Global Data Breaches and Cyber Attacks in June 2025: Over 16 billion records exposed

Summary

  • Total number of incidents disclosed: 33
  • Total number of known records breached: 16,023,217,882
  • Total number of known records breached excluding the mass credential leak: 23,217,882

Welcome to another monthly round-up of cyber attack and data breach news. In June 2025, IT Governance found 33 publicly disclosed cyber security incidents, including the leak of 16 billion user credentials compiled from years of infostealer malware and previous breaches. Although this was, strictly speaking, not a new data breach, we include it in this month’s round-up as it featured in the news in June and still requires individuals and organisations to take action to secure their accounts.

Excluding this mass credential dump, more than 23 million records were compromised in newly revealed attacks, reflecting the persistent threat of ransomware, phishing and third-party compromise across all sectors.

Although no single new breach matched the scale of previous mega-incidents, June was notable for a surge in ransomware disruption across the healthcare and government sectors, a dramatic hacktivist-led assault on Iran’s financial infrastructure, and a spike in supply-chain and credential-based attacks.


Top three sources of breached data

  1. Aggregated credential dumps – over 16 billion username/password combinations
  2. Healthcare service providers and suppliers – over 7.8 million records
  3. Retail and consumer services – over 2.2 million records

Top 5 incidents by number of records affected

The following are the largest incidents publicly disclosed in June 2025, ranked by known/claimed impact:

1. Mass credential leak – 16 billion records

  • Records affected: 16 billion.
  • Data: Usernames and password combinations.
  • Cause: Aggregation of credentials stolen over many years.
  • Status: Discovered in June 2025 across approximately 30 datasets. Not a new data breach, but many major platforms have advised users to reset their credentials and adopt MFA (multifactor authentication).

2. Episource LLC – 5.4 million records

  • Records affected: 5,418,866.
  • Data: Names, dates of birth, contact information, Medicaid IDs, insurance data, diagnoses, test results and treatment details.
  • Cause: Ransomware attack and unauthorised network access between January and February 2025.
  • Status: Breach investigation concluded in spring. Public disclosure and victim notification began in June. Credit monitoring is being provided.

3. McLaren Health Care – 743,000 records

  • Records affected: 743,000.
  • Data: Patient contact information, and insurance and health records, potentially including Social Security numbers.
  • Cause: July 2024 ransomware attack by INC Ransom, undisclosed until forensic analysis was completed.
  • Status: Victims notified in June 2025, 11 months after the breach. Free identity protection is now offered.

4. Kettering Health – approximately 730,000 records

  • Records affected: Approximately 730,000.
  • Data: Patient health records and internal financial or operational documents.
  • Cause: Ransomware attack by the Interlock gang in May 2025.
  • Status: Breach disclosed in June. Internal systems have been recovered and affected individuals are being notified. Class-action lawsuits have begun.

5. Ahold Delhaize (USA operations) – 2.24 million records

  • Records affected: 2,242,521.
  • Data: Names, contact information, dates of birth, government ID numbers, bank account details and workers’ compensation data.
  • Cause: Ransomware attack by INC Ransom in November 2024. Data breach confirmed in 2025.
  • Status: Data breach notifications issued in June 2025. Internal and customer payment systems were not affected.

Trends in June 2025

  • Hacktivist activity intensified
    Iran saw coordinated attacks from the pro-Israel hacktivist group Predatory Sparrow, which disrupted banking services and destroyed $90 million in cryptocurrency by targeting Nobitex and Bank Sepah.
  • Healthcare remained the most targeted sector
    High-impact ransomware incidents affected healthcare providers and suppliers in Ohio, Michigan and across the USA, compromising millions of patient records.
  • Credential stuffing and supply-chain abuse persisted
    Attacks on The North Face and Gluestack demonstrated how credential reuse and malicious code injection remain active and dangerous vectors.
  • Public sector services were disrupted globally
    City and state-level governments in the USA and UK experienced ransomware attacks and outages, and often lacked the resilience or backups needed for rapid recovery.
  • Ransomware groups continued to use double extortion
    Double-extortion tactics remained standard, with threat actors stealing and leaking data whether or not a ransom was paid.

Key vulnerabilities exploited

Several high-profile incidents in June 2025 highlight the continued exploitation of well-known vulnerabilities and attack surfaces:

  • Supply-chain compromise
    Gluestack’s popular JavaScript packages were injected with malware and downloaded nearly a million times before discovery.
  • Credential harvesting malware
    The 16 billion-record credential dump was built from infostealer logs collected via trojans on compromised devices.
  • Phishing and social engineering
    Targeted impersonation and spear-phishing led to breaches at organisations including Aflac and Illinois HFS.
  • Third-party access risks
    Scania’s data breach occurred after attackers used credentials stolen from a service provider, emphasising the risk of poorly secured partner systems.

