TL;DR: The Electronic Frontier Foundation released its annual "Breachies": a darkly humorous awards show for the year's worst data breaches. 2025's highlights include PowerSchool exposing records on 62 million students, Social Security numbers included; Gravy Analytics leaking billions of location data points that could identify military personnel and people visiting abortion clinics; Blue Shield of California sending 4.7 million members' health data to Google for three years; a dating app leaking conversations about abortion planning; and a 19-year-old who got into America's school records with nothing more than a stolen password and now faces up to 17 years in prison. By October, 2025 had already seen 2,563 reported breaches. The question isn't whether your data was breached. It's how many times.

Welcome to the Breachies

Every year, the Electronic Frontier Foundation hands out awards nobody wants to win. The Breachies celebrate (if that's the right word) the companies that failed most spectacularly at protecting the data they collected from you.

2025 was a banner year for privacy failures. By October, researchers had documented 2,563 data breaches, putting 2025 on track to be one of the worst years on record for sheer volume of incidents. And the EFF's selections this year include some genuinely horrifying examples of what happens when companies collect everything and protect nothing.

Here's the full rundown of who won, what they lost, and why you should care.

The "Hacker's Hall Pass" Award: PowerSchool

What leaked: Social Security numbers, medical records, grades, special education data, contact information

Who was affected: 62 million students and 9.5 million teachers across 6,500+ school districts

PowerSchool provides student information software to roughly 18,000 K-12 schools across North America. On December 19, 2024, an intruder used a stolen support credential to log into PowerSource, PowerSchool's customer support portal. The portal did not enforce multi-factor authentication, so the password alone was enough. The intruder had access for nine days before anyone noticed.

The breach exposed the most sensitive data imaginable: children's Social Security numbers, medical information, special education records, grades, disciplinary histories. Everything a school knows about a student, now in criminal hands.

PowerSchool paid a ransom of about $2.85 million in bitcoin in exchange for a video "showing" the hackers deleting the data. Spoiler: it didn't work. As recently as May 2025, attackers were sending extortion emails to schools in Canada and North Carolina with samples of the stolen data.

The perpetrator? Matthew Lane, a 19-year-old student at Assumption University in Massachusetts, pleaded guilty in May to charges carrying up to 17 years in prison. He got in with a password. No exploit required: a valid credential on a portal that never asked for a second factor.
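The pattern described above (a successful login without a second factor, from an address never seen for that account, followed by bulk exports over more than a week) is detectable from ordinary portal logs. The script below is an added example and is not PowerSchool's code; the JSON-lines log and its field names (`user`, `event`, `mfa`, `ip`, `rows`) are a constructed, assumed schema.

```python
"""
Detect the PowerSchool-style pattern in support-portal logs: a successful login
without MFA from an address never seen for that account, followed by bulk exports.
Added example with a constructed JSON-lines log; the field names (user, event,
mfa, ip, rows) are an assumed schema, not PowerSchool's.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log. Baseline weeks: the contractor account always logs in from the
# same office address and exports little. Then a new address appears at 3 a.m.
PORTAL_LOG = """
{"ts":"2024-11-04T09:02:11Z","user":"s.contractor","event":"login_success","mfa":false,"ip":"10.20.0.14"}
{"ts":"2024-11-04T09:40:00Z","user":"s.contractor","event":"export","ip":"10.20.0.14","rows":250}
{"ts":"2024-11-18T08:55:43Z","user":"s.contractor","event":"login_success","mfa":false,"ip":"10.20.0.14"}
{"ts":"2024-12-02T10:12:09Z","user":"j.support","event":"login_success","mfa":false,"ip":"10.20.0.31"}
{"ts":"2024-12-19T03:14:27Z","user":"s.contractor","event":"login_success","mfa":false,"ip":"198.51.100.23"}
{"ts":"2024-12-19T03:21:05Z","user":"s.contractor","event":"export","ip":"198.51.100.23","rows":4000000}
{"ts":"2024-12-22T02:48:50Z","user":"s.contractor","event":"export","ip":"198.51.100.23","rows":9000000}
{"ts":"2024-12-27T05:00:00Z","user":"s.contractor","event":"export","ip":"198.51.100.23","rows":6500000}
{"ts":"2024-12-27T11:05:00Z","user":"j.support","event":"export","ip":"10.20.0.31","rows":300}
"""

def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware timestamp, oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_credential_abuse(events, baseline_end, export_threshold=100_000):
    """Flag (user, ip) pairs that logged in without MFA from an IP not seen for
    that user before `baseline_end`, then exported at least `export_threshold`
    rows. Each record carries the total rows and the dwell time in days."""
    known_ips = defaultdict(set)
    for e in events:
        if e["event"] == "login_success" and e["ts"] < baseline_end:
            known_ips[e["user"]].add(e["ip"])

    suspects = {}
    for e in events:
        if e["ts"] < baseline_end:
            continue
        key = (e["user"], e["ip"])
        if (e["event"] == "login_success" and not e.get("mfa")
                and e["ip"] not in known_ips[e["user"]]):
            suspects.setdefault(key, {"user": e["user"], "ip": e["ip"],
                                      "first_seen": e["ts"], "last_seen": e["ts"],
                                      "rows_exported": 0})
        elif e["event"] == "export" and key in suspects:
            suspects[key]["rows_exported"] += e["rows"]
            suspects[key]["last_seen"] = e["ts"]

    flagged = []
    for rec in suspects.values():
        if rec["rows_exported"] >= export_threshold:
            rec["dwell_days"] = (rec["last_seen"] - rec["first_seen"]).days
            flagged.append(rec)
    return flagged

BASELINE_END = datetime(2024, 12, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rec in find_credential_abuse(parse_log(PORTAL_LOG), BASELINE_END):
        print(f"{rec['user']} from {rec['ip']}: "
              f"{rec['rows_exported']:,} rows over {rec['dwell_days']} days")
```

The baseline of known addresses is what makes the rule cheap to run daily; the export threshold is the part to tune per tenant, since a legitimate support engineer rarely pulls millions of rows at 3 a.m. Either rule alone would have fired well inside the nine-day window.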

Canadian privacy commissioners found that school boards share the blame. They stored data they didn't need, kept it longer than necessary, and trusted PowerSchool without verification. The EFF's point: this is what happens when third-party vendors become single points of failure for millions of children.

The "I Didn't Even Know You Had My Data" Award: Gravy Analytics

What leaked: Billions of timestamped location coordinates tied to advertising IDs

Who was affected: Unknown, but Gravy claims to track "a billion devices daily"

In January 2025, a hacker calling themselves "Nightly" claimed to have stolen 17 terabytes of data from Gravy Analytics, a location data broker that most people have never heard of but that almost certainly has data on them.

Gravy Analytics collects location data from thousands of apps: Candy Crush, Tinder, Grindr, MyFitnessPal, pregnancy trackers, TikTok downloaders, and roughly 3,455 others that researchers have identified. You didn't sign up for Gravy. You probably never consented to them specifically. They got your data through the advertising ecosystem: the invisible infrastructure that tracks you across apps and sells that information to whoever pays.

The leaked data included latitude and longitude coordinates, timestamps, and device identifiers. Researchers found it could identify military personnel on bases, people visiting abortion clinics, gay people in countries where homosexuality is criminalized, and the patterns of daily life for millions of ordinary people.
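Why a pile of timestamped coordinates tied to an advertising ID is not anonymous: the place a device sits every night is a home, the place it sits on weekday afternoons is a workplace, and any other cell it visits can be matched against a clinic or a base. The script below is an added example, not code from the EFF or from the researchers who analyzed the leak; the pings are constructed for one hypothetical advertising ID.

```python
"""
What "anonymous" location pings reveal: infer a device's home and workplace from
nothing but timestamps and coordinates. Added example; the pings are constructed
for one hypothetical advertising ID and are not data from the Gravy leak.
"""
from collections import Counter
from datetime import datetime, timezone

def make_sample_pings():
    """One week of hourly pings for a single device (constructed)."""
    pings = []
    for day in range(7):                       # 2025-01-06 is a Monday
        for hour in range(24):
            t = datetime(2025, 1, 6 + day, hour, tzinfo=timezone.utc)
            if day < 5 and 9 <= hour < 18:
                lat, lon = 38.8719, -77.0563   # weekday daytime: an office
            elif hour < 7 or hour >= 21:
                lat, lon = 38.8400, -77.0860   # overnight: a residence
            else:                              # errands, deliberately noisy
                lat, lon = 38.8600 + day * 0.001, -77.0700 + hour * 0.0005
            pings.append(("ad-id-7f3a", int(t.timestamp()), lat, lon))
    return pings

def grid_cell(lat, lon, precision=3):
    """Snap to roughly 100 m so repeated visits to one place share a bucket."""
    return (round(lat, precision), round(lon, precision))

def infer_anchors(pings):
    """Most-visited cell overnight = probable home; weekday 09-18 = probable workplace."""
    night, workday = Counter(), Counter()
    for _adid, ts, lat, lon in pings:
        t = datetime.fromtimestamp(ts, tz=timezone.utc)
        cell = grid_cell(lat, lon)
        if t.hour < 7 or t.hour >= 21:
            night[cell] += 1
        elif t.weekday() < 5 and 9 <= t.hour < 18:
            workday[cell] += 1
    return {
        "home": night.most_common(1)[0][0] if night else None,
        "work": workday.most_common(1)[0][0] if workday else None,
    }

def visited(pings, site):
    """Did this device ever ping inside the grid cell of a given site?"""
    target = grid_cell(*site)
    return any(grid_cell(lat, lon) == target for _adid, _ts, lat, lon in pings)

SAMPLE_PINGS = make_sample_pings()

if __name__ == "__main__":
    print(infer_anchors(SAMPLE_PINGS))
    print("near the office cell:", visited(SAMPLE_PINGS, (38.8719, -77.0563)))
```

Reverse-geocoding the "home" cell turns the ad ID into a street address, and checking `visited` against a list of sensitive sites is the same join researchers performed on the real dataset. Nothing in the input is a name, yet the output is a person.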

Who buys this data normally? The FBI. ICE. The IRS. Police surveillance tool makers. Marketing companies. Anyone with a credit card and a use case Gravy finds acceptable.

Weeks before the breach, the FTC had banned Gravy and its subsidiary Venntel from selling sensitive location data: visits to healthcare clinics, places of worship, domestic violence shelters. But banning the sale doesn't delete the data. And now criminals have it.

The EFF's verdict: "Online behavioral advertising fuels the surveillance industry." Companies like Gravy exist because the advertising ecosystem pays for location data. Kill the ecosystem, and companies stop collecting the data in the first place.

The "Just Stop Using Tracking Tech" Award: Blue Shield of California

What leaked: Names, insurance plan details, medical service providers, patient financial responsibility

Who was affected: 4.7 million people

Blue Shield of California misconfigured Google Analytics. For three years. Health data from 4.7 million members flowed directly to Google, where it was potentially used for targeted advertising.

Not a hack. Not a sophisticated attack. A misconfiguration that nobody caught for 36 months.

The EFF gives this award annually because healthcare companies keep making the same mistake. They embed tracking tools on websites that handle sensitive medical information. Those tools send data to Google, Meta, and other advertising platforms. Patients have no idea.

This isn't a Blue Shield problem. It's an industry problem. Studies have found tracking technologies on the majority of hospital websites. The EFF's recommendation hasn't changed in years: stop putting advertising surveillance on healthcare sites. Nobody's listening.
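The first check a healthcare site owner should run is embarrassingly simple: look at the markup and list every third-party advertising or analytics tag it loads. The scanner below is an added example and not Blue Shield's or the EFF's code; the "find a provider" page it scans is constructed, and the tracker host list is a starting point to extend.

```python
"""
Static check for advertising/analytics tags on a page that handles health data.
Added example; the sample page below is constructed, not Blue Shield's site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that common advertising/analytics tags load from. Extend for your environment.
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel collection endpoint",
}
# Calls that appear in inline scripts when a tag is configured on the page.
INLINE_MARKERS = ("gtag(", "fbq(", "dataLayer.push(")

class TrackerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # (where, what, description)
        self._script_buf = None  # collects inline <script> text until </script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._script_buf = []
        src = attrs.get("src") if tag in ("script", "img", "iframe") else None
        if src:
            host = (urlparse(src).hostname or "").lower()
            if host in TRACKER_HOSTS:
                self.findings.append((tag, host, TRACKER_HOSTS[host]))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            text = "".join(self._script_buf)
            for marker in INLINE_MARKERS:
                if marker in text:
                    self.findings.append(("inline-script", marker, "tracker call on page"))
            self._script_buf = None

def scan_html(html):
    """Return every third-party tracker reference found in the markup."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed "find a provider" page: one first-party script plus two tracking tags.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-EXAMPLE');
</script>
<script src="/static/app.js"></script>
</head><body>
<h1>Find a provider</h1>
<form action="/search"><input name="specialty" value="oncology"></form>
<noscript><img src="https://www.facebook.com/tr?id=000&ev=PageView" width="1" height="1"></noscript>
</body></html>"""

CLEAN_PAGE = '<html><body><script src="/static/app.js"></script><p>Hello</p></body></html>'

if __name__ == "__main__":
    for where, what, desc in scan_html(SAMPLE_PAGE):
        print(f"{where:14s} {what:30s} {desc}")
```

A static scan only catches what is in the HTML; tags injected at runtime by a tag-manager container will not show up, so confirm with the browser's network panel or a proxy. Any third-party request that carries a URL like `/search?specialty=oncology`, or fires from a page behind login, is a disclosure of health information regardless of what the vendor's privacy page says.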

The "Tea for Two" Award: Tea Dating Apps

What leaked: ID photos, selfies, private messages including abortion planning discussions, phone numbers

Who was affected: 72,000 user images in the first breach, then 1.1 million private messages in the second

Tea, an app where women anonymously share warnings and reviews about men they've dated, suffered two breaches in one week in July 2025. First: about 72,000 images leaked from an exposed Firebase storage bucket, including roughly 13,000 selfies and photo IDs submitted for account verification and 59,000 images from posts, comments, and direct messages. A week later: 1.1 million private messages were found exposed, including conversations in which users discussed planning abortions.

Meanwhile, a rival app called TeaOnHer (same concept, different company) exposed emails, usernames, photo IDs, and admin credentials in August.

Both apps required ID verification. Both failed to protect those IDs. The EFF's point is brutal: when apps collect ID documents for "verification," they become extremely attractive targets. And unlike a password, you can't just change your face.

This is the predictable consequence of age and identity verification mandates that politicians keep proposing. Every database of ID documents is a breach waiting to happen.

The "We Still Told You So" Award: Discord

What leaked: Real names, selfies, ID documents, emails, physical addresses, phone numbers, IP addresses, partial billing info

Who was affected: A portion of Discord's 200 million monthly users; Discord put the number whose government-ID photos may have been exposed at roughly 70,000

Discord got breached not through its own systems but through its third-party customer support tooling (reporting pointed to Zendesk). The attackers accessed ID verification data: documents Discord collected from users to satisfy age verification requirements in certain regions.

The EFF gave this award specifically because they warned this would happen. In previous years, they predicted age verification mandates would create honeypots of sensitive data. Discord's breach proves them right.

The company had to collect ID documents for some users. A third party got compromised. Now those documents are in criminal hands. This is the lifecycle of verification data: collected for compliance, breached inevitably, exploited forever.

The "Annual Microsoft Screwed Up Again" Award: Microsoft

What happened: A zero-day in on-premises SharePoint Server (tracked as CVE-2025-53770, dubbed "ToolShell") exploited by Chinese government-linked hackers

Who was affected: 400+ organizations including the National Nuclear Security Administration

Three Chinese government-linked hacking groups exploited a zero-day in on-premises Microsoft SharePoint Server (SharePoint Online was not affected). They compromised over 400 organizations, including the National Nuclear Security Administration, the agency responsible for America's nuclear weapons stockpile.

Days after Microsoft disclosed the vulnerability, thousands of self-hosted SharePoint servers remained unpatched and reachable from the internet. Patching alone was not enough either: the exploit steals the server's ASP.NET machine keys, so Microsoft also told customers to rotate those keys, or an attacker who already had them could keep forging valid requests against a patched server. The EFF's larger point: Microsoft's monopolistic position in enterprise software creates systemic risk. When everyone depends on the same basket, a hole in that basket threatens everyone.
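For anyone running one of those self-hosted servers, "am I patched" is only half the question; the other half is "was I hit before I patched". The request pattern published for the July 2025 exploitation is distinctive in IIS logs: a POST to `/_layouts/15/ToolPane.aspx` with `DisplayMode=Edit` whose Referer is `/_layouts/SignOut.aspx`, and any request for the dropped `spinstall0.aspx` web shell. The scanner below is an added example, not Microsoft's tooling; the log lines are constructed in IIS W3C format, and the regexes also accept the `_layouts/16` path and close `spinstall*.aspx` variants as an assumption.

```python
"""
Scan IIS W3C logs on an on-premises SharePoint server for the request pattern
published for the July 2025 SharePoint exploitation ("ToolShell", CVE-2025-53770).
Added example; the log lines are constructed, the indicators are the public ones.
"""
import re

TOOLPANE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.I)
WEBSHELL = re.compile(r"/_layouts/1[56]/spinstall\w*\.aspx$", re.I)  # assumption: accept variants

def parse_iis(text):
    """Yield one dict per request, keyed by the names in the '#Fields:' header."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields header")
        values = line.split()          # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            continue                   # truncated or malformed line
        row = dict(zip(fields, values))
        row["_line"] = lineno
        yield row

def toolshell_hits(text):
    """Return (line_number, rule, client_ip) for every matching request."""
    hits = []
    for r in parse_iis(text):
        stem, query, ref = r["cs-uri-stem"], r["cs-uri-query"], r["cs(Referer)"]
        if (r["cs-method"].upper() == "POST" and TOOLPANE.search(stem)
                and "displaymode=edit" in query.lower()
                and "/_layouts/signout.aspx" in ref.lower()):
            hits.append((r["_line"], "toolpane-signout-referer", r["c-ip"]))
        elif WEBSHELL.search(stem):
            hits.append((r["_line"], "spinstall-webshell", r["c-ip"]))
    return hits

# Constructed log: one normal document view, the exploit POST, the web shell
# fetch, and a legitimate admin edit whose Referer is not the sign-out page.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:11:07 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 CORP\jdoe 10.0.8.21 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-07-19 02:13:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.internal/_layouts/SignOut.aspx 200
2025-07-19 02:13:52 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-07-19 02:20:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\admin 10.0.8.30 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.internal/_layouts/15/start.aspx 200
"""

if __name__ == "__main__":
    for line, rule, ip in toolshell_hits(SAMPLE_LOG):
        print(f"line {line}: {rule} from {ip}")
```

The Referer test is what separates the exploit from ordinary ToolPane use, so keep it. A single hit means treat the server as compromised: patch, rotate the ASP.NET machine keys, restart IIS, and hunt for the attacker's follow-on activity rather than just deleting the `.aspx` file.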

This isn't Microsoft's first appearance in the Breachies. It won't be their last. The company's centrality to global computing infrastructure means their security failures have outsized consequences. And they keep having security failures.

The "Worst Customer Service Ever" Award: TransUnion

What leaked: Names, dates of birth, Social Security numbers

Who was affected: 4.4 million customers

A third-party application serving TransUnion's customer support operations got compromised. The attackers accessed 4.4 million records (including Social Security numbers) through what was essentially a side door.

TransUnion was careful to note that actual credit reports weren't accessed. Cold comfort when your SSN is in criminal hands. The EFF highlights this breach as an example of how third-party services create unguarded entry points. Companies obsess over their main defenses while ignoring the vendors with access to the same data.

The "Disorder in the Courts" Award: PACER

What leaked: Confidential informant names from federal court cases

Who was affected: Unknown number of federal informants across multiple districts

In August 2025, hackers infiltrated the federal judiciary's electronic case filing system (CM/ECF, the system behind the public PACER document service). They accessed sealed documents, including the names of confidential informants in federal cases.

Informant identities are among the most sensitive information in the justice system; exposure can get people killed. And this isn't the first time: a similar intrusion occurred in 2021, and a federal judiciary IT official had warned Congress that the systems were "unsustainable due to cyber risks."

The warning was ignored. The breach happened anyway. Now informants are potentially in danger because the federal court system couldn't secure its own files.

The "Only Stalkers Allowed" Award: Catwatchful (and Friends)

What leaked: Customer emails and passwords, plus victims' photos, messages, and location data

Who was affected: 26,000 spyware victims

Catwatchful markets itself as a "child monitoring app." In practice, it's stalkerware: software used by abusers to monitor intimate partners without consent.

The breach exposed both sides: customer credentials AND the data those customers were collecting from 26,000 victims. Photos. Messages. Real-time location. Everything an abuser would want to know about their target, now available to anyone who downloaded the breach data.

Catwatchful wasn't alone. SpyX, Cocospy, and Spyic (all stalkerware apps) were also breached in 2025. The EFF's conclusion: these companies "must be stopped." They enable domestic abuse, and they can't even protect the data they steal.

The "Say Something Without Saying Anything" Award: Mixpanel

What leaked: User data from apps using Mixpanel's analytics SDK

Who was affected: Unknown, potentially millions across thousands of apps

Mixpanel is an analytics company. Apps embed their SDK to track user behavior. You've probably never heard of them, but your data is probably in their systems.

When Mixpanel got breached in November 2025, its public response was opaque: vague statements, unclear scope, no specifics about what was taken. The services that embed Mixpanel ended up doing the explaining. OpenAI, for one, told API customers that names, email addresses, and approximate locations tied to their accounts had been exposed through Mixpanel, and reporting pointed at Ring's app, PornHub, and thousands of other services as potentially affected.

The EFF's award name says it all. Most victims have no direct relationship with Mixpanel. They didn't know their devices were sending data to the company. They found out they were affected through news reports, not notifications. They deserve better than corporate non-answers.

The "Keeping Up With My Cybertruck" Award: Teslamate

What leaked: Vehicle location, speed, charging habits, trip details

Who was affected: 1,300+ Tesla owners using self-hosted dashboards

Teslamate is a third-party tool (not made by Tesla) that lets owners log and chart their vehicle data on a server they run themselves. In August 2025, a researcher found 1,300+ self-hosted Teslamate dashboards reachable on the public internet with no login in front of them.

The data revealed everywhere those cars had been: home addresses, workplaces, charging stops, travel patterns. Location data enables stalking, harassment, and worse. The EFF uses this breach to argue for legislation protecting location data, because right now, there's nothing stopping this data from existing in the first place.
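Both the Teslamate dashboards and the Tea storage bucket were exposed the same way: a service that returns data to anyone who asks, with no credential gate. The probe below is an added example, not Teslamate's or Tea's code: it sends an unauthenticated GET and classifies the answer, and because it has to run offline here, the three "hosts" it checks are a constructed local simulation (an open JSON API, a basic-auth-gated one, and a dashboard that redirects to its login page).

```python
"""
Probe self-hosted endpoints with no credentials and classify what comes back.
Added example: the three "servers" are a constructed local simulation standing in
for an unauthenticated data API, a password-gated one, and a dashboard that
redirects to a login page. Not TeslaMate's or Tea's code.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a redirect instead of following it to the login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url, timeout=5):
    """Unauthenticated GET. Returns (verdict, http_status).

    open          : 200 with a body; anyone on the internet can read it
    auth-required : 401/403; a credential gate exists
    redirect      : 3xx, typically to a login page
    """
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(4096)
            return ("open" if body.strip() else "empty", resp.getcode())
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return ("auth-required", err.code)
        if 300 <= err.code < 400:
            return ("redirect", err.code)
        return ("error", err.code)
    except (urllib.error.URLError, OSError):
        return ("unreachable", None)

class _SimulatedHost(BaseHTTPRequestHandler):
    """Constructed stand-in for three ways a self-hosted service can answer."""
    def do_GET(self):
        if self.path == "/open/api/drives":          # no auth at all
            body = b'[{"start":"1 Example St","end":"Example Clinic","km":12.4}]'
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/gated/api/drives":       # basic auth required
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="dashboard"')
            self.end_headers()
        elif self.path == "/grafana/":               # login redirect
            self.send_response(302)
            self.send_header("Location", "/grafana/login")
            self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def run_demo():
    """Start the simulation on an ephemeral port, probe each path, return verdicts."""
    server = HTTPServer(("127.0.0.1", 0), _SimulatedHost)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{port}"
        return {path: probe(base + path)[0]
                for path in ("/open/api/drives", "/gated/api/drives", "/grafana/")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{path:20s} {verdict}")
```

Point `probe` only at hosts you own. An "open" verdict on a trip-history API or a storage bucket's listing URL means the data is public, and the fix is an authenticating reverse proxy or a firewall rule in front of the service, not a longer or more obscure URL.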

The "Yes, Actually, I Have Been Pwned" Award: Troy Hunt

What happened: Phishing attack on the creator of HaveIBeenPwned

Troy Hunt created HaveIBeenPwned, the service that tells you if your email appeared in data breaches. In March 2025, he got phished. Attackers compromised his Mailchimp account and exported his blog's mailing list, about 16,000 addresses, including some that had already unsubscribed.

The EFF includes this not to mock Hunt (he's done more for security awareness than most) but to make a point: phishing can get anyone. If the guy who runs the breach notification service can fall for a convincing email, so can you. So can your employees. So can that vendor with access to your systems.

The Dishonorable Mentions

The main awards only scratch the surface. The EFF listed 35+ additional companies that suffered notable breaches in 2025:

Tech Giants

Salesforce, Oracle, Microsoft, F5, Workday, Coinbase

Consumer Brands

McDonald's, Hertz, Louis Vuitton, Adidas, Home Depot, Petco, DoorDash

Dating & Adult

Lovense, WhatsApp (for breach-related issues), various dating apps

Government & Education

Congressional Budget Office, Columbia University

Healthcare & Insurance

Aflac, Kettering Health, various medical practices

Data Brokers

LexisNexis, various analytics companies

The Pattern Nobody Wants to See

Every Breachies list tells the same story:

  1. Companies collect data they don't need
  2. They store it longer than necessary
  3. They trust third parties without verification
  4. They skip basic security (like MFA)
  5. They get breached
  6. They issue vague statements
  7. Nobody goes to jail
  8. The data lives forever in criminal hands

The EFF has been making the same recommendations for years: data minimization (collect less), privacy by design (protect what you collect), federal privacy legislation with real penalties, and eliminating the surveillance advertising ecosystem that creates incentives to hoard data.

Nobody in power is listening. So we get 2,563 breaches by October, and counting.

What You Can Do

Assume You're Breached

The question isn't "if" but "how many times." Check HaveIBeenPwned regularly. Assume your SSN is compromised and act accordingly.

Freeze Your Credit

All three bureaus. Right now. It's free and prevents fraudulent accounts. Our guide explains how.

Use Unique Passwords

A password manager generates and stores unique passwords for every site. When one site gets breached, the rest stay safe.

Enable Two-Factor Authentication

Everywhere it's offered. Use an authenticator app or a hardware security key rather than SMS. Multi-factor authentication on PowerSchool's support portal would very likely have stopped a stolen password from being enough.

Delete Old Accounts

That forum you signed up for in 2012? Delete it. Every account is a potential breach vector. Reduce your attack surface.

Limit Location Access

Review app permissions. Most apps don't need your location. Turn it off and deny Gravy Analytics another data point.

The Systemic Problem

Individual actions help, but they don't fix the system.

The companies in the Breachies collected your data because there's no law stopping them. They stored it insecurely because there's no penalty that hurts. They issued vague non-apologies because there's no requirement for transparency. And they'll do it again next year because the business model remains profitable.

The EFF's actual agenda isn't teaching you to use password managers. It's federal privacy legislation with a private right of action, meaning you can sue companies that mishandle your data. It's banning online behavioral advertising, killing the economic incentive to collect location data in the first place. It's data minimization requirements, forcing companies to delete what they don't need.

Until that happens, we'll keep having Breachies. And your data will keep appearing in them.

The Bottom Line

2025's Breachies include 62 million children's school records, billions of location data points, 4.7 million healthcare records, dating app messages about abortion, and the names of federal informants. Third-party vendors were compromised. Basic security was ignored. Ransoms were paid and didn't work. A 19-year-old faces 17 years for using a stolen password.

The EFF's darkly comic awards format makes a serious point: this is normal now. Data breaches aren't exceptions. They're the expected outcome of a system designed to collect everything and protect nothing.

Your data was probably in at least one of these breaches. Probably more. The companies involved will face minimal consequences. The data will circulate forever.

Welcome to 2025. Your information was already stolen. Multiple times.

References

  1. EFF - The Breachies 2025: The Worst, Weirdest, Most Impactful Data Breaches of the Year (December 2025)
  2. TechCrunch - What PowerSchool isn't saying about its massive student data breach (March 2025)
  3. The Register - Schools share blame for PowerSchool mega-hack, say watchdogs (November 2025)
  4. TechCrunch - Gravy Analytics breach threatens privacy of millions (January 2025)
  5. FTC - Order Prohibiting Gravy Analytics from Selling Sensitive Location Data (January 2025)
  6. Malwarebytes - Massive breach at location data seller (January 2025)
  7. Daily Security Review - PowerSchool breach exposes 60 million students (2025)
  8. Kaspersky - Gravy Analytics leak: How to protect your location data