PKWARE’s running roundup of 2025 breaches is useful because it aggregates incidents across sectors and highlights common failure modes rather than treating each case in isolation. The list functions as a rapid reference for security teams tracking industry trends and for decision makers looking to prioritize vendor and supply chain risk. It is not a substitute for deep, tailored threat modeling, but it is a practical starting point for organizations that need to see patterns across dozens of incidents.
Looking at the highlights on PKWARE’s list, three trends stood out in 2025: third-party and SaaS supply chain compromises, credential and token theft enabling broad exfiltration, and insider- or contractor-enabled leaks. The Salesloft Drift supply chain incident is a clear example of the first two. Attackers stole the OAuth tokens issued to the Drift integration and then used those tokens to pull data from many customers’ Salesforce instances. The incident exposed how over-permissive integrations and long-lived tokens become a multiplier for attackers: one compromised vendor integration affected hundreds of organizations in a single campaign.
Qantas’s midyear compromise again emphasized third-party risk. The airline confirmed that a customer service platform used by a call center was breached, exposing records for roughly 5.7 million customers. For most of those customers the exposed data was limited to contact information; for a smaller subset it also included dates of birth and addresses. The incident underlined that even when core systems remain secure, downstream vendors can create mass exposure.
Data brokers and analytics firms were not immune. LexisNexis Risk Solutions disclosed a breach tied to a third-party software development platform, where attackers accessed software artifacts and sensitive PII affecting more than 360,000 individuals. This kind of compromise is particularly damaging because data brokers consolidate information at scale, which makes every downstream leak a higher-value prize for attackers.
Insider and contractor threats also surfaced in 2025. Coinbase’s disclosures pointed to overseas support contractors who abused their legitimate access to exfiltrate customer information, which the attackers then used for extortion. Insider-enabled leaks are often lower cost for attackers and harder to detect because they exploit access that was granted on purpose. This confirms the pattern visible across PKWARE’s list: not all breaches are the result of external zero-day exploits; many are process, privilege, or vendor governance failures.
What does that mean for defenders in practical terms? First, map your data flows and third-party privileges now. If you do not know which vendors have programmatic access to core data stores or SaaS connectors with OAuth scopes, start there. Use automated discovery to enumerate connectors, API tokens, and data repositories and pair that with a strict inventory of what downstream vendors can actually read or write. PKWARE’s emphasis on tracking incidents helps you identify similar vendors and control patterns to audit first.
Second, treat tokens and OAuth credentials as first-class secrets. Rotate tokens on a schedule, enforce the narrowest scopes that meet business needs, and issue short-lived access tokens with strong refresh controls so that a stolen token expires before it can be used at scale. Where possible, replace persistent API keys with ephemeral credentials issued by an identity platform. Rotation alone is not enough: a freshly rotated token with tenant-wide scope is still a single point of mass exfiltration, so scope reduction and lifetime reduction have to go together. These controls directly mitigate supply chain exfiltration modes like the Salesloft Drift compromise.
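The inventory and token-hygiene steps above reduce to a policy check that can be run over whatever your connector discovery exports. The following is an added example written for this article, not code from PKWARE or from any vendor; the inventory records, field names, scope names and the 90-day and 30-day limits are all assumptions chosen to illustrate the checks, and a real export would need to be mapped onto them.

```python
"""Audit an inventory of third-party OAuth grants and API tokens against policy.

The inventory below is constructed for this example; the field names are
assumptions about what a connector-discovery export might contain, not any
vendor's real schema.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)   # fixed clock so runs are reproducible
MAX_TOKEN_AGE = timedelta(days=90)                # policy: rotate at least every 90 days
MAX_IDLE = timedelta(days=30)                     # policy: revoke grants unused for 30 days
# Scopes that give one integration tenant-wide read or write access (illustrative names).
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}

INVENTORY = [  # constructed sample data
    {"vendor": "chatbot-integration", "principal": "svc-chatbot@corp",
     "scopes": ["api", "refresh_token"], "can_write": True,
     "issued_at": "2024-11-03T10:00:00Z", "last_used": "2025-08-31T22:14:00Z"},
    {"vendor": "billing-sync", "principal": "svc-billing@corp",
     "scopes": ["read:invoices"], "can_write": False,
     "issued_at": "2025-07-15T09:00:00Z", "last_used": "2025-08-30T01:00:00Z"},
    {"vendor": "old-analytics", "principal": "svc-analytics@corp",
     "scopes": ["read:contacts", "read:accounts"], "can_write": False,
     "issued_at": "2025-05-01T09:00:00Z", "last_used": "2025-06-02T00:00:00Z"},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_grant(grant: dict, now: datetime = NOW) -> list[str]:
    """Return policy findings for one grant; an empty list means it passes."""
    findings = []
    broad = BROAD_SCOPES.intersection(grant["scopes"])
    if broad:
        findings.append(f"over-broad scopes {sorted(broad)}: narrow to the objects the vendor needs")
    age = now - _parse(grant["issued_at"])
    if age > MAX_TOKEN_AGE:
        findings.append(f"token is {age.days}d old, over the {MAX_TOKEN_AGE.days}d rotation limit")
    idle = now - _parse(grant["last_used"])
    if idle > MAX_IDLE:
        findings.append(f"unused for {idle.days}d: revoke rather than leave a stale token live")
    if grant["can_write"] and broad:
        findings.append("write access plus tenant-wide scope: one stolen token can alter and exfiltrate everything")
    return findings


def audit_inventory(inventory: list[dict], now: datetime = NOW) -> dict[str, list[str]]:
    """Map each vendor to its findings; vendors with an empty list meet policy."""
    return {g["vendor"]: audit_grant(g, now) for g in inventory}


if __name__ == "__main__":
    for vendor, findings in audit_inventory(INVENTORY).items():
        print(f"{'OK' if not findings else 'REVIEW':6} {vendor}")
        for f in findings:
            print(f"       - {f}")
```

Run against this sample, the chatbot integration is flagged three times (broad scopes, a token older than the rotation limit, and write access combined with tenant-wide scope), the analytics grant is flagged for age and for being idle, and only the narrowly scoped billing connector passes. The combination of broad scope and write access is the one to fix first, because that is the shape of grant a single token theft turns into a cross-customer campaign.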
Third, apply least privilege and behavioral monitoring for contractors and third-party users. Assume that any account with rich access could be co-opted. Implement just-in-time access, session isolation for privileged support tasks, and continuous behavioral baselining that flags large bulk exports or unusual API queries regardless of the caller’s origin. The Coinbase case shows how long-running insider access can be monetized by adversaries.
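The bulk-export baselining described above is a small piece of detection logic once the API access logs carry a principal and a row count. The following is an added example for this article, not code from PKWARE or from any incident write-up; the log format, the caller names and the thresholds (10x the trailing median, a 5,000-row floor and a 25,000-row hard cap) are assumptions. The caller's origin is recorded but deliberately not an input to the decision, so a contractor on the support VPN and a vendor integration are judged by the same rule.

```python
"""Flag bulk data pulls per principal, regardless of whether the caller is an
employee, a contractor, or a vendor integration.

The log below is constructed for this example; the columns are assumptions,
not any product's real audit format.
"""
import csv
import io
import statistics
from collections import defaultdict

ABS_FLOOR = 5_000    # below this never alert: small lookups are normal support work
RATIO = 10           # alert when an hour exceeds 10x the principal's trailing median
HARD_CAP = 25_000    # alert regardless of history: nobody pulls this much by hand
MIN_HISTORY = 3      # hours of history needed before the ratio rule is trusted

LOG = """\
ts,principal,origin,endpoint,rows
2025-08-20T09:00:00Z,contractor-17,support-vpn,/v1/customers/search,40
2025-08-20T10:00:00Z,contractor-17,support-vpn,/v1/customers/search,55
2025-08-21T09:00:00Z,contractor-17,support-vpn,/v1/customers/search,38
2025-08-21T11:00:00Z,contractor-17,support-vpn,/v1/customers/search,61
2025-08-22T09:00:00Z,contractor-17,support-vpn,/v1/customers/search,44
2025-08-22T23:00:00Z,contractor-17,support-vpn,/v1/customers/export,48000
2025-08-22T23:00:00Z,contractor-17,support-vpn,/v1/customers/export,52000
2025-08-20T09:00:00Z,svc-chatbot,vendor-integration,/v1/cases,1200
2025-08-21T09:00:00Z,svc-chatbot,vendor-integration,/v1/cases,1350
2025-08-22T09:00:00Z,svc-chatbot,vendor-integration,/v1/cases,1100
2025-08-22T14:00:00Z,svc-chatbot,vendor-integration,/v1/cases,1290
"""


def hourly_totals(log_text: str) -> dict[str, dict[str, int]]:
    """Sum rows returned per principal per hour bucket (timestamp truncated to the hour)."""
    totals: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text)):
        totals[row["principal"]][row["ts"][:13]] += int(row["rows"])
    return totals


def find_bulk_access(log_text: str) -> list[dict]:
    """Return one alert per (principal, hour) whose volume breaks policy."""
    alerts = []
    for principal, hours in hourly_totals(log_text).items():
        history: list[int] = []          # earlier hours for this principal, in time order
        for hour in sorted(hours):
            rows = hours[hour]
            reasons = []
            if rows > HARD_CAP:
                reasons.append(f"{rows} rows in one hour exceeds hard cap {HARD_CAP}")
            if len(history) >= MIN_HISTORY:
                base = statistics.median(history)
                if rows > max(ABS_FLOOR, RATIO * base):
                    reasons.append(f"{rows} rows vs trailing median {base:g} ({rows / base:.0f}x)")
            if reasons:
                alerts.append({"principal": principal, "hour": hour, "reasons": reasons})
            history.append(rows)         # the baseline grows even after an alert
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_access(LOG):
        print(alert["principal"], alert["hour"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

On the sample log the chatbot integration's steady 1,100 to 1,350 rows per hour never alerts, while the contractor's late-evening export hour trips both the hard cap and the ratio rule at roughly 2,000 times its own trailing median. The hard cap matters for principals with no history yet, which is exactly the state a newly onboarded contractor or integration is in.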
Fourth, invest in data discovery and encryption at rest and in transit. Data brokers like LexisNexis show why aggregated PII is a natural target. If sensitive attributes are tokenized, masked, or simply not present in developer or third-party environments, the downstream impact of a breach is reduced. Use discovery tools to find where sensitive fields live, then prioritize encryption, masking, or selective redaction in systems that are accessible by multiple vendors.
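Keeping sensitive attributes out of developer and vendor environments is usually done by a redaction step on the production side of the boundary. The following is an added example for this article, not code from PKWARE or from any of the organizations named; the records, the field names and the per-field policy are assumptions. It combines the three options the paragraph lists: keyed tokenization where joins still have to work, masking where partial values are enough, and dropping everything the policy does not explicitly allow.

```python
"""Redact customer records before they leave production for a developer or
vendor environment. Records and field names are constructed for this example.
The HMAC key stays in the production-side redaction job; the receiving
environment never sees it, so tokens cannot be reversed there.
"""
import hashlib
import hmac
import secrets

# Allowlist policy: fields absent from this map are dropped, so a newly added
# column (a passport number, say) never leaks downstream by default.
POLICY = {
    "customer_id": "tokenize",   # stable pseudonym, joins across datasets still work
    "email": "mask_email",       # enough to recognise the domain, not the person
    "phone": "mask_phone",       # last four digits only
    "dob": "year",               # birth year is enough for most analytics
    "loyalty_tier": "keep",      # not sensitive on its own
}


def tokenize(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym. A plain hash would let anyone holding a
    customer-ID list brute-force the mapping; HMAC with a secret key does not."""
    canonical = value.strip().lower().encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:24]


def mask_email(email: str) -> str:
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"


def mask_phone(phone: str) -> str:
    digits = "".join(ch for ch in phone if ch.isdigit())
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def redact_record(record: dict, key: bytes, policy: dict = POLICY) -> dict:
    """Apply the allowlist policy to one record; unknown actions fail loudly."""
    out = {}
    for field, action in policy.items():
        if field not in record:
            continue
        value = record[field]
        if action == "keep":
            out[field] = value
        elif action == "tokenize":
            out[field] = tokenize(value, key)
        elif action == "mask_email":
            out[field] = mask_email(value)
        elif action == "mask_phone":
            out[field] = mask_phone(value)
        elif action == "year":
            out[field] = value[:4]
        else:
            raise ValueError(f"unknown action {action!r} for {field}")
    return out


RECORDS = [  # constructed sample data
    {"customer_id": "C-1001", "email": "Ada.Lovelace@example.com", "name": "Ada Lovelace",
     "phone": "+61 2 5550 1234", "dob": "1985-12-10", "address": "1 Example St",
     "loyalty_tier": "gold", "passport": "X1234567"},
    {"customer_id": " c-1001 ", "email": "ada.lovelace@example.com", "name": "A. Lovelace",
     "phone": "+61255501234", "dob": "1985-12-10", "loyalty_tier": "gold"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated per export job and kept in production
    for rec in RECORDS:
        print(redact_record(rec, key))
```

The two sample records describe the same customer with different formatting, and both map to the same token, so a developer can still join them; name, address and the passport number never leave production because nothing in the policy names them. Swapping the HMAC for an unkeyed hash would be a common mistake here: customer IDs and e-mail addresses are low-entropy, and an attacker with any list of real values could recompute the tokens.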
Fifth, ensure your incident playbooks assume vendor compromise. Response plans that only consider perimeter intrusions will falter when a SaaS integration is abused. Predefine token revocation procedures, communications templates for affected customers, and legal steps that balance injunctions with the reality that data posted on the dark web cannot be recalled. Qantas’s use of court remedies demonstrates the legal angle, but it also shows that injunctions rarely stop data abuse globally. A pragmatic response couples legal action with containment and rapid customer notification.
Finally, use aggregated lists like PKWARE’s as signal not gospel. They are efficient for identifying categories of incidents and common causes. However, relying solely on a public list for risk decisions is risky because many incidents never make headlines and disclosure timing varies. Treat these lists as one input in a broader third-party risk program that includes contractual security requirements, technical audits, continuous monitoring, and escalation criteria.
2025 made a clear point for security teams: attackers prefer big wins that require no zero-day. They target connectors, tokens, vendor workflows, and people. The best defensive posture is pragmatic and process driven. Catalog your vendors and connectors, enforce the minimum privileges, rotate and shorten credential lifetimes, monitor for anomalous bulk access, and prepare vendor-specific incident plans. Those steps will not stop every breach, but they will prevent many of the one-vendor, many-victim incidents that defined the year as summarized in PKWARE’s list.