The cyber security world kicked off 2025 with a series of high-profile incidents and vulnerabilities as marketing co-ordinator Abbey Wright discovered. From data breaches to sophisticated malware removal, here’s a breakdown of the month’s most significant stories and what they mean for your organisation.
Scholastic Data Breach Exposes Millions
Over 4 million users had their personal information compromised following a breach at Scholastic, a leading provider of educational books and services. The attackers accessed sensitive customer data, leaving millions of book enthusiasts vulnerable to phishing attacks, identity theft, and other malicious activity.
Key Takeaway: Organisations handling large amounts of customer data must implement robust encryption, regular audits, and thorough incident response plans to mitigate such risks.
FBI Eliminates Chinese Malware from Thousands of Computers
In a bold move, the FBI successfully neutralised malware linked to Chinese hackers on thousands of US-based systems. Using a court-authorised operation, they remotely executed commands to delete the malware.
Key Takeaway: The FBI’s intervention underscores the growing need for collaboration between government agencies and private entities in responding to large-scale cyber threats.
Microsoft Identifies macOS Bug exploited by hackers
A macOS vulnerability was discovered that allows attackers to install malicious system drivers, granting them deep access to compromised systems. Microsoft revealed the flaw and stressed the need for users to update their devices to patch the vulnerability.
Key Takeaway: Always ensure operating systems and applications are up to date to protect against known vulnerabilities.
Apple USB-C Controller Hacked
A security researcher demonstrated a hack on Apple’s ACE3 USB-C controller, exposing risks to Apple devices that rely on the controller for power and data management. While this was a proof-of-concept, it highlights potential vulnerabilities in hardware-based security.
Key Takeaway: Ensure all operating system updates released by Apple, have been applied.
Phishing Scams Target Apple iMessage Users
Phishing texts have been tricking iMessage users into disabling their security protections, leaving them vulnerable to further attacks. These texts often mimic official Apple messages, making them highly convincing.
Key Takeaway: Users should never click on unsolicited links or respond to texts asking for sensitive information. Enabling two-factor authentication and staying vigilant against phishing attempts is crucial.
Backdoored Chrome Extensions Affect Millions
Researchers uncovered 33 malicious Chrome extensions installed on over 2.6 million devices. These extensions, some of which had been compromised through spear-phishing campaigns targeting developers, were used to steal credentials and browsing data.
One notable example is Cyberhaven, a data-protection plugin that fell victim to phishing emails disguised as Chrome Web Store warnings. Attackers leveraged these phishing schemes to inject malicious code into trusted extensions.
Key Takeaway: Regularly review your browser extensions, only install those from verified sources, and pay attention to permissions requested by extensions.
WordPress Vulnerability Exposes 3 million Websites
A high-severity vulnerability (CVSS score: 8.8/10) in the UpdraftPlus plugin has left over 3 million WordPress websites at risk. This exploit could allow unauthenticated attackers to delete files, retrieve sensitive data, or execute malicious code.
The vulnerability requires administrative action to trigger but can be exploited once an attacker uploads the malicious payload. As of January 2025, website owners are urged to update to version 1.24.12 immediately.
Key Takeaway: Website owners should routinely update plugins and themes, monitor admin activity, and use firewalls to limit the impact of potential attacks.
Lessons for 2025
January’s incidents remind us that cyber security is a constantly shifting landscape where threats can emerge from multiple angles, including:
- Supply Chain Vulnerabilities: As seen in the Chrome extension breaches, attackers often exploit trusted platforms to infiltrate users.
- Hardware Weaknesses: Proof-of-concept attacks on devices like Apple’s USB-C controller show the growing need for robust hardware security.
- Persistent Phishing Threats: From iMessage scams to developer-targeted campaigns, phishing remains a top method for attackers.
To stay protected in 2025:
- Regularly update all software, firmware, and hardware.
- Use multi-factor authentication (MFA) wherever possible.
- Educate yourself and your team on spotting phishing attempts.
- Back up critical data frequently and securely.
- Consider following a recognised security standard such as Cyber Essentials. Find out more here
By learning from these events and staying proactive, individuals and organisations can better defend against the ever-evolving threats in the cyber landscape.
If you want to stay up to date on the latest cyber news, follow us on LinkedIn: https://www.linkedin.com/company/20874747/admin/dashboard/
/-3.5042587517567103,%2054.70635734010168,15.5/300X450@2X?access_token=pk.eyJ1Ijoid29tYmF0Y2hyaXMiLCJhIjoiY2pqaGEyd2lzMDQ3ZDN2bWQ4OTBsa2pmayJ9.ksVq6arM13qYhr76pco33w)