Token Factory: The 5 Costliest US Breaches of 2025
2025’s priciest breaches weren’t “elite malware.” They were tokens + SaaS + downtime 🪙⏱️🔥 If your revoke MTTR is measured in days, the attackers already won.
TL;DR
- Identity-led intrusions into SaaS/cloud and MSPs drove the largest 2025 losses.
- SEC 8-Ks and regulatory notices show nine-figure direct costs plus systemic ripple effects.
- Downtime and token revocation delays materially amplified economic impact.
- Vendor off-ramps, consent governance, and JIT admin separated resilient organizations from the rest.
- Clear ATT&CK mapping highlights phishing, valid accounts, and data theft as common threads.
AlphaHunt
Top Incidents Ranked by Estimated Economic Impact (USD)
| Rank | Organization | Incident Window | Estimated Impact (Downtime vs. Breach Costs) | Primary Sources | Corroboration |
|---|---|---|---|---|---|
| 1 | Ingram Micro | 2025-07 | $350M–$550M (downtime $250M–$400M; breach/IR $100M–$150M) | SEC 8-K and press release | TechCrunch reporting |
| 2 | Conduent (state services) | 2025-01 → 2025-11 | $150M–$300M (downtime $75M–$150M; breach $75M–$150M) | TechCrunch coverage; breach cost disclosure | HIPAA Journal estimate and follow-ups |
| 3 | Kettering Health | 2025-05 | $80M–$150M (downtime $50M–$90M; breach $30M–$60M) | CNN report of system-wide outage | Sector analyses and litigation summaries |
| 4 | UnitedHealth/Change Healthcare (2025 continuing costs) | 2025-05–07 disclosures | $50M–$100M incremental 2025 impacts (2024 breach residuals) | NYT, Reuters on 2025 financial/operational effects | Legal/industry analyses |
| 5 | Additional large US enterprise outages (2025, SEC-reported) | 2025 | $40M–$80M each (range) | SEC 8-K filings | Trade press corroboration |
Notes: Ranges are derived from disclosed or reported operational outages, service restorations, and publicly stated/estimated breach-related expenses where available. Where precise figures are absent, we present a conservative, source-bounded bracket.