List of data breaches and cyber attacks disclosed in June 2025

| Disclosure date | Organisation | Country | Sector | Incident type | Records affected |
|---|---|---|---|---|---|
| 01 June | City of Durant (Oklahoma) | USA | Government (city) | Ransomware (unspecified gang) | Unknown (city services disrupted) |
| 01 June | Lorain County (Ohio) | USA | Government (county) | Likely ransomware (network intrusion) | Unknown (court operations halted) |
| 02 June | The North Face (VF Corp) | USA | Retail (apparel) | Data breach (credential stuffing) | 2,990 customer accounts |
| 02 June | Cartier | Global | Retail (luxury) | Data breach (unauthorised access) | Unknown (limited client data) |
| 03 June | Puerto Rico Dept. of Justice | Puerto Rico | Government (justice) | Cyber attack (unspecified) | Unknown (services suspended) |
| 04 June | Lee Enterprises | USA | Media (news publishing) | Ransomware – Qilin gang (data theft) | 39,779 individuals |
| 05 June | Kettering Health | USA | Healthcare (14-hospital network) | Ransomware – Interlock gang | ~730,000 patients (estimated) |
| 05 June | United Natural Foods, Inc. (UNFI) | USA | Food distribution | Cyber attack (unspecified, likely ransomware) | Unknown (operational impact) |
| 06 June | Optima Tax Relief | USA | Financial services | Ransomware – Chaos gang (double-extortion) | 69 GB of data (clients & corporate) |
| 07 June | NPM (Gluestack packages) | India / Global | Software (open-source supply chain) | Supply chain attack | Unknown |
| 09 June | Sensata Technologies | USA / Global | Manufacturing (industrial tech) | Ransomware (gang unnamed) | 15,630 individuals |
| 09 June | Texas Department of Transportation (TxDOT) | USA | Government | Data breach – account compromise | 291,000 records |
| 09 June | Illinois Dept. of Healthcare and Family Services | USA | Government | Data breach – phishing | 933 individuals |
| 09 June | SentinelOne | USA | Cyber security tech | Cyber attack – supply chain and APT espionage | None (attempt foiled) |
| 10 June | Yes24 | South Korea | E-Commerce (ticketing & retail) | Ransomware (actor TBD) | Unknown (service outage; investigation ongoing) |
| 12 June | Aflac | USA | Insurance | Cyber attack – social engineering and data theft | Unknown (under investigation) |
| 13 June | Thomasville, NC & Ogeechee Judicial Circuit, GA | USA | Government (city & district attorney) | Cyber attacks – likely ransomware | Unknown (services disrupted) |
| 14 June | WestJet | Canada | Transportation (airline) | Cyber attack (investigation ongoing) | Unknown |
| 15 June | The Washington Post | USA | Media (newspaper) | Data breach – email accounts hacked (APT) | Limited (specific journalists) |
| 17 June | Episource LLC | USA | Healthcare tech (SaaS) | Data breach – Ransomware | 5,418,866 individuals |
| 17 June | Scania AB | Sweden | Manufacturing (automotive) | Data breach | Unknown (thousands of claim files) |
| 17 June | Bank Sepah (Iran) | Iran | Financial (banking) | Cyber attack – Hacktivist (service disruption) | Unknown (service downtime) |
| 18 June | Nobitex (Crypto Exchange) | Iran | Financial (crypto-currency) | Cyber attack – Hacktivist (theft / destruction of assets) | ~$90 million USD in crypto |
| 19 June | Glasgow City Council | UK | Government (city) | Cyber “Incident” – (under investigation) | Unknown (possible data accessed) |
| 19 June | Hawaiian Airlines | USA | Transportation (airline) | Cyber attack – (unspecified; possible ransomware) | Unknown (internal incident) |
| 19 June | Mass Credential Leak – 16 Billion Records | Multiple | N/A (All sectors) | Data leak – Credential compilation (infostealers) | 16 billion credentials (usernames & passwords) |
| 20 June | Viasat Inc. | USA | Telecoms | Cyber espionage – state sponsored (Salt Typhoon) | Unknown (no customer data lost) |
| 21 June | Oxford City Council | UK | Government (city) | Data breach – unauthorised access | Unknown (data from 2001–2022) |
| 22 June | McLaren Health Care | USA | Healthcare (hospital network) | Ransomware (INC Ransom) | 743,000 patients |
| 22 June | Nucor Corporation | USA | Manufacturing (steel) | Cyber attack – (ransomware suspected) | Unknown (“limited” data exfiltrated) |
| 26 June | Ahold Delhaize (USA operations) | Netherlands / USA | Retail (supermarkets) | Ransomware (INC Ransom) | 2,242,521 individuals |
| 30 June | Radix (Swiss health NGO) | Switzerland | Non-profit (public health) | Ransomware – Sarcoma group | Unknown (~2 TB of data claimed) |




The post Global Data Breaches and Cyber Attacks in June 2025: Over 16 billion records exposed appeared first on IT Governance Blog.
