One weak credential. Billions exposed. The 2025–2026 breaches show the same pattern: unmanaged access, unpatched software, and data no one remembered was still there.

The two-year period from 2025 to 2026 produced the largest credential exposure in recorded history. A single support portal account with no MFA gave an attacker access to records on 60 million students and 10 million educators across 18,000 school districts. The most expensive cyberattack in British corporate history shut down factory production for weeks and cost an estimated £1.9–2.1 billion (around 2,2–2,5 billion €).

Large incidents get investigated thoroughly: root causes published, attack chains reconstructed, regulatory findings released. That makes them the clearest window into how attackers actually operate.

This article breaks down what made 2025–2026 different: the five structural shifts in attacker behavior, the specific breaches that defined the period, and a six-step framework for closing the credential gaps that made most of them possible.

Key takeaways

  • Credential reuse is a structural risk, not a user behavior problem. 16 billion credentials in one searchable corpus means any reused password is effectively public. Unique credentials per service, enforced at the vault level, is the only reliable fix.
  • Third-party access is your access surface. 48% of 2026 breaches traced to a vendor or SaaS integration. Your security posture is only as strong as the weakest OAuth grant you've forgotten about.
  • Privileged accounts outside governance are the highest-risk accounts you have. SSA and PowerSchool both failed on the same point: accounts with unrestricted access that existed outside normal IAM controls.
  • Unpatched ERP software is now a confirmed, financially quantified attack vector. CVE-2025-31324 cost JLR an estimated £1.9–2.1 billion. Patch windows for internet-facing enterprise software are measured in hours, not weeks.
  • Data you don't delete is data you're responsible for. The University of Hawaiʻi was liable for records from 1993. Data minimization is a security control, not a compliance checkbox.
  • Social engineering bypasses technical controls entirely. M&S lost £300 million not to zero-day but to a phone call to a helpdesk agent. No firewall stops that.

The 2025–2026 period marked a structural shift in how attackers operate — away from encrypting systems and toward stealing data and threatening to publish it. 

Five trends defined the period.

1. Data-theft extortion replaced ransomware as the dominant model. Cybercriminal groups like ShinyHunters industrialized the approach: exfiltrate data, set a deadline, publish if unpaid. Attackers no longer need to manage decryption keys or negotiate recovery — exfiltration and a leak site are sufficient.

2. Third-party supply chain attacks became the primary entry vector. The Verizon 2025 DBIR found third-party involvement in 30% of confirmed incidents. By 2026, that share reached 48% — meaning nearly half of all breaches now trace back to a vendor, SaaS provider, or OAuth integration rather than a direct attack on the organization itself (Verizon 2026 DBIR).

3. Education and healthcare became high-value targets. Student information systems and patient records now hold SSNs, medical histories, and insurance data — and both sectors consistently lag on basic controls like MFA and privileged access monitoring. 

4. Vulnerability exploitation overtook credential theft as the top initial access vector — 31% versus 13% in 2026, the first time in the DBIR's history. AI compressed the window between disclosure and active exploitation from months to hours. Compromised credentials still appear in 39% of all breaches when the full attack chain is considered.

5. Privileged access became an attack surface in its own right. A single account with unrestricted access and no monitoring can expose more data than a sophisticated external intrusion — no privilege escalation required.

The breaches below show how each of these patterns played out in practice.

