SOCRadar® Cyber Intelligence Inc. | June 2025: Qantas, 23andMe, Zoomcar, and Coinbase Breaches Lead Impact
Jul 25, 2025
13 Mins Read
Moon

June 2025: Qantas, 23andMe, Zoomcar, and Coinbase Breaches Lead Impact

June 2025 witnessed a wave of impactful cyber incidents spanning government agencies, critical infrastructure, healthcare, and major enterprises.

From ransomware attacks and insider-driven data leaks to dark web re-uploads of past breaches, the month underscored both the persistence of old threats and the growing risks tied to AI, cloud platforms, and geopolitical tensions.

High-profile victims included Qantas, Ahold Delhaize, Zoomcar, and Coinbase, while warnings from U.S. and UK authorities pointed to rising threats from nation-backed actors and credential abuse.

Below is a breakdown of the most significant incidents that shaped the cyber threat landscape through June 2025.

Qantas Data Breach Exposed Personal Information of 6 Million Customers

In an early July disclosure, Australian airline Qantas confirmed that a cyberattack targeting a third-party call center platform exposed the personal data of up to six million customers, making it one of the country’s largest breaches in recent years.

Exfiltrated information includes names, email addresses, phone numbers, birth dates, and frequent flyer numbers. The airline stated that no passwords, PINs, or login credentials were accessed, and there has been no impact on flight operations or safety systems.

The breach occurred after Qantas detected suspicious activity within the external customer service system. Although the responsible threat actor has not been officially identified, security experts noted the breach followed an FBI warning about airline-focused attacks by the Scattered Spider group, which has previously compromised Hawaiian Airlines and WestJet using social engineering tactics.

Qantas is cooperating with national authorities, including the Australian Cyber Security Centre and Federal Police, and continues to investigate the full extent of the exposure.

Incident announcement on Qantas News Room

INC Ransom Attack Exposed Data of 2.2M in Ahold Delhaize Breach

In June 2025, Ahold Delhaize confirmed that a ransomware attack targeting its U.S. operations in November 2024 led to a data breach affecting over 2.2 million individuals.

The cyber incident initially disrupted services across its subsidiaries, including Giant Food, Hannaford, Food Lion, The Giant Company, and Stop & Shop. In April 2025, the INC Ransom group claimed responsibility and published roughly 800 GB of allegedly stolen data on its leak site. The group asserted it had exfiltrated 6 TB in total.

For a deeper look into Inc Ransom’s operations, tactics, and targeting patterns, explore their detailed profile on the SOCRadar blog: “Dark Web Profile: Inc Ransom”.

Subsequent investigation revealed that sensitive personal and employment-related information was compromised. Affected data may include names, contact details, Social Security numbers, driver’s license and passport information, financial account data, and health records. The stolen files primarily consisted of internal employment documents related to current and former personnel of Ahold Delhaize USA companies.

The company notified the Maine Attorney General’s Office of the breach and began alerting impacted individuals. Victims are being offered two years of complimentary identity protection and credit monitoring services. The group’s public release of the stolen files suggests that no ransom was paid.

DHS and U.S. Cyber Agencies Warn of Increased Iranian Cyber Threats

In late June 2025, the U.S. Department of Homeland Security issued a National Terrorism Advisory System bulletin warning of an elevated cyber threat environment linked to ongoing tensions with Iran. The bulletin cited the potential for Iran-backed hackers and pro-Iranian hacktivists to escalate low-level cyberattacks against U.S. networks, particularly in response to the U.S. military strikes on Iranian nuclear facilities.

This follows previous alerts from CISA, the FBI, and allied agencies that identified Iranian threat actors – such as Br0k3r (also tracked as Pioneer Kitten and Lemon Sandstorm) – as initial access brokers exploiting known vulnerabilities and weak credentials in sectors including healthcare, energy, and defense. These actors have employed brute force, password spraying, and MFA fatigue tactics to gain access.

A joint advisory from CISA and U.S. intelligence agencies highlights the heightened risk to critical infrastructure, particularly Defense Industrial Base entities linked to Israeli defense. Threat actors may also deploy ransomware, DDoS attacks, or destructive wipers, often amplifying their activities via Telegram and X.

For a deeper exploration of the Iran-Israel cyber conflict’s ripple effects, visit our blog: “Reflections of the Israel-Iran Conflict in the Cyber World”.

Ransomware Attack on Episource Affected Millions in U.S. Healthcare Sector

Healthcare IT vendor Episource disclosed that a ransomware attack earlier this year led to a data breach impacting 5.4 million individuals, marking the second-largest healthcare data breach reported to the U.S. Department of Health and Human Services in 2025. Episource provides risk adjustment and medical coding services to health plans and providers nationwide.

More details are available in the company’s incident notice.

The company detected suspicious activity on February 6, 2025, and later confirmed that attackers had accessed and exfiltrated data from its systems between January 27 and February 6. Sensitive information compromised in the breach varied by individual and may include names, contact details, Social Security numbers, insurance data, medical record numbers, and treatment information.

Episource began notifying affected entities in April and stated it has since enhanced its cybersecurity defenses and contacted law enforcement. San Diego-based Sharp Healthcare, an Episource client, reported that nearly 27,000 individuals tied to its network were impacted. Neither organization has found evidence of data misuse as of July 2025.

Cock.li Breach Exposed Data of Over 1M Users via Roundcube Vulnerabilities

Privacy-focused email provider Cock.li confirmed that over 1 million user accounts were compromised following a breach tied to vulnerabilities in its legacy Roundcube webmail platform. The attackers exploited CVE-2021-44026, an SQL injection flaw, to exfiltrate sensitive account data including email addresses, login timestamps, language preferences, and serialized user settings.

The breach impacted all Cock.li users since 2016. For a subset of approximately 10,400 accounts, additional data such as contact names, email addresses, vCards, and user-added comments were also exposed. The disclosure followed the removal of Roundcube from Cock.li’s infrastructure in June 2025, prompted by renewed attacks exploiting a separate vulnerability, CVE-2025-49113, which enabled Remote Code Execution (RCE).

While Cock.li did not confirm exploitation of the newer flaw, the provider stated it would permanently deprecate Roundcube due to security concerns and lack of confidence in its long-term reliability.
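The root cause above is the oldest bug class in web applications: user-controlled input concatenated into a SQL string. The following is an added example written for this post (not Roundcube’s code, and the table and rows are constructed, not Cock.li’s schema). It builds an in-memory SQLite database, runs the same lookup once as a string-formatted query and once as a parameterized query, and shows that a single quoted payload dumps every user’s serialized settings from the vulnerable version while the parameterized version returns nothing:

```python
import sqlite3

# Attacker-controlled input. The trailing quote is balanced by the one the
# vulnerable query appends, so the WHERE clause becomes a tautology.
PAYLOAD = "nobody' OR '1'='1"


def setup_db():
    """Constructed stand-in for a webmail user table: one row per account,
    with PHP-style serialized preferences like the data reported stolen."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            user_id     INTEGER PRIMARY KEY,
            username    TEXT NOT NULL,
            mail_host   TEXT NOT NULL,
            preferences TEXT NOT NULL
        );
        INSERT INTO users VALUES (1, 'alice', 'mail.example', 'a:1:{s:8:"language";s:5:"en_US";}');
        INSERT INTO users VALUES (2, 'bob',   'mail.example', 'a:1:{s:8:"language";s:5:"de_DE";}');
        INSERT INTO users VALUES (3, 'carol', 'mail.example', 'a:1:{s:8:"language";s:5:"fr_FR";}');
    """)
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately injectable: the value is pasted into the SQL text."""
    sql = "SELECT user_id, username, preferences FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized: the driver sends the value separately from the statement,
    so quotes and keywords in it are data, never SQL."""
    sql = "SELECT user_id, username, preferences FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = setup_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),  # all three rows leak
        "safe": lookup_safe(conn, PAYLOAD),              # no such username
        "legit": lookup_safe(conn, "alice"),             # normal use still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

The same pattern applies to any driver: the fix is never to escape quotes by hand but to keep the statement and its values on separate channels, and to treat every ORM or helper that accepts raw SQL strings as a place to audit.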

SQL Injection in Roundcube: CVE-2021-44026 (SOCRadar Vulnerability Intelligence)

SOCRadar’s Cyber Threat Intelligence module highlights which CVEs are being exploited in real-world attacks, helping security teams cut through the noise. With enriched context on threat actor usage, campaign links, and exploitation status, it supports smarter vulnerability prioritization and faster response.

Asana MCP Bug Exposed Cross-Tenant Data in AI Integration Flaw

In May 2025, project management platform Asana introduced its Model Context Protocol (MCP) server to enable AI-powered task automation across third-party integrations. However, a logic flaw in the system resulted in a significant data exposure incident, impacting over 1,000 customer organizations.

MCPs let AI agents interact with multiple tools and data sources through one unified interface. SOCRadar’s own MCP Server is now live – learn more.

Discovered on June 4, the vulnerability allowed users from one organization to access project-level metadata, task content, and chatbot-generated responses belonging to other tenants, violating core principles of tenant isolation.

The flaw was not the result of an external attack; it stemmed from inadequate guardrails in the MCP server’s design, where agentic AI connectors received broader access than intended. Depending on integration types, leaked information may have included file uploads, internal discussions, team-level details, and auto-generated summaries.

Asana has privately notified affected customers and recommended reviewing MCP logs and restricting LLM capabilities until the exposure risks are fully mitigated.
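The defect described above is an authorization check that is keyed on the object rather than on the caller’s tenant. The example below is added for this post and is not Asana’s code; the task store, tool names and `Caller` type are constructed to illustrate the point. It shows a minimal MCP-style tool dispatcher in two forms: one that resolves a task by ID alone (so a caller from one organization can read another tenant’s task if it learns or enumerates the ID), and a hardened one that scopes every lookup and search to the caller’s organization and records an audit line for each call:

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Caller:
    """Identity the MCP server derives from the caller's token, not from tool arguments."""
    user_id: str
    org_id: str


class Forbidden(Exception):
    pass


# Constructed multi-tenant task store: two organizations, one task each.
TASKS = {
    "t-100": {"org_id": "org-A", "name": "Q3 roadmap", "notes": "internal to org-A"},
    "t-200": {"org_id": "org-B", "name": "Merger due diligence", "notes": "confidential to org-B"},
}


class VulnerableToolServer:
    """Looks tasks up by ID only; tenant boundary is never checked."""

    def get_task(self, caller: Caller, task_id: str) -> dict:
        task = TASKS.get(task_id)
        if task is None:
            raise KeyError(task_id)
        return task

    def search_tasks(self, caller: Caller, query: str) -> list:
        return [t for t in TASKS.values() if query.lower() in t["name"].lower()]


@dataclass
class HardenedToolServer:
    """Every tool filters on caller.org_id and logs the decision."""
    audit: list = field(default_factory=list)

    def _log(self, caller: Caller, tool: str, target: str, allowed: bool) -> None:
        self.audit.append(f"user={caller.user_id} org={caller.org_id} tool={tool} "
                          f"target={target} allowed={allowed}")

    def get_task(self, caller: Caller, task_id: str) -> dict:
        task = TASKS.get(task_id)
        # Same failure for "missing" and "belongs to another tenant", so the
        # response does not reveal which foreign IDs exist.
        allowed = task is not None and task["org_id"] == caller.org_id
        self._log(caller, "get_task", task_id, allowed)
        if not allowed:
            raise Forbidden(f"{caller.user_id} may not read {task_id}")
        return task

    def search_tasks(self, caller: Caller, query: str) -> list:
        hits = [t for t in TASKS.values()
                if t["org_id"] == caller.org_id and query.lower() in t["name"].lower()]
        self._log(caller, "search_tasks", query, True)
        return hits


def demo():
    outsider = Caller(user_id="u-7", org_id="org-A")
    vuln, hard = VulnerableToolServer(), HardenedToolServer()
    cross_tenant_leak = vuln.get_task(outsider, "t-200")["name"]      # org-B data returned
    try:
        hard.get_task(outsider, "t-200")
        blocked = False
    except Forbidden:
        blocked = True
    own = hard.get_task(outsider, "t-100")["name"]
    return {
        "leak": cross_tenant_leak,
        "blocked": blocked,
        "own": own,
        "search": [t["name"] for t in hard.search_tasks(outsider, "m")],  # 'roadmap' only
        "audit_entries": len(hard.audit),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth copying: the tenant comes from the authenticated session, never from an argument the model or the client can supply, and the audit list is what a customer following Asana’s advice to "review MCP logs" would actually be reading, so record the decision, not just the request.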

23andMe Fined £2.31M After Credential Stuffing Breach Exposed Data of 6.9M Users

The UK Information Commissioner’s Office (ICO) fined genetic testing firm 23andMe £2.31 million following a 2023 credential stuffing attack that exposed personal data from nearly 6.9 million individuals. The breach allowed threat actors to access 14,000 user accounts using previously leaked credentials, and through those, view linked genetic profile data, including family trees and health-related information.

23andMe fined £2.31M after 2023 breach exposed sensitive data of 6.9M users via credential stuffing attack. (Image Source)

While no DNA files were accessed, the exposed data included names, locations, ethnicity, profile photos, and health insights, impacting over 155,000 UK residents. The ICO ruled that 23andMe failed to implement adequate safeguards, such as Multi-Factor Authentication (MFA) and strong password policies, which are critical when handling special category data like genetic information.
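The 23andMe case and the Iranian initial-access activity described earlier share a telemetry signature: one source trying many accounts (credential stuffing and password spraying look the same from the authentication log, the difference is where the guesses come from), and a burst of MFA push prompts against one user until something is approved. The detector below is an added example written for this post, not a SOCRadar product feature; the log format and the sample lines are constructed, and the thresholds are starting points to tune. It parses authentication events, flags source IPs that touch many distinct accounts in a short window, and flags accounts that receive a burst of push prompts with an approval after earlier denials:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). One line per event.
SAMPLE_LOG = """\
2025-06-10T02:14:05Z login_failure user=alice src=203.0.113.7
2025-06-10T02:14:09Z login_failure user=bob src=203.0.113.7
2025-06-10T02:14:13Z login_failure user=carol src=203.0.113.7
2025-06-10T02:14:18Z login_failure user=dave src=203.0.113.7
2025-06-10T02:14:22Z login_success user=erin src=203.0.113.7
2025-06-10T08:00:01Z login_failure user=frank src=198.51.100.4
2025-06-10T08:00:30Z login_success user=frank src=198.51.100.4
2025-06-10T09:30:00Z mfa_push user=erin src=203.0.113.7 result=denied
2025-06-10T09:30:40Z mfa_push user=erin src=203.0.113.7 result=denied
2025-06-10T09:31:15Z mfa_push user=erin src=203.0.113.7 result=timeout
2025-06-10T09:32:02Z mfa_push user=erin src=203.0.113.7 result=approved
2025-06-10T11:00:00Z mfa_push user=frank src=198.51.100.4 result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: result=(?P<result>\w+))?$"
)


def parse(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_one_to_many(events, min_users=4, window=timedelta(minutes=30)):
    """Flag a source that tries >= min_users distinct accounts inside `window`.
    Password spraying and credential stuffing both produce this shape."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] in ("login_failure", "login_success"):
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in win}
            if len(users) >= min_users:
                hits[src] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    # Any success inside the window is the account to lock and investigate.
                    "successes": sorted(e["user"] for e in win if e["event"] == "login_success"),
                }
                break
    return hits


def detect_mfa_fatigue(events, min_prompts=4, window=timedelta(minutes=10)):
    """Flag an account that gets >= min_prompts push prompts inside `window`,
    and note whether one was approved after earlier denials/timeouts."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if len(win) < min_prompts:
                continue
            seen_bad = approved_after = False
            for e in win:
                if e["result"] in ("denied", "timeout"):
                    seen_bad = True
                elif e["result"] == "approved" and seen_bad:
                    approved_after = True
            hits[user] = {"prompts": len(win), "approved_after_denials": approved_after}
            break
    return hits


def run(log_text=SAMPLE_LOG):
    events = parse(log_text.splitlines())
    return detect_one_to_many(events), detect_mfa_fatigue(events)


if __name__ == "__main__":
    spray, fatigue = run()
    print("one-to-many sources:", spray)
    print("mfa fatigue accounts:", fatigue)
```

On the sample the first detector reports 203.0.113.7 touching five accounts in seventeen seconds with one success, and the second reports erin approving a push after three failed prompts from the same source, which is exactly the pair of signals that turns a credential-stuffing hit into a compromised session. Number-matching or phishing-resistant MFA removes the second signal entirely; an account that cannot be stuffed because MFA is enforced is the control the ICO faulted 23andMe for lacking.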

The company, which filed for bankruptcy and is now set to be sold to TTAM Research Institute, claimed it remediated security flaws by late 2024. The new owner has made binding commitments to enhance data protection and privacy practices moving forward. Regulators in both the UK and Canada continue to stress the need for heightened security standards for firms handling sensitive health and genetic data.

Zoomcar Breach Exposed Data of 8.4 Million Users

Indian car-sharing platform Zoomcar disclosed a data breach affecting at least 8.4 million customers, involving unauthorized access to names, phone numbers, and vehicle registration details.

Zoomcar breach exposed data of 8.4M users, including names and car details.

The company detected the intrusion on June 9, 2025, after employees received outreach from a threat actor claiming access to internal systems. The breach was detailed in a regulatory filing with the U.S. Securities and Exchange Commission (SEC).

Zoomcar stated there is no evidence that sensitive data such as financial information or plaintext passwords were compromised. In response, the company activated its incident response procedures, engaged external cybersecurity experts, and implemented enhanced security controls, including increased monitoring and cloud infrastructure protections.

Operating across 99 cities in India and select international markets, Zoomcar claims over 10 million users. Despite the breach, the company reported no operational disruptions and continued to cooperate with regulators and law enforcement.

AT&T Customer Data Re-Leaked with Decrypted SSNs and Birthdates

A threat actor has re-released data from AT&T’s 2021 breach, this time combining and decrypting fields to link Social Security numbers (SSNs) and birth dates directly to individual users. The repackaged dataset was shared on a Russian hacking forum and includes over 86 million unique records, with 48.9 million unique phone numbers tied to customer information.

The data stems from a 2021 breach attributed to ShinyHunters, who initially attempted to sell the dataset. While AT&T first denied the breach, it later confirmed the incident affected approximately 73 million customers. In 2024, another threat actor leaked the full data set for free, and the current re-release appears to be a cleaned version of that, with internal AT&T fields removed and sensitive fields decrypted.

SOCRadar alerted customers via its Dark Web News feature when AT&T records from the 2021 breach were shared on a hacker forum in May 2025.

Despite forum claims linking the leak to the Snowflake breach, AT&T stated the data likely originates from the older incident. While no new breach occurred, the restructured leak significantly heightens exposure risks by directly correlating personal identifiers, raising concerns over identity theft and fraud.

Coinbase Breach Tied to Insider Abuse at TaskUs India Office

Coinbase disclosed in a May 2025 SEC filing that a customer data breach may cost up to $400 million, with new reporting linking part of the incident to insider activity at outsourcing partner TaskUs.

According to multiple former TaskUs employees, the breach traces back to January 2025, when an India-based support agent in Indore was caught photographing customer data from her workstation using a personal phone. The employee, along with an alleged accomplice, reportedly leaked Coinbase customer data in exchange for bribes.

Coinbase breach linked to TaskUs insider data theft; over 200 staff dismissed after $400M exposure traced to January 2025.

Sources say that the cryptocurrency exchange was notified of the breach at the time, and that over 200 TaskUs staff were later dismissed in connection with the incident. The breach was publicly acknowledged by Coinbase only after it received an extortion threat on May 11, prompting a wider investigation. While the company stated that overseas contractors had accessed internal data without authorization, it did not specify TaskUs in the initial disclosure.

Both Coinbase and TaskUs have since cut ties with the implicated personnel. TaskUs characterized the event as part of a broader, coordinated campaign impacting multiple providers linked to the client.

SOCRadar’s Dark Web Monitoring

SOCRadar’s Dark Web Monitoring delivers timely alerts on hacker chatter, leaked data, and malicious activity tied to your organization, partners, or sector. Get visibility where threats emerge first. Track:

  • Ransomware group leaks and extortion campaigns
  • Data dumps mentioning your domains or IPs
  • Threat actor movements across forums and channels