Back

citrixonline.com Domain Breach Exposure Report

Risk Score

High Risk

Critical asset booster applied - enterprise VPN / gateway credentials exposed.

AI Findings Summary

Critical

The domain citrixonline.com exhibits a critical risk score, primarily driven by a substantial volume of historical data breaches (88.3%) and active infostealer logs (11.7%) over the period of July 2025 to June 2026. A significant portion of these events, totaling 41,202, are attributed to clients, with 7,760 employee-related events also observed. The data indicates a strong correlation with credential stuffing attacks originating from "Combolist sources" (98.6% of leak repository classification), targeting login services associated with Citrix Online, including "https://login.citrixonline.com/login" and "https://secure.citrixonline.com". Malware families such as Redline, LummaC2, and Rhadamanthys are prevalent, suggesting active exploitation of compromised credentials. The high volume of data breaches and infostealer activity, coupled with the critical asset booster, necessitates immediate attention. The primary focus should be on credential hygiene, including mandatory password resets for all affected employees and clients, and enhanced monitoring for suspicious login activity. Investigating the source of the "Combolist sources" and implementing stronger authentication mechanisms, such as multi-factor authentication, are crucial remediation steps to mitigate the risk of further compromise and data exfiltration.

Total Events

41,978
credential exposure events

Employee Affected Events

776
account email domain = citrixonline.com

Client Affected Events

41,202
service target = citrixonline.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
12,0008,0004,0000
peak month 10,100
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events4,905
Share12%
Data breaches
Events37,073
Share88%
Infostealer logs (12%)
4,905events
Data breaches (88%)
37,073events

776 compromised employee accounts pose an infrastructure risk, while 41,202 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender57
Avast Antivirus15
Malwarebytes6
Windows Defender McAfee4
Windows Defender.3
Windows Defender McAfee.1

Malware Families Distribution

Distribution of Active Stealer Strains

Redline857
LummaC2780
Rhadamanthys592
Acreed290
RisePro232
Vidar221
StealC129
X-Files39
Raccoon37

Top Login URLs

Top exposed services found in the event results

  1. 1https://login.citrixonline.com/login7,575
  2. 2login.citrixonline.com/login5,119
  3. 3https://login.citrixonline.com4,208
  4. 4login.citrixonline.com4,024
  5. 5https://secure.citrixonline.com2,948
  6. 6secure.citrixonline.com2,945
  7. 7https://secure.citrixonline.com/secure/gotomeeting/commerce/try/register1,838
  8. 8https://secure.citrixonline.com/secure/gotowebinar/commerce/try/register1,271
  9. 9secure.citrixonline.com/secure/gotomeeting/commerce/try/register1,210
  10. 10secure.citrixonline.com/secure/gotowebinar/commerce/try/register776

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events662
India
Events413
Canada
Events114
Mexico
Events100
United Kingdom
Events98
Spain
Events95
Nigeria
Events90

Country Breakdown

  1. 1United States662
  2. 2India413
  3. 3Palestinian Territories239
  4. 4Canada114
  5. 5Mexico100
  6. 6United Kingdom98
  7. 7Spain95
  8. 8Nigeria90

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

WordPress45
Cisco (AnyConnect)9

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11383
Windows 10 Enterprise x64343
Windows 10 Pro [x64]257
Windows 10 22H2 build 19045 (64 Bit)244
Windows 11 24H2 build 26100 (64 Bit)226

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
36,555
Combolist pools
518
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.