Back

nsw.gov.au Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The domain nsw.gov.au has experienced a significant number of security events, with 158,674 historical data breaches and 31,660 active infostealer logs recorded over the period from July 2025 to June 2026. The majority of these events, 83.4%, are attributed to historical data breaches, while 16.6% are linked to infostealer activity. A substantial portion of the data breaches, 89.7%, originated from combolist sources, suggesting compromised credentials. Infostealer activity is primarily associated with malware families such as Rhadamanthys, LummaC2, and Redline. The events show a notable spike in employee-related incidents in January 2026, with 4,570 occurrences, and a significant increase in client-related events in March 2026, totaling 42,763. Targeted services include login portals and authorization endpoints for nsw.gov.au services, indicating potential credential harvesting and unauthorized access attempts.

Total Events

190,334
credential exposure events

Employee Affected Events

5,333
account email domain = nsw.gov.au

Client Affected Events

185,001
service target = nsw.gov.au

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
50,00033,33316,6670
peak month 42,763
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events31,660
Share17%
Data breaches
Events158,674
Share83%
Infostealer logs (17%)
31,660events
Data breaches (83%)
158,674events

5,333 compromised employee accounts pose an infrastructure risk, while 185,001 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender674
Windows Defender.52
Webroot SecureAnywhere36
Windows Defender McAfee VirusScan28
Windows Defender McAfee Anti-Virus and Anti-Spyware5
ESET NOD32 Antivirus 8.0.4
Windows Defender Sophos Intercept X4
OpenText™ Core Endpoint Protection4
Windows Defender VirusScan de McAfee McAfee.4

Malware Families Distribution

Distribution of Active Stealer Strains

Rhadamanthys4,383
LummaC23,767
Redline3,687
Acreed3,105
Vidar2,104
Millenium550
X-Files424
StealC241
Remus234

Top Login URLs

Top exposed services found in the event results

  1. 1https://login.service.nsw.gov.au/login10,616
  2. 2https://api.service.nsw.gov.au/as/authorization.oauth28,326
  3. 3https://webident.service.nsw.gov.au/as/authorization.oauth26,451
  4. 4api.service.nsw.gov.au/as/authorization.oauth26,230
  5. 5education.nsw.gov.au5,898
  6. 6login.service.nsw.gov.au/login5,445
  7. 7api.service.nsw.gov.au4,803
  8. 8https://api.service.nsw.gov.au4,716
  9. 9webident.service.nsw.gov.au/as/authorization.oauth23,772
  10. 10https://webident.service.nsw.gov.au3,085

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

Australia
Events15,232
United States
Events580
India
Events384
Pakistan
Events236
Philippines
Events153
Singapore
Events146

Country Breakdown

  1. 1Australia15,232
  2. 2United States580
  3. 3India384
  4. 4Pakistan236
  5. 5Côte d’Ivoire164
  6. 6Philippines153
  7. 7Singapore146
  8. 8Palestinian Territories138

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

F5623
Citrix276
Microsoft245
Jira (Atlassian)105
Intranet52
WordPress49
Cisco (AnyConnect)24

Operating System Distribution

Distribution of compromised endpoint builds

Windows 113,490
Windows 11 24H2 build 26100 (64 Bit)2,410
Windows 10 22H2 build 19045 (64 Bit)1,339
Windows 101,062
Windows 11 Home983

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
142,402
Combolist pools
16,272
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.