Back

apple.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting apple.com, with over 34 million total events recorded between July 2025 and June 2026. The majority of these events, over 28 million, are classified as historical data breaches, with an additional 6.2 million events linked to active infostealer logs. This suggests a widespread compromise affecting a large number of clients (over 34 million) and a smaller but still substantial number of employees (over 200,000). The primary malware families associated with these events are LummaC2, Redline, and Rhadamanthys, all known for credential theft and data exfiltration. The targeted services are predominantly related to Apple's authentication infrastructure, including idmsa.apple.com and appleid.apple.com, indicating a potential focus on account compromise. The data also shows a high concentration of affected users in the United States, Brazil, and India.

Total Events

34,359,929
credential exposure events

Employee Affected Events

202,086
account email domain = apple.com

Client Affected Events

34,157,843
service target = apple.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
10,000,0006,666,6673,333,3330
peak month 8,871,782
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events6,266,109
Share18%
Data breaches
Events28,093,820
Share82%
Infostealer logs (18%)
6,266,109events
Data breaches (82%)
28,093,820events

202,086 compromised employee accounts pose an infrastructure risk, while 34,157,843 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender77,134
Windows Defender.3,586
360 Total Security915
Windows Defender [ON]726
Windows Defender McAfee703
Avast691
Malwarebytes651
McAfee451
Windows Defender ESET Security417

Malware Families Distribution

Distribution of Active Stealer Strains

LummaC21,086,862
Redline918,462
Rhadamanthys733,972
Vidar482,257
Acreed380,585
StealC112,109
RisePro111,408
Millenium41,909
Remus40,314

Top Login URLs

Top exposed services found in the event results

  1. 1https://idmsa.apple.com/appleauth/auth/authorize/signin4,861,423
  2. 2idmsa.apple.com/appleauth/auth/authorize/signin2,820,072
  3. 3https://idmsa.apple.com2,314,770
  4. 4idmsa.apple.com2,217,176
  5. 5https://idmsa.apple.com/appleauth/auth/signin2,214,466
  6. 6https://appleid.apple.com/auth/authorize1,822,821
  7. 7idmsa.apple.com/appleauth/auth/signin1,446,101
  8. 8https://appleid.apple.com/account1,197,356
  9. 9https://appleid.apple.com1,170,870
  10. 10appleid.apple.com1,136,221

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events420,207
Brazil
Events242,422
India
Events203,097
Mexico
Events136,090
Vietnam
Events109,268
Pakistan
Events108,606
France
Events102,885
Türkiye
Events95,267

Country Breakdown

  1. 1United States420,207
  2. 2Brazil242,422
  3. 3India203,097
  4. 4Mexico136,090
  5. 5Vietnam109,268
  6. 6Pakistan108,606
  7. 7France102,885
  8. 8Türkiye95,267

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Citrix55
NetSuite33
WordPress25
Cisco (AnyConnect)24
FortiNet VPN19
Git18
Pulse Secure17

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11426,199
Windows 10 Enterprise x64370,988
Windows 11 24H2 build 26100 (64 Bit)314,433
Windows 10 Pro280,132
Windows 10 Pro (10.0.19045) x64239,014

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
27,939,770
Combolist pools
154,050
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.