Back

finn.no Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The domain finn.no has experienced a high volume of security events over the past year, with a significant portion attributed to historical data breaches (63.2%) and active infostealer logs (36.8%). A total of 5405 events were recorded, impacting 467 employees and 4938 clients. The timeline shows a notable increase in client-related events from September 2025 onwards, peaking in April 2026. Malware families such as Rhadamanthys, LummaC2, and Redline are prevalent, suggesting ongoing credential harvesting and data exfiltration attempts. The majority of data exposure originates from "Combolist sources" (94.9%), indicating compromised credential reuse across services. Given the high risk score of 89 and the substantial number of client and employee events linked to infostealer activity and data breaches, this exposure presents a critical risk. The prevalence of infostealers targeting credentials, coupled with the reliance on combolist sources, suggests a high likelihood of account compromise and potential financial or identity fraud impacting users. Prioritization should focus on immediate remediation of exposed credentials, enhanced monitoring for unauthorized access, and user education regarding phishing and credential security, particularly for the Norwegian user base which constitutes the largest geographical segment.

Total Events

5,405
credential exposure events

Employee Affected Events

467
account email domain = finn.no

Client Affected Events

4,938
service target = finn.no

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
1,0006673330
peak month 854
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events1,987
Share37%
Data breaches
Events3,418
Share63%
Infostealer logs (37%)
1,987events
Data breaches (63%)
3,418events

467 compromised employee accounts pose an infrastructure risk, while 4,938 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender52
Windows Defender Avast Antivirus25
Windows Defender.10
Windows Defender 360 Total Security.2
McAfee VirusScan2
ESET Security1
Malwarebytes1
None1

Malware Families Distribution

Distribution of Active Stealer Strains

Rhadamanthys401
LummaC2308
Redline291
Vidar114
Acreed84
StealC36
RisePro20
Millenium18
Blank Grabber7

Top Login URLs

Top exposed services found in the event results

  1. 1android://H3iPNYKy_BOAMWT6RgXYu_TwNP4EbLoggeWyGXGKe_tI63JI-bz_k2J50vITNpGt0IcCGyij51OmL7CTphOR1A==@no.finn.android/3,025
  2. 2finn.no187
  3. 3https://www.finn.no/finn/login154
  4. 4android://h3ipnyky_boamwt6rgxyu_twnp4ebloggewygxgke_ti63ji-bz_k2j50vitnpgt0iccgyij51oml7ctphor1a==@no.finn.android/ :136
  5. 5https://finn.no125
  6. 6android://h3ipnyky_boamwt6rgxyu_twnp4ebloggewygxgke_ti63ji-bz_k2j50vitnpgt0iccgyij51oml7ctphor1a==@no.finn.android/124
  7. 7finn.no/97
  8. 8android://H3iPNKy_BOAMWT6RgXu_TwNP4EbLoggeWyGXGKe_tI63JI-bz_k2J50vITNpGt0IcCGyij51OmL7CTphOR1A==@no.finn.android/87
  9. 9https://www.finn.no73
  10. 10https://www.finn.no/67

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

Norway
Events977
Poland
Events41
Türkiye
Events33
Spain
Events22
Egypt
Events21
Germany
Events20
United States
Events19
France
Events17

Country Breakdown

  1. 1Norway977
  2. 2Poland41
  3. 3Türkiye33
  4. 4Spain22
  5. 5Egypt21
  6. 6Germany20
  7. 7United States19
  8. 8France17

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

-
Total

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11 24H2 build 26100 (64 Bit)207
Windows 10 22H2 build 19045 (64 Bit)135
Windows 11125
Windows 10 Enterprise x64114
Windows 10 Home x64103

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
3,242
Combolist pools
176
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.