Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:28):
And welcome to Technology Tap.
I'm Professor J Rod.
In this episode of Top Ten Hacks of 2025, let's tap in the UK.
(01:09):
Hi, for those of you who don't know me, I'm Professor J Rod, and I'm a professor of cybersecurity, and I love teaching my students how to pass the A Plus, Network Plus, and Security Plus exams.
Every now and then I tap into something that's a little different, usually the history of technology or something related to technology.
(01:30):
But in this episode, we're gonna do the top 10 hacks of 2025.
We're gonna do it a little bit differently.
I'm not going to tell you the name of the company.
You know, maybe they don't want, you know, this out there if they don't know.
(01:50):
And it also could be an education: if you've got any educators, you can have your students listen to it and then they can write who they think the company is.
You know, they can do some research.
So it's a teachable moment.
I'm gonna do this in two parts.
Today is gonna be from number 10 to number 6, and then the following episode is gonna be from number 5 to number 1.
(02:12):
Before we start, if you want to follow me, I'm on Instagram at Professor Jrod.
If you want to follow me on TikTok, I'm there at Professor Jrod.
I'm on Facebook, Technology Tap Podcast.
I'm also on YouTube, Technology Tap Podcast.
And if you want to buy me a cup of coffee to keep this going, it's buy me a cup of coffee dot com slash professor jrod.
(02:34):
And that's J R O D.
And you could also email me at professorjrod at gmail.com.
All right, before we even talk about hacks, I need you to reset how you're thinking about cybersecurity for a second.
Because if you're picturing hackers in hoodies, typing fast, breaking into systems, that's already outdated.
(02:56):
And that matters, especially if you're a student, especially if you're studying for A Plus, Network Plus, or Security Plus.
Or if you're already working in IT and think, yeah, that won't happen the way I work.
2025 proved something very uncomfortable.
(03:17):
Most of the biggest breaches did not involve advanced hacking, they involved systems doing exactly what they were configured to do.
And if you remember nothing else from this episode, remember this line.
I'm going to come back to it a lot.
Attackers in 2025 didn't break security, they operated inside it.
Now keep that in the back of your mind because every hack we talk about follows that pattern.
Here's how today's episode works.
I'm going to walk you through the top 10 hacks of 2025.
(03:40):
Not headlines, not sound bites, but how they actually happened.
As we go, I want you to do something quietly in your head.
I want you to ask, will this work the way I work?
Not could this happen.
But will our policies, our training, and our systems actually stop this?
Alright, let's start with number 10.
(04:02):
This one is dangerous because it feels boring.
No malware, no phishing email, no suspicious link, just a phone call.
It happened late morning and the details matter.
Late morning is when people are busy, but not rushed enough to panic.
A finance employee picks up the phone.
Caller ID shows an internal number.
(04:23):
Already the brain relaxes a little.
The voice on the other end sounds familiar.
Not dramatic, not urgent, just confident.
"Hey, I need you to push through a transfer. Legal already reviewed it, I'll take responsibility."
Now pause right there.
This is where in class I stop and ask, what security control was just bypassed?
(04:44):
And the answer is none, because this wasn't a technical attack.
This was a trust attack.
Let me say this slowly because this is one of the biggest lessons of 2025.
Security training spent years telling people don't click links.
It did not train people to say, let me challenge authority, and that's the gap.
(05:05):
By 2025, AI voice cloning didn't need to be perfect, it just needed to be believable.
A few minutes of public audio, some internal language patterns, a calm delivery, and suddenly the attacker isn't guessing passwords, they're borrowing identity.
Now, here's the scary part.
From the system's point of view, nothing went wrong.
(05:27):
Legitimate user, legitimate request, legitimate process.
No alerts fired, no logs looked suspicious.
And that's when the organization starts realizing: if your security depends on humans just knowing, you don't actually have security.
Remember earlier when I said attackers in 2025 didn't break in?
That's what I meant.
(05:48):
They didn't fight security controls, they used them correctly.
And once you see that pattern, you start seeing it everywhere.
Which brings us to hack number nine.
And this one surprised a lot of people.
Let me ask you a question.
When was the last time your cybersecurity team audited the HVAC system?
Exactly.
This is where the attackers went.
(06:14):
Alright, before I go further, let me ask you something.
