Back

iqvia.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting IQVIA, with 59,081 historical data breaches and 3,972 active infostealer logs observed between July 2025 and June 2026. The majority of these events, 93.7%, are attributed to historical data breaches, while 6.3% are active infostealer logs. Employee accounts are the most frequently targeted, with 53,280 instances, followed by client accounts at 9,773. The primary malware families associated with these infostealer logs are Redline (55%), LummaC2 (9.1%), and Rhadamanthys (4.9%). The data suggests a high volume of compromised credentials originating from combolist sources (72.5%) and database dumps (27.5%), with targeted services including customer portals and virtual trial platforms. The United States, Netherlands, and Germany are the most affected geographies. Given the high volume of historical data breaches and active infostealer logs, coupled with the targeting of employee and client accounts, this situation presents a critical risk. The prevalence of Redline and LummaC2 suggests a focus on credential harvesting. Remediation efforts should prioritize incident response to contain active infostealer threats, thorough credential hygiene for employees and clients, and a review of security controls for customer-facing portals and virtual trial platforms. Investigating the source of the combolist and database dump exposures is also crucial.

Total Events

63,053
credential exposure events

Employee Affected Events

53,280
account email domain = iqvia.com

Client Affected Events

9,773
service target = iqvia.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
20,00013,3336,6670
peak month 18,155
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events3,972
Share6%
Data breaches
Events59,081
Share94%
Infostealer logs (6%)
3,972events
Data breaches (94%)
59,081events

53,280 compromised employee accounts pose an infrastructure risk, while 9,773 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender51
Avast6
Windows Defender Kaspersky Total Security3
Windows Defender McAfee1
Kaspersky1

Malware Families Distribution

Distribution of Active Stealer Strains

Redline2,186
LummaC2363
Rhadamanthys196
Vidar153
Acreed149
StealC97
X-Files51
Millenium19
Remus11

Top Login URLs

Top exposed services found in the event results

  1. 1https://login.customerportal.iqvia.com/EB2/User/CustomerLogin.aspx556
  2. 2iqvia.com419
  3. 3https://virtualtrials-patient.solutions.iqvia.com/s/login/323
  4. 4virtualtrials-patient.solutions.iqvia.com/s/login/253
  5. 5https://docnet.solutions.iqvia.com/survey/landingpageDetail.aspx249
  6. 6login.customerportal.iqvia.com/EB2/User/CustomerLogin.aspx210
  7. 7https://login.customerportal.iqvia.com172
  8. 8https://virtualtrials-patient.solutions.iqvia.com169
  9. 9login.customerportal.iqvia.com153
  10. 10https://docnet.solutions.iqvia.com152

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events584
Netherlands
Events466
Germany
Events391
Denmark
Events177
Egypt
Events167
India
Events141
Brazil
Events124
Pakistan
Events115

Country Breakdown

  1. 1United States584
  2. 2Netherlands466
  3. 3Germany391
  4. 4Denmark177
  5. 5Egypt167
  6. 6India141
  7. 7Brazil124
  8. 8Pakistan115

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Microsoft312
Citrix73
Cisco (AnyConnect)22
Pulse Secure19
FortiNet VPN17
Salesforce14
Okta10

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11272
Windows Server 2012 x32147
Windows 7 x32136
Windows 8.1 x32136
Windows Server 2008 R2 x32135

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
42,839
Combolist pools
16,242
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.