Summary
- Total number of incidents disclosed: 44
- Total number of known breached records: 1,443,150,467
Sources of breached data
- Scraped or leaked from public APIs:
  - Facebook (1.2 billion records)
- Credential dump compiled via infostealers (184 million+ credentials)
- Vendor/Cloud breaches exposing customer/employee data:
  - Ascension Health (via third-party file tool): 437,000
  - Spyware apps (stalkerware): 3.2 million
- Direct or insider breaches involving client data:
  - AT&T (unconfirmed): 31 million
  - Coinbase (insider at call centre): 69,461
  - Co-op UK (ransomware gang): claimed 20 million
Top 5 incidents by number of records affected
The following are the largest incidents publicly disclosed in May 2025, ranked by known/claimed impact:
1. Facebook
- Records affected: 1.2 billion.
- Data: Full names, Facebook IDs, email addresses, phone numbers, locations, birthdates and gender.
- Cause: Scraped via a vulnerable Facebook API.
- Status: Yet to be verified – Meta claims it relates to a historic breach.
2. Unknown credentials database
- Records affected: 184,162,718 email/password pairs
- Data: Plaintext credentials tied to Google, Microsoft and Meta, and banking logins
- Cause: Likely compiled from infostealer malware and left exposed online
- Status: Removed after discovery, source undetermined
3. AT&T
- Records affected: 31 million (claimed).
- Data: Names, birthdates, addresses, phone numbers, tax IDs, device and cookie data.
- Cause: Posted to a hacking forum.
- Status: So far unverified but sample data was provided. AT&T is investigating.
4. Co-op UK
- Records affected: ~20 million (claimed by attackers).
- Data: Names, dates of birth, contact details of current and former members.
- Cause: Ransomware gang DragonForce (linked to Scattered Spider).
- Status: Under investigation.
5. LexisNexis Risk Solutions
- Records affected: 364,000 individuals.
- Data: Full names, home addresses, dates of birth, Social Security numbers, and potentially employment/salary information.
- Cause: Data breach stemming from a hacking incident in December 2024, when attackers infiltrated internal systems and accessed personal records.
- Status: Breach discovered in January 2025 and disclosed in May 2025 after investigation. Affected individuals were offered credit monitoring.
Trends in May 2025
- Significant rise in scraped/mass-exposed data
Two of the five largest leaks came from large-scale scraping or credential aggregation (Facebook and infostealer dumps), rather than direct intrusions.
- Vendor risk and insider breaches rising
Incidents at Ascension Health, Adidas, and Coinbase all stemmed from third parties – either contractors or software dependencies.
- Retail and tech remain prime targets
Retailers including Co-op, Harrods, Adidas, Dior, and Victoria’s Secret were targeted or affected this month. Cloud services (TeleMessage, spyware vendors) and edtech (Pearson) also saw notable activity.
- UK particularly affected
More than 5 major incidents involved UK organisations, including Co-op, Marks & Spencer, Harrods, the Legal Aid Agency and Pearson.
Key vulnerabilities exploited
- GitLab personal access token (Pearson)
A misconfigured or exposed token gave attackers source code access and credentials to internal services.
- Infostealer malware (unknown credentials database)
Though not tied to a single software flaw, this dataset was likely gathered silently over months from infected devices lacking endpoint protection.
- AWS misconfiguration (TeleMessage)
An unsecured S3-like store enabled unauthorised access to archived, plaintext versions of government messages.
