Summary6 min read

CyberWire Daily – “And the Breachies go to…”

Host: Dave Bittner
Date: December 24, 2025

Episode Overview

This special holiday episode of CyberWire Daily takes a lighthearted yet incisive look back on the major cybersecurity breaches of 2025. With the help of the Electronic Frontier Foundation’s annual “Breachies” awards, Dave Bittner humorously highlights the most egregious, absurd, and avoidable privacy failures of the year. The episode offers sharp commentary on persistent industry failings—especially excessive data collection—and closes with a festive cybersecurity-themed rendition of “The Twelve Days of Christmas.”

Key Discussion Points & Insights

The State of Data Breaches in 2025

Breaches have become so common that most Internet users now expect multiple exposures of their data over time.
Companies frequently collect more data than necessary, retain it too long, and are then caught “surprised” when it’s stolen.
Consequences for users include identity theft, extortion, stalking, and increased spam.

Quote:

“At this point, the modern Internet user no longer asks whether their data was exposed, but rather how many times and by whom.”
— Dave Bittner (01:07)

The EFF’s 2025 “Breachies” Awards

Award Highlights:

1. Mixpanel: “Say Something Without Saying Anything” (02:40)

Analytics firm Mixpanel suffered a breach affecting user data from companies such as Ring and Pornhub.
Their disclosure was notably vague, sparking criticism and confusion.
OpenAI severed ties and provided more detail than Mixpanel itself.
Users never directly consented to Mixpanel’s data collection, intensifying privacy concerns.

Quote:

“The real victims, of course, were users who never knowingly consented to sharing data with Mixpanel in the first place.”
— Dave Bittner (04:11)

2. Discord: “We Still Told You So” (04:15)

Users’ age verification data was compromised in a breach at Zendesk (Discord’s customer support vendor).
Data leaked: names, selfies, government IDs, addresses, phone numbers, IP addresses, billing info.
Example of risks stemming from unnecessary data collection for “just in case” scenarios.

Quote:

“A textbook example of how collecting IDs just in case creates irresistible targets and predictable outcomes.”
— Dave Bittner (05:00)

3. T Dating Advice and Tonher: “T for 2” (05:15)

Dating safety apps exposed over 70,000 images and a million private messages via unsecured databases.
Tonher exposed even more data, including admin credentials.
Demonstrates the extreme risk in collecting biometric and sensitive personal data.

Quote:

“Together, they offered a masterclass in why collecting biometric data should come with a very long pause.”
— Dave Bittner (06:00)

4. Blue Shield of California: “Just Stop Using Tracking Tech” (06:14)

Misconfigured Google Analytics leaked sensitive medical data of 4.7 million people over three years.
Not a direct hack, but an “accidental data giveaway.”
Highlights dangers of mixing analytics, advertising, and healthcare data.

5. PowerSchool: “Hackers’ Hall Pass” (07:00)

Over 60 million student and teacher records (SSNs, medical records, grades) were exposed.
The breach traced to lack of basic security like multi-factor authentication.
Legal repercussions included lawsuits and ransom payments; the incident tied to a student’s extortion plot.

Quote:

“Sometimes the faceless hacker turns out to be a college kid with a password list.”
— Dave Bittner (07:46)

6. TransUnion: “Worst Customer Service Ever” (08:00)

Breach via third-party application exposed personal data for 4.4 million people.
Reinforced vulnerability created by third-party vendors.
Company reassured public that “core credit data was untouched”—little comfort to those affected.

7. Microsoft: “Annual Honorary Mention” (08:44)

SharePoint zero-day compromise hit 400+ organizations, including major federal entities.
Raises “uncomfortable questions about monocultures and centralization.”

8. Flat Earth, Sun, Moon and Zodiac App: “Silver Globe Award” (09:11)

Leaked precise locations and personal details of Flat Earth believers.
The irony of “latitude and longitude” data leaks noted as “hard to ignore.”

