2025 Sets a Record for Data Breaches — and Email Is Ground Zero

By The EmailCloud Team | 2025 Security

Every year, the data breach numbers get worse. Every year, security professionals say “this was the worst year on record.” And every year, the next year proves them right. 2025 continued this grim tradition with conviction: over 4,100 publicly disclosed data breaches in the United States alone, averaging more than 11 per day. Billions of records exposed. And at the center of it all, as it has been for decades, sits email — both the primary attack vector for breaching organizations and the primary payload of personal data stolen in those breaches.

The Numbers

The scale of data breaches in 2025 is difficult to comprehend in human terms.

More than 4,100 breaches were publicly disclosed in the US over the course of the year. This count includes only breaches that met state or federal reporting thresholds — the actual number, including unreported and undetected incidents, is certainly higher. Previous record years had cleared 3,000 disclosed breaches; 2025 blew past 4,000 with months to spare.

The volume of individual records exposed — names, email addresses, passwords, Social Security numbers, medical records, financial data — reached into the billions. Some individual breaches exposed tens of millions of records in a single incident. Healthcare and financial services were the hardest-hit sectors, but no industry was immune. Technology companies, retailers, educational institutions, government agencies, and critical infrastructure providers all reported significant breaches.

The financial impact continued to escalate. The average cost of a data breach in the US exceeded $10 million in 2025, factoring in incident response, legal costs, regulatory fines, notification expenses, credit monitoring for affected individuals, business disruption, and reputational damage. For healthcare organizations, the average was significantly higher.

Email: The Front Door

Email remained the primary entry point for attackers in the majority of breaches. The pattern is well-established and continues to work: an attacker sends a phishing email to an employee, the employee clicks a link or opens an attachment, and the attacker gains a foothold in the organization’s network. From there, lateral movement, privilege escalation, and data exfiltration follow.

The specific mechanisms vary. Credential phishing — emails that direct users to fake login pages to harvest their usernames and passwords — remains the most common technique. A convincing replica of a Microsoft 365 login page, a Google Workspace authentication prompt, or a corporate VPN portal is sent to an employee who enters their real credentials, handing the attacker the keys to the kingdom.

Business Email Compromise continued its reign as the most financially devastating email-based attack. The FBI’s cumulative global estimate of BEC losses exceeded $50 billion, and 2025 added billions more. BEC doesn’t require malware, doesn’t trigger antivirus software, and doesn’t exploit technical vulnerabilities. It just requires a convincing email from someone who appears to be the boss.

Malware-laden email attachments — once the dominant phishing payload — have declined in relative prevalence as security tools have improved at detecting malicious files. But attackers adapted. Instead of attaching malware directly, phishing emails now link to legitimate file-sharing services (Google Drive, Dropbox, OneDrive, SharePoint) that host the malicious payload, making detection significantly harder. The file-sharing platform’s domain passes URL reputation checks. The hosted file is often a seemingly legitimate document with embedded macros or links to secondary download stages.
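Because the sharing platform’s own domain is legitimate, URL reputation alone cannot catch this pattern; the signal has to come from who sent the link, which tenant or account hosts the file, and what the message asks the reader to do. The following is an added example, not EmailCloud code, showing a small triage rule built on those three signals. The platform list, the organisation (`example.com`, SharePoint tenant `example`) and the four messages are constructed samples.

```javascript
// Added example (not EmailCloud's code): triage of links that point at
// legitimate file-sharing platforms. The platform list, the organisation
// and the messages are constructed samples.
const SHARING_HOSTS = ['drive.google.com', 'docs.google.com', 'dropbox.com',
  '1drv.ms', 'onedrive.live.com', 'sharepoint.com'];
const ACTION_WORDS = /\b(urgent|immediately|asap|invoice|payment|wire|password|verify|sign)\b/i;

const hostOf = (url) => { try { return new URL(url).hostname.toLowerCase(); } catch { return null; } };
const isSharingHost = (host) => SHARING_HOSTS.some((h) => host === h || host.endsWith('.' + h));
const extractUrls = (text) => text.match(/https?:\/\/[^\s<>"')\]]+/gi) || [];

// org = { domain, sharepointTenant } describes the defending organisation.
function triageMessage(msg, org) {
  const senderDomain = (msg.from.split('@')[1] || '').toLowerCase();
  const external = senderDomain !== org.domain;
  const sharingHosts = extractUrls(msg.body).map(hostOf).filter((h) => h && isSharingHost(h));
  const reasons = [];
  if (sharingHosts.length === 0) return { verdict: 'deliver', reasons };

  // The platform's domain reputation is clean by definition, so the signal
  // has to come from who sent the link, where the file lives, and what the
  // message wants the reader to do.
  if (external) reasons.push('external sender links to a file-sharing platform');
  // SharePoint hosts are <tenant>.sharepoint.com or <tenant>-my.sharepoint.com;
  // a link on another tenant from a sender who looks internal is suspicious.
  const foreignTenant = sharingHosts.find((h) => h.endsWith('.sharepoint.com')
    && h !== `${org.sharepointTenant}.sharepoint.com` && !h.startsWith(`${org.sharepointTenant}-`));
  if (foreignTenant) reasons.push(`SharePoint link on another tenant: ${foreignTenant}`);
  if (ACTION_WORDS.test(`${msg.subject} ${msg.body}`)) reasons.push('sharing link paired with action or urgency language');

  const verdict = reasons.length >= 2 ? 'quarantine' : reasons.length === 1 ? 'flag' : 'deliver';
  return { verdict, reasons };
}

const ORG = { domain: 'example.com', sharepointTenant: 'example' };

// Constructed sample messages.
const SAMPLES = {
  // External "vendor" pushing an urgent invoice hosted on Dropbox.
  externalUrgent: { from: 'billing@vendor-invoices.net', subject: 'URGENT: overdue invoice',
    body: 'Please review and pay immediately: https://www.dropbox.com/s/abc123/invoice.pdf' },
  // Looks internal, but the document sits on a SharePoint tenant that is not ours.
  tenantMismatch: { from: 'hr@example.com', subject: 'Updated benefits form, please sign',
    body: 'Sign by Friday: https://contoso-hr.sharepoint.com/:b:/s/forms/benefits.pdf' },
  // Routine internal share on our own tenant, no action pressure.
  routineInternal: { from: 'pm@example.com', subject: 'Q3 roadmap draft',
    body: 'Draft for comments: https://example.sharepoint.com/sites/product/roadmap.docx' },
  // No sharing link at all.
  plain: { from: 'news@partner.org', subject: 'Newsletter', body: 'Read more at https://partner.org/news' },
};

// Returns { sampleName: verdict } for every constructed message.
function runTriage() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([k, m]) => [k, triageMessage(m, ORG).verdict]));
}

console.log(runTriage());
```

The verdict thresholds are deliberately coarse: a single reason flags the message for review, two or more quarantine it. In a real gateway the tenant check would also cover Google Drive and OneDrive account identifiers, and the action-word list would be tuned per organisation rather than hard-coded.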

The MOVEit Aftershock

The MOVEit Transfer vulnerability, first exploited in May 2023, continued to surface new victims well into 2025. The Cl0p ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit managed file transfer product, compromising organizations that used the software to transfer sensitive data. The attack was devastatingly efficient: Cl0p didn’t need to deploy ransomware or negotiate with individual victims. They simply exfiltrated data from hundreds of organizations through the compromised file transfer system and then notified each victim that their data would be published unless a ransom was paid.

The long tail of MOVEit was a defining feature of the 2025 breach landscape. Organizations that had shared data with directly compromised MOVEit users discovered — sometimes more than a year later — that their data had been exposed through the supply chain. Third-party and fourth-party risk manifested in concrete, painful terms. A company that had never used MOVEit itself found that its employee data was exposed because its benefits provider used MOVEit, or because its benefits provider’s payroll subcontractor used MOVEit.

Email notification was, ironically, the primary mechanism by which affected individuals learned about MOVEit-related breaches. Tens of millions of breach notification letters and emails were sent throughout 2024 and 2025, informing people that their personal information had been compromised in an incident they had never heard of, at an organization they had no direct relationship with.

The End of “Look for Typos”

For two decades, the standard advice for identifying phishing emails included a simple heuristic: look for spelling errors, grammatical mistakes, and awkward phrasing. The reasoning was sound — phishing emails were often written by non-native English speakers and contained telltale language errors that legitimate business communications wouldn’t.

In 2025, that advice became obsolete.

Large language models made it trivial for attackers to generate phishing emails that are grammatically perfect, stylistically appropriate, and contextually convincing. An attacker can prompt a model to “write a professional email from a CFO to an accounts payable manager requesting an urgent wire transfer” and receive output that is indistinguishable from a genuine executive communication. No typos. No awkward phrasing. No “Dear Esteemed Customer” salutations.

The sophistication went beyond grammar. Attackers used publicly available information — LinkedIn profiles, company websites, press releases, social media posts — to add contextual details that made phishing emails deeply convincing. A phishing email might reference a real upcoming conference the target was attending, a real project their company had announced, or a real colleague who had recently changed roles. These details, which would have required significant manual research in earlier years, could be assembled in seconds by feeding publicly available information through a language model.

The volume of phishing also increased. What previously required human labor to craft at scale — writing hundreds of customized phishing emails targeting different individuals at a target organization — became automated. An attacker could generate personalized phishing emails for every employee in a company directory, each one tailored to the recipient’s role, department, and recent professional activity.

For security awareness training programs, this represented a fundamental challenge. The traditional “spot the fake” approach to phishing education became much harder when the fakes were better than most genuine business emails. Training programs shifted toward behavioral approaches: treat every unexpected email requesting action (clicking a link, opening a file, sending money, sharing credentials) with skepticism, regardless of how legitimate it appears.

The Passkey Promise

Against this backdrop of escalating email-based attacks, passkeys and phishing-resistant multi-factor authentication (MFA) continued their gradual adoption in 2025.

Passkeys — cryptographic credentials stored on a user’s device and authenticated via biometrics or PIN — are fundamentally phishing-resistant. There is no password to steal. There is no code to intercept. The authentication happens through a cryptographic challenge that is bound to the legitimate website’s domain. A phishing site, regardless of how convincing it looks, cannot trigger the passkey authentication because the domain doesn’t match.

Google, Apple, and Microsoft all expanded passkey support across their platforms in 2025. Major websites and services increasingly offered passkeys as an authentication option. Some security-focused organizations began requiring passkeys for employee authentication, eliminating passwords entirely.

But adoption remained far from universal. The vast majority of email accounts — personal and business — were still protected by passwords, often without any form of multi-factor authentication. The gap between what’s available (phishing-resistant authentication) and what’s deployed (passwords, sometimes with SMS-based MFA that can be intercepted) remains enormous.

This gap is the central tension of email security in 2025. The technology to make email-based credential theft nearly impossible exists and is freely available. The adoption of that technology lags years behind the threat. Every breach that begins with a stolen email password is, in a sense, a failure of deployment rather than a failure of technology.

What This Means for Email

The 2025 breach record reinforces what the security community has been saying for years: email is the front door to virtually every organization, and most organizations leave that door unlocked.

The practical implications for email marketers and senders are significant. Subscriber data — email addresses, names, behavioral data — is a high-value target. Every email list is a data asset that attackers want. The security of email marketing platforms, the handling of subscriber data, and the authentication of sending infrastructure are not just technical concerns — they are business risks.

For individual email users, the message is simpler but no less urgent: enable multi-factor authentication on every email account. Use a password manager. Be suspicious of every email that asks you to take action, regardless of how professional it looks. The phishing emails of 2025 don’t look like phishing emails. They look like real email from real people. The only defense is systematic skepticism and strong authentication.

The data breach record will almost certainly be broken again. The question is not whether email will remain the primary attack vector — it will — but whether the adoption of stronger authentication will begin to close the gap between attacker capability and defender preparedness. In 2025, that gap remained dangerously wide.


Frequently Asked Questions

How many data breaches occurred in 2025?

Over 4,100 data breaches were publicly disclosed in the United States in 2025, averaging more than 11 per day. This exceeded previous annual records and continued a multi-year trend of escalating breach volume. The total number of records exposed reached into the billions, though exact figures vary by reporting source due to differences in breach disclosure timelines and counting methodologies.

Why is email the primary target in data breaches?

Email is the primary attack vector because it is universal (virtually every employee has an email address), it delivers content directly to the target’s workspace, and it enables social engineering at scale. Phishing emails can deliver malware, steal credentials, or manipulate users into taking harmful actions. Business Email Compromise (BEC) — which uses email to impersonate trusted contacts and redirect payments — alone accounts for over $50 billion in global losses. Email credentials provide attackers with access to other systems through password reuse and single sign-on chains.

How did phishing change in 2025?

Phishing emails in 2025 became significantly more convincing due to the use of large language models to generate grammatically flawless, contextually appropriate messages at scale. Traditional advice to “look for typos and grammatical errors” became obsolete — machine-generated phishing emails are indistinguishable from legitimate business communications in terms of language quality. Attackers also increasingly used personalized, context-aware phishing that references real business relationships, recent transactions, and organizational details gathered from social media and previous breaches.
