This Week in Cybersecurity - June 20, 2025

This week in cybersecurity, we’re seeing a troubling pattern: progress in some areas, but persistent—and even growing—threats in others. From a record-breaking 16 billion passwords leaking online to misconfigured cloud storage buckets still exposing sensitive data, the risks to businesses remain high. Meanwhile, industry leaders are pushing back on rigid cybersecurity reporting rules that may be doing more harm than good. Here’s what you need to know to stay ahead.

Top News This Week

16 Billion Passwords Leaked: The Largest Breach Yet and What You Must Do Now

A massive data breach has exposed 16 billion login credentials, making it the largest leak of its kind. The data, sourced mainly from infostealer malware, includes access to platforms like Google, Facebook, and Apple. The leak spans 30+ datasets, many of which are recent and weaponizable. While there's no centralized breach, the data enables identity theft, phishing, and account takeovers.

Takeaway: If you haven’t already—change your passwords, enable multi-factor authentication, and use a password manager. Even if your account wasn't directly hit, the risk of exploitation is higher than ever.

(Cybernews)

Cloud Leaks Persist: Sensitive Data Still Exposed Despite Security Gains

Tenable’s latest report reveals that nearly 1 in 10 publicly accessible cloud storage buckets still expose sensitive data, even as overall cloud security improves. AWS had the highest percentage of exposed sensitive data compared to Google and Microsoft. While “toxic cloud trilogies” — public, vulnerable, and privileged cloud instances — are decreasing, they remain a major security risk, especially on AWS where user data often contains secrets that attackers could exploit.

Takeaway: Even with progress, misconfigured cloud buckets remain a serious threat. Organizations must regularly audit permissions, sanitize environment variables, and eliminate overly privileged, exposed instances to reduce breach risks.

(Cybersecurity Dive)

Congress Proposes New Healthcare Cybersecurity Bill Amid Rising Attacks

The National Association of Manufacturers (NAM) is urging the SEC to revise its 2023 cybersecurity disclosure rule, particularly the four-day mandatory reporting requirement for cyber incidents. NAM argues this rigid timeline hinders investigations, aids attackers, increases business costs, and risks misleading investors. Instead, they support a principles-based, flexible disclosure approach that allows companies to delay reporting when needed for national security or law enforcement coordination.

Takeaway: Cybersecurity incident reporting needs flexibility. Rigid timelines may do more harm than good—potentially undermining investigations and putting businesses and shareholders at greater risk.

(NAM)

Cyber Tip of the Week

Don’t trust your cloud settings by default. Regularly audit your cloud storage permissions and environment variables—misconfigurations are still a leading cause of data exposure.

Stat of the Week

16 billion passwords were exposed in the largest known data breach to date, according to Cybernews—highlighting the critical importance of strong, unique passwords and multi-factor authentication.

Final Thoughts

This week’s headlines make one thing clear: even as cybersecurity tools improve, the risks are evolving just as fast. Whether it's leaky cloud storage, massive password leaks, or confusing regulatory pressures, organizations must stay agile. Layered defenses, clear response protocols, and smarter user practices aren’t just nice to have—they’re essential for survival in today’s threat landscape.

Until next week—stay sharp and stay secure.

Have questions about your cybersecurity posture? Let’s talk.