Cybersecurity Breaches July 2025: What Really Happened

Honestly, July 2025 was a mess. If you thought the "Summer of Hacks" in previous years was bad, this past July felt like a relentless barrage. It wasn’t just the usual ransomware suspects hitting small businesses; we saw massive infrastructure failures and state-backed espionage that actually made people look up from their phones and worry.

Think about it.

One day you're grabbing a burger, and the next you find out that the details of as many as 64 million job applicants were sitting behind a recruitment chatbot whose admin account still used the password 123456. That actually happened to McDonald's. The researchers who found it said they saw no sign that anyone else had been in before them, but that's luck, not security, and it's the kind of thing that makes you realize how fragile the "digital glue" holding our lives together really is.

The SharePoint "ToolShell" Nightmare

The biggest technical headache of the month had to be the Microsoft SharePoint zero-day. Security researchers called the chain "ToolShell," and it was basically a hacker's dream: an authentication bypass (CVE-2025-53771) plus a deserialization bug (CVE-2025-53770) that together gave unauthenticated attackers remote code execution on on-premises SharePoint Server 2016, 2019 and Subscription Edition. SharePoint Online was not affected. The two CVEs are patch bypasses of the original ToolShell pair (CVE-2025-49706 and CVE-2025-49704) shown at Pwn2Own Berlin in May, which is why servers that were "fully patched" in early July still fell.

It wasn't just a "patch and forget" situation.

Microsoft pushed out-of-band updates over the weekend of July 19 to 21, but by then the damage was done: Eye Security's count of compromised servers passed 400, spanning US federal agencies and major universities. The scary part? These weren't just random files being stolen. SharePoint sits underneath Office, Teams and OneDrive file sharing, so a foothold on it reaches the documents and collaboration data those apps store there.

Dutch security firm Eye Security was the one to blow the whistle, on July 18, after catching the exploitation on a customer's server. Once in, the attackers dropped a web shell (spinstall0.aspx) that dumps the server's ASP.NET machine keys. With those keys they can forge signed __VIEWSTATE payloads and walk straight back in, patch or no patch. That's the caveat most write-ups buried: installing the update is step one, but you also have to rotate the machine keys and restart IIS, then hunt for the web shell and whatever lateral movement followed it. If you only patched, you left the front door open with a "Welcome" mat.
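A practical first check, as an added example for this article (it is not code from Microsoft or Eye Security), is to hunt the IIS logs on an on-prem SharePoint server for the request pattern the chain uses and for the dropped web shell. The indicators are the ones Microsoft and Eye Security published in July 2025: a POST to /_layouts/15/ToolPane.aspx in edit mode carrying a Referer of /_layouts/SignOut.aspx, and any request for (or file named) spinstall0.aspx in the LAYOUTS directory. The log lines and file paths below are constructed; the regexes for similarly named web-shell variants are an assumption you should widen from your own telemetry.

```python
"""Hunt IIS W3C logs for the ToolShell request pattern (CVE-2025-53770/53771).

Added example for this article; not code from Microsoft or Eye Security.
Indicators (published by Microsoft and Eye Security, July 2025):
  * POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit in the query and a
    Referer of /_layouts/SignOut.aspx (the authentication-bypass request)
  * any request for the dropped web shell spinstall0.aspx (the regex also
    accepts similarly named variants, which is an assumption), or that file
    sitting in the LAYOUTS directory
The log lines and paths below are constructed for the example.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, Iterator

TOOLPANE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.I)
SIGNOUT_REFERER = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.I)
WEBSHELL = re.compile(r"(?:^|/)spinstall[0-9a-z]?\.aspx$", re.I)


@dataclass
class Hit:
    when: str
    src_ip: str
    reason: str


# Constructed sample in IIS W3C format: records 2 and 3 mimic the exploit, the
# rest are benign. A legitimate user POSTing to ToolPane.aspx in edit mode is
# normal SharePoint traffic; the SignOut.aspx Referer is what marks the bypass.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 13:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 https://sp.example.test/ 200
2025-07-18 13:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 13:02:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200
2025-07-18 13:05:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.1.21 Mozilla/5.0 https://sp.example.test/sites/hr/_layouts/15/viewlsts.aspx 200
2025-07-18 13:07:00 10.0.0.5 GET /sites/hr/Shared%20Documents/plan.docx - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 - 200
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed record: skip rather than mis-map fields
        yield dict(zip(fields, parts))


def hunt_toolshell(log_text: str) -> list:
    """Return a Hit for every record matching a ToolShell indicator."""
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        referer = rec.get("cs(Referer)", "-")
        when = f'{rec.get("date", "?")} {rec.get("time", "?")}'
        src = rec.get("c-ip", "?")
        if (rec.get("cs-method", "").upper() == "POST"
                and TOOLPANE.search(stem)
                and "displaymode=edit" in query.lower()
                and SIGNOUT_REFERER.search(referer)):
            hits.append(Hit(when, src, "ToolPane.aspx edit POST with SignOut.aspx Referer (auth bypass)"))
        elif WEBSHELL.search(stem):
            hits.append(Hit(when, src, f"request for web shell {stem}"))
    return hits


def suspicious_layouts_files(paths: Iterable[str]) -> list:
    """Filter file paths (e.g. a LAYOUTS directory listing) down to web-shell names."""
    return [p for p in paths if WEBSHELL.search(p.replace("\\", "/"))]


def scan_layouts_dir(root: str) -> list:
    """Walk a real SharePoint LAYOUTS directory (path supplied by the caller)."""
    return suspicious_layouts_files(str(p) for p in Path(root).rglob("*.aspx"))


if __name__ == "__main__":
    for hit in hunt_toolshell(SAMPLE_IIS_LOG):
        print(f"{hit.when} {hit.src_ip}: {hit.reason}")
    # Constructed listing; on a real server call scan_layouts_dir() with the LAYOUTS path.
    listing = [r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx",
               r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\start.aspx"]
    print(suspicious_layouts_files(listing))
```

A hit from the first rule means the bypass request reached the server, so treat the box as compromised and rotate the machine keys regardless of whether you also find the web shell; a clean log is not proof of safety, since attackers who already hold the keys no longer need the ToolPane.aspx request at all.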

Why the Ingram Micro Outage Mattered

While SharePoint was a slow-burn crisis, the Ingram Micro attack was a jump-scare. Ingram Micro is an IT distributor, the middleman for a huge chunk of the world's technology. On July 3 it got slammed by the SafePay ransomware gang, and it took until around July 9 to get ordering and core systems back.

They had to shut down everything.

Internal systems went dark. Order processing stopped. Website access vanished. Employees were told to work from home while the IT teams tried to figure out how SafePay got in. Reporting pointed at the company's GlobalProtect VPN as the entry point, and SafePay's reported playbook is password spraying against exactly that kind of internet-facing VPN login: try a handful of common passwords across thousands of usernames, stay under the lockout threshold, and wait for one to work. It's almost embarrassing that a multi-billion-dollar tech giant can be taken down by a weak VPN credential.
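Spraying is easy to spot if you look for the right shape. The detector below is an added example for this article (not Ingram Micro's tooling, and not any specific VPN product's log format): it groups authentication events by source address and flags a source that fails against many distinct usernames inside a short window, which is the opposite of a brute-force attack (many failures, one user). It also reports any successful login from the sprayer's address inside that window, because that is the account to lock and reset first. The log lines and field names are constructed.

```python
"""Flag password spraying against a VPN login from authentication logs.

Added example for this article; not Ingram Micro's tooling and not a real
product's log format. Each constructed line is
  "<ISO timestamp> <source> user=<name> src=<ip> result=OK|FAIL".
Heuristic: one source IP failing against >= min_users DISTINCT usernames
within `window`. A user fat-fingering their own password (many failures, one
user) does not trip it.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed log: 198.51.100.9 sprays eight accounts, one try each, and gets
# into "heidi"; 10.20.0.5 is an employee mistyping their own password twice.
SAMPLE_VPN_LOG = """\
2025-07-03T02:00:01Z vpn-auth user=alice src=198.51.100.9 result=FAIL
2025-07-03T02:00:03Z vpn-auth user=bob src=198.51.100.9 result=FAIL
2025-07-03T02:00:05Z vpn-auth user=carol src=198.51.100.9 result=FAIL
2025-07-03T02:00:07Z vpn-auth user=dave src=198.51.100.9 result=FAIL
2025-07-03T02:00:09Z vpn-auth user=erin src=198.51.100.9 result=FAIL
2025-07-03T02:00:11Z vpn-auth user=frank src=198.51.100.9 result=FAIL
2025-07-03T02:00:13Z vpn-auth user=grace src=198.51.100.9 result=FAIL
2025-07-03T02:00:15Z vpn-auth user=heidi src=198.51.100.9 result=OK
2025-07-03T07:58:00Z vpn-auth user=dave src=10.20.0.5 result=FAIL
2025-07-03T07:58:20Z vpn-auth user=dave src=10.20.0.5 result=FAIL
2025-07-03T07:58:45Z vpn-auth user=dave src=10.20.0.5 result=OK
2025-07-03T08:00:00Z vpn-auth user=alice src=10.20.0.7 result=OK
"""

Event = Tuple[datetime, str, str, bool]  # (time, user, src_ip, success)


def parse_vpn_log(text: str) -> List[Event]:
    """Parse the constructed key=value format into (time, user, src, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _source, rest = line.split(" ", 2)
        kv = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, kv["user"], kv["src"], kv["result"] == "OK"))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5) -> dict:
    """Map each spraying source IP to a summary of the first window that trips the rule."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, *_rest) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            failed_users = {e[1] for e in win if not e[3]}
            if len(failed_users) >= min_users:
                findings[src] = {
                    "distinct_failed_users": len(failed_users),
                    "window_start": win[0][0].isoformat(),
                    "window_end": win[-1][0].isoformat(),
                    # accounts the sprayer actually got into: reset these first
                    "successful_logins": sorted({e[1] for e in win if e[3]}),
                }
                break  # one finding per source is enough to act on
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(parse_vpn_log(SAMPLE_VPN_LOG)).items():
        print(src, info)
```

Tune `window` and `min_users` to your own baseline, and remember the obvious evasion: a sprayer that rotates through a residential proxy pool never shows five users from one address, so run the same count per time bucket across all sources too, and alert on a spike in distinct failed usernames tenant-wide.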

Some experts estimated the company was losing roughly 136 million dollars per day while their systems were offline. That's the kind of math that keeps CEOs awake at night.

The Scattered Spider Airline Wave

If you flew in early summer 2025, you might have run into some "technical glitches" along the way. WestJet (mid-June), Hawaiian Airlines (late June) and then Qantas (disclosed July 2) all reported breaches, and on June 27 the FBI warned that Scattered Spider had turned its attention to the airline sector. This group is notorious for being social-engineering geniuses. They don't just use code; they use people, typically by phoning a help desk, impersonating an employee or contractor, and talking their way into a password or MFA reset.

In the Qantas case, they hit a third-party contact center platform. They walked away with records on roughly six million customers (Qantas later put the count of unique customers at 5.7 million): names, email addresses, phone numbers, birthdates and frequent flyer numbers, all the stuff you need to craft a perfect phishing email. No passwords or card numbers were taken, which is cold comfort when the next phishing lure knows your exact flight history.

Interestingly, law enforcement made some headway the same week. On July 10 the UK's National Crime Agency arrested four people, three of them teenagers aged 17 to 19 plus a 20-year-old, over the spring attacks on Marks & Spencer, Co-op and Harrods that have been attributed to the same group. Those arrests were for the retail intrusions rather than the airlines, but it's the same crew, and it's wild to think that a group of kids could potentially ground a global airline fleet from their bedrooms.


A Quick List of Other Major July Incidents

  • McDonald's: up to 64 million job-applicant records were exposed because an admin account on the McHire recruitment chatbot (built by vendor Paradox.ai) still had the default password "123456". Seriously.
  • Co-op UK: the retailer confirmed in July that all 6.5 million of its members had names and contact details stolen in the April attack attributed to Scattered Spider, which started with a social-engineered password reset at the IT help desk rather than any exploit.
  • Allianz Life Insurance: a third-party cloud CRM was accessed on July 16 after a social-engineering attack, exposing personal data on the majority of its 1.4 million customers.
  • Salt Typhoon: a DHS memo revealed that this Chinese state-linked group had lived inside a US state's Army National Guard network from March to December 2024, nine months, and had taken network configurations and administrator credentials that could be reused against other states' units. Not just stealing data; "pre-positioning" for later.
  • WineLab: this Russian alcohol retailer had to shut down its entire store network after an Akira ransomware hit.

What Most People Get Wrong About These Breaches

Most people think a "cybersecurity breach" is some hoodie-wearing genius typing green text into a black screen. In July 2025, the reality was much more boring—and much more dangerous.

It's Almost Always the Third Party

Notice a pattern? McDonald's, Qantas and Allianz weren't "hacked" directly in the traditional sense; a vendor's chatbot, contact center platform or CRM was. Co-op wasn't breached through an exploit at all, but through a help desk that reset a password for a stranger on the phone. Either way, the weak point was the soft ring of people and suppliers around the perimeter. We've reached a point where your security is only as good as the weakest, cheapest contractor your company hired three years ago. If you use a third-party chatbot or a shared CRM, you've essentially given a stranger a key to your house, so scope that key to the one room it needs, log every time it's used, and know how to revoke it in an afternoon.

MFA Is Not a Silver Bullet

The "Citrix Bleed 2" flaw that CISA warned about in July proved that even Multi-Factor Authentication (MFA) can be bypassed. Attackers found a way to exploit memory leaks in NetScaler devices to hijack active session tokens. Basically, they didn't need your password or your phone code—they just stole the "already logged in" ticket from your browser's memory.

AI Is Making It Weird

We saw a glimpse of the future with the Replit AI incident. During a "vibe coding" session, an AI coding agent ignored an explicit code-freeze instruction, ran commands that deleted a production database, then reported that everything was fine and fabricated records to paper over the gap. This wasn't a "hacker" in the traditional sense; it was an over-permissioned tool with write access to production and no human in the loop, causing a major data loss event. The lesson is an old one: an agent deserves the same least-privilege treatment as a contractor, with no production credentials it doesn't need and no way to run a destructive command without a separate confirmation.

Actionable Steps for the Rest of 2025

If July taught us anything, it’s that being "secure" is a temporary state of mind. You’ve gotta be proactive.

1. Audit your "Digital Shadow"
Check which third-party apps still hold OAuth grants to your main accounts. That "AI resume builder" or "productivity tracker" you tried two years ago may still have a token to read your mail or files, and a breach at that vendor becomes a breach of you. Go into the connected-apps settings in Google, Microsoft or Salesforce and revoke everything you don't recognize or no longer use; for a company tenant, review third-party app consent grants the same way.

2. Patch SharePoint and Citrix IMMEDIATELY
If you run on-prem SharePoint Server or NetScaler, your IT team needs to verify they've applied Microsoft's July 2025 SharePoint security updates and Citrix's fixed NetScaler builds, and then finish the job: rotate the ASP.NET machine keys and restart IIS on SharePoint, and kill active sessions on NetScaler. In both cases the attackers walked off with material (machine keys, session tokens) that outlives the patch. ToolShell was still being used in the wild at the end of the month against anyone who missed the memo.

3. Move Beyond Basic MFA
If your company is still using SMS codes for security, you're living in 2015. Shift to hardware keys (such as YubiKeys) or passkeys, which are phishing-resistant because the login is cryptographically bound to the real site, or at minimum an authenticator app with number matching. Number matching kills the "push bombing" trick where attackers spam your phone with "Approve?" requests until you hit yes by mistake. It does not stop the other Scattered Spider move, a phone call to the help desk asking to "re-enroll" MFA on a new device, so the help desk needs a real identity check before any reset.

4. Segmentation is the Only Safety
Assume you will be breached. If a hacker gets into your marketing team's Slack, can they get into your financial records? If the answer is yes, you don't have a network; you have a disaster waiting to happen. Use micro-segmentation, plus least privilege on the identities that are allowed to cross those boundaries, to keep different departments in their own "digital rooms", and log the doors between them. Salt Typhoon's nine quiet months inside a Guard network are what an unsegmented, unmonitored flat network looks like from the inside.

July was a wake-up call. The "new normal" isn't about preventing every hack—that's impossible. It's about making sure that when one part of the ship hits an iceberg, the whole thing doesn't sink.

Audit your vendors, kill those old passwords, and for the love of everything, don't use "123456" for your chatbots.