The final week of 2025 and opening days of 2026 brought a relentless wave of security incidents — with over 250 million records exposed across more than 30 organizations globally. From cryptocurrency exchange panel access to government data exfiltration, here's what defenders need to know.
The Numbers at a Glance
| Metric | Count |
|---|---|
| Total records exposed | 250M+ |
| Ransomware victims | 15+ organizations |
| Countries affected | 12+ |
| Access listings sold | 10+ |
| Cryptocurrency-related | 3 major incidents |
Critical Incidents
Kraken Exchange: Admin Panel Access Sold
Date: January 2, 2026
Threat actors are selling read-only access to Kraken's internal admin panel — exposing complete KYC data, government IDs, selfies, and transaction histories. The listing includes phishing tooling priced from just $1.
Why it matters: Even "read-only" access enables devastating social engineering attacks. Attackers can reference real transaction details, generate support tickets, and target high-value accounts with inside knowledge.
Experian: 20M+ Consumer Records
Date: December 30, 2025
Credit bureau giant Experian allegedly suffered a breach exposing over 20 million consumer records — potentially including credit scores, payment histories, and personal identifiers.
| Data Type | Primary Risk |
|---|---|
| Credit scores | Identity fraud, loan fraud |
| Payment histories | Financial profiling |
| Personal identifiers | Account takeover |
| Address histories | Physical security risk |
Impact: Credit bureau breaches are particularly dangerous because the stolen fields are the very data that lenders and service providers use to verify identity, so the dump maps directly onto identity theft and account fraud.
France Mobile Database: 160M Phone Numbers
Date: December 25, 2025
A massive database containing 160 million French phone numbers appeared for sale on dark web forums — a significant portion of France's population.
Attack enablement:
- SIM swapping campaigns at scale
- SMS phishing (smishing) operations
- Voice phishing (vishing) targeting
- Account recovery exploitation
Solana Wallets: 171K Private Keys
Date: December 30, 2025
171,000 Solana wallet private keys were offered for sale — representing direct access to cryptocurrency holdings with no recovery possible for victims.
Private key compromise means total loss: no 2FA, no recovery, no reversal.
Root causes likely include:
- Malware-infected wallet generators
- Compromised browser extensions
- Phishing sites mimicking legitimate wallets
- Clipboard hijacking malware
European Space Agency: 200GB Data Leak
Date: December 27, 2025
ESA confirmed a breach after attackers claimed 200GB of data including source code, API tokens, Terraform configurations, and hardcoded credentials from collaboration servers.
Ransomware Activity
Ransomware groups remained active through the holiday period, exploiting reduced staffing and delayed incident response.
SAFEPAY Operations (December 29)
| Victim Region | Count |
|---|---|
| European Union | 5 |
| United States | 4 |
| Total | 9 |
PLAY Ransomware (December 29)
| Victim Region | Count |
|---|---|
| United States | 3 |
| Canada | 2 |
| Total | 5 |
Individual Ransomware Victims
| Organization | Country | Date |
|---|---|---|
| DGM IT | Israel | Jan 1 |
| Hunneman Real Estate | United States | Dec 31 |
| Falk Waas Law Firm | United States | Dec 30 |
| Salvation Army | United States | Dec 25 |
Holiday timing: Ransomware operators deliberately target holiday periods when IT teams are understaffed and response times are slower.
Corporate & Infrastructure Breaches
Massive Data Exposures
| Organization | Records/Data | Country | Date |
|---|---|---|---|
| YouNow | 22M accounts | Global | Jan 1 |
| Tokyo FM | 3M+ listener records | Japan | Jan 1 |
| Wired | 2.3M records | United States | Dec 27 |
| Hellowork | 2.8M job seekers | France | Dec 24 |
| Kassy.ru | 300K users | Russia | Dec 29 |
Industrial & Infrastructure Targets
| Organization | Data Volume | Sector | Date |
|---|---|---|---|
| Pickett USA Engineering | 139 GB | Infrastructure/Utilities | Jan 1 |
| Total ETO ERP | 29 GB | Enterprise Software | Dec 31 |
| KPRJ | 180 GB | Government (Malaysia) | Dec 30 |
| DGM IT | 526 GB | IT Services (Israel) | Jan 1 |
Access Sales: The Growing Threat
Beyond data dumps, threat actors are increasingly selling persistent access to compromised systems — enabling future attacks.
Access Listings This Week
| Target | Access Type | Price/Detail | Date |
|---|---|---|---|
| GitHub repos | Admin API keys | $50K each | Dec 29 |
| DID panel | $12M balance access | Undisclosed | Dec 30 |
| Taiwan manufacturer | VPN + local admin | Sold | Dec 31 |
| UAE finance/insurance | Initial access | Sold | Dec 26 |
| French university | Unauthorized access | Sold | Dec 25 |
| Forti Web admin | Admin panel access | Sold | Dec 25 |
| Vietnam Tax Dept | Employee email | Sold | Dec 31 |
| Singapore office supplies | DB + shell | Sold | Dec 28 |
| U.S. student system | System access | Sold | Dec 25 |
Credential & Financial Data
Fortinet VPN Credentials
December 30: Approximately 1,000 valid Fortinet VPN credentials sold globally — providing direct network access to enterprise environments.
Critical because:
- VPN credentials bypass perimeter security entirely
- Often grant internal network access immediately
- May remain valid for extended periods if not rotated
UK Credit Cards
December 30: 486 UK credit cards sold with claimed 70–90% validity rate — indicating recent theft from active payment systems.
Educational & Government Sector
| Organization | Data Exposed | Country | Date |
|---|---|---|---|
| ENSAI Engineering School | Students, payments, photos, source code | France | Dec 31 |
| KPRJ | 180 GB government data | Malaysia | Dec 30 |
| Vietnam Tax Department | Employee email access | Vietnam | Dec 31 |
| Unidentified French university | System access sold | France | Dec 25 |
| U.S. student information system | Access sold | United States | Dec 25 |
Educational institutions remain prime targets due to:
- Large PII datasets (students, staff, alumni)
- Often underfunded security programs
- Complex, distributed IT environments
- Valuable research data
Regional Breakdown
By Geography
| Region | Incidents |
|---|---|
| United States | 9 |
| France | 4 |
| Global/Multi-region | 4 |
| Indonesia | 2 |
| Japan | 1 |
| Israel | 1 |
| Malaysia | 1 |
| Taiwan | 1 |
| Singapore | 1 |
| Vietnam | 1 |
| Spain | 1 |
| UAE | 1 |
| Russia | 1 |
| United Kingdom | 1 |
By Sector
| Sector | Incidents |
|---|---|
| Financial Services | 5 |
| Technology/IT | 4 |
| Government | 3 |
| Education | 3 |
| Media/Entertainment | 3 |
| Manufacturing | 2 |
| Cryptocurrency | 2 |
| Real Estate | 2 |
| Healthcare/Non-profit | 1 |
| Others | 5+ |
Patterns & Takeaways
1. Holiday Exploitation
Threat actors aggressively targeted the Dec 24–Jan 2 period. Organizations should:
- Maintain security operations coverage during holidays
- Pre-position incident response capabilities
- Implement automated detection and response
2. Access-as-a-Service
The proliferation of access sales (VPN credentials, admin panels, API keys) indicates a maturing cybercrime ecosystem where initial access is commoditized.
3. Credential Exposure Remains Endemic
From hardcoded secrets in source code to VPN credentials for sale, credential management failures underpin most breaches. Solutions include:
- Secrets management platforms
- Automatic credential rotation
- Zero standing privileges
- Hardware security modules
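The ESA item above (API tokens and credentials hardcoded in Terraform configurations) and this takeaway point at the same control: scan infrastructure code for literal secrets before it reaches a shared repository. The following is an added example, not code from the original post or from any organisation it names; the attribute-name list, the AWS key-ID shape and the sample configuration are constructed assumptions rather than a complete rule set.

```python
"""Flag hardcoded credentials in Terraform (HCL) text.
Added example, not from the original post or any organisation it names.
The sample config is constructed; the key-name list is an assumption."""
import re
from typing import List, Tuple

# Attribute names that usually carry a credential.
SENSITIVE_KEY = re.compile(r"password|secret|token|api_key|access_key|private_key", re.I)
# A quoted literal assignment:  name = "value"   (HCL2 references are unquoted)
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*$')
# Long-lived AWS access key IDs share a documented shape: AKIA + 16 chars.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def find_hardcoded_secrets(hcl: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, attribute, reason) for each suspicious literal.
    Unquoted references (var.*, data.*) never match ASSIGNMENT, so the
    remediated form that reads from a variable or secrets store is not flagged."""
    findings = []
    for line_no, line in enumerate(hcl.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if m and SENSITIVE_KEY.search(m.group(1)) and m.group(2):
            findings.append((line_no, m.group(1), "literal value in credential attribute"))
        elif AWS_KEY_ID.search(line):
            findings.append((line_no, "*", "AWS access key ID pattern"))
    return findings


# Constructed sample: hardcoded provider keys and DB password, plus the
# remediated resource that reads the password from a variable instead.
SAMPLE_TF = """\
provider "aws" {
  region     = "eu-west-1"
  access_key = "AKIAEXAMPLEEXAMPLE00"
  secret_key = "constructed-secret-key-value"
}

resource "aws_db_instance" "main" {
  username = "admin"
  password = "SuperSecret123!"
}

resource "aws_db_instance" "fixed" {
  password = var.db_password
}
"""

if __name__ == "__main__":
    for line_no, attr, reason in find_hardcoded_secrets(SAMPLE_TF):
        print(f"line {line_no}: {attr}: {reason}")
```

Run as a pre-commit hook over `*.tf` files, any finding blocks the commit and sends the author to the variable or secrets-manager form shown in the `fixed` resource.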
4. Scale of Data Aggregation
When 160M phone numbers or 20M credit records are breached, the data enables attacks far beyond the original victims — fueling fraud, phishing, and identity theft for years.
Defensive Recommendations
Immediate Actions
- Rotate credentials — especially VPN, admin panels, API keys
- Audit external-facing systems — collaboration tools, development infrastructure
- Enable MFA everywhere — particularly on privileged accounts
- Monitor dark web — for mentions of your organization
- Review holiday coverage — ensure security operations continuity
Strategic Improvements
- Implement zero-trust architecture — assume breach, verify everything
- Encrypt data at rest and in transit — limit breach impact
- Segment networks — prevent lateral movement
- Deploy endpoint detection — catch ransomware early
- Conduct tabletop exercises — prepare for incident response
Key Takeaways
- 250M+ records exposed across 30+ organizations in 10 days
- Holiday periods are prime attack windows — threat actors exploit reduced staffing
- Access sales are proliferating — credentials, panels, and API keys traded as commodities
- Ransomware remains active — SAFEPAY and PLAY groups claimed 14+ victims
- Credential failures underpin most breaches — from VPN access to hardcoded secrets
The velocity and scale of these incidents demonstrate that traditional security perimeters are insufficient. Organizations must assume breach and protect data at its source — ensuring that even when systems are compromised, sensitive information remains encrypted and unusable to attackers.
Want to ensure your data remains protected even when systems are breached? Learn how CIFER's encryption architecture keeps data safe regardless of infrastructure compromise.