CyberWire Daily – “And the Breachies go to…”
Host: Dave Bittner
Date: December 24, 2025
Episode Overview
This special holiday episode of CyberWire Daily takes a lighthearted yet incisive look back at the major cybersecurity breaches of 2025. Using the Electronic Frontier Foundation’s annual “Breachies” awards as a framework, Dave Bittner humorously highlights the most egregious, absurd, and avoidable privacy failures of the year. The episode offers sharp commentary on persistent industry failings—especially excessive data collection and retention—and closes with a festive cybersecurity-themed rendition of “The Twelve Days of Christmas.”
Key Discussion Points & Insights
The State of Data Breaches in 2025
- Breaches have become so common that most Internet users now expect multiple exposures of their data over time.
- Companies frequently collect more data than necessary, retain it too long, and are then caught “surprised” when it’s stolen.
- Consequences for users include identity theft, extortion, stalking, and increased spam.
Quote:
“At this point, the modern Internet user no longer asks whether their data was exposed, but rather how many times and by whom.”
— Dave Bittner (01:07)
The EFF’s 2025 “Breachies” Awards
Award Highlights:
1. Mixpanel: “Say Something Without Saying Anything” (02:40)
- Analytics firm Mixpanel suffered a breach affecting user data from companies such as Ring and Pornhub.
- Their disclosure was notably vague, sparking criticism and confusion.
- OpenAI severed ties and provided more detail than Mixpanel itself.
- Users never directly consented to Mixpanel’s data collection, intensifying privacy concerns.
Quote:
“The real victims, of course, were users who never knowingly consented to sharing data with Mixpanel in the first place.”
— Dave Bittner (04:11)
2. Discord: “We Still Told You So” (04:15)
- Users’ age verification data was compromised in a breach at Zendesk (Discord’s customer support vendor).
- Data leaked: names, selfies, government IDs, addresses, phone numbers, IP addresses, billing info.
- Example of risks stemming from unnecessary data collection for “just in case” scenarios.
Quote:
“A textbook example of how collecting IDs just in case creates irresistible targets and predictable outcomes.”
— Dave Bittner (05:00)
3. Tea Dating Advice and TeaOnHer: “Tea for 2” (05:15)
- The dating safety app Tea exposed over 70,000 images and more than a million private messages through unsecured databases.
- Its counterpart TeaOnHer exposed even more data, including admin credentials.
- Demonstrates the extreme risk of collecting biometric and other sensitive personal data, such as selfies and government IDs used for verification.
Quote:
“Together, they offered a masterclass in why collecting biometric data should come with a very long pause.”
— Dave Bittner (06:00)
4. Blue Shield of California: “Just Stop Using Tracking Tech” (06:14)
- A misconfigured Google Analytics deployment leaked sensitive medical data on 4.7 million members over roughly three years.
- Not a direct hack, but an “accidental data giveaway.”
- Highlights dangers of mixing analytics, advertising, and healthcare data.
5. PowerSchool: “Hackers’ Hall Pass” (07:00)
- Over 60 million student and teacher records (SSNs, medical records, grades) were exposed.
- The breach was traced to the absence of basic controls such as multi-factor authentication on the compromised account.
- Repercussions included lawsuits and a ransom payment; the incident was tied to a college student’s extortion plot.
Quote:
“Sometimes the faceless hacker turns out to be a college kid with a password list.”
— Dave Bittner (07:46)
6. TransUnion: “Worst Customer Service Ever” (08:00)
- A breach through a third-party application exposed personal data of 4.4 million people.
- Reinforced the exposure created by third-party vendors with access to customer data.
- The company reassured the public that “core credit data was untouched”—little comfort to those affected.
7. Microsoft: “Annual Honorary Mention” (08:44)
- SharePoint zero-day compromise hit 400+ organizations, including major federal entities.
- Raises “uncomfortable questions about monocultures and centralization.”
