Back

express.co.uk Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The domain express.co.uk has experienced a significant number of data breaches, totaling 6,390 events, which constitute 89.7% of all observed events. Additionally, there were 735 infostealer events, representing 10.3% of the total. The timeline indicates a surge in employee and client-related events starting in September 2025 and peaking in March and April 2026, with a notable increase in client events during March 2026. The primary sources of exposure appear to be combolist sources (90.1%) and database dumps (9.9%). Malware families associated with these events include Rhadamanthys, Redline, and LummaC2, all of which are known infostealers. The majority of affected operating systems are Windows 11 and Windows 10 variants. The primary geographical origin of these events is the United Kingdom, followed by Thailand and the United States. The targeted services are predominantly related to the express.co.uk domain, including login and user registration pages.

Total Events

7,125
credential exposure events

Employee Affected Events

1,951
account email domain = express.co.uk

Client Affected Events

5,174
service target = express.co.uk

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
2,0001,3336670
peak month 1,653
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events735
Share10%
Data breaches
Events6,390
Share90%
Infostealer logs (10%)
735events
Data breaches (90%)
6,390events

1,951 compromised employee accounts pose an infrastructure risk, while 5,174 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender2

Malware Families Distribution

Distribution of Active Stealer Strains

Rhadamanthys147
Redline137
LummaC2108
Vidar27
Acreed26
Remus13
StealC9
Millenium6
X-Files3

Top Login URLs

Top exposed services found in the event results

  1. 1express.co.uk633
  2. 2https://www.express.co.uk467
  3. 3https://express.co.uk406
  4. 4https://www.express.co.uk/324
  5. 5www.express.co.uk254
  6. 6https://www.express.co.uk/users/login214
  7. 7express.co.uk/users/login179
  8. 8express.co.uk/147
  9. 9www.express.co.uk/users/login128
  10. 10https://www.express.co.uk/users/register112

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United Kingdom
Events183
Thailand
Events62
United States
Events51
Netherlands
Events28
Pakistan
Events27
India
Events12
Venezuela
Events12

Country Breakdown

  1. 1United Kingdom183
  2. 2Thailand62
  3. 3United States51
  4. 4Netherlands28
  5. 5Pakistan27
  6. 6Somalia12
  7. 7India12
  8. 8Venezuela12

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

FortiNet VPN4

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11 24H2 build 26100 (64 Bit)84
Windows 1169
Windows 11 24H2 build 27954 (64 Bit)64
Windows 10 20H1 build 19041 (64 Bit)44
Windows 10 Enterprise x6433

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
5,760
Combolist pools
630
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.