Every year, cybercriminals find new ways to steal money and data from businesses. Breaching a business network, extracting sensitive data, and selling it on the dark web has become a reliable payday.
But in 2025, the data breaches that affected small and medium-sized businesses (SMBs) challenged our perceived wisdom about exactly which types of businesses cybercriminals are targeting.
This article will outline the learnings from key data breaches in 2025 as well as the most effective ways for SMBs to protect themselves in the coming year.
Examining the 2025 data breaches
Prior to 2025, large businesses were popular targets for hackers because of their large pools of resources. It was assumed that smaller businesses simply weren’t as vulnerable to cyberattacks because there was less value in attacking them.
But new security research from the Data Breach Observatory shows that’s changing: Small- and medium-sized businesses (SMBs) are now more likely to become a target. This change in tactic has been caused by large businesses investing in their cybersecurity and also refusing to pay ransoms. Cybercriminals are less likely to extract anything of value by attacking these businesses, so instead they’re turning to attacking smaller businesses.
While the payday may be smaller when attacking SMBs, by increasing the volume of attacks, cybercriminals can make up the shortfall. Smaller businesses have fewer resources to protect their networks and thus have become more reliable targets. Four in five small businesses have suffered a recent data breach.
By examining some of these data breaches and the companies they affected, a pattern emerges, and failings can be identified. Here are three key SMB data breaches from 2025:
- Tracelo — More than 1.4 million records stolen from this American mobile geolocating business appeared on the dark web following an attack from a hacker known as Satanic. Customer names, addresses, phone numbers, email addresses, and passwords were all made available for sale.
- PhoneMondo — This German telecommunications company was infiltrated by hackers and had more than 10.5+ million records stolen and posted online. Customer names, dates of birth, addresses, phone numbers, email addresses, usernames, passwords, and IBANs all made it onto the dark work.
- SkilloVilla — The 60-person team behind this Indian edtech platform wasn’t able to protect the extensive customer data collected by the platform, and more than 33 million records were leaked on the dark web. Customer names, addresses, phone numbers, and email addresses have all been spotted online.
What can we learn?
Looking at these particular breaches and taking into account the wider data breach landscape, we can identify trends that shaped 2025:
- SMBs were the number one target for hackers in 2025, accounting for 70.5% of the data breaches identified in the Data Breach Observatory. This means that companies between 1 and 249 employees were the most vulnerable to cybersecurity breaches throughout the year.
- Retail, tech, and media/entertainment businesses were targeted most frequently.
- Names and contact information are the most common records to appear on the dark web, increasing the risk of phishing attacks targeting workers. Names and emails appeared in 9 out of 10 data breaches.
With these trends in mind, it’s likely that hackers will continue targeting SMBs in the new year. If your organization falls into this category, your risk of a data breach could be higher.
It’s not inevitable, however. By considering your business’s sensitive data, how it’s stored, and what you use to protect it, you can secure your organization.
How to avoid data breaches in 2026
Avoiding a data breach doesn’t have to be costly or complicated, as long as your business takes the right approach and finds the right tools.
Employ two-factor authentication
If all it takes to gain access to one of your business tools is a username and a password, your network is significantly easier to breach. Two-factor authentication (2FA) makes it harder for unauthorized individuals to gain access.
By introducing a secondary authentication method, such as an OTP code, security key, or biometric login, authentication and authorization take less time for your system, as well as increasing the barrier to entry.
Secure access control to your network
The principle of least privilege is a method used to decide who has access to what business tools and data. It dictates that any given team member should have access to strictly the necessary information they need to perform their role and nothing else. This approach to access control protects your organization by reducing the number of entry points into your network.
When access has been granted to strictly necessary team members, that access needs to be secured with good password hygiene. This includes creating strong passwords, not reusing passwords for multiple accounts, and ensuring that your business is notified if any of your data appears on the dark web. Strong and enforceable password policies support good password hygiene, and you can ensure that the dark web is regularly scanned for business data with a tool or service such as a password manager.
Store sensitive data securely
Leaked passwords and email addresses contribute to the risk that your employees will be targeted by phishing attacks or have their accounts compromised. Even a single compromised account can lead to a data breach.
Create a single, secure repository for every business credential by adopting a secure business password manager. With a password manager, every team member can safely generate strong passwords that meet your business’s password policy, autofill them on frequently visited websites and apps, and securely share credentials when needed. This secures all of these vital entry points into your business network.
