Back

nih.gov Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting nih.gov, with 95,372 total events recorded between July 2025 and June 2026. The majority of these events, 87,427 (91.7%), are classified as historical data breaches, while 7,945 (8.3%) are active infostealer logs. The data breach events suggest a large-scale compromise of sensitive information, potentially affecting a substantial number of employees and clients, as evidenced by the 24,251 employee and 71,121 client events. The timeline shows a notable surge in employee-related events in January 2026, with 17,987 occurrences, and a peak in client-related events in March 2026, with 18,158 occurrences. The presence of infostealer logs, particularly LummaC2, Redline, and Acreed malware families, indicates ongoing attempts to exfiltrate credentials and sensitive data. The leak repository classification shows a high percentage of data originating from combolist sources (75.7%) and database dumps (24.3%), suggesting credential stuffing or data aggregation from previous breaches. Given the nature of the data breaches and the active infostealer logs, this exposure poses a critical risk to NIH.gov. The primary focus for remediation should be on identifying the root cause of the historical data breaches, enhancing data security measures to prevent future breaches, and actively monitoring for and mitigating the impact of ongoing infostealer activity. The prevalence of LummaC2 and Redline malware families suggests a need for enhanced endpoint detection and response capabilities, as well as user education on phishing and credential security. The targeted services, primarily related to NCBI, highlight specific areas requiring immediate security review and hardening.

Total Events

95,372
credential exposure events

Employee Affected Events

24,251
account email domain = nih.gov

Client Affected Events

71,121
service target = nih.gov

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
20,00013,3336,6670
peak month 18,158
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events7,945
Share8%
Data breaches
Events87,427
Share92%
Infostealer logs (8%)
7,945events
Data breaches (92%)
87,427events

24,251 compromised employee accounts pose an infrastructure risk, while 71,121 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

360 Total Security160
Windows Defender106
Windows Defender.56
Windows Defender McAfee.6
Windows Defender Avast Antivirus5
Trend Micro2
Windows Defender Avast Antivirus.2
Windows Defender McAfee Reason Cybersecurity2
Windows Defender ESET Security2

Malware Families Distribution

Distribution of Active Stealer Strains

LummaC21,379
Redline1,116
Acreed863
Rhadamanthys721
Vidar394
Blank Grabber207
StealC176
Millenium139
RisePro101

Top Login URLs

Top exposed services found in the event results

  1. 1ncbi.nlm.nih.gov5,144
  2. 2https://ncbi.nlm.nih.gov4,154
  3. 3https://www.ncbi.nlm.nih.gov/account/register/3,643
  4. 4https://www.ncbi.nlm.nih.gov/account/signin/3,412
  5. 5https://www.ncbi.nlm.nih.gov3,293
  6. 6ncbi.nlm.nih.gov/account/register/2,457
  7. 7www.ncbi.nlm.nih.gov2,361
  8. 8ncbi.nlm.nih.gov/account/signin/2,186
  9. 9www.ncbi.nlm.nih.gov/account/register/1,897
  10. 10www.ncbi.nlm.nih.gov/account/signin/1,752

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events1,145
India
Events520
Egypt
Events334
Ethiopia
Events249
China
Events166
Peru
Events161
Brazil
Events154
Pakistan
Events142

Country Breakdown

  1. 1United States1,145
  2. 2India520
  3. 3Egypt334
  4. 4Ethiopia249
  5. 5China166
  6. 6Peru161
  7. 7Brazil154
  8. 8Pakistan142

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Microsoft72
Citrix18
Jira (Atlassian)17
WordPress8
Microsoft Entra ID (External ID / B2C)4
Auth02

Operating System Distribution

Distribution of compromised endpoint builds

Windows 111,067
Windows 10 Enterprise x64458
Windows 11 24H2 build 26100 (64 Bit)344
Windows 10 Home x64274
Windows 10 Pro262

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
66,145
Combolist pools
21,282
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.