Notable Additional Awards:

Gravy Analytics (“I Didn’t Even Know You Had My Information”): Exposed location data from millions, highlighting adtech dangers.
TeslaMate (“Keeping Up with My Cybertruck”): Exposed travel data of Tesla owners via insecure dashboards.
PACER (“Disorder in the Courts”): Breach exposed federal court records, highlighting overdue infrastructure reform.
Cat Watchful (“Only Stalkers Allowed”): Stalkerware breach exposed both perpetrators and 26,000 victim phones.
Plex (“Why We’re Still Stuck on Unique Passwords”): Another repetition of a breach due to password reuse.
Troy Hunt Mailing List (“Yes Actually I Have Been Pwned”): Even world-famous security experts can be phished.

Memorable Quotes & Takeaways

“The real scandal...was a business model that tracks a billion phones a day without most users ever knowing the company exists.”
— Dave Bittner on Gravy Analytics (10:02)
“When one company’s software becomes infrastructure, its failures scale accordingly.”
— Dave Bittner on Microsoft (08:53)
“If it can happen to the world’s most famous breach tracker, it can happen to anyone.”
— Dave Bittner on Troy Hunt (11:13)
Key advice: Unique passwords, two-factor authentication, delete old accounts, freeze credit, closely monitor medical bills, and above all, minimize data collection.

Timestamp: 11:19

“Companies must collect less data and secure what they keep, and lawmakers should pass meaningful privacy protections. Until then, the Breachies will remain tragically easy to award.”
— Dave Bittner

The 12 Days of Malware – Holiday Feature

Segment Begins: 12:36

A festive rendition of "The Twelve Days of Christmas," reimagined with cybersecurity threats (malware, zero days, scripts, etc.), performed by Dave Bittner, Alice Carruth, Sam, and friends.

Sample Highlights:

“On the first day of Christmas, my malware sent to me, a keylogger logging my keys.” (12:50)
“Seven scripts of scraping... six password spraying...” (14:25)
“Twelve hackers hacking, eleven phishers phishing, ten darknet markets…” (16:40)

Dave Bittner (post-song, 17:17):

“Love it… hope you enjoyed our 12 Days of Malware. There is a video version of that... Happy Holidays and Merry Christmas.”

Closing Remarks & Holiday Message

Big Picture Reflections (18:38):
Dave expresses gratitude to listeners, the CyberWire team, and the broader community for their support throughout the year. He notes both the highs and lows of 2025, thanks the audience, and wishes all a restful holiday season. Regular programming will resume on January 5.

Quote:

“We wish you a Merry Christmas, happy holidays, and a safe and joyous New Year. Be kind, take care, and we'll see you next year.”
— Dave Bittner (20:40)

Notable Timestamps

01:07: Dave Bittner on the state of data breaches
02:40–10:45: Breakdown of EFF's “Breachies” award winners, with detailed case studies
11:13: Lessons learned and actionable advice
12:36–17:17: “12 Days of Malware” song
18:38: Host’s personal remarks and holiday message

Tone and Language

Dave Bittner maintains a witty, approachable, and slightly sardonic tone—emphasizing both the absurdity and seriousness of recurring cybersecurity failures. The holiday episode adds a festive, communal spirit while reinforcing vital security fundamentals. The “Breachies” serve as both comic relief and a call to action.

Useful for listeners who missed the episode:

The summary provides a comprehensive tour through the year’s most notorious breaches and privacy fails, reinforces key lessons, and delivers advice relevant to both individuals and enterprises. The playful “12 Days of Malware” closes the year on a lighter note while underscoring the persistent, evolving nature of cybersecurity threats.

