December 2025 delivered a sobering end to the worst data breach year in recorded history. On Christmas Eve, Trust Wallet's Chrome extension was compromised, draining $8.5 million in cryptocurrency from unsuspecting users who simply installed a routine update. Simultaneously, security researchers discovered MongoBleed (CVE-2025-14847), a critical MongoDB vulnerability affecting over 80,000 publicly exposed servers—already under active exploitation by threat actors. New Zealand's largest patient portal, ManageMyHealth, confirmed unauthorized access affecting 1.8 million registered users, exposing medical records and personal health information. As 2025 closed with a global total of 12,195 confirmed data breaches (up 21% from 2024), December's incidents reinforced a harsh reality: supply chain attacks, cryptocurrency theft, and database vulnerabilities remain the attack vectors of choice for sophisticated cybercriminals entering 2026.
⚠️ Important: 🚨 URGENT SECURITY ACTIONS: If you use Trust Wallet Chrome extension, immediately transfer assets to a new wallet with fresh seed phrase. MongoDB users must patch CVE-2025-14847 NOW—80,000+ servers vulnerable to active exploitation. ManageMyHealth users in New Zealand should monitor for identity theft and medical fraud. December breaches prove attackers don't take holidays.
Trust Wallet Chrome Extension: $8.5M Cryptocurrency Heist
• Platform: Trust Wallet Chrome browser extension
• Attack Date: December 24, 2025 (Christmas Eve)
• Attack Vector: Compromised extension update pushed via Chrome Web Store
• Assets Stolen: $8.5 million in cryptocurrency across multiple blockchains
• Affected Users: Thousands of Trust Wallet extension users who installed Dec 24 update
• Discovery: User reports of drained wallets within hours of update
• Chrome extensions auto-update by default—users never prompted to approve
• Legitimate update mechanism turned into attack distribution channel
• No warning signs visible to users before compromise
• Malicious extension accessed browser local storage containing encrypted wallet data
• Extracted seed phrases (12-24 word recovery phrases controlling entire wallet)
• Once attackers have seed phrase, all assets across all blockchains vulnerable
• Irreversible: Cryptocurrency transactions cannot be reversed or recovered
• Users trusted official Chrome Web Store listing
• Extension had millions of installs, legitimate developer credentials
• Attack compromised Trust Wallet's update signing keys or Chrome Web Store account
• $8.5 million confirmed stolen (Trust Wallet official disclosure)
• Individual losses ranged from hundreds to hundreds of thousands of dollars
• No insurance, no chargeback rights—cryptocurrency losses are permanent
• Victims lost life savings, retirement funds, college savings
• Christmas Eve timing maximized emotional distress
• Trust in cryptocurrency ecosystem eroded
• Assume complete compromise: Your seed phrase and private keys are stolen
• Create NEW wallet with fresh seed phrase (do NOT reuse old seed phrase)
• Transfer any remaining assets immediately to new wallet
• Monitor blockchain explorers for your old wallet addresses
• Report to law enforcement (though recovery unlikely)
• Hardware wallets: Use Ledger, Trezor for significant holdings (private keys never touch internet)
• Disable browser extension auto-updates: Manually review updates before installing
• Multi-signature wallets: Require multiple approvals for transactions
• Cold storage: Keep long-term holdings offline
• Never store seed phrases digitally: Paper backup in secure physical location only
• MetaMask clones (2024): Copycat extensions with similar names
• Trust Wallet (2025): Legitimate extension compromised at source
MongoBleed (CVE-2025-14847): 80,000+ Databases Under Attack
• CVE ID: CVE-2025-14847
• Nickname: MongoBleed
• Affected Software: MongoDB versions 4.4, 5.0, 6.0, 7.0 (pre-patch)
• CVSS Score: 9.8 (Critical)
• Vulnerability Type: Remote Code Execution via authentication bypass
• Attack Vector: Network (no authentication required)
• Exposed Servers: 80,000+ internet-facing MongoDB instances
• Exploitation Status: Active exploitation confirmed in the wild
• MongoDB's authentication handshake contains race condition vulnerability
• Attacker sends specially crafted authentication request
• Race condition allows attacker to skip credential validation
• MongoDB grants full administrative access without valid username/password
• Read all data: Customer records, financial data, PII, trade secrets
• Modify data: Alter records, inject malicious content, corrupt databases
• Delete databases: Ransomware gangs wipe data, demand payment for restoration
• Execute system commands: MongoDB runs with system privileges, RCE leads to full server compromise
• Lateral movement: Use compromised MongoDB server to attack internal network
• SaaS companies: MongoDB popular for cloud-native applications
• E-commerce platforms: Product catalogs, customer orders, payment data
• Mobile app backends: User profiles, authentication data, app content
• IoT platforms: Device data, sensor readings, telemetry
• Content management systems: Website content, user accounts
• Analytics platforms: Business intelligence, customer behavior data
• United States: 28,000+ vulnerable servers
• Europe: 19,000+ vulnerable servers
• Asia-Pacific: 24,000+ vulnerable servers
• Other regions: 9,000+ vulnerable servers
• Attackers scanning for vulnerable MongoDB instances
• Automated exploitation, database wiped
• Ransom note left: "Your database has been backed up. Pay 0.1 BTC to restore."
• Victims report data not actually backed up—just deleted
• Threat actors stealing databases for sale on dark web
• Personally identifiable information (PII), customer lists, business data
• Breach notifications filed for MongoBleed-related incidents
• Attackers installing cryptocurrency miners on compromised MongoDB servers
• Server resources hijacked for mining operations
• Performance degradation alerts victims to compromise
• December 15, 2025: Security researcher privately reports CVE-2025-14847 to MongoDB
• December 18, 2025: MongoDB confirms vulnerability, begins patch development
• December 23, 2025: MongoDB releases emergency patches for all affected versions
• December 24, 2025: Public disclosure, CVE assigned
• December 26, 2025: Active exploitation confirmed, 80,000+ vulnerable servers identified
• MongoDB 7.0.15: Patches CVE-2025-14847
• MongoDB 6.0.18: Patches CVE-2025-14847
• MongoDB 5.0.28: Patches CVE-2025-14847
• MongoDB 4.4.32: Patches CVE-2025-14847 (4.4 end-of-life, final patch)
• Run db.version() in the MongoDB shell to check the installed version
• Versions 7.0.14 and below, 6.0.17 and below, 5.0.27 and below, 4.4.31 and below = VULNERABLE
• Inventory all MongoDB instances (production, staging, development, backup servers)
• Download patches from MongoDB official website
• Test in non-production environment (4-8 hours max for emergency patch)
• Deploy to production with rolling restart to minimize downtime
• Verify patch applied: db.version() should show patched version
• Remove MongoDB from public internet: Only allow access from application servers
• Firewall rules: Block port 27017 (MongoDB default) from internet
• VPN/bastion access only: Require VPN for database administration
• IP whitelisting: Restrict MongoDB access to known application server IPs
• Review MongoDB logs for December 15-26, 2025 timeframe
• Check for authentication bypass indicators (successful auth without valid credentials)
• Look for unusual queries, bulk data exports, database drops
• Preserve logs for potential breach notification
• If MongoDB was internet-accessible December 15-26, 2025, assume compromise
• Engage incident response team or forensics firm
• Assess data exposure: What data is in MongoDB? Who is affected?
• Notify legal counsel, prepare for potential breach notification under GDPR, CCPA, state laws
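A log triage routine for the December 15-26, 2025 review window described above, added here as an example and not part of the original article. It assumes MongoDB's JSON-lines log format (4.4 and later), an allowlist of application-server IPs and a bulk-read threshold of 10,000 documents; the log lines and the function names are constructed for this example.

```javascript
// Added example (not from the article): triage mongod JSON logs for the
// indicators the article lists: authenticated sessions from addresses outside
// the application-server allowlist during the exposure window, bulk reads
// (possible export) and database/collection drops. Field names follow the
// mongod structured log layout (t, s, c, msg, attr); sample lines are constructed.

const WINDOW_START = Date.parse("2025-12-15T00:00:00Z");
const WINDOW_END = Date.parse("2025-12-27T00:00:00Z");   // exclusive: covers through Dec 26
const BULK_READ_DOCS = 10000;                            // assumed "bulk export" threshold
const APP_SERVERS = new Set(["10.0.0.5", "10.0.0.6"]);   // assumed allowlist of app servers

// "198.51.100.7:51234" -> "198.51.100.7" (strips the client port)
function remoteIp(attr) {
  const r = attr && attr.remote;
  return r ? r.replace(/:\d+$/, "") : null;
}

// Returns a finding object for one log line, or null if nothing is notable.
function triageLine(line) {
  let e;
  try { e = JSON.parse(line); } catch { return null; }
  const ts = Date.parse(e.t && e.t.$date);
  if (!(ts >= WINDOW_START && ts < WINDOW_END)) return null;
  const attr = e.attr || {};
  const cmd = attr.command || {};
  const ip = remoteIp(attr);
  if (e.c === "ACCESS" && /Authentication succeeded/.test(e.msg || "") && ip && !APP_SERVERS.has(ip))
    return { kind: "auth-outside-allowlist", when: e.t.$date, ip, user: attr.principalName };
  if ("dropDatabase" in cmd || "drop" in cmd || /dropDatabase/.test(e.msg || ""))
    return { kind: "drop", when: e.t.$date, ip, ns: attr.ns || attr.db };
  if (e.c === "COMMAND" && (attr.nreturned || 0) >= BULK_READ_DOCS)
    return { kind: "bulk-read", when: e.t.$date, ip, ns: attr.ns, docs: attr.nreturned };
  return null;
}

// Runs triageLine over a whole log file (one JSON document per line).
function triage(logText) {
  return logText.split("\n").map(triageLine).filter(Boolean);
}

// Constructed sample: one benign app-server login, then an out-of-allowlist
// login followed by a full-collection read and a dropDatabase, then an
// out-of-window event that must be ignored.
const SAMPLE_LOG = [
  '{"t":{"$date":"2025-12-16T09:00:01.000+00:00"},"s":"I","c":"ACCESS","msg":"Authentication succeeded","attr":{"principalName":"app","remote":"10.0.0.5:40110"}}',
  '{"t":{"$date":"2025-12-20T03:14:07.000+00:00"},"s":"I","c":"ACCESS","msg":"Authentication succeeded","attr":{"principalName":"admin","remote":"198.51.100.7:51234"}}',
  '{"t":{"$date":"2025-12-20T03:14:09.000+00:00"},"s":"I","c":"COMMAND","msg":"Slow query","attr":{"type":"command","ns":"shop.customers","command":{"find":"customers","filter":{}},"nreturned":250000,"durationMillis":4200,"remote":"198.51.100.7:51234"}}',
  '{"t":{"$date":"2025-12-20T03:15:30.000+00:00"},"s":"I","c":"COMMAND","msg":"Slow query","attr":{"type":"command","ns":"shop.$cmd","command":{"dropDatabase":1},"durationMillis":310,"remote":"198.51.100.7:51234"}}',
  '{"t":{"$date":"2025-12-10T12:00:00.000+00:00"},"s":"I","c":"ACCESS","msg":"Authentication succeeded","attr":{"principalName":"admin","remote":"203.0.113.9:4000"}}',
].join("\n");

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```

Feed the real mongod log (for example `cat /var/log/mongodb/mongod.log`) to triage() and review every finding; a drop or bulk read from an address outside the allowlist is the kind of event the article says should trigger incident response and log preservation.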
• Never expose MongoDB directly to internet: Application-tier access only
• Enable authentication: Always require username/password (many MongoDB instances run with auth disabled!)
• Enable encryption: MongoDB Enterprise encryption at rest + TLS in transit
• Regular backups: Automated, tested backups to separate infrastructure
• Least privilege access: Role-based access control, limit admin accounts
• Monitoring: Log all database access, alert on anomalies
• Patch management: Subscribe to MongoDB security advisories, patch within 7 days
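The version threshold and the exposure checks above (internet binding, authentication, encryption in transit), as an added example that is not part of the original article: a JavaScript routine usable in mongosh or Node. It encodes the fixed releases listed above and audits the output of MongoDB's getCmdLineOpts admin command, whose parsed field mirrors mongod.conf keys; the sample options object and the function names are my own.

```javascript
// Added example (not from the original article). Works in mongosh or Node.
// In mongosh, run it against the live server with:
//   auditMongod(db.version(), db.adminCommand({ getCmdLineOpts: 1 }).parsed)
// The SAMPLE_OPTS object below is constructed for the example.

// First fixed release per branch, as listed in the article.
const FIXED = { "7.0": [7, 0, 15], "6.0": [6, 0, 18], "5.0": [5, 0, 28], "4.4": [4, 4, 32] };

// "7.0.14" -> [7, 0, 14]; tolerates pre-release suffixes such as "-rc0".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// "vulnerable" | "patched" | "unknown-branch" (branch not in the table above)
function mongoBleedStatus(versionString) {
  const v = parseVersion(versionString);
  const fixed = FIXED[`${v[0]}.${v[1]}`];
  if (!fixed) return "unknown-branch";
  return compareVersions(v, fixed) < 0 ? "vulnerable" : "patched";
}

// Audits startup options for the exposure conditions the hardening list names.
function auditMongod(versionString, parsed) {
  const findings = [];
  const status = mongoBleedStatus(versionString);
  if (status === "vulnerable") findings.push(`version ${versionString} is below the fixed release for its branch`);
  if (status === "unknown-branch") findings.push(`version ${versionString} is not in the table above; check MongoDB's advisory`);
  const net = (parsed && parsed.net) || {};
  // mongod binds to localhost when bindIp is unset, so an absent key is not a finding.
  const bound = String(net.bindIp || "127.0.0.1").split(",").map((s) => s.trim());
  if (net.bindIpAll || bound.includes("0.0.0.0") || bound.includes("::"))
    findings.push("mongod listens on all interfaces; bind to loopback/app-server addresses only");
  const auth = parsed && parsed.security && parsed.security.authorization;
  if (auth !== "enabled") findings.push("security.authorization is not 'enabled'");
  const tlsMode = net.tls && net.tls.mode;
  if (tlsMode !== "requireTLS") findings.push("net.tls.mode is not 'requireTLS' (plaintext client traffic)");
  return { status, findings };
}

// Constructed sample: an unpatched 7.0 node bound to every interface with auth and TLS off.
const SAMPLE_OPTS = { net: { bindIp: "0.0.0.0", port: 27017 }, security: {} };
console.log(JSON.stringify(auditMongod("7.0.14", SAMPLE_OPTS), null, 2));
```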
ManageMyHealth: 1.8 Million Patient Records Breached
• Organization: ManageMyHealth (New Zealand patient portal platform)
• Users Affected: 1.8 million registered users (approximately 36% of New Zealand population)
• Discovery Date: December 30, 2025
• Attack Vector: Unauthorized access to application systems
• Data Exposed: Patient medical records, personal information, health data
• Disclosure: Public notification December 31, 2025
• Prescription requests and renewals
• Appointment booking
• Lab test results access
• Medical history records
• Health condition tracking
• Secure messaging with healthcare providers
• How attackers gained access
• How long attackers had access before detection
• Extent of data exfiltration
• Whether ransomware involved
• Diagnoses and treatment history
• Prescription medications
• Lab test results (blood tests, imaging, pathology)
• Immunization records
• Allergy information
• Chronic condition management data
• Full names, dates of birth
• Addresses, phone numbers
• Email addresses
• National Health Index (NHI) numbers (New Zealand's unique health identifier)
• Healthcare provider information
• Maximum fine: NZ$10,000 per individual affected (approx US$6,000)
• Potential total penalty: Up to NZ$18 billion if Privacy Commissioner pursues maximum penalties
• Class action risk: Affected patients may file civil lawsuits for damages
• Attackers can use stolen medical records to:
  • File fraudulent insurance claims
  • Obtain prescription medications
  • Access healthcare services under victim's identity
  • Sell medical records on dark web ($50-$1,000 per complete medical record)
• Patients with chronic conditions vulnerable to targeted scams
• Pharmaceutical companies, insurance providers may be targeted with stolen data
• Medical research data valuable for competitors
• Review insurance claims and medical bills for unauthorized services
• Check prescription history with pharmacy for unfamiliar medications
• Request copy of medical records to verify accuracy
• Place alert with New Zealand Ministry of Health
• Change ManageMyHealth password immediately
• Enable two-factor authentication if available
• Review connected apps and revoke unnecessary access
• Monitor email for phishing attempts referencing breach
• Stolen NHI numbers and personal information enable identity theft
• Monitor credit reports for new accounts, loans, credit applications
• Consider credit freeze to prevent new account openings
• Expect phishing emails claiming to be from ManageMyHealth, health insurers, government health agencies
• Verify legitimacy before clicking links or providing information
• Healthcare-themed phishing surges after medical data breaches
Other December 2025 Breaches and 2025 Year in Review
• Platform: SoundCloud (music streaming, 175M+ users)
• Discovery: December 2025
• Data exposed: Member data accessed, extent unknown
• Impact: User accounts, email addresses, potentially payment info
• Organization: Inotiv (pharmaceutical research and testing)
• Attack type: Ransomware
• Affected individuals: 9,542 people
• Data exposed: Full names, addresses, dates of birth, Social Security numbers
• Notification: December 2025 disclosure letters sent
• Organization: Condé Nast (publisher of WIRED, Vogue, GQ, Vanity Fair)
• Attack: Attacker claims breach of Condé Nast systems
• Data leaked: WIRED database with 2.3 million subscriber/user records
• Disclosure: December 2025 (claimed by threat actor)
• Organization: Manpower (staffing and recruiting)
• Attack timeline: December 29, 2024 - January 12, 2025 (disclosed Dec 2025)
• Affected individuals: 140,000 employees and job candidates
• Data exposed: Personal information, employment records
• Total breaches 2025: 12,195 confirmed incidents (up 21% from 2024's 10,073)
• Previous record: 2024 with 10,073 breaches
• Absolute increase: 2025 exceeded 2024 by 2,122 breaches
• Daily average: 33 data breaches disclosed per day in 2025
• 2021: 4,145 breaches
• 2022: 6,872 breaches (66% increase)
• 2023: 8,214 breaches (20% increase)
• 2024: 10,073 breaches (23% increase)
• 2025: 12,195 breaches (21% increase)
• Ransomware-as-a-Service (RaaS) platforms lowered entry barrier
• Affiliates conduct attacks, RaaS operators provide infrastructure
• LockBit, BlackCat, ALPHV dominated 2025 ransomware landscape
• One vendor breach = hundreds of customer breaches
• 2025 examples: Salesforce/Gainsight (1,000 orgs), Oracle EBS (100+ orgs), MongoBleed (80,000+ servers)
• Attackers target widely-deployed software for maximum impact
• 60% of breaches involved human element (phishing, stolen credentials, misconfigurations)
• S3 buckets, Azure Blob storage left publicly accessible
• Cloud services default to permissive access unless explicitly locked down
• $8.5M Trust Wallet heist is one of hundreds of crypto thefts in 2025
• Total cryptocurrency stolen 2025: $1.7 billion (estimated)
• Browser extensions, DeFi platform exploits, bridge hacks
• Russia, China, North Korea, Iran conducting aggressive cyber espionage
• Government, defense, critical infrastructure targeted
• Many nation-state breaches disclosed years after compromise
• Ransomware gangs target hospitals for maximum disruption
• HIPAA data valuable on dark web
• Examples: ManageMyHealth (1.8M), Change Healthcare (100M+), Kaiser Permanente (13.4M)
• Banking, investment, payment processors
• Examples: TransUnion (Salesforce breach), Capital One incidents
• Customer payment data, loyalty programs
• Examples: Dooney & Bourke, Dior, Kering (luxury brands)
• SaaS platforms, cloud services
• Ironic: Security vendors breached (Cloudflare, Proofpoint)
• Universities, K-12 school districts
• Examples: Harvard, University of Phoenix, dozens more
• AI-powered attacks: Phishing, deepfakes, automated exploitation
• Quantum computing threat: "Harvest now, decrypt later" attacks on encrypted data
• IoT vulnerabilities: Connected devices with poor security
• 5G network attacks: Expanded attack surface
• Supply chain dependencies: Software supply chain remains high-value target
December 2025 closed the deadliest year for data breaches in recorded history with a trio of devastating incidents that exposed the fragility of digital trust. The Trust Wallet Chrome extension breach—stealing $8.5 million in cryptocurrency on Christmas Eve—demonstrated how automatic software updates can be weaponized to drain user assets in minutes. MongoBleed (CVE-2025-14847) revealed that 80,000+ MongoDB servers remained exposed to the internet, vulnerable to a critical authentication bypass already under active exploitation by ransomware gangs. And ManageMyHealth's compromise of 1.8 million patient records proved that even healthcare platforms serving over one-third of a nation's population can fall victim to unauthorized access.
The common thread: Each December breach succeeded because of preventable security failures. Trust Wallet users had no choice in Chrome's automatic extension updates. MongoDB administrators left database servers internet-accessible without proper network segmentation. ManageMyHealth's application security controls failed to prevent unauthorized access. These weren't sophisticated zero-day exploits requiring nation-state resources—they were exploitation of known attack patterns that continue succeeding because organizations underinvest in basic security hygiene.
2025's 12,195 data breaches represent a 21% increase over 2024's record-breaking total, averaging 33 breach disclosures every single day. This isn't a temporary spike—it's the new baseline. Ransomware gangs have industrialized attacks through RaaS platforms. Supply chain attacks multiply one vendor's vulnerability into hundreds of customer breaches. Cloud misconfigurations expose data to the internet. And cryptocurrency theft has become a billion-dollar criminal industry.
Key Lessons from December 2025:
1. Trust, But Verify—Even Official Software Updates
• Trust Wallet was a legitimate Chrome Web Store extension with millions of installs
• Attackers compromised the update mechanism at the source
• Cryptocurrency users must adopt hardware wallets for significant holdings
• Disable auto-updates for security-critical extensions, manually review changes
2. Internet-Exposed Databases Are Indefensible
• 80,000+ MongoDB servers exposed to internet = 80,000 potential breaches
• No database should be directly accessible from the public internet
• Network segmentation, VPN access, IP whitelisting are non-negotiable
• MongoBleed exploited authentication bypass—even auth-enabled databases were vulnerable
3. Healthcare Data Remains Prime Target
• Medical records worth $50-$1,000 each on dark web (10-100x credit card data value)
• 2,847 healthcare breaches in 2025 (23% of all breaches)
• HIPAA compliance doesn't prevent breaches, only defines notification requirements
• Patient portals process sensitive data but often lack enterprise-grade security
4. Supply Chain Risk is Unmanageable Without Defense-in-Depth
• Trust Wallet, Salesforce/Gainsight, Oracle EBS, MongoBleed—all supply chain attacks
• You can't control vendor security, only mitigate impact when they're breached
• Defense-in-depth: Network segmentation, least privilege, monitoring, backups
• Assume breach mentality: Plan for vendor compromise, not if but when
Immediate Actions for 2026:
For Cryptocurrency Users:
• Migrate significant holdings to hardware wallets (Ledger, Trezor)
• Never store seed phrases digitally (paper backup in secure physical location)
• Use multi-signature wallets requiring multiple approvals for transactions
For MongoDB Users:
• Patch CVE-2025-14847 immediately if running versions 4.4-7.0
• Remove MongoDB from public internet, require VPN/bastion access
• Enable authentication and encryption (shocking how many MongoDB instances run with auth disabled)
• Regular backups to separate infrastructure
For Healthcare Providers:
• If you use patient portals, audit security controls NOW
• Multi-factor authentication mandatory for all access
• Regular penetration testing of patient-facing applications
• Incident response plan specifically for patient data breaches
For Everyone:
• 2026 will surpass 2025's breach total—assume you'll be targeted
• Patch management: 7-day SLA for critical vulnerabilities
• Network segmentation: Isolate sensitive systems from internet
• Backup and recovery: Immutable backups, quarterly restore testing
• Security awareness training: Phishing remains #1 initial access vector
• Cyber insurance: Verify coverage for ransomware, supply chain breaches
As we enter 2026, one truth is undeniable: The breach environment isn't improving, it's accelerating. Organizations that treat cybersecurity as a compliance checkbox will become case studies. Those that embrace defense-in-depth, assume breach mentality, and invest in proactive security will survive.
December 2025 closed the worst breach year in history. Don't let your organization become January 2026's headline breach.