedded invisibly into countless apps, Mixpanel quietly collected user data
on behalf of others, including companies like Ring and Pornhub. When hackers accessed its systems,
Mixpanel's public disclosure left more questions than answers. How many users were affected? What security
controls failed? Did attackers demand a ransom?
Silence. The most telling response came from OpenAI, which promptly dropped Mixpanel as a provider and revealed details Mixpanel itself had skipped. The real victims, of course, were users who never knowingly consented to sharing data with Mixpanel in the first place.
Discord took home the We Still Told You So Award, a sequel to last year's warning about age verification mandates. In September, Discord users'
age verification data was exposed through a breach at Zendesk, its customer support vendor.
Names, selfies, government IDs, addresses, phone numbers, IP addresses, and partial billing
information all spilled out. While Discord itself wasn't directly hacked, that distinction
offered little comfort to users whose sensitive identity data was suddenly loose. It was a textbook
example of how collecting IDs just in case creates irresistible targets
and predictable outcomes.
The Tea for Two Award went to Tea Dating Advice and TeaOnHer,
two apps built around sharing dating safety information.
Tea, aimed at women, requires selfies or photo IDs to verify gender.
In July, more than 70,000 such images were found exposed through an unsecured database.
A week later, a second breach revealed over a million private messages discussing topics
like abortion planning and infidelity.
Meanwhile, TeaOnHer, a similar app for men,
managed to expose emails, usernames, IDs,
and even admin credentials through a public web address.
Together, they offered a masterclass
in why collecting biometric data
should come with a very long pause.
Blue Shield of California won the Just Stop Using
Tracking Tech Award
after discovering it had been sharing
sensitive health data with Google for nearly three years.
A misconfigured Google Analytics setup leaked names, insurance details, providers,
and financial responsibility information for 4.7 million people.
This wasn't a hack so much as a slow, accidental data giveaway, and it echoed nearly
identical incidents in health care year after year.
Tracking tools marketed as harmless analytics continue to leak medical data, proving once again
that surveillance advertising and health care make a terrible pairing.
PowerSchool earned the Hackers Hall Pass Award after attackers accessed sensitive data on more
than 60 million students and teachers. Social Security numbers, medical records, grades,
and special education data were exposed nationwide, all because PowerSchool failed to
implement basic security protections like multi-factor authentication. Lawsuits followed,
ransom payments were made, and the story took an extra twist when a Massachusetts student pleaded
guilty to extorting the company for millions in Bitcoin. Sometimes the faceless hacker turns out to be
a college kid with a password list. TransUnion claimed the Worst Customer Service Ever Award
after attackers accessed the personal data of 4.4 million people through a third-party support
application. Names, dates of birth, and Social Security numbers were taken, though TransUnion
reassured customers that core credit data was untouched. The breach underscored how third-party
vendors function as side doors into sensitive systems, doors customers never agreed to leave
unlocked. Microsoft received its annual honorary mention, this time for a SharePoint zero-day that
compromised over 400 organizations, including the National Nuclear Security Administration.
While zero-days happen to everyone, Microsoft's long history of them raises uncomfortable
questions about monocultures and centralization. When one company's software becomes infrastructure,
its failures scale accordingly. The Silver Globe Award went to the Flat Earth, Sun, Moon,
and Zodiac app, which leaked personal details and precise location data. The irony of flat-earth
believers unknowingly sharing latitude and longitude was, as the EFF noted, hard to ignore.
Gravy Analytics won the I Didn't Even Know You Had My Information Award after hackers claimed
to steal location data tied to advertising IDs from millions of phones. The breach revealed how
location data harvested through ad tech can expose military personnel, LGBTQ individuals, and others
to serious risk. The real scandal, however, was not the breach itself, but a business model that
tracks a billion phones a day without most users ever knowing the company exists.
TeslaMate earned the Keeping Up with My Cybertruck Award when thousands of exposed dashboards
revealed Tesla owners' locations, travel habits, and driving data.
Self-hosted tools turned cars into reality shows, minus the consent or ratings.
PACER took home Disorder in the Courts after hackers accessed federal court
filing systems, potentially exposing confidential informants.
The breach followed years of warnings that the system was outdated and unsafe,
proving once again that critical infrastructure often limps along until it breaks.
Catwatchful won Only Stalkers Allowed for a breach that exposed
not only stalkers' accounts, but also data from 26,000 victims' phones.
It was one of several stalkerware breaches this year, reinforcing calls
to shut the industry down entirely.
Plex received the Why We're Still Stuck on Unique Passwords Award
after leaking emails, usernames, and hashed passwords.
It was déjà vu from a similar 2022 breach
and a reminder that password reuse remains
one of the Internet's most reliable self-inflicted wounds.
Finally, Troy Hunt's mailing list
earned the, uh, Yes, Actually, I Have Been Pwned Award
after he fell for a phishing attack.