Loading summary

Transcript34 lines

[00:02]
Announcer
You're listening to the Cyberwire Network powered by N2K.
[00:12]
Dave Bittner
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allow listing, you stop unknown executables cold. With ring Fencing, you control how trusted applications behave, and with threatlocker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose Threat Locker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today. We've got a light hearted look back at 2025. One heck of a year and warm holiday wishes from all of us to all of you. It's December 24, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It is Christmas Eve. We're happy to have you with us here today. Another year, another avalanche of data breaches. At this point, the modern Internet user no longer asks whether their data was exposed, but rather how many times and by whom. Names, emails, medical records, location history, selfies, IDs, and the occasional deeply personal message continue to spill out of corporate servers with such regularity that it feels less like an emergency and more like background noise. To cut through that noise, the Electronic Frontier foundation once again handed out the Breechies its annual Tongue in Cheek Awards, honoring the most egregious, avoidable, and occasionally absurd privacy failures of the year. The unifying theme is depressingly familiar. Companies collect far more data than they need, keep it far longer than they should, and then act surprised when someone breaks in and takes it. If data minimization were fashionable, many of these breaches would amount to little more than a shrug. Instead, stolen information is repurposed for identity theft, extortion, stalking, and spam, while users are left assuming their personal details are just out there somewhere. So, looking at this year's awardees from the eff, Mixpanel earned the say Something Without Saying Anything award for a breach that was as vague as it was troubling. As an analytics company embedded invisibly into countless apps, Mixpanel quietly collected user data on behalf of others, and including companies like Ring and pornhub. When hackers accessed its systems, Mixpanel's public disclosure left more questions than answers. How many users were affected? What security controls failed? Did attackers demand a ransom? Silence. The most telling response came from OpenAI, which promptly dropped Mixpanel as a provider and revealed details Mixpanel itself had skipped. The real victims, of course, were users who never knowingly consented to sharing data with Mixpanel in the first place. Discord took home the we still told you so award, a sequel to last year's warning about age verification mandates. In September, Discord users age verification data was exposed through a breach at Zendesk, its customer support vendor. Names, selfies, government IDs, addresses, phone numbers, IP addresses, and partial billing information all spilled out. While Discord itself wasn't directly hacked, that distinction offered little comfort to users whose sensitive identity data was suddenly loose. It was a textbook example of how collecting IDs just in case creates irresistible targets and predictable outcomes. The T for 2 award went to T Dating Advice and TI on her two apps built around sharing dating safety information. T aimed at women, requires selfies or photo IDs to verify gender. In July, more than 70,000 such images were found exposed through an unsecured database. A week later, a second breach revealed over a million private messages discussing topics like abortion planning and infidelity. Meanwhile, Tonher, a similar app for men, managed to expose emails, usernames, IDs, and even admin credentials through a public Web address. Together, they offered a masterclass in why collecting biometric data should come with a very long pause. Blue Shield of California won the Just stop using Tracking tech award after discovering it had been sharing sensitive health data with Google for nearly three years. A misconfigured Google Analytics setup leaked names, insurance details, providers, and financial responsibility information for 4.7 million people. This wasn't a hack so much as a slow, accidental data giveaway. And it echoed nearly identical incidents in healthcare. Year after year. Tracking tools marketed as harmless analytics continue to leak medical data, proving once again that surveillance, advertising and healthcare make a terrible pairing. PowerSchool earned the hackers Hall Pass award after attackers accessed sensitive data on more than 60 million students and teachers. Social Security numbers, medical records, grades, and special education data were exposed nationwide, all because PowerSchool failed to implement basic security protections like multi factor authentication. Lawsuits followed, ransom payments were made, and the story took an extra twist when a Massachusetts student pleaded