Back

centene.com Domain Breach Exposure Report

Risk Score

High Risk

Critical asset booster applied - enterprise VPN / gateway credentials exposed.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting centene.com, with a total of 68,340 recorded events over the period from July 2025 to June 2026. The majority of these events, 96.9%, are classified as historical data breaches, totaling 66,242 instances. Additionally, there are 2,098 active infostealer logs, representing 3.1% of the total events. The timeline shows a substantial increase in employee-related events in January 2026, with 30,821 occurrences, and a peak in client-related events in September 2025, with 787 instances. Malware analysis reveals Redline as the predominant family, accounting for 80.6% of identified malware, followed by LummaC2 at 5%. Targeted services include centene.com itself and its single sign-on (SSO) and VPN portals, with the United States being the most frequently observed country in the breakdown. The high volume of historical data breaches and active infostealer logs, coupled with the critical risk score of 100 and the critical asset booster being enabled, signifies a severe and immediate threat. The prevalence of Redline infostealer suggests a focus on credential harvesting, potentially leading to further account compromise and unauthorized access. Remediation efforts should prioritize strengthening access controls for SSO and VPN services, enhancing endpoint security to detect and mitigate infostealer activity, and conducting thorough investigations into the root causes of the historical data breaches to prevent recurrence. Given the nature of the domain and the services targeted, the primary focus should be on protecting sensitive employee and client data.

Total Events

68,340
credential exposure events

Employee Affected Events

65,707
account email domain = centene.com

Client Affected Events

2,633
service target = centene.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
40,00026,66713,3330
peak month 30,821
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events2,098
Share3%
Data breaches
Events66,242
Share97%
Infostealer logs (3%)
2,098events
Data breaches (97%)
66,242events

65,707 compromised employee accounts pose an infrastructure risk, while 2,633 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Bitdefender1
Kaspersky1

Malware Families Distribution

Distribution of Active Stealer Strains

Redline1,691
LummaC2104
Rhadamanthys92
Vidar18
Aurora13
Acreed10
RisePro8
Remus6
Blank Grabber4

Top Login URLs

Top exposed services found in the event results

  1. 1centene.com617
  2. 2https://sso.centene.com/idp/SSO.saml2158
  3. 3https://connect.centene.com/vpn/index.html139
  4. 4connect.centene.com/vpn/index.html98
  5. 5sso.centene.com/idp/SSO.saml282
  6. 6https://sso.centene.com81
  7. 7https://connect.centene.com74
  8. 8connect.centene.com69
  9. 9sso.centene.com67
  10. 10https://sso.centene.com/52

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events587
Netherlands
Events411
Germany
Events328
Denmark
Events164
Philippines
Events50
United Kingdom
Events43
France
Events37
Mexico
Events32

Country Breakdown

  1. 1United States587
  2. 2Netherlands411
  3. 3Germany328
  4. 4Denmark164
  5. 5Philippines50
  6. 6United Kingdom43
  7. 7France37
  8. 8Mexico32

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Citrix330
Microsoft15
FortiNet VPN14
Cisco (AnyConnect)12
Git10
Jira (Atlassian)10
Pulse Secure9

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11 24H2 build 26100 (64 Bit)125
Windows Server 2012 R2 x32125
Windows Server 2019 x32121
Windows Server 2008 R2 x32121
Windows Server 2012 x32121

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
35,474
Combolist pools
30,768
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.