If it can happen to the world's most famous breach tracker,
it can happen to anyone.
The takeaway is bleak but actionable:
use unique passwords, enable two-factor authentication, delete old accounts, freeze credit, and watch
medical bills closely. More importantly, companies must collect less data and secure what they keep,
and lawmakers should pass meaningful privacy protections. Until then, the breaches will remain
tragically easy to award. We'll have a link to the Electronic Frontier Foundation's post in our show notes,
and we appreciate them for creating this year's Breachies Awards.
A few years back, we created a special version of the 12 Days of Christmas with help from some of our friends all around the cybersecurity
community. Here's that production. I encourage you to go to YouTube and check out the video
where you can see who has each day of the 12 days. Enjoy.
On the first day of Christmas, my malware sent to me a key logger logging my keys.
On the second day of Christmas, my malware gave to me
two Trojan apps
and a key logger logging my keys.
On the third day of Christmas, my malware gave to me
three web shells,
two Trojan apps,
and a key logger logging my keys.
On the fourth day of Christmas, my malware gave to me
four crypto scams,
three web shells,
two Trojan apps,
and a key logger logging my keys.
Now, on the fifth day of Christmas, my malware gave to me five zero days,
four crypto scams, three web shells, two Trojan apps, and a key logger logging my keys.
On the sixth day of Christmas, my malware gave to me six passwords spraying, five zero days,
four crypto scams, three web shells,
two Trojan apps,
and a key logger logging my keys.
On the seventh day of Christmas, my malware gave to me
seven scripts a-scraping,
six passwords spraying,
five zero days,
four crypto scams, three web shells, two Trojan apps, and a key logger logging my keys.
On the eighth day of Christmas, my malware gave to me eight worms a-wiping, seven scripts a-scraping, six passwords spraying, five zero days,
four crypto scams, three web shells, two Trojan apps, and a key logger logging my keys.
On the ninth day of Christmas, my malware gave to me
nine rootkits rooting,
eight worms a-wiping, seven scripts a-scraping, six passwords spraying,
five zero days,
four crypto scams,
three web shells,
two Trojan apps,
and a key logger logging my keys.
On the tenth day of Christmas, my malware gave to me
ten darknet markets,
nine rootkits rooting,
eight worms a-wiping,
seven scripts a-scraping,
six passwords spraying,
five zero days
(bum bum bum),
four crypto scams,
three web shells,
two Trojan apps,
and a key logger logging my keys.
On the eleventh day of Christmas, my malware gave to me
eleven phishers phishing,
ten darknet markets,
nine rootkits rooting,
eight worms a-wiping,
seven scripts a-scraping,
six passwords spraying,
five zero days,
four crypto scams,
three web shells,
two Trojan apps,
and a key logger logging my keys.
On the twelfth day of Christmas, my malware gave to me
twelve hackers hacking,
eleven phishers phishing,
ten darknet markets,
nine rootkits rooting, eight worms a-wiping,
seven scripts a-scraping, six passwords spraying,
five zero days,
four crypto scams,
three web shells,
two Trojan apps,
and a key logger logging my keys.
Love it.
Hey, everybody, Dave here.
Hope you enjoyed our 12 days of malware.
There is a video version of that
that includes the names of all of our special friends
who helped us out with that production.
You can find that on our website.
It's also over on YouTube.
Please do check it out.
Happy holidays and Merry Christmas.
And finally, as the year draws to a close, we want to take a moment to thank you for spending part of it with us.
It's been one heck of a year, full of highs and lows, moments of joy and moments of heartbreak.
Through it all, we're genuinely grateful that you chose to listen,
read, and engage with the CyberWire.
It truly means the world to us that you find value in what we do,
and we're looking forward to sharing more time together in the year ahead.
Beginning tomorrow and continuing through next week,
the Cyberwire will publish on our winter holiday schedule.
We'll step away from our regular daily and weekly podcasts and news briefings
to bring you a selection of special coverage instead.
During the break, we invite you to visit the Cyberwire for thoughtful discussions of
some of the cybersecurity sector's most interesting topics.
We'll resume our regular publication schedule on January 5th.
Producing the Cyberwire is very much a team effort,
and we'd like to extend our sincere thanks to everyone who has a hand
in making the podcast and our coverage possible.
From our hosts, producers, editors, researchers, and writers
to our technical and operations teams, partners, sponsors, and contributors,
this work happens because of your talent, dedication, and care.
And of course, to our listeners and readers,
thank you for being part of this community.
We couldn't do this without you.
In the meantime, we hope you enjoy a quiet, restful holiday season.
On behalf of the entire Cyberwire team,
we wish you a Merry Christmas, happy holidays,
and a safe and joyous new year.
Be kind, take care, and we'll see you next year.
And that's the Cyberwire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music by
Elliott Peltzman. Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher,
and I'm Dave Bittner. Thanks for listening. We'll see you back here next year.