Transcript
Announcer (0:02)
You're listening to the CyberWire Network, powered by N2K.
Dave Bittner (0:11)
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today.

We've got a lighthearted look back at 2025, one heck of a year, and warm holiday wishes from all of us to all of you. It's December 24, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is Christmas Eve. We're happy to have you with us here today.

Another year, another avalanche of data breaches. At this point, the modern Internet user no longer asks whether their data was exposed, but rather how many times and by whom. Names, emails, medical records, location history, selfies, IDs, and the occasional deeply personal message continue to spill out of corporate servers with such regularity that it feels less like an emergency and more like background noise.

To cut through that noise, the Electronic Frontier Foundation once again handed out the Breachies, its annual tongue-in-cheek awards honoring the most egregious, avoidable, and occasionally absurd privacy failures of the year. The unifying theme is depressingly familiar.
Companies collect far more data than they need, keep it far longer than they should, and then act surprised when someone breaks in and takes it. If data minimization were fashionable, many of these breaches would amount to little more than a shrug. Instead, stolen information is repurposed for identity theft, extortion, stalking, and spam, while users are left assuming their personal details are just out there somewhere.

So, looking at this year's awardees from the EFF, Mixpanel earned the Say Something Without Saying Anything Award for a breach that was as vague as it was troubling. As an analytics company embedded invisibly into countless apps, Mixpanel quietly collected user data on behalf of others, including companies like Ring and Pornhub. When hackers accessed its systems, Mixpanel's public disclosure left more questions than answers. How many users were affected? What security controls failed? Did attackers demand a ransom? Silence. The most telling response came from OpenAI, which promptly dropped Mixpanel as a provider and revealed details Mixpanel itself had skipped. The real victims, of course, were users who never knowingly consented to sharing data with Mixpanel in the first place.

Discord took home the We Still Told You So Award, a sequel to last year's warning about age verification mandates. In September, Discord users' age verification data was exposed through a breach at Zendesk, its customer support vendor. Names, selfies, government IDs, addresses, phone numbers, IP addresses, and partial billing information all spilled out. While Discord itself wasn't directly hacked, that distinction offered little comfort to users whose sensitive identity data was suddenly loose. It was a textbook example of how collecting IDs "just in case" creates irresistible targets and predictable outcomes.

The Tea for Two Award went to Tea Dating Advice and TeaOnHer, two apps built around sharing dating safety information.
Tea, aimed at women, requires selfies or photo IDs to verify gender. In July, more than 70,000 such images were found exposed through an unsecured database. A week later, a second breach revealed over a million private messages discussing topics like abortion planning and infidelity. Meanwhile, TeaOnHer, a similar app for men, managed to expose emails, usernames, IDs, and even admin credentials through a public web address. Together, they offered a masterclass in why collecting biometric data should come with a very long pause.

Blue Shield of California won the Just Stop Using Tracking Tech Award after discovering it had been sharing sensitive health data with Google for nearly three years. A misconfigured Google Analytics setup leaked names, insurance details, providers, and financial responsibility information for 4.7 million people. This wasn't a hack so much as a slow, accidental data giveaway. And it echoed nearly identical incidents in healthcare, year after year. Tracking tools marketed as harmless analytics continue to leak medical data, proving once again that surveillance, advertising and healthcare make a terrible pairing.

PowerSchool earned the Hackers Hall Pass Award after attackers accessed sensitive data on more than 60 million students and teachers. Social Security numbers, medical records, grades, and special education data were exposed nationwide, all because PowerSchool failed to implement basic security protections like multi-factor authentication. Lawsuits followed, ransom payments were made, and the story took an extra twist when a Massachusetts student pleaded guilty to extorting the company for millions in Bitcoin. Sometimes the faceless hacker turns out to be a college kid with a password list.

TransUnion claimed the Worst Customer Service Ever Award after attackers accessed the personal data of 4.4 million people through a third-party support application.
Names, dates of birth and Social Security numbers were taken, though TransUnion reassured customers that core credit data was untouched. The breach underscored how third-party vendors function as side doors into sensitive systems, doors customers never agreed to leave unlocked.

Microsoft received its annual honorary mention, this time for a SharePoint zero-day that compromised over 400 organizations, including the National Nuclear Security Administration. While zero-days happen to everyone, Microsoft's long history of them raises uncomfortable questions about monocultures and centralization. When one company's software becomes infrastructure, its failures scale accordingly.

The Silver Globe Award went to the Flat Earth, Sun, Moon and Zodiac app, which leaked personal details and precise location data. The irony of Flat Earth believers unknowingly sharing latitude and longitude was, as the EFF noted, hard to ignore.

Gravy Analytics won the I Didn't Even Know You Had My Information Award after hackers claimed to steal location data tied to advertising IDs from millions of phones. The breach revealed how location data harvested through adtech can expose military personnel, LGBTQ individuals and others to serious risk. The real scandal, however, was not the breach itself, but a business model that tracks a billion phones a day without most users ever knowing the company exists.

TeslaMate earned the Keeping Up With My Cybertruck Award when thousands of exposed dashboards revealed Tesla owners' locations, travel habits and driving data. Self-hosted tools turned cars into reality shows, minus the consent or ratings.

PACER took home Disorder in the Courts after hackers accessed federal court filing systems, potentially exposing confidential informants. The breach followed years of warnings that the system was outdated and unsafe, proving once again that critical infrastructure often limps along until it breaks.
Catwatchful won Only Stalkers Allowed for a breach that exposed not only stalkers' accounts but also data from 26,000 victims' phones. It was one of several stalkerware breaches this year, reinforcing calls to shut the industry down entirely.

Plex received the Why We're Still Stuck on Unique Passwords Award after leaking emails, usernames and hashed passwords. It was deja vu from a similar 2022 breach and a reminder that password reuse remains one of the Internet's most reliable self-inflicted wounds.

Finally, Troy Hunt's mailing list earned the Yes, Actually, I Have Been Pwned Award after he fell for a phishing attack. If it can happen to the world's most famous breach tracker, it can happen to anyone.

The takeaway is bleak but actionable. Use unique passwords, enable two-factor authentication, delete old accounts, freeze credit, and watch medical bills closely. More importantly, companies must collect less data and secure what they keep, and lawmakers should pass meaningful privacy protections. Until then, the Breachies will remain tragically easy to award. We'll have a link to the Electronic Frontier Foundation's post in our show notes, and we appreciate them for creating this year's Breachies Award.