And I want an answer, and I want you to answer it honestly, even if it's in your head.
Who manages security for your building systems?
Not the servers, not the laptops, the building: the badge readers, the doors, the elevators, the HVAC.
(06:35):
Because this is where a lot of organizations get very comfortable very fast.
This didn't begin with alarms going off.
It never does.
It started with a facility manager noticing the temperature felt wrong.
The dashboard said everything was fine, but people were complaining.
That's important.
(06:56):
Because in modern environments, what you feel and what the systems report don't always match.
Then a badge reader failed.
Not all of them, just one side entrance.
Someone shrugged it off.
Probably a glitch.
And this is where I want you to notice something about human behavior.
When technology fails partially, we assume it's broken.
When it fails completely, we assume it's under attack.
(07:17):
Partial failure buys attackers time.
Let me slow this down.
In your CompTIA brain, especially if you're Network Plus or Security Plus, what's the first thing we ask during troubleshooting?
Is it isolated or widespread?
Attackers love isolated because isolated doesn't trigger escalation.
(07:38):
By mid morning, IT was looped in.
They checked network connectivity, authentication servers, badge system logs.
Everything looked normal.
That's the word that keeps coming up.
Normal.
(08:00):
But elevators weren't responding to floor requests, conference rooms couldn't unlock, and then facilities did something critical.
They logged into the vendor portal.
Not an internal server, a cloud dashboard.
And that's when they saw it.
Configuration changes made overnight.
From an IP address no one recognized.
Now here's the part everybody hates hearing.
(08:21):
They didn't bypass the firewall.
They logged in using credentials that had been sent by the vendor, shared with contractors, never rotated, never monitored.
And here's the quiet failure.
Those credentials worked everywhere.
HVAC, badge access, elevators, lighting.
(08:42):
Why?
Because the building was designed for convenience, not defense.
Let me say this clearly because this shows up on exams and in real life.
If a system has an IP address, it is part of your attack surface.
Facility systems get ignored because they feel physical, but they're not.
(09:03):
They're computers that control physical things.
And the attackers figured out something in 2025 that changed the game.
You don't have to steal data to win, you just have to stop work.
The ransom note didn't threaten leaks, it didn't mention files.
It simply said payment restores access.
(09:24):
And suddenly leadership understood the leverage.
You can operate without email.
You can operate without doors.
This wasn't ransomware as we knew it.
This was physical denial of service.
Remember hack 10?
The voice call?
That worked because people trusted authority.
This works because organizations trusted vendors.
(09:46):
Different target, same weakness.
Unquestioned trust.
Let me be blunt here, and this is the professor talking.
Security teams didn't miss this because they were bad.
They missed it because this wasn't even considered their problem.
No SOC dashboard monitored the building telemetry.
(10:07):
No SIEM correlated HVAC logins.
No alerts existed for badge system configuration changes.
Because no one thought attackers would go there.
In 2025, attackers went where defenders weren't looking.
(10:28):
If I turned this into a CompTIA question, it wouldn't ask what malware was used.
It would ask which system was most vulnerable to the lack of monitoring and segmentation.
And the answer wouldn't be the server, it would be the building.
Now here's where the episode starts getting uncomfortable.
Because once attackers realized they could control spaces, they start asking a bigger question.
(10:50):
What other trusted places do people stop paying attention to?
And that's when they found the quietest targets of all.
(11:21):
And that feeling, that assumption, is exactly what made them dangerous in 2025.
When people talk about cybersecurity risk, libraries never come up.
Banks come up, hospitals come up, schools come up, libraries don't.
Because in our heads, libraries are about books.
But in reality, libraries are about identity.
(11:42):
They verify residency, they issue library cards tied to personal data, they provide access to job portals, government services, student systems, public computers.
And here's the key thing, and learn from this.
Libraries sit at an intersection of multiple systems without owning any of them.
(12:04):
That makes them perfect pivot points.
This breach didn't begin with a dramatic attack.
It began with outdated software.
A library management system that had been running just fine for years.
But it hadn't been patched.
Why?
Because it wasn't considered critical.
And attackers love the phrase "not critical."
(12:27):
They didn't rush, they didn't drop ransomware, they logged in, they explored, they learned how the systems talked to other systems, and then they did something very patient.
