Back

mayoclinic.org Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting mayoclinic.org, with a total of 33,573 recorded events over the period from July 2025 to June 2026. The majority of these events, 89.2%, are historical data breaches, while 10.8% are active infostealer logs. A notable surge in employee-related events occurred in January 2026, coinciding with a substantial increase in client-related events in March 2026. The data suggests that infostealer activity, particularly from malware families like Rhadamanthys, Redline, and LummaC2, is targeting credentials associated with account and signup services for mayoclinic.org. The primary source of leaked data appears to be combolist sources and database dumps, with a significant portion of the affected activity originating from the United States.

Total Events

33,573
credential exposure events

Employee Affected Events

13,648
account email domain = mayoclinic.org

Client Affected Events

19,925
service target = mayoclinic.org

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
15,00010,0005,0000
peak month 13,312
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events3,633
Share11%
Data breaches
Events29,940
Share89%
Infostealer logs (11%)
3,633events
Data breaches (89%)
29,940events

13,648 compromised employee accounts pose an infrastructure risk, while 19,925 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender59
Avast AVG1

Malware Families Distribution

Distribution of Active Stealer Strains

Rhadamanthys535
Redline417
LummaC2417
Acreed360
Vidar194
X-Files126
StealC98
Millenium31
Blank Grabber29

Top Login URLs

Top exposed services found in the event results

  1. 1https://account.mayoclinic.org/account.mayoclinic.org/b2c_1a_patient_signup_signin/oauth2/v2.0/authorize1,497
  2. 2account.mayoclinic.org898
  3. 3https://account.mayoclinic.org897
  4. 4account.mayoclinic.org/account.mayoclinic.org/b2c_1a_patient_signup_signin/oauth2/v2.0/authorize871
  5. 5https://signup.mayoclinic.org/professional/register/register552
  6. 6https://signup.mayoclinic.org518
  7. 7https://signup.mayoclinic.org/register/registerpatient515
  8. 8signup.mayoclinic.org498
  9. 9https://apply.mayoclinic.org/TGnewUI/Search/home/HomeWithPreLoad474
  10. 10login.mayoclinic.org/adfs/ls/448

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events1,346
India
Events164
Pakistan
Events67
Argentina
Events40
Venezuela
Events40
Spain
Events39
Mexico
Events34
Philippines
Events32

Country Breakdown

  1. 1United States1,346
  2. 2India164
  3. 3Pakistan67
  4. 4Argentina40
  5. 5Venezuela40
  6. 6Spain39
  7. 7Mexico34
  8. 8Philippines32

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Microsoft1,521

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11537
Windows 11 24H2 build 26100 (64 Bit)338
Windows 10 Home x64171
Windows 10145
Windows 10 22H2 build 19045 (64 Bit)139

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
16,361
Combolist pools
13,579
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.