Back

iqiyi.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event affecting approximately 119,286 clients and 91 employees of iqiyi.com. The primary drivers of this exposure are historical data breaches, accounting for 77.6% of events, and active infostealer logs, representing 22.4%. The timeline shows a notable increase in client-related events from September 2025 onwards, peaking in March and April 2026, with employee-related events also appearing during this period. The data breaches appear to originate from "Combolist sources," while infostealer activity is dominated by malware families such as Rhadamanthys, Redline, and LummaC2, targeting services related to iqiyi.com's login and platform access, primarily in China and Taiwan. Given the high volume of client data breaches and active infostealer activity, this situation presents a critical risk. The prevalence of infostealer malware targeting login credentials suggests a high likelihood of account compromise and potential financial or identity fraud for affected individuals. Remediation efforts should focus on immediate incident response to contain the infostealer activity, including network monitoring, endpoint security enhancements, and credential reset campaigns for both employees and clients. Furthermore, a thorough investigation into the "Combolist sources" is crucial to understand the root cause of the historical data breaches and prevent future occurrences.

Total Events

119,377
credential exposure events

Employee Affected Events

91
account email domain = iqiyi.com

Client Affected Events

119,286
service target = iqiyi.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
30,00020,00010,0000
peak month 29,278
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events26,734
Share22%
Data breaches
Events92,643
Share78%
Infostealer logs (22%)
26,734events
Data breaches (78%)
92,643events

91 compromised employee accounts pose an infrastructure risk, while 119,286 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender406
Windows Defender McAfee23
unknown7
Windows Defender Sophos Intercept X6
Windows Defender Trend Micro Apex One 防毒6
Windows Defender.5
Malwarebytes4
Windows Defender 电脑管家系统防护 腾讯电脑管家系统防护3
Windows Defender Avast Antivirus2

Malware Families Distribution

Distribution of Active Stealer Strains

Rhadamanthys5,899
Redline4,809
LummaC23,471
Acreed1,618
Vidar1,026
StealC670
RisePro588
Remus185
Millenium165

Top Login URLs

Top exposed services found in the event results

  1. 1android://WCaHzWiin6CgcbB04kEBz2U2lEcx67R-tCTvBdMaQq6bOMLtDeRsNqmHfs8z6y9hIrh50RNk3n-7YBTZVmgaww==@com.iqiyi.i18n/15,420
  2. 2https://www.iqiyi.com/iframe/loginreg8,998
  3. 3iqiyi.com8,600
  4. 4https://iqiyi.com6,353
  5. 5iqiyi.com/iframe/loginreg6,152
  6. 6https://www.iqiyi.com5,993
  7. 7www.iqiyi.com/iframe/loginreg4,687
  8. 8https://www.iqiyi.com/iframe/loginreg_tw4,519
  9. 9https://www.iqiyi.com/4,364
  10. 10www.iqiyi.com4,199

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

China
Events6,617
Taiwan
Events2,428
Thailand
Events2,356
Malaysia
Events2,001
Indonesia
Events1,770
Philippines
Events458
United States
Events339

Country Breakdown

  1. 1China6,617
  2. 2Taiwan2,428
  3. 3Thailand2,356
  4. 4Malaysia2,001
  5. 5Indonesia1,770
  6. 6Hong Kong SAR China650
  7. 7Philippines458
  8. 8United States339

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Cisco (AnyConnect)3

Operating System Distribution

Distribution of compromised endpoint builds

Windows 10 22H2 build 19045 (64 Bit)1,862
Windows 11 24H2 build 26100 (64 Bit)1,849
Windows 111,584
Windows 11 23H2 build 22631 (64 Bit)1,569
Windows 11 (Build 26200) (64 Bit)1,564

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
92,621
Combolist pools
22
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.