Back

gapinc.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant data breach event affecting over 253,000 clients, with a smaller number of employee records also compromised. The breach occurred primarily in December 2025, with a surge in employee data exposure in January 2026. Infostealer activity is also present, with malware families like LummaC2, Rhadamanthys, and Redline observed. The targeted services include the company's career portal and internal collaboration tools like Confluence, suggesting potential credential harvesting or unauthorized access. The majority of the compromised data appears to originate from database dumps, with a smaller portion from combolist sources.

Total Events

253,894
credential exposure events

Employee Affected Events

23,178
account email domain = gapinc.com

Client Affected Events

230,716
service target = gapinc.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
250,000166,66783,3330
peak month 229,137
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events109
Share0%
Data breaches
Events253,785
Share100%
Infostealer logs (0%)
109events
Data breaches (100%)
253,785events

23,178 compromised employee accounts pose an infrastructure risk, while 230,716 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

No Data Available

Malware Families Distribution

Distribution of Active Stealer Strains

LummaC230
Rhadamanthys17
Redline16
Vidar7
RisePro6
Acreed3

Top Login URLs

Top exposed services found in the event results

  1. 1https://apply.gapinc.com/careersection/iam/accessmanagement/login.jsf224
  2. 2apply.gapinc.com/careersection/iam/accessmanagement/login.jsf201
  3. 3apply.gapinc.com175
  4. 4https://apply.gapinc.com170
  5. 5apply.gapinc.com/careersection/iam/accessmanagement/register.jsf57
  6. 6https://apply.gapinc.com/careersection/iam/accessmanagement/register.jsf55
  7. 7confluence.gapinc.com/login.action22
  8. 8printingpress.phx.gapinc.com21
  9. 9https://confluence.gapinc.com/login.action20
  10. 10https://confluence.gapinc.com19

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events34
Canada
Events15
Vietnam
Events9
Venezuela
Events4
Chile
Events1
Indonesia
Events1

Country Breakdown

  1. 1United States34
  2. 2Canada15
  3. 3Vietnam9
  4. 4Venezuela4
  5. 5Dominican Republic1
  6. 6Chile1
  7. 7Côte d’Ivoire1
  8. 8Indonesia1

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Citrix55
Jira (Atlassian)47
Git38

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11 24H2 build 26100 (64 Bit)8
Windows 11 Pro (10.0.22631) x648
Windows 10 Pro [x64]7
Windows 10 (10.0.22621)6
Windows 10 Pro x646

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
1,481
Combolist pools
252,304
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.