Back

crowncork.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The domain crowncork.com has experienced a significant number of security events, with over 40,000 total events recorded between July 2025 and June 2026. The vast majority of these events, over 95%, are classified as historical data breaches, impacting approximately 38,980 distinct records. Additionally, there are 1,752 active infostealer logs, primarily associated with the Redline malware family, which suggests ongoing compromise and data exfiltration attempts. The timeline indicates a surge in employee-related events in September 2025 and January 2026, with a notable increase in client-related events also occurring in September 2025. The presence of Redline malware, a known infostealer, targeting services like Citrix and Microsoft, and the high volume of data breaches and infostealer logs indicate a critical exposure. The primary risk stems from the extensive historical data breaches and the active infostealer campaigns, which could lead to further credential compromise, financial loss, and reputational damage. The prevalence of Redline malware suggests a need to focus remediation efforts on endpoint security, credential hygiene, and network monitoring for suspicious outbound traffic. Given the nature of the data breaches and infostealer activity, prioritizing the protection of employee and client data is paramount. The observed targeting of VPN and authentication services like Citrix and Microsoft further emphasizes the need for robust access controls and multi-factor authentication.

Total Events

40,732
credential exposure events

Employee Affected Events

40,081
account email domain = crowncork.com

Client Affected Events

651
service target = crowncork.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
10,0006,6673,3330
peak month 9,338
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events1,752
Share4%
Data breaches
Events38,980
Share96%
Infostealer logs (4%)
1,752events
Data breaches (96%)
38,980events

40,081 compromised employee accounts pose an infrastructure risk, while 651 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender2
Bitdefender1

Malware Families Distribution

Distribution of Active Stealer Strains

Redline1,732
StealC9
LummaC23
Aurora2

Top Login URLs

Top exposed services found in the event results

  1. 1crowncork.com431
  2. 2eur.crowncork.com103
  3. 3https://sts.eur.crowncork.com/12
  4. 4sts.eur.crowncork.com/adfs/ls11
  5. 5https://sts.eur.crowncork.com/adfs/ls10
  6. 6https://webmail.crowncork.com/owa/auth/logon.aspx8
  7. 7https://sts.eur.crowncork.com/adfs/ls/8
  8. 8https://sts.eur.crowncork.com7
  9. 9webmail.crowncork.com/owa/auth/logon.aspx6
  10. 10sts.eur.crowncork.com/adfs/ls/6

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events404
Netherlands
Events398
Germany
Events385
Denmark
Events163
United Kingdom
Events54
France
Events36
Romania
Events30

Country Breakdown

  1. 1United States404
  2. 2Netherlands398
  3. 3Germany385
  4. 4Denmark163
  5. 5United Kingdom54
  6. 6France36
  7. 7Romania30
  8. 8Luxembourg28

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Citrix66
Microsoft45
FortiNet VPN21
Git21
Pulse Secure18
Cisco (AnyConnect)16

Operating System Distribution

Distribution of compromised endpoint builds

Windows Server 2012 x32152
Windows Server 2019 x32142
Windows 10 Home x32133
Windows Server 2012 R2 x32132
Windows 8.1 x32131

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
32,998
Combolist pools
5,982
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.