guilty to extorting the company from millions in Bitcoin. Sometimes the faceless hacker turns out to be a college kid with a password list. TransUnion claimed the worst customer service ever award after attackers accessed the personal data of 4.4 million people through a third party support application. Names, dates of birth and Social Security numbers were taken, though TransUnion reassured customers that core credit data was untouched. The breach underscored how third party vendors function as side doors into sensitive systems, doors customers never agreed to leave unlocked. Microsoft received its annual honorary mention, this Time for a SharePoint Zero Day that compromised over 400 organizations, including the National Nuclear Security Administration. While zero days happen to everyone, Microsoft's long history of them raises uncomfortable questions about monocultures and centralization. When one company's software becomes infrastructure, its failures scale accordingly. The Silver Globe award went to the Flat Earth, Sun, Moon and Zodiac app, which leaked personal details and precise location data. The irony of Flat Earth believers unknowingly sharing latitude and longitude was, as the EFF noted, hard to ignore gravy. Analytics won the I didn't even know you had my information award after hackers claimed to steal location data tied to advertising IDs from millions of phones. The breach revealed how location Data harvested through AdTech can expose military personnel, LGBTQ individuals and others to serious risk. The real scandal, however, was not the breach itself, but a business model that tracks a billion phones a day without most users ever knowing the company exists. TeslaMate earned the keeping up with My Cybertruck award when thousands of exposed dashboards revealed Tesla owners locations, travel habits and driving data. Self hosted tools turned cars into reality shows minus the consent or ratings. PACER took home disorder in the courts after hackers accessed federal court filing systems, potentially exposing confidential informants. The breach followed years of warnings that the system was outdated and unsafe, proving once again that critical infrastructure often limps along until it breaks. Cat Watchful won Only stalkers allowed for a breach that exposed not only stalkers accounts but also data from 26,000 victims phones. It was one of several stalkerware breaches this year, reinforcing calls to shut the industry down entirely. Plex received the why we're still stuck on unique Passwords award after leaking emails, usernames and hashed passwords. It was deja vu from a similar 2022 breach and and a reminder that password reuse remains one of the Internet's most reliable self inflicted wounds. Finally, Troy Hunt's mailing list earned the yes actually I have been pwned award after he fell for a phishing attack. If it can happen to the world's most famous breach tracker, it can happen to anyone. The takeaway is bleak but actionable. Use unique passwords, enable two factor authentication, delete old accounts, freeze credit, and watch medical bills closely. More importantly, companies must collect less data and secure what they keep, and lawmakers should pass meaningful privacy protections. Until then, the breachees will remain tragically easy to award. We'll have a link to the Electronic Frontier Foundation's post in our show notes, and we appreciate them for creating this year's Breachies Award.
[11:36]
Nordstrom Rack Advertiser
Give big Save big with Rack Friday deals at Nordstrom Rack For a limited time, take an extra 40% off red tag clearance for a total Savings up to 75% off. Save on gifts for everyone on your list from brands like Vince Cole, Haan, Sam Edelman and more. All sales final and restrictions apply. The best stuff goes fast, so bring your gift list and your wish list to your nearest Nordstrom rack today.
[12:03]
Ford BlueCruise Advertiser
Ford BlueCruise hands free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise enabled vehicles like the F150 Explorer and Mustang Mach E. Available feature on equipped vehicles Terms apply does not replace safe driving. See Ford.com BlueCruise for more details.
[12:37]
Dave Bittner
A few years back we created a special version of the twelve Days of Christmas with help from some of our friends all around the cybersecurity community. Here's that production I encourage you to go to YouTube and check out the video where you can see who has each day of the 12 days. Enjoy. On the first day of Christmas my malware sent to me a keylogger logging my keys. On the second day of Christmas my.
[13:11]
Alice Carruth
Malware gave to me two trojan apps.
[13:15]
Dave Bittner
And a keylogger logging my keys.
[13:19]
Sam
On the third day of Christmas my malware gave to me three web shells, two trojan apps and a keylogger logging my keys.
[13:31]
Dave Bittner
On the fourth day of Christmas my.
[13:33]
Sam