They stayed quiet.
Let me stop here and say something I tell students every semester.
The most dangerous attackers are the ones who don't rush.
(12:49):
If nothing breaks, no one looks.
If no one looks, no one notices.
And libraries are places where "nothing's broken" is the norm.
The attackers didn't steal books, they didn't deface systems, they started mapping connections, shared credentials between the library system, the city HR portals, and the school district access point.
(13:10):
Because years ago, someone said, let's reuse this account, it's easier.
That sentence has probably caused more breaches than any malware ever written.
Here's what makes this hack especially uncertain.
There were no alarms, traffic volumes looked normal.
Logins came from expected locations.
(13:31):
Why?
Because library systems already see public usage, varied IP addresses, and unpredictable access times.
So nothing stood out.
The attackers blended into the noise.
That's not hacking, that's camouflage.
Remember hack number nine, the building systems?
That worked because no one else was watching.
(13:52):
This works for the same reason, but at a social level.
Libraries are trusted.
Trusted spaces get fewer questions.
Trusted systems get fewer audits.
And the attackers understand trust better than most defenders.
The first sign that something was wrong didn't come from the library, it came from somewhere else.
A city department noticed unusual account behavior.
(14:15):
Then a school district flagged access.
Then HR saw records accessed at odd hours.
Only later did someone connect the dots.
The library wasn't the victim, it was the doorway.
Let me reframe this the way I would do it in class.
This wasn't a failure of encryption, this wasn't a failure of authentication, this was a failure of scope.
(14:39):
Security teams protected what they thought mattered.
Attackers went where security wasn't looking.
If this showed up on an exam, the question wouldn't ask what system was breached.
It would ask which system was most likely exploited due to implicit trust and lack of monitoring.
And the correct answer would be the one everyone ignores.
(15:03):
Attackers don't need the crown jewels if they can get the master key.
Libraries weren't the prize, they were just the access.
And once the attackers proved they could sit quietly inside trusted systems, they asked new questions.
What happens if we don't steal credentials at all?
What happens if we steal sessions?
(15:23):
That's where hack number seven comes in.
Learning management systems, single sign-on, and the day login stopped mattering.
Alright, let me start this with one question I ask my students.
What does authentication actually mean?
Most people answer with something like typing your username and password or using MFA.
(15:46):
And that's not wrong, but it's not complete.
Authentication is not a moment, it's a decision that the system makes.
And in 2025, attackers figured out how to steal the decision after it was made.
From the student's perspective, nothing felt wrong.
(16:06):
They logged into the LMS, the dashboard loaded, assignments were there, grades were there.
From the professor's perspective, same thing.
Courses opened normally, materials were accessible, nothing looked hacked.
And that's the most important detail of the entire hack.
Nothing looked broken because nothing was broken.
(16:29):
Let me slow this down because this is one of the most misunderstood attacks of 2025.
This was not credential theft.
No password was guessed, no MFA prompts were bypassed.
Instead, attackers went after something more powerful.
Sessions.
(16:52):
When you log into the system, the system doesn't want to ask you every five seconds for your username and password.
So it gives you a token.
Think of it like a wristband at a concert.
You show your ID once, and after that, the wristband says, this person has already proven who they are.
(17:14):
And in most systems, that wristband lasts a long time, sometimes hours, sometimes days, sometimes longer than it ever should.
In this case, the attackers didn't go after users, they went after the LMS infrastructure: a third-party plugin, a misconfigured backend service, a system component no one had looked at closely in years.
From there, they accessed memory.
And inside memory, active session tokens.
Hundreds of them, thousands.
(17:35):
And here's the part that makes the security team wince.
Those tokens were valid.
Still trusted, still accepted.
This is where a lot of people get frustrated.
"But we had MFA." Yes.
And MFA did its job once.
After that, the system assumed trust.
The attackers didn't log in, they continued.
(17:58):
And security teams are terrible at detecting continuation.
Let me tell you what the logs looked like.
Valid sessions, normal access patterns, no failed logins, no brute force attempts.
Everything looked legitimate.
Because from the system's point of view, it was.
The attacker wasn't impersonating a person.
(18:19):
They were the users.
Remember the library breach?
How attackers blended into normal traffic?
Same idea.
Noise is camouflage.