Date Company Compromised data
January 2025 PowerSchool Personal data of 70 million students and staff, including Social Security numbers (SSNs)
March 2025 SSA / DOGE 300+ million Social Security records allegedly exported
March 2025 Conduent Business Services Personal and healthcare data of 62.2 million individuals
April 2025 NYC Health + Hospitals Personal, medical and biometric data of 1.8 million patients*
April 2025 Marks & Spencer Customer and employee data, resulting in a prolonged disruption of online operations
April 2025 Jaguar Land Rover Corporate systems and business operations affected through the SAP NetWeaver compromise
May 2025 Navia 2.7 million benefit records exposed through an unsecured API
May 2025–2026 Salesforce Experience Cloud Customer CRM data from approximately 100 organizations
June 2025 16-billion credential mega-leak 16 billion usernames, passwords and authentication records aggregated from 30 datasets
July 2025 University of Hawaiʻi Personal records of 1.2 million students, employees and applicants
August 2025 Miljödata / Volvo Group 870,000 user accounts across public and private organizations
February 2026 France Titres / ANTS Personal data from 11.7 million government portal accounts
June 2026 Klue Customer CRM data from Salesforce, HubSpot and Gong affecting multiple enterprise customers

The 16-billion credential mega-leak (June 2025)

The June 2025 credential mega-leak is the largest password exposure in recorded history: 16 billion login credentials across 30 separate databases, discovered by Cybernews researchers. The data was an aggregation of infostealer malware logs and prior breach compilations, assembled into a searchable corpus available on darknet markets for $10.

Infostealers harvest saved credentials from browsers and session cookies after the user has already authenticated. Credential reuse turns a single infection into an enterprise problem: according to Heimdal Security's analysis of Verizon DBIR 2025 data, 94% of passwords appear in multiple accounts. An employee whose personal account credentials were harvested may be using the same password on a corporate VPN or cloud console.

A centralized password vault that generates unique credentials per service, combined with phishing-resistant MFA, eliminates credential reuse as an attack surface.

Passwork's self-hosted vault generates and stores unique credentials for every service, making credential reuse structurally impossible. Audit logs show exactly who accessed what, and when. See how it works — https://passwork.pro/


SaaS supply chain under attack: Klue, Salesforce Experience Cloud, and Volvo/Miljödata

Third-party SaaS risk operates at three distinct levels simultaneously: credential theft, misconfiguration, and vendor concentration. 

The Klue breach (June 2026)

The Klue breach illustrates the credential theft vector. A legacy service account credential — the kind that gets created during an integration project and never rotated — was used to harvest OAuth tokens across dozens of connected platforms. The affected companies included HackerOne, Recorded Future, Jamf, and Tanium. Their CRM data in Salesforce, HubSpot, and Gong was exposed not because those platforms were breached, but because a single stale credential in a connected service gave an attacker the OAuth token needed to read data across all of them. OAuth token abuse at this scale is a direct consequence of ungoverned third-party integrations — shadow IT that security teams often cannot see until after the fact.

The Salesforce Experience Cloud misconfiguration (2025–2026) 

ShinyHunters exploited a Salesforce Experience Cloud misconfiguration to expose data across telecom, finance, and government organizations. Administrators had granted guest users broader read permissions than intended. The platforms were not breached — they were misconfigured. ShinyHunters claimed to have stolen data from around 100 high-profile companies, but Salesforce did not confirm that figure. 

The Miljödata ransomware attack (August 2025)

The DataCarry group attacked Miljödata, a Swedish HR software provider serving Volvo Group, approximately 25 other private companies, 200 Swedish municipalities, and multiple educational institutions. One vendor breach became hundreds of victims. According to Have I Been Pwned, 870,000 accounts were exposed, including government-issued identity numbers. Volvo Group North America began notifying employees on September 29, 2025, confirming that names and Social Security numbers had been exposed — data that originated in Volvo's HR processes but was stored in a third-party system Volvo did not control.

Together, these three cases show that third-party risk management cannot be reduced to a vendor questionnaire. It requires continuous monitoring of OAuth grants, SaaS permission audits, and an honest assessment of how many critical processes depend on a single external provider.

👉
Read our Supply Chain Security Guide 2026 to learn how to protect your business from third-party breaches.

Healthcare under fire: NYC Health + Hospitals, Conduent, and Navia

Healthcare is the most expensive sector to breach. According to the IBM 2025 Cost of a Data Breach Report, the average cost of a healthcare breach reached $7.42 million — nearly double the global average of $4.44 million. The 2025-2026 period produced three incidents that show why.

