Technology Tap: CompTIA Study Guide

Top 10 Hacks in 2025 Part 1

Juan Rodriguez - CompTIA Exam Prep Professor Season 5 Episode 118

professorjrod@gmail.com

What if the scariest hacks of 2025 never looked like hacks at all? We break down five real-world scenarios where attackers didn’t smash locks—they used the keys we handed them. From an AI-cloned voice that sailed through a wire transfer to a building’s HVAC console that quietly held elevators and doors hostage, the common thread is hard to ignore: trust. Trusted voices, trusted vendors, trusted “boring” systems, trusted sessions, and trusted APIs became the most valuable attack surface of the year.

We start with a “boring” phone call that proves how caller ID and confidence can defeat policy when culture doesn’t empower people to challenge authority. Then we step into the mechanical room: cloud dashboards for HVAC and badge readers, vendor-shared credentials, and thin network segmentation made physical denial of service as simple as logging in. The pivot continues somewhere few teams watch—libraries—where an unpatched management system bridged city HR, school portals, and public access with zero alarms, because nothing looked broken.

Authentication takes a hit next. MFA worked, yet attackers won by stealing active LMS session tokens from a neglected component and riding valid access for weeks. No failed logins, no brute force—just continuation that our tools rarely question. Finally, we open the mobile app and watch the traffic. Clean, well-formed API calls mapped pricing rules, loyalty balances, and inventory signals at scale. Not a single malformed request, but plenty of business logic abuse that finance noticed before security did.

If you care about cybersecurity, IT operations, or the CompTIA mindset, the takeaways are clear: shorten trust windows, verify context continuously, rotate and scope vendor access, segment OT from IT, treat libraries and civic tech as real attack surface, bind tokens to devices, and put rate limits and behavior analytics at the heart of your API strategy. Ready to rethink where your defenses are blind? Listen now, share with your team, and tell us which assumption you’ll challenge first. And if this helped, subscribe, leave a review, and pass it on to someone who needs a wake-up call.
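Two of the takeaways above, "bind tokens to devices" and "shorten trust windows", are easy to state and easy to skip in practice. The following Python sketch is an added example written for this page (it is not code from the podcast or from any LMS product): a small in-memory session store that issues a token only after login, ties it to a coarse device fingerprint, and re-checks both the binding and the idle/absolute windows on every request. The timeouts, the `SessionStore` and `FakeClock` helpers, and the client identities are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Trust windows. These numbers are assumptions chosen for the example,
# not values from the episode; tune them to the application's risk.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before re-authentication
ABSOLUTE_LIFETIME = 8 * 3600  # seconds after which a session is never honoured


def device_fingerprint(user_agent: str, client_ip: str) -> str:
    """Coarse device binding: a hash of attributes the client presents on
    every request. A token replayed from a different context will not match."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()


class SessionStore:
    """In-memory session table (hypothetical helper for the example)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so trust windows can be tested
        self._sessions = {}          # token -> session record

    def issue(self, user: str, user_agent: str, client_ip: str) -> str:
        """Called only after MFA succeeds; binds the new token to the device."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {
            "user": user,
            "fingerprint": device_fingerprint(user_agent, client_ip),
            "issued_at": now,
            "last_seen": now,
        }
        return token

    def validate(self, token: str, user_agent: str, client_ip: str):
        """Re-check binding and trust windows on every request.
        Returns (accepted, reason)."""
        sess = self._sessions.get(token)
        if sess is None:
            return False, "unknown token"
        now = self._clock()
        if now - sess["issued_at"] > ABSOLUTE_LIFETIME:
            self._sessions.pop(token)
            return False, "absolute lifetime exceeded; re-authenticate"
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(token)
            return False, "idle timeout; re-authenticate"
        presented = device_fingerprint(user_agent, client_ip)
        if not hmac.compare_digest(presented, sess["fingerprint"]):
            # The token itself is valid, but it arrived from a different
            # device context: treat as possible theft, revoke, and alert.
            self._sessions.pop(token)
            return False, "device binding mismatch; session revoked"
        sess["last_seen"] = now
        return True, "ok"


class FakeClock:
    """Controllable clock so the example can move time forward deterministically."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk through the cases: normal continuation, a replayed token, use of the
    token after revocation, and a session idle past its window. All constructed."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    results = {}

    token = store.issue("student42", "LMS-App/3.1", "203.0.113.10")
    results["same_device"] = store.validate(token, "LMS-App/3.1", "203.0.113.10")
    # Same valid token presented from another client: the stolen-session case.
    results["replayed"] = store.validate(token, "curl/8.0", "198.51.100.7")
    # Once revoked, even the legitimate device must re-authenticate.
    results["after_revoke"] = store.validate(token, "LMS-App/3.1", "203.0.113.10")

    token2 = store.issue("student42", "LMS-App/3.1", "203.0.113.10")
    clock.advance(IDLE_TIMEOUT + 1)
    results["idle"] = store.validate(token2, "LMS-App/3.1", "203.0.113.10")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13} -> {outcome}")
```

The point of the design is that a valid token is no longer sufficient on its own: the server makes a fresh decision on each request using context the client has to present again. A mismatch is treated as a revocation event worth alerting on, because a legitimately issued token showing up from an unexpected device is exactly the "continuation" signal the episode says most tooling never questions.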



Art By Sarah/Desmond
Music by Joakim Karud
Little chacha Productions

Juan Rodriguez can be reached at
TikTok @ProfessorJrod
ProfessorJRod@gmail.com
@Prof_JRod
Instagram ProfessorJRod

SPEAKER_00:

And welcome to Technology Tap. I'm Professor J Rod. In this episode of Top Ten Hacks of 2025, let's tap in. Hi, for those of you who don't know me, I'm Professor J Rod, and I'm a professor of cybersecurity, and I love teaching my students how to pass the A Plus, Network Plus, and Security Plus exams. Every now and then I tap into something that's a little different, usually the history of technology or something related to technology. But in this episode, we're gonna do the top 10 hacks of 2025. We're gonna do it a little bit differently. I'm not going to tell you the name of the company. You know, maybe they don't want this out there if they don't know. And it also could be an education: if you've got any educators, you can have your students listen to it and then they can write who they think the company is. You know, they can do some research. So it's a teachable moment. I'm gonna do this in two parts. Today is gonna be from number 10 to number six, and then the following episode is gonna be from number five to number one. Before we start, if you want to follow me, I'm on Instagram at ProfessorJrod. If you want to follow me on TikTok, there at ProfessorJrod. I'm on Facebook, Technology Tap Podcast. I'm also on YouTube, Technology Tap Podcast. And if you want to buy me a cup of coffee to keep this going, it's buymeacoffee.com slash professorjrod. And that's J R O D. And you could also email me at professorjrod at gmail.com. All right, before we even talk about hacks, I need you to reset how you're thinking about cybersecurity for a second. Because if you're picturing hackers in hoodies, typing fast, breaking into systems, that's already outdated. And that matters, especially if you're a student, especially if you're studying for A Plus, Network Plus, or Security Plus. Or if you're already working in IT and think, yeah, that won't happen the way I work.
2025 proved something very uncomfortable. Most of the biggest breaches did not involve advanced hacking; they involved systems doing exactly what they were configured to do. And if you remember nothing else from this episode, remember this line. I'm going to come back to it a lot. Attackers in 2025 didn't break security, they operated inside it. Now keep that in the back of your mind, because every hack we talk about follows that pattern. Here's how today's episode works. I'm going to walk you through the top 10 hacks of 2025. Not headlines, not sound bites, but how they actually happened. As we go, I want you to do something quietly in your head. I want you to ask, will this work the way I work? Not could this happen, but will our policies, our training, and our systems actually stop this? Alright, let's start with number 10. This one is dangerous because it feels boring. No malware, no phishing email, no suspicious link, just a phone call. It happened late morning, and the details matter. Late morning is when people are busy, but not rushed enough to panic. A finance employee picks up the phone. Caller ID shows an internal number. Already the brain relaxes a little. The voice on the other end sounds familiar. Not dramatic, not urgent, just confident. Hey, I need you to push through a transfer. The eagle already reviewed it, I'll take responsibility. Now pause right there. This is where in class I stop and ask, what security control was just bypassed? And the answer is none, because this wasn't a technical attack. This was a trust attack. Let me say this slowly, because this is one of the biggest lessons of 2025. Security training spent years telling people don't click links. It did not train people to say, let me challenge authority, and that's the gap. By 2025, AI voice cloning didn't need to be perfect, it just needed to be believable.
A few minutes of public audio, some internal language patterns, a calm delivery, and suddenly the attacker isn't guessing passwords, they're borrowing identity. Now, here's the scary part. From the assistant's point of view, nothing went wrong. Legitimate user, legitimate request, legitimate process. No alerts fired, no logs looked suspicious. And that's when the organization starts realizing: if your security depends on humans just knowing, you don't actually have security. Remember earlier when I said attackers in 2025 didn't break in? That's what I meant. They didn't fight security controls, they used them correctly. And once you see that pattern, you start seeing it everywhere. Which brings us to hack number nine. And this one surprised a lot of people. Let me ask you a question. When was the last time your cybersecurity team audited the HVAC system? Exactly. This is where the attackers went. Alright, before I go further, let me ask you something. And I want an answer, and I want you to answer it honestly, even if it's in your head. Who manages security for your building systems? Not the server, not the laptop, the building: the badge readers, the doors, the elevators, the HVAC. Because this is where a lot of organizations get very comfortable very fast. This didn't begin with alarms going off. It never does. It started with a facility manager noticing the temperature felt wrong. The dashboard said everything was fine, but people were complaining. That's important. Because in modern environments, what you feel and what the systems report don't always match. Then a badge reader failed. Not all of them, just one side entrance. Someone shrugged it off. Probably a glitch. And this is where I want you to notice something about human behavior. When technology fails partially, we assume it's broken. When it fails completely, we assume it's under attack. Partial failure buys attackers time. Let me slow this down.
In your CompTIA brain, especially if you're Network Plus or Security Plus, what's the first thing we ask during troubleshooting? Is it isolated or widespread? Attackers love isolated, because isolated doesn't trigger escalation. By mid morning, IT was looped in. They checked network connectivity, authentication servers, badge system logs. Everything looked normal. That's the word that keeps coming up. Normal. But elevators weren't responding to floor requests, conference rooms couldn't unlock, and then facilities did something critical. They logged into the vendor portal. Not an internal server, a cloud dashboard. And that's when they saw it. Configuration changes made overnight. From an IP address no one recognized. Now here's the part everybody hates hearing. They didn't bypass the firewall. They logged in using credentials that had been sent by the vendor, shared with contractors, never rotated, never monitored. And here's the quiet failure. Those credentials worked everywhere. HVAC, badge access, elevators, lighting. Why? Because the building was designed for convenience, not defense. Let me say this clearly, because this shows up on exams and in real life. If a system has an IP address, it is part of your attack surface. Facility systems get ignored because they feel physical, but they're not. They're computers that control physical things. And the attackers figured out something in 2025 that changed the game. You don't have to steal data to win, you just have to stop work. The ransom note didn't threaten leaks, it didn't mention files. It simply said: payment restores access. And suddenly leadership understood the leverage. You can operate without email. You can operate without doors. This wasn't ransomware as we knew it. This was physical denial of service. Remember Hack 10? The voice call? That worked because people trusted authority. This works because organizations trusted vendors. Different target, same weakness. Unquestioned trust.
Let me be blunt here, and this is the professor talking. Security teams didn't miss this because they were bad. They missed it because this wasn't even considered their problem. No SOC dashboard monitored the building telemetry. No SIEM correlated HVAC logins. No alerts existed for badge system configuration changes. Because no one thought attackers would go there. In 2025, attackers went where defenders weren't looking. If I turned this into a CompTIA question, it wouldn't ask what malware was used. It would ask which system was most vulnerable due to the lack of monitoring and segmentation. And the answer wouldn't be the server, it would be the building. Now here's where the episode starts getting uncomfortable. Because once attackers realized they could control spaces, they started asking a bigger question. What other trusted places do people stop paying attention to? And that's when they found the quietest targets of all. And that feeling, that assumption, is exactly what made them dangerous in 2025. When people talk about cybersecurity risk, libraries never come up. Banks come up, hospitals come up, schools come up, libraries don't. Because in our heads, libraries are about books. But in reality, libraries are about identity. They verify residency, they issue library cards tied to personal data, they provide access to job portals, government services, student systems, public computers. And here's the key thing, and learn from this. Libraries sit at an intersection of multiple systems without owning any of them. That makes them perfect pivot points. This breach didn't begin with a dramatic attack. It began with outdated software. A library management system that had been running just fine for years. But it hadn't been patched. Why? Because it wasn't considered critical. And attackers love the phrase not critical.
They didn't rush, they didn't drop ransomware. They logged in, they explored, they learned how the systems talked to other systems, and then they did something very patient. They stayed quiet. Let me stop here and say something I tell students every semester. The most dangerous attackers are the ones who don't rush. If nothing breaks, no one looks. If no one looks, no one notices. And libraries are places where nothing's broken is the norm. The attackers didn't steal books, they didn't deface systems. They started mapping connections: shared credentials between the library system, the city HR portals, and the school district access point. Because years ago, someone said, let's reuse this account, it's easier. That sentence has probably caused more breaches than any malware ever written. Here's what makes this hack especially uncertain. There were no alarms. Traffic volumes looked normal. Logins came from expected locations. Why? Because library systems are heavily used, with public usage, varied IP addresses, and unpredictable access times. So nothing stood out. The attackers blended into the noise. That's not hacking, that's camouflage. Remember hack number nine, the building systems? That worked because no one else was watching. This works for the same reason, but at a social level. Libraries are trusted. Trusted spaces get fewer questions. Trusted systems get fewer audits. And attackers understand trust better than most defenders. The first sign that something was wrong didn't come from the library, it came from somewhere else. A city department noticed unusual account behavior. Then a school district flagged access. Then HR saw records accessed at odd hours. Only later did someone connect the dots. The library wasn't the victim, it was the doorway. Let me reframe it the way I would in class. This wasn't a failure of encryption, this wasn't a failure of authentication, this was a failure of scope.
Security teams protected what they thought mattered. Attackers went where security wasn't looking. If this showed up on an exam, the question wouldn't ask what system was breached. It would ask which system was most likely exploited due to implicit trust and lack of monitoring. And the correct answer would be the one everyone ignores. Attackers don't need the crown jewels if they can get the master key. Libraries weren't the prize, they were just the access. And once the attackers proved they could sit quietly inside trusted systems, they asked new questions. What happens if we don't steal credentials at all? What happens if we steal sessions? That's where hack number seven comes in. Learning management systems, single sign-on, and the day login stopped mattering. Alright, let me start this with one question I ask my students. What does authentication actually mean? Most people answer with something like typing your username and password or using MFA. And that's not wrong, but it's incomplete. Authentication is not a moment, it's a decision that the system makes. And in 2025, attackers figured out how to steal the decision after it was made. From the student's perspective, nothing felt wrong. They logged into the LMS, the dashboard loaded, assignments were there, grades were there. From the professor's perspective, same thing. Courses opened normally, materials were accessible, nothing looked hacked. And that's the most important detail of the entire hack. Nothing looked broken because nothing was broken. Let me slow this down, because this is one of the most misunderstood attacks of 2025. This was not credential theft. No password was guessed, no MFA prompt was bypassed. Instead, attackers went after something more powerful. Sessions. When you log into a system, the system doesn't want to ask you every five seconds for your username and password. So it gives you a token.
Think of it like a wristband at a concert. You show your ID once, and after that, the wristband says, this person has already proven who they are. And in most systems, that wristband lasts a long time, sometimes hours, sometimes days, sometimes longer than it ever should. In this case, the attackers didn't go after users, they went after the LMS infrastructure: a third-party plugin, a misconfigured backend service, a system component no one had looked at closely in years. From there, they accessed memory. And inside memory, active session tokens. Hundreds of them, thousands. And here's the part that makes the security team wince. Those tokens were valid. Still trusted, still accepted. This is where a lot of people get frustrated. But we had MFA. Yes. And MFA did its job once. After that, the system assumed trust. The attackers didn't log in, they continued. And security teams are terrible at detecting continuation. Let me tell you what the logs looked like. Valid sessions, normal access patterns, no failed logins, no brute-force attempts. Everything looked legitimate. Because from the system's point of view, it was. The attacker wasn't impersonating a person. They were the user. Remember the library breach? How attackers blended into normal traffic? Same idea. Noise is camouflage. If your system already expects students logging in at odd hours, access from multiple locations, and inconsistent behavior, then the abnormal becomes invisible. The first red flags didn't come from IT, they came from instructors. Grades changed unexpectedly. Assignments appeared submitted twice. Discussion posts showed activity from students who swore they weren't logged in. And even then the assumption was an attack. It was probably a system glitch. That assumption cost weeks. This hack forced organizations to confront something uncomfortable. Authentication without continuous validation is fragile. We build systems that say proving who you are once, that's enough.
Attackers say, great, that's all we need. If this were a CompTIA-style question, it wouldn't ask what attack stole the passwords. It would ask which weakness allowed attackers to reuse legitimate access without triggering alerts. And the answer would be over-trusted sessions. If your systems trust yesterday's login forever, attackers only need yesterday. Say that again, because that's the lesson. Now, here's where the episode takes a turn. Because after the attackers learned they didn't need credentials, after they learned they didn't need any malware, they started asking a new question. What if we don't even pretend to be users? What if we just talk directly to the system? That's hack number six: APIs. And the moment organizations realized their back ends were more exposed than their front doors. Alright, let me start this one with something I say all the time in class. Most attacks don't hit what users see, they hit what users don't see. And in 2025, that meant APIs. When organizations think about security, they picture login pages, websites, firewalls, maybe email. APIs don't usually make that mental list. They're considered internal. Behind the scenes, just plumbing. And that mindset is exactly why this hack worked. From a customer's point of view, nothing was wrong. The website loaded, the mobile app worked, prices looked normal, no outages, no errors. But behind the scenes, something was wrong. Quietly, relentlessly. Requests, thousands of them, perfectly formed, exactly the way the system expected. Let me stop right here and say this slowly. An API doesn't know intent. It only knows structure. If the request is valid, the API answers. And the attackers understood that better than the defenders. This part isn't glamorous, and that's important. They didn't scan aggressively. They didn't brute force. They opened the mobile app, they watched traffic. Because every modern app is just a front end talking to an API. Once you see the endpoints, you start asking questions.
What happens if I call this directly? What happens if I call it faster? What happens if I call it a thousand times? And the system kept answering. This wasn't about stealing credit cards. That would trigger alarms. Instead, attackers went after logic. Pricing rules, inventory counts, loyalty point balances, coupon behavior. They mapped the business itself. And that data, that's gold. You can resell it, exploit it, undercut competitors. All without ever breaking in. Here's the uncomfortable truth. From a technical standpoint, nothing was wrong. No malformed requests, no authentication failures, no errors. Everything looked healthy, and security teams are trained to look for failure, not overuse. Remember how the session theft blended into normal behavior? Same pattern here. If your systems already expect heavy traffic, global access, and unpredictable spikes, then abuse looks like success. Let me reframe this in plain terms. This wasn't hacking. This was automation. The system did exactly what it was designed to do. It answered questions over and over without asking why. If this showed up on an exam, the question wouldn't say what malware was installed. It would ask what security control was missing that allowed excessive legitimate requests to cause data exposure. And the answer wouldn't be antivirus. It would be things like rate limiting, monitoring, behavior analysis, the boring stuff, the stuff no one prioritized. This breach wasn't discovered by IT, it was discovered by finance. Margins didn't make sense. Competitors knew things they shouldn't. Inventory behavior felt predictable. Only later did someone trace it back to the API, the quietest part of the system. APIs don't get hacked, they get used. Say it again. Demystify it. Because once you understand that, you start looking at systems very differently. Alright, those are hacks 10 through 6 of 2025. Coming up next, we'll finish the countdown in the next episode, 5 to 1.
And have you guessed which companies are involved in these hacks? I hope you have. You can follow me on TikTok at ProfessorJRod, that's J R O D, or you can email me at professorjrod at gmail.com.
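Hack number six in the transcript turns on one observation: every request was well-formed and every response was a success, so tooling that looks for errors saw nothing. The detection logic a defender would want is the one the episode names as missing, rate limiting and behavior analytics over successful traffic. The Python script below is an added example written for this page, not code from the podcast or from any vendor. It runs over a constructed access log (one ordinary app user and one client walking a pricing endpoint SKU by SKU, all responses 200) and flags clients by peak request rate inside a sliding window and by how many distinct resources they touched. The log format, the two client addresses, the endpoint path and the thresholds are all assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for the example; a real deployment would derive
# them from each endpoint's normal traffic profile rather than a fixed number.
WINDOW = timedelta(seconds=60)
MAX_REQUESTS_PER_WINDOW = 100   # per client, within any 60-second span
MAX_DISTINCT_RESOURCES = 50     # per client, across the whole log


def build_sample_log() -> list:
    """Constructed access log: one ordinary app user and one client that
    enumerates the pricing endpoint. Every response is 200, so nothing here
    would ever appear in an error-based alert."""
    base = datetime(2025, 3, 14, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):  # normal user: a few lookups, minutes apart
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} 203.0.113.10 GET /api/v1/pricing/sku-{1000 + i} 200")
    for i in range(300):  # scraper: five requests a second, a new SKU every time
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f"{t.isoformat()} 198.51.100.7 GET /api/v1/pricing/sku-{2000 + i} 200")
    return lines


def parse_line(line: str):
    """Split '<iso-timestamp> <client> <method> <path> <status>' (assumed format)."""
    ts, client, method, path, status = line.split()
    return datetime.fromisoformat(ts), client, method, path, int(status)


def peak_requests_in_window(timestamps: list, window: timedelta) -> int:
    """Largest number of requests from one client inside any span of `window`."""
    timestamps = sorted(timestamps)
    peak = start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:   # slide the window forward
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def analyse(lines: list) -> dict:
    """Return {client: [reasons]} for clients whose successful traffic looks
    like enumeration rather than use. Clients below both thresholds are omitted."""
    events = defaultdict(list)
    for line in lines:
        ts, client, _method, path, _status = parse_line(line)
        events[client].append((ts, path))

    findings = {}
    for client, recs in events.items():
        reasons = []
        peak = peak_requests_in_window([ts for ts, _ in recs], WINDOW)
        if peak > MAX_REQUESTS_PER_WINDOW:
            reasons.append(f"{peak} requests within {int(WINDOW.total_seconds())}s")
        distinct = len({path for _, path in recs})
        if distinct > MAX_DISTINCT_RESOURCES:
            reasons.append(f"touched {distinct} distinct resources")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in analyse(build_sample_log()).items():
        print(client, "->", "; ".join(reasons))
```

Both signals deliberately ignore the status code. The rate check is what a per-client rate limit would enforce at the edge; the distinct-resource count is the simplest form of the behavior analytics the episode asks for, since a real customer prices a handful of items while a scraper walks the whole catalogue. Feeding the same counters into the metrics finance already watches (margin, inventory movement) is what turns this from a security afterthought into the early warning the organisation in the story lacked.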
