A record year for the number of breaches
Three documented 2025 incidents illustrate the scale, across three different sectors:
Healthcare alone accounted for a disproportionate share of 2025's largest breaches: the ten biggest incidents reported to HHS affected over 20 million people combined, on top of the AT&T and other telecom and retail cases above.
The vocabulary to know
Have I Been Pwned
A free service built by security researcher Troy Hunt: enter your email to check whether it appears in a known data breach.
Credential stuffing
An attacker takes credentials stolen in one breach and tries them en masse on other sites, betting that you reused the same password elsewhere.
Password spraying
The reverse of classic brute-forcing: an attacker tries one very common password across a large number of different accounts, to stay under detection thresholds.
MFA fatigue
An attacker who already has your password triggers a flood of push notification approval requests, hoping you'll eventually tap "approve" out of annoyance or mistake.
SIM swap, another technique directly tied to exploiting leaked data, is detailed in the glossary.
Frequently asked questions
How can I check if my data has been exposed?
Have I Been Pwned (haveibeenpwned.com) is a free service, built by security researcher Troy Hunt, that lets you check whether your email address appears in a known data breach.
Were 2025 breaches worse than previous years?
By count, yes: the Identity Theft Resource Center tracked 3,322 data compromises in 2025, a new all-time record and a 79% jump over five years. By number of people notified, 2025 was actually lower than 2024, because 2024 included several exceptionally large "mega-breaches" that inflated the victim count.
Why does a data breach lead to fraudulent calls and texts?
Because a breach often contains a name, phone number and sometimes details about your bank, employer or health provider — enough to build a call or text that sounds credible and personal, far more effective than a generic message sent at random.