The NYC Health + Hospitals data breach (2025)

1.8 million patients' records were exposed via a third-party vendor compromise.The NYC Health + Hospitals data breach included biometric templates — fingerprints and palm prints. Unlike passwords, biometric identifiers cannot be changed. An employee whose password is stolen can reset it. An employee whose fingerprint template is stolen has no equivalent recovery option. The permanent nature of biometric exposure makes IAM controls around biometric data storage categorically more critical than those around password storage.

Health benefits administrator Navia exposed 2.7 million records through an unauthenticated public API endpoint reachable from the open internet — a misconfiguration that mirrors the database exposure pattern above, applied to the application layer.

The Conduent Business Services breach (2025)

Attackers from the SafePay group were inside Conduent's network for 84 days before detection. Conduent processes payments, documents, and medical records for insurers and government agencies across North America. 

By the time the full scope was confirmed in June 2026, the breach had affected 62.2 million individuals, making it the third-largest healthcare data breach in recorded history. Among the confirmed victims: Premera Blue Cross, Humana, and multiple Blue Cross Blue Shield branches. The attackers never touched the insurers directly. They went through the vendor.

Healthcare's combination of high-value data, legacy infrastructure, and complex vendor ecosystems makes it the sector most consistently hit by both credential-based and extortion-based attacks.

Passwork enforces role-based access control across all credential types, including API keys and service account passwords. Explore how Passwork handles enterprise credential governance — https://passwork.pro/

When privilege becomes a weapon: SSA and PowerSchool

The DOGE/SSA incident illustrates that the most dangerous credential threat is not always external. A single privileged account with unchecked access can expose more data than any external breach.

The Social Security Administration data export (2025) 

The SSA case is the clearest argument for why privileged access management (PAM) and the principle of least privilege matter even inside organizations. DOGE operators with privileged access to SSA systems allegedly exported a full live database dump of SSN records — covering more than 300 million Americans — to an unsecured external server. No external attacker was involved. 

The PowerSchool breach (2025) 

A single support portal account, lacking MFA, session monitoring, and anomaly detection, exposed records of 60 million students and 10 million educators across the US, Canada, and the UK. 83% of affected students had their Social Security numbers exposed, along with medical records. The support account already had unrestricted access — no privilege escalation or lateral movement was needed.

Both incidents point to the same gap in IAM architecture: privileged accounts that exist outside the normal credential governance process. Support portals, vendor accounts, and administrative backdoors are frequently excluded from password rotation policies, MFA enforcement, and audit logging — the exact controls that would have prevented both breaches.

A detailed breakdown of what privileged access management is and best practices from industry experience — in this article.

Europe under attack: Marks & Spencer, Jaguar, and the cost of social engineering

Three European incidents from 2025–2026 produced the most financially documented losses of the period.

The Marks & Spencer breach (2025) 

The breach exposed personal data across M&S's customer base — names, addresses, phone numbers, dates of birth, and order history. M&S did not disclose the exact number of affected customers. Scattered Spider, a cybercriminal group known for stealing sensitive data from Fortune 500 companies, gained initial access through a third-party managed IT services provider by impersonating an employee to a helpdesk agent via SIM-swapping. From there, they moved through Active Directory. Online sales were suspended for 46 days. M&S confirmed a £300 million (around €353 million) profit impact in its annual results.

The Jaguar Land Rover breach (2025) 

It’s the most expensive security breach in British corporate history, estimated at £1.9–2.1 billion (around €2.4 billion) by the Cyber Monitoring Centre. An unpatched SAP NetWeaver vulnerability (CVE-2025-31324, patched April 2025) halted production at factories globally. Wholesale deliveries fell 24.2% year-on-year in JLR's fiscal second quarter and 43% in the third. The Bank of England's manufacturing PMI for September 2025 fell to 46.2, with JLR's shutdown cited as a contributing factor.

