Global Cyber Breach Recap: Major Incidents in October & November 2025

As 2025 enters its final quarter, the cyber threat landscape has escalated far beyond the usual credential leaks and opportunistic phishing activity. October and November delivered some of the most significant breaches of the year, combining large-scale data exposure, supply-chain compromise, identity abuse, and exploitation of enterprise software at global scale.

Across these two months, organisations worldwide faced attacks that exposed tens of millions of records, targeted major cloud and ERP platforms, and demonstrated how quickly attackers can pivot from access to exfiltration.

This article breaks down the defining incidents of October and November 2025, the trends behind them, and what security teams should take away.


The State of Cybersecurity: October–November 2025

  • More than 21 million records were confirmed breached in October alone.
  • Attack volume increased by 48% month-over-month, according to industry analysis.
  • November saw a surge in supply-chain and ERP zero-day exploitation, affecting government, media and financial organisations.
  • Compromised identities, misconfigured cloud workloads, and vulnerable enterprise platforms featured heavily across all incident categories.

The message is clear: the attack surface is expanding, and adversaries are moving faster than ever.


Major Breaches: What Happened and Why It Matters

1. Prosper Marketplace – 17.6 Million Records Exposed (October 2025)

Prosper Marketplace disclosed a major breach after attackers used stolen administrative credentials to infiltrate backend systems. Roughly 17.6 million customer records were accessed, including personally identifiable information such as names, addresses, dates of birth, and portions of SSNs.

Why this breach stands out:

  • A single compromised admin account triggered a massive data loss.
  • Highlights ongoing issues with privileged identity security in fintech.
  • Demonstrates that perimeter controls alone cannot prevent large-scale compromise.

2. Dukaan – Misconfigured Cloud Stream Exposes Customer Data

Indian e-commerce platform Dukaan suffered a cloud configuration failure involving a publicly exposed Apache Kafka data stream. The leak revealed live order information, customer details, API tokens, and internal operations metadata.

Key lessons:

  • Misconfigured cloud pipelines can expose real-time data unintentionally.
  • API token exposure dramatically increases downstream threat impact.
  • “Silent” breaches (exposures with no confirmed attacker activity) still require full forensic handling.

3. Red Hat Consulting – 570 GB Source-Code & Client Data Stolen

A breach of Red Hat Consulting’s GitLab environment resulted in 570 GB of internal content being stolen, including client infrastructure information, code repositories, access tokens, and configuration data.

Why this incident matters:

  • Exposed code repositories often contain sensitive operational data.
  • Represents a significant supply-chain risk for downstream clients.
  • Reinforces that developer platforms are high-value targets for attackers.

4. University of Pennsylvania – SSO-Based Compromise Impacts Over 1.2 Million

A compromised PennKey SSO account provided attackers with access to donor, student, and alumni data affecting more than 1.2 million individuals.

Impact and implications:

  • Identity provider weaknesses continue to drive large breaches.
  • Educational networks remain attractive due to mixed-environment sprawl.
  • Highlights the need for behavioural MFA and identity anomaly monitoring.

5. Oracle E-Business Suite Zero-Day Campaign (November 2025)

In early November, a coordinated exploit campaign against Oracle E-Business Suite impacted over 100 organisations globally, including The Washington Post. The attack chain was linked to Clop ransomware affiliates leveraging a previously unknown vulnerability.

Why this event is critical:

  • Shows the dangerous ripple effect of ERP-level zero-day vulnerabilities.
  • Targets high-value enterprise systems bridging finance, HR, and operations.
  • Demonstrates how a single vendor vulnerability can cascade across industries.

Emerging Trends from October & November 2025

1. Identity Abuse Continues to Lead the Attack Chain

Whether through compromised SSO accounts or elevated admin profiles, attackers consistently exploit identity weaknesses.

Action: Strengthen IAM hardening, session monitoring, and just-in-time privilege elevation.


2. Cloud Misconfigurations are Still a Top Breach Vector

Exposed Kafka streams, open storage buckets, and leaked API keys reveal that cloud governance gaps remain widespread.

Action: Implement continuous cloud posture scanning and real-time configuration drift detection.


3. Supply-Chain Vulnerabilities Are Increasingly Weaponised

From Red Hat’s GitLab exposure to Oracle’s zero-day, supply-chain breaches amplified the impact across multiple organisations.

Action: Extend risk assessments to vendors, cloud services, and development pipelines—not just direct partners.


4. Faster Exfiltration and “Smash-and-Grab” Attacks

Attackers are now exfiltrating data within hours of initial access, reducing the window for detection and response.

Action: Invest in behavioural analytics and high-fidelity alerting to detect early indicators of compromise.


What These Breaches Mean for PCI, SOC, and Frontend Security

For PCI DSS 4.0 Environments:

  • Enhanced monitoring (Requirement 10) must extend beyond card-data systems.
  • Third-party risk (Requirement 12.8) is more critical than ever, especially with ERP and cloud integrations.

For SOC Teams:

  • Identity and cloud misconfiguration events must be treated as high-severity alerts.
  • Repository monitoring and developer environment scanning need priority.

For Frontend Security & Compliance:

Incidents like the Dukaan exposure show that exposed upstream APIs and data pipelines can undermine PCI-compliant environments even without direct card-data exposure.


How Organisations Can Strengthen Protection Right Now

  • Enforce MFA and behavioural identity analytics across all platforms.
  • Tighten cloud workload configurations and review access policies weekly.
  • Map and monitor all API endpoints, especially public-facing ones.
  • Conduct red-team exercises focused on identity and supply-chain breach paths.
  • Maintain real-time monitoring for data-stream activity, code-repository access, and unusual login events.
  • Patch ERP and legacy platforms immediately when vendor advisories are released.

Final Thoughts

The final quarter of 2025 has clearly demonstrated how modern breaches move far beyond traditional malware campaigns. Attackers now target identities, cloud data-streams, source-code systems, and enterprise ERP platforms—leveraging the weakest link anywhere in the digital ecosystem.

For security teams, the lesson is clear: visibility, speed, and layered controls are essential. Compliance frameworks can guide the baseline, but real-time monitoring and proactive detection are becoming the true differentiators.

At Breachfin.com, we’ll continue tracking these developments and helping organisations stay ahead of the evolving threat landscape.