8. Flat Earth, Sun, Moon and Zodiac App: “Silver Globe Award” (09:11)
- Leaked precise locations and personal details of Flat Earth believers.
- The irony of “latitude and longitude” data leaks noted as “hard to ignore.”
Notable Additional Awards:
- Gravy Analytics (“I Didn’t Even Know You Had My Information”): Exposed location data from millions, highlighting adtech dangers.
- TeslaMate (“Keeping Up with My Cybertruck”): Exposed travel data of Tesla owners via insecure dashboards.
- PACER (“Disorder in the Courts”): Breach exposed federal court records, highlighting overdue infrastructure reform.
- Catwatchful (“Only Stalkers Allowed”): Stalkerware breach exposed both the perpetrators and data from 26,000 victims’ phones.
- Plex (“Why We’re Still Stuck on Unique Passwords”): Yet another breach tied to password reuse.
- Troy Hunt Mailing List (“Yes Actually I Have Been Pwned”): Even world-famous security experts can be phished.
Memorable Quotes & Takeaways
- “The real scandal...was a business model that tracks a billion phones a day without most users ever knowing the company exists.”
— Dave Bittner on Gravy Analytics (10:02)
- “When one company’s software becomes infrastructure, its failures scale accordingly.”
— Dave Bittner on Microsoft (08:53)
- “If it can happen to the world’s most famous breach tracker, it can happen to anyone.”
— Dave Bittner on Troy Hunt (11:13)
- Key advice: use unique passwords, enable two-factor authentication, delete old accounts, freeze your credit, closely monitor medical bills, and above all, minimize data collection.
Timestamp: 11:19
“Companies must collect less data and secure what they keep, and lawmakers should pass meaningful privacy protections. Until then, the Breachies will remain tragically easy to award.”
— Dave Bittner
The 12 Days of Malware – Holiday Feature
Segment Begins: 12:36
A festive rendition of "The Twelve Days of Christmas," reimagined with cybersecurity threats (malware, zero days, scripts, etc.), performed by Dave Bittner, Alice Carruth, Sam, and friends.
Sample Highlights:
- “On the first day of Christmas, my malware sent to me, a keylogger logging my keys.” (12:50)
- “Seven scripts of scraping... six password spraying...” (14:25)
- “Twelve hackers hacking, eleven phishers phishing, ten darknet markets…” (16:40)
Dave Bittner (post-song, 17:17):
“Love it… hope you enjoyed our 12 Days of Malware. There is a video version of that... Happy Holidays and Merry Christmas.”
Closing Remarks & Holiday Message
Big Picture Reflections (18:38):
Dave expresses gratitude to listeners, the CyberWire team, and the broader community for their support throughout the year. He notes both the highs and lows of 2025, thanks the audience, and wishes all a restful holiday season. Regular programming will resume on January 5.
Quote:
“We wish you a Merry Christmas, happy holidays, and a safe and joyous New Year. Be kind, take care, and we'll see you next year.”
— Dave Bittner (20:40)
Notable Timestamps
- 01:07: Dave Bittner on the state of data breaches
- 02:40–10:45: Breakdown of EFF's “Breachies” award winners, with detailed case studies
- 11:13: Lessons learned and actionable advice
- 12:36–17:17: “12 Days of Malware” song
- 18:38: Host’s personal remarks and holiday message
Tone and Language
Dave Bittner maintains a witty, approachable, and slightly sardonic tone—emphasizing both the absurdity and seriousness of recurring cybersecurity failures. The holiday episode adds a festive, communal spirit while reinforcing vital security fundamentals. The “Breachies” serve as both comic relief and a call to action.
Useful for listeners who missed the episode:
- The summary provides a comprehensive tour through the year’s most notorious breaches and privacy fails, reinforces key lessons, and delivers advice relevant to both individuals and enterprises. The playful “12 Days of Malware” closes the year on a lighter note while underscoring the persistent, evolving nature of cybersecurity threats.
