Back

ford.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event affecting ford.com, with a total of 401,216 recorded events over the period from July 2025 to June 2026. A substantial portion of these events, 355,448 (88.6%), are classified as historical data breaches, while 45,768 (11.4%) are active infostealer logs. The data suggests a high volume of compromised employee and client credentials, with 149,994 employee events and 251,222 client events. Key malware families involved include Redline, LummaC2, and Rhadamanthys, frequently targeting authentication services like sso.ci.ford.com and login.ford.com. The majority of affected systems are running Windows 11 and Windows 10, with a notable presence of combolist sources and database dumps in leak repositories.

Total Events

401,216
credential exposure events

Employee Affected Events

149,994
account email domain = ford.com

Client Affected Events

251,222
service target = ford.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
80,00053,33326,6670
peak month 77,539
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events45,768
Share11%
Data breaches
Events355,448
Share89%
Infostealer logs (11%)
45,768events
Data breaches (89%)
355,448events

149,994 compromised employee accounts pose an infrastructure risk, while 251,222 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender598
Windows Defender McAfee30
Kaspersky23
McAfee VirusScan17
Windows Defender.17
Webroot SecureAnywhere16
Sentinel Agent14
Windows Defender Webroot SecureAnywhere12
Windows Defender ESET Security12

Malware Families Distribution

Distribution of Active Stealer Strains

Redline8,973
LummaC26,286
Rhadamanthys5,304
Acreed3,662
Vidar2,592
X-Files827
StealC707
RisePro691
Millenium488

Top Login URLs

Top exposed services found in the event results

  1. 1https://sso.ci.ford.com/authsvc/mtfim/sps/authsvc20,905
  2. 2sso.ci.ford.com/authsvc/mtfim/sps/authsvc12,967
  3. 3https://sso.ci.ford.com9,695
  4. 4sso.ci.ford.com9,093
  5. 5https://sso.ci.ford.com/6,770
  6. 6ford.com6,479
  7. 7https://login.ford.com/5,383
  8. 8https://owner.ford.com3,769
  9. 9sso.ci.ford.com/3,723
  10. 10https://www.faust.idp.ford.com/Federation/SAMLSSO3,678

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events11,221
Italy
Events1,640
Mexico
Events1,521
Argentina
Events1,353
India
Events1,309
Brazil
Events1,001
Germany
Events899
Spain
Events809

Country Breakdown

  1. 1United States11,221
  2. 2Italy1,640
  3. 3Mexico1,521
  4. 4Argentina1,353
  5. 5India1,309
  6. 6Brazil1,001
  7. 7Germany899
  8. 8Spain809

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Microsoft3,348
Citrix39
Cisco (AnyConnect)33
Git27
FortiNet VPN21
Jira (Atlassian)19
Microsoft Entra ID (External ID / B2C)17

Operating System Distribution

Distribution of compromised endpoint builds

Windows 114,718
Windows 11 24H2 build 26100 (64 Bit)2,646
Windows 10 Enterprise x642,610
Windows 10 Home x641,551
Windows 10 22H2 build 19045 (64 Bit)1,504

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
257,509
Combolist pools
97,939
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.