Source Article: https://www.eff.org/deeplinks/2025/12/breachies-2025-worst-weirdest-most-impactful-data-breaches-year
Here’s a per-breach summary of what EFF describes in the “Breachies 2025” post (the “winner” sections). Where EFF only lists a company as a (dis)honorable mention without details.
Mixpanel (analytics SDK / “Say Something Without Saying Anything”): Mixpanel disclosed a major breach in November 2025, but EFF notes the company’s public explanation was unusually vague/opaque, leaving key questions unanswered (scope, ransom demand, affected parties). EFF emphasizes the risk of user data being spread to third-party analytics providers that most end users don’t even know they’re sharing data with.
Discord via Zendesk (age-verification data / “We Still Told You So”): Attackers compromised Discord’s third-party support provider (Zendesk), exposing Discord age-verification/support data. EFF says exposed data included real names, selfies, ID documents, email and physical addresses, phone numbers, IP addresses, and other support-submitted details; in some cases limited billing info was accessed.
Tea Dating Advice – breach #1 (IDs/selfies / “Tea for Two”): EFF says ~72,000 images were leaked (reported in July), including ~13,000 photo IDs and ~59,000 selfies; EFF attributes the leak to an exposed Firebase-hosted database.
Tea Dating Advice – breach #2 (private messages): EFF says that about a week later a second breach exposed private user messages, including sensitive topics (phone numbers, abortion planning, cheating), totaling 1.1+ million messages spanning early 2023 to mid-2025.
Tea Dating Advice response: EFF notes Tea temporarily disabled its chat feature after the message exposure.
TeaOnHer (similar app; exposed user data + admin creds): EFF says TechCrunch found user info (emails, usernames, and uploaded IDs/selfies) accessible via a publicly available web address, and also found the creator’s admin login email/password exposed.
Blue Shield of California (tracking tech misconfiguration / “Just Stop Using Tracking Tech”): EFF says Blue Shield disclosed it shared 4.7 million people’s health data with Google for nearly three years due to a misconfigured Google Analytics setup; EFF lists data types including names, plan details, medical service providers, and patient financial responsibility, and notes it may have been used for targeted advertising.
PowerSchool (student information system / “Hacker’s Hall Pass”): EFF says PowerSchool (major U.S. student information system provider) was breached (December 2024) after hackers used stolen credentials to access an internal customer support portal, exposing sensitive data for 60M+ students/teachers (including SSNs, medical records, grades, special education data). EFF also highlights lack of basic measures like MFA, plus ensuing lawsuits and extortion-related developments.
TransUnion (credit bureau / “Worst. Customer. Service. Ever.”): EFF says TransUnion notified customers about a hack affecting 4.4 million people, tied to a “third-party application serving [its] U.S. consumer support operations.” EFF says stolen data included names, dates of birth, and Social Security numbers, while TransUnion stated core credit report data wasn’t accessed.
Microsoft SharePoint zero-day (mass compromise / “Annual Microsoft Screwed Up Again”): EFF describes a July 2025 SharePoint zero-day that led to compromise of 400+ organizations, including sensitive U.S. government agencies; EFF also notes attribution to multiple China-linked hacking groups and that many vulnerable self-hosted servers remained online days after disclosure.
Flat Earth Sun, Moon & Zodiac (aka Flat Earth, Sun, Moon, & Clock) (“Silver Globe”): EFF says researchers found issues in 2024 and the breach was confirmed in March 2025; notably, the dataset included user location (latitude/longitude) alongside personal profile details.
Gravy Analytics (location broker / “I Didn’t Even Know You Had My Information”): EFF says hackers claimed theft of millions of people’s timestamped location histories tied to advertising IDs, and that analysis of the leaked data suggested it referenced thousands of apps, illustrating how location data can be harvested via the ad-tech ecosystem.
TeslaMate (self-hosted dashboards exposed / “Keeping Up With My Cybertruck”): EFF says a researcher found 1,300+ exposed, self-hosted TeslaMate dashboards leaking sensitive vehicle telemetry (location, speed, charging habits, trip details), highlighting how location data exposure can enable harassment and other harms.
PACER / CM/ECF (federal courts filing system / “Disorder in the Courts”): EFF says hackers infiltrated the CM/ECF system (sharing a database with PACER), with particular concern that names of confidential informants may have been exposed across multiple court districts.
Catwatchful (stalkerware / “Only Stalkers Allowed”): EFF says Catwatchful was breached, exposing both customer credentials (people who bought/used the spyware) and data exfiltrated from victims’ phones (EFF cites ~26,000 victim devices), potentially including photos, messages, and real-time location. EFF notes other stalkerware breaches (SpyX, Cocospy, Spyic) as contenders.
Plex (credentials exposure / “Why We’re Still Stuck on Unique Passwords”): EFF says Plex had a breach exposing customer emails, usernames, and hashed passwords, and points out that a similar Plex incident occurred in 2022, using it as a reminder about unique passwords, password managers, and 2FA.
Troy Hunt’s mailing list (phishing / “Uh, Yes, Actually, I Have Been Pwned”): EFF recounts Troy Hunt’s writeup: a Mailchimp phishing attack led to attackers exporting his blog’s mailing list; EFF frames it as a reminder that phishing can catch anyone.
(Dis)honorable mentions: EFF lists these as notable 2025 breaches but doesn’t summarize them in the article itself (it links out to coverage): Salesforce, F5, Oracle, WorkComposer, Raw, Stiizy, Ohio Medical Alliance LLC, Hello Cake, Lovense, Kettering Health, LexisNexis, WhatsApp, Nexar, McDonalds, Congressional Budget Office, DoorDash, Louis Vuitton, Adidas, Columbia University, Hertz, HCRG Care Group, Lexipol, Color Dating, Workday, Aflac, Coinbase, plus “last minute entrants” Home Depot, 700Credit, and Petco.