Data Breach Roundup (Dec 12 – Dec 18, 2025)
Welcome to Data Breach Roundups, our new weekly series where we highlight notable data breaches we encounter. They're more common than you might think! If you want this weekly digest delivered to your inbox in the future, edit your newsletter settings to subscribe to the new 'Data Breach Roundups' mailing list.
Flaw in photo booth maker’s website exposes customers’ pictures
A researcher discovered photos accessible on the servers of Hama Film, a photo booth maker with a presence in Australia, the UAE, and the US. The article says that Hama Film prints out photos, so users may have no idea that a copy of their photos also gets uploaded to the company's servers. The researcher said the photos do appear to be deleted every 2-3 weeks, but the company has not yet responded to the disclosure in any way.

Home Depot exposed access to internal systems for a year, says researcher
A researcher says that Home Depot exposed access to internal systems for a year after accidentally publishing a private access token online. The leak has been closed, though the researcher's initial disclosure attempts were ignored for "several weeks."

Data breach at credit check giant 700Credit affects at least 5.6 million
700Credit is a company that runs credit checks and identity verification for car dealerships nationwide in the US. Impacted people had their names, addresses, dates of birth, and Social Security numbers exposed.

PornHub extorted after hackers steal Premium member activity data
This was the result of a data breach at a third-party vendor, Mixpanel, which suffered a breach in November 2025 after a successful SMS phishing attack. Pornhub says that this impacted a "limited number" of customers and that it impacted "historical analytics" data from 2021 and earlier. Meanwhile, the cybercriminals claim to have over 200 million records totaling 94 GB, including sensitive data like email address, video URL, location, time of the event, and more.

Askul confirms theft of 740k customer records in ransomware attack
Askul is a Japanese "e-commerce giant" specializing in office supplies and logistics. This breach occurred in October 2025. Askul believes the compromise was the result of an admin account that didn't have 2FA enabled. The company has been very tight-lipped on public details.

SoundCloud confirms breach after member data stolen, VPN access disrupted
For the past several days, SoundCloud has been experiencing problems. Most notably, users on VPNs have reported trouble connecting. We now know this was the result of a cyberattack. SoundCloud says the attacker did manage to breach data, but that this was limited to email addresses and "information already visible on public SoundCloud profiles."

Tech provider for NHS England confirms data breach
Another third-party breach, this one from DXS International, a company that provides unspecified "healthcare tech" for England's National Health Service. NHS has not been forthcoming with details other than the fact that a breach did occur. A ransomware group took credit for the breach and claims to have 300 GB of data.

University of Sydney suffers data breach exposing student and staff info
This attack appears to have impacted a code repository belonging to the university. The article didn't elaborate on what sort of repository it was or why personal data was stored there. Regardless, this impacted the names, dates of birth, phone numbers, home addresses, and job details of over 27,000 individuals of all roles (staff, student, alumni, and "affiliates") between 2010 and 2019.

Coupang data breach traced to ex-employee who retained system access
An update to a story from last week: It has since come to light that the Coupang data breach was the result of a former employee who still had access to Coupang's systems. It's unclear if this was a malicious use of that access or if some third party (such as a cybercriminal) leveraged this access without the ex-employee's knowledge.




