
2025 has firmly established a new reality: the question is no longer whether our data has been compromised, but how many times—and by whom. Thousands of breaches, millions of victims, dozens of sectors—from education and healthcare to the judicial system and dating platforms. The Breachies—an ironic yet alarming chronicle of the worst, strangest, and most dangerous incidents of the year—demonstrate one key truth: the problem is no longer technical, but structural.
The common denominator in nearly all 2025 cases is excessive data collection and retention. Companies hoard personal information “just in case,” store it for years, share it with third parties—and then act surprised when it eventually leaks.
Mixpanel, an analytics platform used by thousands of apps, became a telling example. Most affected users didn’t even know their actions, subscriptions, or payment histories were being shared with a third-party analytics provider. Poor and opaque communication after the incident only made things worse. This case clearly shows that users lack real control over the data processing chain.
A separate category includes breaches related to identity and age verification. Discord, Tea, TeaOnHer—different services, different audiences, but the same outcome: leaked selfies, documents, addresses, and private messages.
These cases confirm a long-standing warning from digital rights advocates: mandatory identification in the digital environment inevitably creates new threats. Passwords can be changed. Faces cannot. A document photo leaked to the dark web can haunt a person for years—especially women, activists, and members of vulnerable groups.
For the EU and Ukraine, where digital identity is increasingly discussed, this is a serious signal: without strict data minimization, such systems are dangerous by default.
Particularly alarming are breaches in sectors where data has not only economic but existential value.
Blue Shield of California shared medical data with Google for years due to misconfigured trackers. PowerSchool—an education giant—exposed data of over 60 million students and teachers, including medical records and information about special educational needs. PACER—the U.S. federal court system—potentially revealed the identities of confidential informants.
These incidents show that government and quasi-government systems are often technologically outdated yet handle the most sensitive information. Their compromise is no longer just a privacy issue—it is a matter of national security.
One of the most dangerous trends of 2025 is the leakage of geolocation data. Gravy Analytics, TeslaMate, even an obscure Flat Earth app—all demonstrated how easy it is to track a person’s movements.
Location data can reveal:
In countries affected by war, authoritarian regimes, or persecution of minorities, such leaks can have fatal consequences. And yet most users have no idea who is selling this data—or how—on the advertising market.
TransUnion, Discord, Microsoft—different scales, same vulnerability: third-party risk. Hackers increasingly enter not through the “front door,” but via customer support, contractors, or SDKs.
This undermines the traditional logic of responsibility. Users do not choose Zendesk, analytics libraries, or cloud services—yet these are precisely the channels through which their data is compromised. Legally, responsibility is often diluted or minimized.
Advice like using unique passwords and two-factor authentication remains necessary. But 2025 has shown the limits of such measures. Even security experts like Troy Hunt have fallen victim to phishing.
Individual cyber hygiene cannot compensate for systemic corporate irresponsibility.
The Breachies 2025 is not just a list of high-profile failures. It is a diagnosis of a digital economy where:
The way forward lies in strict regulation, real accountability, and effective access to judicial remedies. The EU is already moving in this direction through the GDPR, DSA, and AI Act. Ukraine, as it integrates into the European digital space, should learn these lessons now—rather than after the next large-scale breach.
Privacy is not dead yet. But without a change in the rules of the game, it will become a privilege, not a right.
Violetta Loseva