The France Titres / ANTS breach (2026) 

Attackers exfiltrated 11.7 million accounts from France's national passport and ID portal. Government identity portals hold verified, legally binding identity data — which makes them high-value targets precisely because the data cannot be disputed or replaced.

The M&S and JLR cases confirm two attack vectors that are now financially quantified: social engineering against third-party contractors, and exploitation of unpatched enterprise ERP software.


The shadow data problem: University of Hawaiʻi and the legacy archive risk

The University of Hawaiʻi breach (2025) exposed records from 1993 to 2007 — data that had never been deleted, encrypted, or audited, demonstrating that data minimization is a direct security control.

A ransomware attack exposed 1.2 million records, including research archives created before modern encryption standards existed. Data from 1993 to 2007 was never subject to current access controls, yet it remained on live infrastructure — queryable, exfiltrable, and legally the university's liability.

Shadow IT and shadow data are two sides of the same governance failure. Shadow IT is the unauthorized application running on your network. Shadow data is the dataset that was created for a project in 2001, never deleted, and never included in any data inventory. Both are invisible to security controls because they were never registered in the first place.

The control is data minimization: retain only what is operationally necessary, and audit legacy datasets on a defined schedule. Organizations that cannot answer "what data do we hold, where is it, and who can access it?" cannot defend it.


How to protect your enterprise from the next mega-leak

The Enterprise Credential Defense Framework maps each control directly to a breach pattern from this article.

Step 1. Deploy a centralized enterprise password vault.

Eliminates credential reuse and provides a single audit trail for all credential access. A centralized password vault with role-based access control means that when a credential is compromised, the blast radius is contained to what that credential was authorized to access — not everything the employee happened to know.

Step 2. Enforce minimum 15-character passwords and phishing-resistant MFA.

Legacy password policies — 90-day mandatory rotation, complexity rules requiring symbols and mixed case — are counterproductive. NIST SP 800-63B Rev. 4 removes both requirements. The reasoning is empirical: forced rotation produces predictable incremental changes (Password1! → Password2!), and complexity rules generate passwords that are hard for humans to remember but easy for automated tools to crack.

Criterion Old approach NIST SP 800-63B Rev. 4
Minimum length 8 characters 15 characters (recommended)
Complexity rules Uppercase, number, symbol required No composition rules
Expiration 90-day rotation No periodic expiration
Rotation trigger Calendar-based Compromise-driven only
MFA requirement Optional Phishing-resistant MFA at AAL2+
Banned passwords Rarely enforced Check against known-breach lists

For MFA specifically: SMS-based OTP is not recommended at AAL2. Hardware keys and passkeys meet the phishing-resistant threshold. The Verizon 2025 DBIR notes that MFA bypass techniques are growing — token theft accounts for 31% of bypass methods, MFA fatigue for 22% — but having MFA enabled still eliminates the vast majority of credential-based attacks.

Step 3. Audit and revoke ungoverned third-party SaaS integrations and OAuth grants.

Run a quarterly audit of all OAuth grants in your identity provider. Revoke any grant that cannot be attributed to an active, documented integration. Legacy service accounts should be rotated on a defined schedule and decommissioned when the integration is retired.

Step 4. Apply PAM controls and the principle of least privilege.

No account — internal or external — should have access beyond what its documented function requires. Privileged accounts should be time-limited, session-recorded, and subject to the same MFA requirements as any other account.

Step 5. Enforce data minimization and audit legacy datasets.

Establish a data retention schedule. Run an annual audit of datasets older than five years. Data that has no current operational purpose should be deleted, not archived on a live server.

Step 6. Eliminate arbitrary password expiration; adopt compromise-driven rotation.