List of data breaches and cyber attacks disclosed in May 2025
| Disclosure date | Organisation | Country | Sector | Incident type | Records affected |
| --- | --- | --- | --- | --- | --- |
| 1 May | Ascension Health | USA | Healthcare | Third-party data breach (vulnerability exploit) | 430,000 patients |
| 1 May | Barnstable County Sheriff’s Office | USA | Government (Law Enforcement) | Insider data leak | 101 employees |
| 1 May | Cobb County, Georgia | USA | Government (County) | Ransomware (Qilin) | Unknown (150 GB claimed) |
| 1 May | Synnovis (UK Labs) | UK | Healthcare (Laboratory) | Ransomware (Qilin) | Approximately 8,000 patients |
| 1 May | Commvault | USA | Tech (Data Management) | Targeted cyber attack (zero-day exploit) | Unknown |
| 1 May | Bartlesville Public Schools | USA | Education (K-12) | Cyber attack (network outage) | 6,000+ students |
| 2 May | Co-op | UK | Retail (Grocery) | Ransomware (DragonForce) | Up to 20 Million (claimed) |
| 2 May | Nova Scotia Power (Emera) | Canada | Energy (Utility) | Cyber attack (unauthorised access) | Unknown (customer data) |
| 2 May | Harrods | UK | Retail (Luxury) | Cyber attack (attempted intrusion) | Unknown |
| 2 May | Raw Dating App | USA | Technology (Dating App) | Data leak (misconfiguration) | 500,000+ users (Android installs) |
| 2 May | Magento e-Stores | Global | E-commerce (Retail) | Supply-chain attack (Magecart) | 500–1,000 stores |
| 2 May | Saskatoon Children’s Hospital | Canada | Healthcare | Privacy breach (insider access) | 314 patients |
| 4 May | TeleMessage (Signal clone) | USA | Technology (Encrypted Messaging) | Hack (server takeover) | Unknown (Gov’t comms data) |
| 5 May | Coweta County Schools | USA | Education (K-12) | Cyber attack (suspected ransomware) | 23,000 students |
| 6 May | Masimo | USA | Healthcare (MedTech) | Cyber attack (operations disruption) | Unknown |
| 6 May | iHeartMedia | USA | Media (Radio) | Data breach (hackers undetected) | Unknown (multi-state) |
| 7 May | Insight Partners | USA | Finance (Venture Capital) | Cyber attack (social engineering; data theft) | Unknown (employees & investors) |
| 7 May | South African Airways | South Africa | Transportation (Airline) | Cyber attack (IT disruption) | Unknown |
| 8 May | Pearson plc | UK | Education (EdTech) | Cyberattack (token compromise; data theft) | “Millions” of customers (legacy data) |
| 8 May | Japan FSA | Japan | Government (Financial Regulator) | Account compromises (fraudulent trades) | Unknown (≈$2 B funds moved) |
| 8 May | SogoTrade, Inc. | USA | Finance (Online Brokerage) | Email account breach (phishing) | 48,696 clients |
| 10 May | iClicker | USA | Education (EdTech) | Website compromise (malware) | Unknown |
| 11 May | Global Crossing Airlines | USA | Transportation (Airline) | Cyber attack (hacktivist data theft) | Unknown |
| 12 May | State of Alabama | USA | Government (State) | “Cybersecurity event” (suspected ransomware) | Unknown |
| 13 May | Marks & Spencer | UK | Retail (Department Store) | Ransomware (DragonForce/Scattered Spider) | Unknown (mass scale) |
| 13 May | Nucor Corporation | USA | Manufacturing (Steel) | Cyber attack (IT disruption) | Unknown |
| 13 May | Multiple Orgs – SAP NetWeaver | Global | Various (Energy, Water, Manufacturing, Gov’t) | Nation‑state hacking (vulnerability exploits) | 581 systems (across orgs) |
| 14 May | Coinbase | USA | Finance (Cryptocurrency) | Insider breach + extortion | 69,461 customers |
| 14 May | Australian Human Rights Commission | Australia | Government (Civil Rights) | Data leak (misindexed documents) | “Hundreds” of files |
| 14 May | Lecardo Clinic | Russia | Healthcare (Private Hospital) | Cyber attack (hacktivist disruption) | Unknown |
| 19 May | UK Legal Aid Agency | UK | Government (Legal Services) | Cyber attack (data breach) | Millions (15 yrs of applicants) |
| 19 May | Arla Foods | Denmark (and Germany) | Food & Agriculture | Cyber attack (OT disruption) | Unknown (production only) |
| 20 May | Kettering Health | USA | Healthcare (Hospital Network) | Ransomware (Interlock) | 67,000 patients |
| 20 May | Peter Green Chilled | UK | Logistics (Food Supply) | Ransomware (Scattered Spider) | Unknown (operations impact) |
| 20 May | Cellcom | USA | Telecom (Mobile Carrier) | Cyber attack (service outage) | Approximately 300,000 customers |
| 22 May | Coca-Cola | USA/Middle East | Beverage (Retail) | Ransomware (Everest) | 959 employees |
| 22 May | Open Credentials Database | Global | N/A (Multiple platforms) | Data leak (unsecured server) | 184,162,718 accounts |
| 26 May | MathWorks (MATLAB) | USA | Technology (Software) | Ransomware attack (IT outage) | Unknown |
| 26 May | Adidas | Germany | Retail (Apparel) | Third-party breach (vendor hack) | Unknown (customer count) |
| 27 May | City of Sheboygan, WI | USA | Government (City) | Ransomware (Chort) | 67,000 residents |
| 28 May | LexisNexis Risk Solutions | USA | Data analytics (Broker) | Data breach (hacking) | 364,000 individuals |
| 28 May | Victoria’s Secret | USA | Retail (Apparel) | Cyber security incident (site offline) | Unknown |
| 29 May | ConnectWise | USA | Technology (IT Software) | Cyber attack (supply chain) | Unknown (limited clients) |
| 30 May | ASVT ISP (Moscow) | Russia | Telecoms (Internet Service Provider) | DDoS attack (service outage) | Approximately 40,000 customers |