Malware gave to me four crypto scams, three web shells, two trojan apps and a keylogger logging my keys. Now on the day of Christmas I'm nowhere gave to me five zero days, four crypto scams, three web shells, two trojan apps and a keylor logging my keys.
[14:04]
Dave Bittner
On the 6th day of Christmas my.
[14:06]
Alice Carruth
Malware gave to me 6 password spraying 5 year old ding.
[14:17]
Sam
4 crypto scams, 3 web shells, 2 trojan apps and a keylogger logging my keys.
[14:26]
Alice Carruth
On the 7th day of Christmas my malware gave to me 7 scripts of scraping, 6 passwords spraying my spirit.
[14:41]
Dave Bittner
4.
[14:41]
Sam
Crypto scams, 3 web shells, 2 trojan apps and a keylogger loggin keys on.
[14:50]
Alice Carruth
The 8th day of Christmas my malware gave to me 8 worms a wiping 7 scripts of scraping 6 passwords spraying my spirit.
[15:06]
Sam
4 crypto Scams 3 web shells 2 trojan apps and a keylogger.
[15:12]
Alice Carruth
Logging my keys on the 9th day of Christmas my malware gave to 9 rootkits routine 8 worms of wiping 7 scripts of scraping 6 password spraying 5.
[15:29]
Sam
Keys 4 crypto scams 3 web shells.
[15:36]
Alice Carruth
2 trojan apps and a keylogger logging my keys on the 10th day of Christmas my malware gave to me 10 darknet markets 9 with kids routine 8 worms a light ring 76 password spraying 5C0 today ba dum dum dum 4.
[16:02]
Sam
Crypto scams, 3 web shells, 2 trojan apps and a keylogger loading my keys.
[16:10]
Alice Carruth
On the 11th day of Christmas my Malibu gave to me 11 fishers fishing 10 darknet markets diary kids rooting eight worms a wiping seven scripts of scraping six password spraying five zero days.
[16:31]
Dave Bittner
Four.
[16:32]
Sam
Crypto scams, three web shells, two Trojan apps and a deloger loading my keys.
[16:40]
Alice Carruth
On the 12th day of Christmas my malware gave to me 12 hackers hacking 11 fishers fishing 10 darknet markets 9 rootkits rooting 8 worms are wiping 7 thrips of scrap 6 passwords spraying my.
[16:57]
Dave Bittner
Zero days.
[17:01]
Alice Carruth
Badum dum bum 4 crypto.
[17:04]
Sam
Scams, 3 web shells, 2 trojan hats.
[17:08]
Alice Carruth
And a key learner locking my keys yeah.
[17:18]
Dave Bittner
Love it. Hey everybody Dave here. Hope you enjoyed our 12 Days of Malware. There is a video version of that that the names of all of our special friends who helped us out with that production. You can find that on our website. It's also over on YouTube. Please do check it out. Happy Holidays and Merry Christmas.
[17:48]
Announcer
VRBO helps you swap gift wrap time for quality time. Go to VRBO now and book a last minute week long stay and save over $390 this holiday season. Book your next vacation rental home on VRBO. $396.00 select homes only. Running a business comes with a lot of what ifs, but luckily there's a simple answer to Shopify. It's the commerce platform behind millions of businesses including Thrive Cosmetics and Momofuku. And it'll help you with everything you need. From website design and marketing to boosting sales and expanding operations. Shopify can get the job done and make your dream a reality. Turn those what ifs into Sign up for your $1 per month trial at shopify.com specialoffer.
[18:39]
Dave Bittner
And finally, as the year draws to a close. We want to take a moment to thank you for spending part of it with us. It's been one heck of a year, full of highs and lows, moments of joy and moments of heartbreak. Through it all, we're genuinely grateful that you chose to listen, read and engage with the Cyberwire. It truly means the world to us that you find value in what we do, and we're looking forward to sharing more time together in the year ahead. Beginning tomorrow and continuing through next week, the Cyberwire will publish on Our winter holiday schedule will step away from our regular daily and weekly podcasts and news briefings to bring you a selection of special coverage. Instead, during the break, we invite you to visit the Cyberwire for thoughtful discussions of some of the cybersecurity sector's most interesting topics. We'll resume our regular publication schedule on January 5th. Producing the CyberWire is very much a team effort, and we'd like to extend our sincere thanks to everyone who has a hand in making the podcast and our coverage possible. From our hosts, producers, editors, researchers and writers, to our technical and operations teams, partners, sponsors and contributors, this work happens because of your talent, dedication and care. And of course, to our listeners and readers. Thank you for being part of this community. We couldn't do this without you. In the meantime, we hope you enjoy a quiet, restful holiday season. On behalf of the entire Cyberwire team, we wish you a Merry Christmas, happy holidays, and a safe and joyous New Year. Be kind, take care, and we'll see you next year. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next year.
[21:05]
Sam
Sam.