Rotate credentials when a compromise is detected or suspected — not on a calendar. Integrate your password vault with breach intelligence feeds so that rotation is triggered by evidence, not by a 90-day clock that trains users to make predictable changes.


Conclusion

Three root causes appear in breach after breach across this article: credentials that were unmanaged or reused, access that was unchecked or over-permissioned, and data retained long past any operational purpose. Every incident covered here, from the 16-billion credential dump to the £1.9 billion JLR shutdown, maps to at least one of those three failures.

Every control in the Enterprise Credential Defense Framework maps to a documented failure in a named breach above. The question for your organization: which of those failures are you replicating right now?

Start with a credential audit: every privileged account, every OAuth grant, every service account in your environment. If you cannot answer those questions in under an hour, you have a visibility problem before you have a security problem.

Passwork is a self-hosted password and secrets manager built for exactly that audit: centralized vaults, role-based access, and zero-knowledge encryption, so you always know who has access to what. Explore deployment options — passwork.pro


Frequently asked questions

What was the biggest data breach in 2025?

The 16-billion credential mega-leak in June 2025 is the largest password exposure in recorded history. Cybernews researchers discovered 30 separate databases containing 16 billion login credentials aggregated from infostealer malware logs and prior breach compilations. The data was available on criminal markets for as little as $10 per access.

How do data-theft extortion attacks work?

Attackers exfiltrate sensitive data, set a ransom deadline, and publish if unpaid. No encryption is deployed — there is no technical recovery path. The only leverage is the threat of publication. This model requires no decryption key management and no negotiation over system restoration, which is why groups like ShinyHunters adopted it at scale. The only effective defense is preventing exfiltration in the first place: access controls, egress monitoring, and least-privilege enforcement.

What is the most common initial access vector in 2025–2026 breaches?

Vulnerability exploitation overtook credential theft for the first time in the Verizon 2026 DBIR, accounting for 31% of initial access versus 13% for stolen credentials. But compromised credentials still appear in 39% of all breaches when the full attack chain is considered — most commonly through infostealer malware harvesting reused passwords from personal accounts and applying them to corporate systems.

How does third-party risk translate into a direct breach?

A vendor, SaaS provider, or OAuth integration with access to your systems is an extension of your attack surface. The Conduent breach affected 62.2 million individuals across dozens of insurers — none of whom were directly attacked. The Klue breach exposed CRM data across HackerOne, Recorded Future, Jamf, and Tanium through a single stale service account credential. By 2026, 48% of confirmed breaches traced back to a third party (Verizon 2026 DBIR).

Can biometric data be recovered after a breach?

No. Unlike passwords, biometric identifiers such as fingerprints and palm prints cannot be changed or reissued. The NYC Health + Hospitals breach exposed biometric templates for 1.8 million patients. Those individuals have no equivalent of a password reset — their biometric identifiers are permanently compromised for any system that relies on them.

What made the Marks & Spencer breach so expensive?

The £300 million loss came from operational disruption, not from the breach itself. Scattered Spider used SIM-swapping and helpdesk impersonation to obtain credentials for a third-party contractor, then moved through Active Directory. Online sales were suspended for 46 days. The attack required no technical exploit — a phone call to a helpdesk agent was sufficient. That is what makes social engineering disproportionately costly: it bypasses technical controls entirely.

Passwork vs 1Password: Best Password Manager for EU
GDPR, NIS2, ANSSI 2027 — the regulatory pressure keeps building. We compare Passwork and 1Password on the criteria that matter to European businesses: data sovereignty, audit readiness, deployment model, and real total cost of ownership.
Team password management: The complete guide for 2026
Learn how teams share credentials securely in 2026 — RBAC, audit logs, offboarding checklists, NIST SP 800-63B Rev. 4 requirements, and self-hosted vs. cloud deployment.
11 password reuse risks and how to avoid them
Reusing a password feels harmless. It isn’t. Here’s why one leaked credential can unravel your entire organization’s security — and how to stop it from happening.