If your system already expects students logging in at odd hours, access from multiple locations, and inconsistent behavior, then the abnormal becomes invisible.
(18:40):
The first red flags didn't come from IT, they came from instructors.
Grades changed unexpectedly.
Assignments appeared submitted twice.
Discussion posts showed activity from students who swore they weren't logged in.
And even then the assumption wasn't an attack.
It was probably a system glitch.
That assumption cost weeks.
(19:03):
This hack forced organizations to confront something uncomfortable.
Authentication without continuous validation is fragile.
We build systems that say if you prove who you are once, that's enough.
Attackers say, great, that's all we need.
(19:24):
If this was a CompTIA-style question, it wouldn't ask what attack stole the passwords.
It would ask which weakness allowed attackers to reuse legitimate access without triggering alerts.
And the answer would be over-trusted sessions.
If your systems trust yesterday's login forever, attackers only need yesterday.
Say that again because that's the lesson.
(19:46):
Now, here's where the episode takes a turn.
Because after the attackers learned they didn't need credentials, after they learned they didn't need any malware, they started asking a new question.
What if we don't even pretend to be users?
What if we just talk directly to the system?
That's hack number six: APIs.
(20:07):
And the moment the organizations realized their back ends were more exposed than their front doors.
Alright, let me start this one with something I say all the time in class.
Most attacks don't hit what users see, they hit what users don't see.
And in 2025, that meant APIs.
(20:30):
When organizations think about security, they picture login pages, websites, firewalls, maybe email.
APIs don't usually make that mental list.
They're considered internal.
Behind the scenes, just plumbing.
And that mindset is exactly why this hack worked.
(20:51):
From a customer's point of view, nothing was wrong.
The website loaded, the mobile app worked, prices looked normal, no outages, no errors.
But behind the scenes, something was wrong.
Quietly, relentlessly.
Requests, thousands of them, perfectly formed, exactly the way the system expected.
(21:11):
Let me stop right here and say this slowly.
An API doesn't know intent.
It only knows structure.
If the request is valid, the API answers.
And the attackers understood that better than the defenders.
This part isn't glamorous and that's important.
They didn't scan aggressively.
They didn't brute force.
They opened the mobile app, they watched traffic.
(21:35):
Because every modern app is just a front end talking to an API.
Once you see the endpoints, you start asking questions.
What happens if I call this directly?
What happens if I call it faster?
What happens if I call it a thousand times?
And the system kept answering.
This wasn't about stealing credit cards.
That would trigger alarms.
Instead, attackers went after logic.
(21:57):
Pricing rules, inventory counts, loyalty point balances, coupon behavior.
They mapped the business itself.
And that data, that's gold.
You can resell it, exploit it, undercut competitors.
All without ever breaking in.
Here's the uncomfortable truth.
From a technical standpoint, nothing was wrong.
(22:20):
No malformed requests, no authentication failures, no errors.
Everything looked healthy, and security teams are trained to look for failure, not overuse.
Remember how the session theft blended into normal behavior?
Same pattern here.
(22:42):
If your systems already expect heavy traffic, global access, and unpredictable spikes, then abuse looks like success.
Let me reframe this in plain terms.
This wasn't hacking.
This was automation.
The system did exactly what it was designed to do.
It answered questions over and over without asking why.
(23:05):
If this showed up on an exam, the question wouldn't say what malware was installed.
It would ask what security control was missing that allowed excessive legitimate requests to cause data exposure.
And the answer wouldn't be antivirus.
It would be things like rate limiting, monitoring, behavior analysis, the boring stuff, the stuff no one prioritized.
(23:27):
This breach wasn't discovered by IT, it was discovered by finance.
Margins didn't make sense.
Competitors knew things they shouldn't.
Inventory behavior felt predictable.
Only later did someone trace it back to the API, the quietest part of the system.
APIs don't get hacked, they get used.
(23:50):
Say it again.
Demystify it.
Because once you understand that, you start looking at systems very differently.
Alright, those are hacks 10 through 6 of 2025.
(24:11):
Coming up next, we'll finish the countdown on the next episode, 5 to 1.
And have you guessed which companies are involved in these hacks?
I hope you have.
(25:42):
You can follow me on TikTok at Professor Jrod, J R O D, or you can email me at professorjrod at gmail.com.