December 2025 delivered a sobering end to the worst data breach year in recorded history. On Christmas Eve, Trust Wallet's Chrome extension was compromised, draining $8.5 million in cryptocurrency from unsuspecting users who simply installed a routine update. Simultaneously, security researchers discovered MongoBleed (CVE-2025-14847), a critical MongoDB vulnerability affecting over 80,000 publicly exposed servers—already under active exploitation by threat actors. New Zealand's largest patient portal, ManageMyHealth, confirmed unauthorized access affecting 1.8 million registered users, exposing medical records and personal health information. As 2025 closed with a global total of 12,195 confirmed data breaches (up 21% from 2024), December's incidents reinforced a harsh reality: supply chain attacks, cryptocurrency theft, and database vulnerabilities remain the attack vectors of choice for sophisticated cybercriminals entering 2026.
⚠️ Important: 🚨 URGENT SECURITY ACTIONS: If you use Trust Wallet Chrome extension, immediately transfer assets to a new wallet with fresh seed phrase. MongoDB users must patch CVE-2025-14847 NOW—80,000+ servers vulnerable to active exploitation. ManageMyHealth users in New Zealand should monitor for identity theft and medical fraud. December breaches prove attackers don't take holidays.
Trust Wallet Chrome Extension: $8.5M Cryptocurrency Heist
Breach Overview:
• Platform: Trust Wallet Chrome browser extension
• Attack Date: December 24, 2025 (Christmas Eve)
• Attack Vector: Compromised extension update pushed via Chrome Web Store
• Assets Stolen: $8.5 million in cryptocurrency across multiple blockchains
• Affected Users: Thousands of Trust Wallet extension users who installed Dec 24 update
• Discovery: User reports of drained wallets within hours of update
How the Attack Worked:
Trust Wallet, a popular cryptocurrency wallet supporting Bitcoin, Ethereum, and 70+ blockchains, offers a Chrome browser extension for convenient access to crypto holdings. On December 24, 2025, attackers compromised the extension's update distribution mechanism and pushed a malicious version to Chrome Web Store.
Attack Timeline:
December 24, 2025 - Morning: Compromised Trust Wallet extension update published to Chrome Web Store
Automatic Distribution: Chrome's auto-update mechanism silently installed malicious version to users' browsers
Malicious Code Activation: Extension extracted private keys and seed phrases from browser storage
Immediate Theft: Attackers automatically transferred cryptocurrency to attacker-controlled wallets
User Discovery: Victims noticed empty wallets, reported on social media and Trust Wallet support channels
Trust Wallet Response: Emergency removal from Chrome Web Store, public disclosure
What Made This Attack Devastating:
1. Automatic Updates Weaponized
• Chrome extensions auto-update by default—users never prompted to approve
• Legitimate update mechanism turned into attack distribution channel
• No warning signs visible to users before compromise
2. Complete Wallet Compromise
• Malicious extension accessed browser local storage containing encrypted wallet data
• Extracted seed phrases (12-24 word recovery phrases controlling entire wallet)
• Once attackers have seed phrase, all assets across all blockchains vulnerable
• Irreversible: Cryptocurrency transactions cannot be reversed or recovered
3. Trust Wallet Brand Exploitation
• Users trusted official Chrome Web Store listing
• Extension had millions of installs, legitimate developer credentials
• Attack compromised Trust Wallet's update signing keys or Chrome Web Store account
Victim Impact:
Financial Losses:
• $8.5 million confirmed stolen (Trust Wallet official disclosure)
• Individual losses ranged from hundreds to hundreds of thousands of dollars
• No insurance, no chargeback rights—cryptocurrency losses are permanent
Psychological Impact:
• Victims lost life savings, retirement funds, college savings
• Christmas Eve timing maximized emotional distress
• Trust in cryptocurrency ecosystem eroded
Trust Wallet's Response:
Trust Wallet issued a statement on December 24, 2025:
"We are aware of unauthorized access to Trust Wallet Chrome extension that resulted in theft of user assets. The malicious extension was immediately removed from Chrome Web Store. We are cooperating with law enforcement and blockchain forensics firms to trace stolen funds. Affected users should immediately transfer any remaining assets to new wallet with fresh seed phrase. We deeply apologize for this incident."
Immediate Actions for Cryptocurrency Users:
If You Used Trust Wallet Chrome Extension:
• Assume complete compromise: Your seed phrase and private keys are stolen
• Create NEW wallet with fresh seed phrase (do NOT reuse old seed phrase)
• Transfer any remaining assets immediately to new wallet
• Monitor blockchain explorers for your old wallet addresses
• Report to law enforcement (though recovery unlikely)
For All Crypto Users:
• Hardware wallets: Use Ledger, Trezor for significant holdings (private keys never touch internet)
• Disable browser extension auto-updates: Manually review updates before installing
• Multi-signature wallets: Require multiple approvals for transactions
• Cold storage: Keep long-term holdings offline
• Never store seed phrases digitally: Paper backup in secure physical location only
Supply Chain Attack Pattern:
This attack follows a recent pattern of cryptocurrency extension compromises:
• Ledger Live phishing (2023): Fake Ledger Live extension drained wallets
• MetaMask clones (2024): Copycat extensions with similar names
• Trust Wallet (2025): Legitimate extension compromised at source
The escalation: Attackers moved from creating fake extensions to compromising legitimate ones—far more dangerous.
MongoBleed (CVE-2025-14847): 80,000+ Databases Under Attack
Vulnerability Overview:
• CVE ID: CVE-2025-14847
• Nickname: MongoBleed
• Affected Software: MongoDB versions 4.4, 5.0, 6.0, 7.0 (pre-patch)
• CVSS Score: 9.8 (Critical)
• Vulnerability Type: Remote Code Execution via authentication bypass
• Attack Vector: Network (no authentication required)
• Exposed Servers: 80,000+ internet-facing MongoDB instances
• Exploitation Status: Active exploitation confirmed in the wild
What MongoBleed Does:
MongoBleed enables unauthenticated attackers to execute arbitrary code on vulnerable MongoDB servers exposed to the internet. The vulnerability bypasses MongoDB's authentication mechanisms, granting attackers complete database access without valid credentials.
Technical Details:
Authentication Bypass Mechanism:
• MongoDB's authentication handshake contains race condition vulnerability
• Attacker sends specially crafted authentication request
• Race condition allows attacker to skip credential validation
• MongoDB grants full administrative access without valid username/password
Post-Exploitation Capabilities:
Once authenticated (via bypass), attackers can:
• Read all data: Customer records, financial data, PII, trade secrets
• Modify data: Alter records, inject malicious content, corrupt databases
• Delete databases: Ransomware gangs wipe data, demand payment for restoration
• Execute system commands: MongoDB runs with system privileges, RCE leads to full server compromise
• Lateral movement: Use compromised MongoDB server to attack internal network
Who Is Affected:
At-Risk Organizations:
• SaaS companies: MongoDB popular for cloud-native applications
• E-commerce platforms: Product catalogs, customer orders, payment data
• Mobile app backends: User profiles, authentication data, app content
• IoT platforms: Device data, sensor readings, telemetry
• Content management systems: Website content, user accounts
• Analytics platforms: Business intelligence, customer behavior data
Geographic Distribution:
• United States: 28,000+ vulnerable servers
• Europe: 19,000+ vulnerable servers
• Asia-Pacific: 24,000+ vulnerable servers
• Other regions: 9,000+ vulnerable servers
Active Exploitation Evidence:
Security researchers documented MongoBleed exploitation:
Ransomware Campaigns:
• Attackers scanning for vulnerable MongoDB instances
• Automated exploitation, database wiped
• Ransom note left: "Your database has been backed up. Pay 0.1 BTC to restore."
• Victims report data not actually backed up—just deleted
Data Exfiltration:
• Threat actors stealing databases for sale on dark web
• Personally identifiable information (PII), customer lists, business data
• Breach notifications filed for MongoBleed-related incidents
Cryptocurrency Mining:
• Attackers installing cryptocurrency miners on compromised MongoDB servers
• Server resources hijacked for mining operations
• Performance degradation alerts victims to compromise
MongoDB's Patch Timeline:
Coordinated Disclosure:
• December 15, 2025: Security researcher privately reports CVE-2025-14847 to MongoDB
• December 18, 2025: MongoDB confirms vulnerability, begins patch development
• December 23, 2025: MongoDB releases emergency patches for all affected versions
• December 24, 2025: Public disclosure, CVE assigned
• December 26, 2025: Active exploitation confirmed, 80,000+ vulnerable servers identified
Available Patches:
• MongoDB 7.0.15: Patches CVE-2025-14847
• MongoDB 6.0.18: Patches CVE-2025-14847
• MongoDB 5.0.28: Patches CVE-2025-14847
• MongoDB 4.4.32: Patches CVE-2025-14847 (4.4 end-of-life, final patch)
Immediate Patching Actions:
Step 1: Identify Vulnerable MongoDB Instances (TODAY)
• Run: db.version() in MongoDB shell to check version
• Versions 7.0.14 and below, 6.0.17 and below, 5.0.27 and below, 4.4.31 and below = VULNERABLE
• Inventory all MongoDB instances (production, staging, development, backup servers)
Step 2: Apply Emergency Patches (Within 24-48 Hours)
• Download patches from MongoDB official website
• Test in non-production environment (4-8 hours max for emergency patch)
• Deploy to production with rolling restart to minimize downtime
• Verify patch applied: db.version() should show patched version
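The version check in Steps 1 and 2 is easy to get wrong when it is done by eye across dozens of hosts, so here is an added example (not from the article, and not MongoDB's own tooling) that classifies an inventory of version strings against the four fixed releases listed under "Available Patches" above. The hostnames and version strings are constructed sample data; in practice you would feed it the output of `db.version()` collected from each instance.

```python
# Added example (not from the article or MongoDB): triage an inventory of MongoDB
# versions against the fixed releases the article lists for CVE-2025-14847.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed release per branch, as given in the "Available Patches" list.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (7, 0): (7, 0, 15),
    (6, 0): (6, 0, 18),
    (5, 0): (5, 0, 28),
    (4, 4): (4, 4, 32),
}

# Constructed sample inventory: host -> string returned by db.version() (or the
# "db version vX.Y.Z" line from mongod --version, trimmed to the number).
SAMPLE_INVENTORY: Dict[str, str] = {
    "db-prod-01": "7.0.14",
    "db-prod-02": "v7.0.15",
    "db-stage-01": "6.0.17",
    "db-backup-01": "5.0.28",
    "db-legacy-01": "4.4.31",
    "db-lab-01": "8.0.3",
}


def parse_version(text: str) -> Version:
    """Turn '7.0.14', 'v7.0.14' or '7.0.14-rc0' into (7, 0, 14)."""
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def assess(version_text: str) -> str:
    """Classify one server: 'vulnerable', 'patched' or 'not-listed'.

    'not-listed' means the release branch is not among the four the article
    names; check the vendor advisory for it rather than assuming it is safe.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "not-listed"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status; the 'vulnerable' bucket is the emergency patch queue."""
    report: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "not-listed": []}
    for host, version_text in sorted(inventory.items()):
        report[assess(version_text)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>11}: {', '.join(hosts) or '-'}")
```

Release candidates (`7.0.15-rc0`) are deliberately compared by their numeric part only; if your fleet runs pre-release builds, treat anything below the final fixed number as vulnerable, which is what the comparison does for `7.0.14-rc0`.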
Step 3: Network Segmentation (If Patching Delayed)
• Remove MongoDB from public internet: Only allow access from application servers
• Firewall rules: Block port 27017 (MongoDB default) from internet
• VPN/bastion access only: Require VPN for database administration
• IP whitelisting: Restrict MongoDB access to known application server IPs
Step 4: Forensic Investigation
• Review MongoDB logs for December 15-26, 2025 timeframe
• Check for authentication bypass indicators (successful auth without valid credentials)
• Look for unusual queries, bulk data exports, database drops
• Preserve logs for potential breach notification
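Step 4 asks for a review of the December 15-26 logs for unexpected authentications, bulk reads and database drops. The following added example (not from the article, and not MongoDB's own tooling) runs that triage over MongoDB 4.4+ structured JSON log lines. The log lines are constructed for the example; the field layout (`t`, `s`, `c`, `id`, `ctx`, `msg`, `attr`) follows the structured-log format, and the application-tier subnet `10.0.1.0/24` and the bulk-read threshold are assumptions you would replace with your own.

```python
# Added example (not from the article or MongoDB): scan MongoDB structured log
# lines for the Step 4 indicators. SAMPLE_LOG is constructed; ALLOWED_NETS and
# BULK_READ_THRESHOLD are assumptions for this example.
import ipaddress
import json
from typing import Dict, Iterable, List

# Assumed application-tier subnet; anything else talking to mongod is suspicious.
ALLOWED_NETS = [ipaddress.ip_network("10.0.1.0/24")]
# A single find/getMore returning this many documents is treated as a bulk export.
BULK_READ_THRESHOLD = 10_000

SAMPLE_LOG = """
{"t":{"$date":"2025-12-20T03:12:07.101+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.1.20:44120","connectionId":41,"connectionCount":3}}
{"t":{"$date":"2025-12-20T03:12:07.120+00:00"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn41","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"app_user","authenticationDatabase":"shop","remote":"10.0.1.20:44120"}}
{"t":{"$date":"2025-12-20T03:12:08.004+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn41","msg":"Slow query","attr":{"type":"command","ns":"shop.orders","command":{"find":"orders","filter":{"status":"open"},"$db":"shop"},"nreturned":25,"durationMillis":112}}
{"t":{"$date":"2025-12-21T22:41:33.510+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.9:51234","connectionId":42,"connectionCount":4}}
{"t":{"$date":"2025-12-21T22:41:33.530+00:00"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn42","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"admin","authenticationDatabase":"admin","remote":"203.0.113.9:51234"}}
{"t":{"$date":"2025-12-21T22:41:40.220+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn42","msg":"Slow query","attr":{"type":"command","ns":"shop.customers","command":{"find":"customers","filter":{},"$db":"shop"},"nreturned":250000,"durationMillis":9875}}
{"t":{"$date":"2025-12-21T22:42:05.003+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn42","msg":"Slow query","attr":{"type":"command","ns":"shop.$cmd","command":{"dropDatabase":1,"$db":"shop"},"durationMillis":3401}}
{"t":{"$date":"2025-12-23T11:05:12.770+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"198.51.100.7:40001","connectionId":43,"connectionCount":2}}
{"t":{"$date":"2025-12-23T11:05:13.002+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn43","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"listDatabases":1,"$db":"admin"},"durationMillis":240}}
"""


def is_allowed(remote: str) -> bool:
    """remote is 'ip:port' (IPv6 literals may be bracketed); check it against ALLOWED_NETS."""
    host = remote.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETS)


def triage_log(lines: Iterable[str]) -> List[dict]:
    """Return one finding per triggered rule, in log order."""
    remotes: Dict[str, str] = {}            # "conn42" -> "203.0.113.9:51234"
    findings: List[dict] = []

    def flag(ev: dict, rule: str, detail: str) -> None:
        ctx = ev.get("ctx")
        findings.append({"time": ev.get("t", {}).get("$date"), "conn": ctx,
                         "remote": remotes.get(ctx, "unknown"),
                         "rule": rule, "detail": detail})

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue                        # pre-4.4 text logs or truncated lines
        msg, attr = ev.get("msg"), ev.get("attr", {})
        if msg == "Connection accepted":
            # Later events carry only ctx "connNN"; remember which peer NN belongs to.
            if "connectionId" in attr and "remote" in attr:
                remotes[f"conn{attr['connectionId']}"] = attr["remote"]
            continue
        external = not is_allowed(remotes.get(ev.get("ctx"), ""))
        if msg == "Authentication succeeded" and external:
            flag(ev, "auth-from-unexpected-source",
                 f"{attr.get('principalName')}@{attr.get('authenticationDatabase')}")
        elif msg == "Slow query":
            cmd = attr.get("command", {})
            name = next(iter(cmd), "?")     # first key of the document is the command name
            if external:
                flag(ev, "command-from-unexpected-source", f"{name} on {attr.get('ns')}")
            if name in ("dropDatabase", "drop"):
                flag(ev, "destructive-command", f"{name} on {attr.get('ns')}")
            if name in ("find", "getMore") and attr.get("nreturned", 0) >= BULK_READ_THRESHOLD:
                flag(ev, "bulk-read", f"{attr['nreturned']} docs from {attr.get('ns')}")
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per rule, which is what a first-pass incident summary needs."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['conn']:>7} {f['remote']:<20} {f['rule']:<31} {f['detail']}")
```

Two caveats when running this against real logs: mongod only writes a "Slow query" entry for operations above its slow-operation threshold (`operationProfiling.slowOpThresholdMs`, 100 ms by default), so command coverage is partial unless the threshold was lowered or the profiler enabled; and a successful authentication from an unexpected address is an indicator worth preserving for the notification assessment in Step 5, not proof of the bypass on its own.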
Step 5: Assume Breach Until Proven Otherwise
• If MongoDB was internet-accessible December 15-26, 2025, assume compromise
• Engage incident response team or forensics firm
• Assess data exposure: What data is in MongoDB? Who is affected?
• Notify legal counsel, prepare for potential breach notification under GDPR, CCPA, state laws
Long-Term MongoDB Security:
Defense-in-Depth Strategy:
• Never expose MongoDB directly to internet: Application-tier access only
• Enable authentication: Always require username/password (many MongoDB instances run with auth disabled!)
• Enable encryption: MongoDB Enterprise encryption at rest + TLS in transit
• Regular backups: Automated, tested backups to separate infrastructure
• Least privilege access: Role-based access control, limit admin accounts
• Monitoring: Log all database access, alert on anomalies
• Patch management: Subscribe to MongoDB security advisories, patch within 7 days
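Most of the exposure described in Step 3 and in the defense-in-depth list above is visible in `mongod.conf`: where the server listens, whether authorization is enforced, and whether TLS is required. The added example below (not from the article, and not MongoDB's own tooling) parses the indented key/value subset of YAML that a standard `mongod.conf` uses and audits it, showing a constructed weak configuration beside a constructed hardened one. The option names (`net.bindIp`, `net.bindIpAll`, `security.authorization`, `net.tls.mode`, `security.enableEncryption`) are real mongod options; the file paths and addresses are placeholders.

```python
# Added example (not from the article or MongoDB): audit a mongod.conf for the
# exposure settings discussed in Step 3 and in the defense-in-depth list.
# Both configuration texts are constructed; paths and addresses are placeholders.
import ipaddress
from typing import Any, Dict, List

WEAK_CONF = """
# Constructed example of an internet-exposed instance: listens everywhere,
# no security section (so no authorization), no TLS section.
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """
# Constructed example of the corrected file.
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.1.5      # loopback plus the private app-tier interface
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
security:
  authorization: enabled
  enableEncryption: true          # MongoDB Enterprise encryption at rest
  encryptionKeyFile: /etc/mongod-keyfile
"""


def parse_conf(text: str) -> Dict[str, Any]:
    """Parse indentation-based 'key: value' YAML into nested dicts (no lists, no quoting rules)."""
    root: Dict[str, Any] = {}
    stack = [(-1, root)]                        # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:           # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:                                   # section header: open a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def lookup(conf: Dict[str, Any], dotted: str, default: str = "") -> str:
    """Fetch a scalar by dotted path ('net.tls.mode'); missing keys give the default."""
    node: Any = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node if isinstance(node, str) else default


def audit(conf: Dict[str, Any]) -> List[dict]:
    """Return findings, most severe first within each check."""
    findings: List[dict] = []

    def add(severity: str, setting: str, problem: str) -> None:
        findings.append({"severity": severity, "setting": setting, "problem": problem})

    # 1. Where does mongod listen? (default bindIp is localhost when the key is absent)
    if lookup(conf, "net.bindIpAll").lower() == "true":
        add("critical", "net.bindIpAll", "listens on every interface")
    for addr in lookup(conf, "net.bindIp", "127.0.0.1").split(","):
        addr = addr.strip()
        if addr.startswith("/"):                # UNIX domain socket path, not a network bind
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            add("warn", "net.bindIp", f"unparseable address {addr!r}")
            continue
        if ip.is_unspecified:
            add("critical", "net.bindIp", f"{addr} binds every interface")
        elif ip.is_global:
            add("critical", "net.bindIp", f"{addr} is a public address")
    # 2. Is authentication enforced at all?
    if lookup(conf, "security.authorization") != "enabled":
        add("critical", "security.authorization", "authentication is not enforced")
    # 3. Is TLS mandatory for clients?
    if lookup(conf, "net.tls.mode") != "requireTLS":
        add("high", "net.tls.mode", "TLS is not required in transit")
    # 4. Encryption at rest (Enterprise feature; informational for Community builds)
    if lookup(conf, "security.enableEncryption").lower() != "true":
        add("info", "security.enableEncryption", "encryption at rest is not enabled")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for f in audit(parse_conf(text)) or [{"severity": "-", "setting": "-", "problem": "no findings"}]:
            print(f"  [{f['severity']:<8}] {f['setting']:<28} {f['problem']}")
```

A private bind address passes this audit, but binding to the application-tier interface only mitigates exposure if host or network firewall rules also block port 27017 from elsewhere; the configuration check and the firewall check are complementary, not substitutes. For files that use YAML lists or quoted strings, swap the small parser for PyYAML rather than extending it.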
ManageMyHealth: 1.8 Million Patient Records Breached
Breach Overview:
• Organization: ManageMyHealth (New Zealand patient portal platform)
• Users Affected: 1.8 million registered users (approximately 36% of New Zealand population)
• Discovery Date: December 30, 2025
• Attack Vector: Unauthorized access to application systems
• Data Exposed: Patient medical records, personal information, health data
• Disclosure: Public notification December 31, 2025
What is ManageMyHealth:
ManageMyHealth is New Zealand's largest patient portal, connecting patients with general practitioners, specialists, and pharmacies. The platform enables:
• Prescription requests and renewals
• Appointment booking
• Lab test results access
• Medical history records
• Health condition tracking
• Secure messaging with healthcare providers
With 1.8 million users, ManageMyHealth represents over one-third of New Zealand's 5.1 million population.
Breach Details:
ManageMyHealth disclosed on December 31, 2025 that it detected unauthorized access to its application on December 30, 2025. The company has not disclosed:
• How attackers gained access
• How long attackers had access before detection
• Extent of data exfiltration
• Whether ransomware involved
Data at Risk:
Medical Records:
• Diagnoses and treatment history
• Prescription medications
• Lab test results (blood tests, imaging, pathology)
• Immunization records
• Allergy information
• Chronic condition management data
Personal Information:
• Full names, dates of birth
• Addresses, phone numbers
• Email addresses
• National Health Index (NHI) numbers (New Zealand's unique health identifier)
• Healthcare provider information
Privacy Commissioner Investigation:
New Zealand's Privacy Commissioner announced an immediate investigation:
"The breach of ManageMyHealth affects a significant portion of New Zealanders and involves highly sensitive health information. We are working with the company to understand the scope of the breach, ensure affected individuals are notified, and assess compliance with New Zealand Privacy Act 2020."
Penalties Under New Zealand Privacy Act 2020:
• Maximum fine: NZ$10,000 per individual affected (approx US$6,000)
• Potential total penalty: Up to NZ$18 billion if Privacy Commissioner pursues maximum penalties
• Class action risk: Affected patients may file civil lawsuits for damages
Patient Impact and Identity Theft Risk:
Medical Identity Theft:
Attackers can use stolen medical records to:
• File fraudulent insurance claims
• Obtain prescription medications
• Access healthcare services under victim's identity
• Sell medical records on dark web ($50-$1,000 per complete medical record)
Targeted Attacks:
• Patients with chronic conditions vulnerable to targeted scams
• Pharmaceutical companies, insurance providers may be targeted with stolen data
• Medical research data valuable for competitors
Immediate Actions for ManageMyHealth Users:
1. Monitor for Medical Identity Theft:
• Review insurance claims and medical bills for unauthorized services
• Check prescription history with pharmacy for unfamiliar medications
• Request copy of medical records to verify accuracy
• Place alert with New Zealand Ministry of Health
2. Secure Your Health Information:
• Change ManageMyHealth password immediately
• Enable two-factor authentication if available
• Review connected apps and revoke unnecessary access
• Monitor email for phishing attempts referencing breach
3. Credit Monitoring:
• Stolen NHI numbers and personal information enable identity theft
• Monitor credit reports for new accounts, loans, credit applications
• Consider credit freeze to prevent new account openings
4. Phishing Vigilance:
• Expect phishing emails claiming to be from ManageMyHealth, health insurers, government health agencies
• Verify legitimacy before clicking links or providing information
• Healthcare-themed phishing surges after medical data breaches
Other December 2025 Breaches and 2025 Year in Review
Additional December 2025 Breaches:
1. SoundCloud - Unauthorized Access to Internal Systems
• Platform: SoundCloud (music streaming, 175M+ users)
• Discovery: December 2025
• Data exposed: Member data accessed, extent unknown
• Impact: User accounts, email addresses, potentially payment info
2. Inotiv - Ransomware Attack on Research Firm
• Organization: Inotiv (pharmaceutical research and testing)
• Attack type: Ransomware
• Affected individuals: 9,542 people
• Data exposed: Full names, addresses, dates of birth, Social Security numbers
• Notification: December 2025 disclosure letters sent
3. Condé Nast / WIRED - 2.3 Million Records Leaked
• Organization: Condé Nast (publisher of WIRED, Vogue, GQ, Vanity Fair)
• Attack: Attacker claims breach of Condé Nast systems
• Data leaked: WIRED database with 2.3 million subscriber/user records
• Disclosure: December 2025 (claimed by threat actor)
4. Manpower - 140,000 Affected in Ransomware Attack
• Organization: Manpower (staffing and recruiting)
• Attack timeline: December 29, 2024 - January 12, 2025 (disclosed Dec 2025)
• Affected individuals: 140,000 employees and job candidates
• Data exposed: Personal information, employment records
2025: The Worst Data Breach Year in History
Global Breach Statistics:
• Total breaches 2025: 12,195 confirmed incidents (up 21% from 2024's 10,073)
• Previous record: 2024 with 10,073 breaches
• Absolute increase: 2025 exceeded 2024 by 2,122 breaches
• Daily average: 33 data breaches disclosed per day in 2025
Year-over-Year Trend:
• 2021: 4,145 breaches
• 2022: 6,872 breaches (66% increase)
• 2023: 8,214 breaches (20% increase)
• 2024: 10,073 breaches (23% increase)
• 2025: 12,195 breaches (21% increase)
Why Breach Volume Keeps Increasing:
1. Ransomware Industrialization
• Ransomware-as-a-Service (RaaS) platforms lowered entry barrier
• Affiliates conduct attacks, RaaS operators provide infrastructure
• LockBit, BlackCat, ALPHV dominated 2025 ransomware landscape
2. Supply Chain Attack Effectiveness
• One vendor breach = hundreds of customer breaches
• 2025 examples: Salesforce/Gainsight (1,000 orgs), Oracle EBS (100+ orgs), MongoBleed (80,000+ servers)
• Attackers target widely-deployed software for maximum impact
3. Cloud Misconfiguration Epidemic
• 60% of breaches involved human element (phishing, stolen credentials, misconfigurations)
• S3 buckets, Azure Blob storage left publicly accessible
• Cloud services default to permissive access unless explicitly locked down
4. Cryptocurrency Theft Surge
• $8.5M Trust Wallet heist is one of hundreds of crypto thefts in 2025
• Total cryptocurrency stolen 2025: $1.7 billion (estimated)
• Browser extensions, DeFi platform exploits, bridge hacks
5. Nation-State Cyber Operations
• Russia, China, North Korea, Iran conducting aggressive cyber espionage
• Government, defense, critical infrastructure targeted
• Many nation-state breaches disclosed years after compromise
Hardest Hit Sectors in 2025:
Healthcare: 2,847 breaches (23% of total)
• Ransomware gangs target hospitals for maximum disruption
• HIPAA data valuable on dark web
• Examples: ManageMyHealth (1.8M), Change Healthcare (100M+), Kaiser Permanente (13.4M)
Financial Services: 1,951 breaches (16% of total)
• Banking, investment, payment processors
• Examples: TransUnion (Salesforce breach), Capital One incidents
Retail/E-commerce: 1,707 breaches (14% of total)
• Customer payment data, loyalty programs
• Examples: Dooney & Bourke, Dior, Kering (luxury brands)
Technology: 1,463 breaches (12% of total)
• SaaS platforms, cloud services
• Ironic: Security vendors breached (Cloudflare, Proofpoint)
Education: 1,220 breaches (10% of total)
• Universities, K-12 school districts
• Examples: Harvard, University of Phoenix, dozens more
Looking Ahead to 2026:
Expect 2026 to surpass 2025's record-breaking breach total. Key trends:
• AI-powered attacks: Phishing, deepfakes, automated exploitation
• Quantum computing threat: "Harvest now, decrypt later" attacks on encrypted data
• IoT vulnerabilities: Connected devices with poor security
• 5G network attacks: Expanded attack surface
• Supply chain dependencies: Software supply chain remains high-value target
December breaches prove attackers don't take holidays. Neither should your security posture.
December 2025 closed the deadliest year for data breaches in recorded history with a trio of devastating incidents that exposed the fragility of digital trust. The Trust Wallet Chrome extension breach—stealing $8.5 million in cryptocurrency on Christmas Eve—demonstrated how automatic software updates can be weaponized to drain user assets in minutes. MongoBleed (CVE-2025-14847) revealed that 80,000+ MongoDB servers remained exposed to the internet, vulnerable to a critical authentication bypass already under active exploitation by ransomware gangs. And ManageMyHealth's compromise of 1.8 million patient records proved that even healthcare platforms serving over one-third of a nation's population can fall victim to unauthorized access.
The common thread: Each December breach succeeded because of preventable security failures. Trust Wallet users had no choice in Chrome's automatic extension updates. MongoDB administrators left database servers internet-accessible without proper network segmentation. ManageMyHealth's application security controls failed to prevent unauthorized access. These weren't sophisticated zero-day exploits requiring nation-state resources—they were exploitation of known attack patterns that continue succeeding because organizations underinvest in basic security hygiene.
2025's 12,195 data breaches represent a 21% increase over 2024's record-breaking total, averaging 33 breach disclosures every single day. This isn't a temporary spike—it's the new baseline. Ransomware gangs have industrialized attacks through RaaS platforms. Supply chain attacks multiply one vendor's vulnerability into hundreds of customer breaches. Cloud misconfigurations expose data to the internet. And cryptocurrency theft has become a billion-dollar criminal industry.
Key Lessons from December 2025:
1. Trust, But Verify—Even Official Software Updates
• Trust Wallet was legitimate Chrome Web Store extension with millions of installs
• Attackers compromised update mechanism at the source
• Cryptocurrency users must adopt hardware wallets for significant holdings
• Disable auto-updates for security-critical extensions, manually review changes
2. Internet-Exposed Databases Are Indefensible
• 80,000+ MongoDB servers exposed to internet = 80,000 potential breaches
• No database should be directly accessible from public internet
• Network segmentation, VPN access, IP whitelisting are non-negotiable
• MongoBleed exploited authentication bypass—even auth-enabled databases were vulnerable
3. Healthcare Data Remains Prime Target
• Medical records worth $50-$1,000 each on dark web (10-100x credit card data value)
• 2,847 healthcare breaches in 2025 (23% of all breaches)
• HIPAA compliance doesn't prevent breaches, only defines notification requirements
• Patient portals process sensitive data but often lack enterprise-grade security
4. Supply Chain Risk is Unmanageable Without Defense-in-Depth
• Trust Wallet, Salesforce/Gainsight, Oracle EBS, MongoBleed—all supply chain attacks
• You can't control vendor security, only mitigate impact when they're breached
• Defense-in-depth: Network segmentation, least privilege, monitoring, backups
• Assume breach mentality: Plan for vendor compromise, not if but when
Immediate Actions for 2026:
For Cryptocurrency Users:
• Migrate significant holdings to hardware wallets (Ledger, Trezor)
• Never store seed phrases digitally (paper backup in secure physical location)
• Use multi-signature wallets requiring multiple approvals for transactions
For MongoDB Users:
• Patch CVE-2025-14847 immediately if running versions 4.4-7.0
• Remove MongoDB from public internet, require VPN/bastion access
• Enable authentication and encryption (shocking how many MongoDB instances run with auth disabled)
• Regular backups to separate infrastructure
For Healthcare Providers:
• If you use patient portals, audit security controls NOW
• Multi-factor authentication mandatory for all access
• Regular penetration testing of patient-facing applications
• Incident response plan specifically for patient data breaches
For Everyone:
• 2026 will surpass 2025's breach total—assume you'll be targeted
• Patch management: 7-day SLA for critical vulnerabilities
• Network segmentation: Isolate sensitive systems from internet
• Backup and recovery: Immutable backups, quarterly restore testing
• Security awareness training: Phishing remains #1 initial access vector
• Cyber insurance: Verify coverage for ransomware, supply chain breaches
As we enter 2026, one truth is undeniable: The breach environment isn't improving, it's accelerating. Organizations that treat cybersecurity as a compliance checkbox will become case studies. Those that embrace defense-in-depth, assume breach mentality, and invest in proactive security will survive.
December 2025 closed the worst breach year in history. Don't let your organization become January 2026's headline breach.