Back

openai.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting OpenAI, primarily driven by a massive volume of historical data breaches (67.4%) and active infostealer logs (32.6%) over the period of July 2025 to June 2026. The data breaches affected approximately 5.7 million client records, while infostealer activity targeted over 2.7 million client records. Employee exposure was comparatively lower, with 468 records compromised. The primary malware families associated with these events are LummaC2, Rhadamanthys, and Redline, all known for credential theft. The targeted services are predominantly authentication endpoints, including signup and login pages hosted on auth0.openai.com and auth.openai.com, suggesting a focus on account takeover. Geographically, India, Brazil, and Pakistan show the highest incidence of exposure. This incident presents a high-risk scenario due to the sheer volume of compromised client data and the nature of the infostealer activity, which could lead to widespread account takeovers and further downstream impacts. The prevalence of credential stuffing and phishing-related malware families targeting authentication services necessitates immediate attention to access controls, credential management, and user awareness training. Prioritization should focus on mitigating further data exfiltration, investigating the root cause of the historical data breaches, and enhancing the security posture of authentication infrastructure, particularly for regions with high reported exposure.

Total Events

8,478,303
credential exposure events

Employee Affected Events

468
account email domain = openai.com

Client Affected Events

8,477,835
service target = openai.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
2,000,0001,333,333666,6670
peak month 1,849,188
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events2,765,332
Share33%
Data breaches
Events5,712,971
Share67%
Infostealer logs (33%)
2,765,332events
Data breaches (67%)
5,712,971events

468 compromised employee accounts pose an infrastructure risk, while 8,477,835 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender60,845
Windows Defender.2,745
Windows Defender Reason Cybersecurity718
Windows Defender McAfee708
Avast639
McAfee533
Malwarebytes411
Windows Defender ESET Security354
Kaspersky286

Malware Families Distribution

Distribution of Active Stealer Strains

LummaC2432,437
Rhadamanthys410,057
Redline257,889
Vidar239,105
Acreed191,917
RisePro44,985
StealC40,244
Remus31,161
Millenium21,017

Top Login URLs

Top exposed services found in the event results

  1. 1https://auth0.openai.com/u/signup/password1,825,127
  2. 2https://auth0.openai.com/u/login/password1,335,319
  3. 3auth0.openai.com/u/signup/password867,350
  4. 4https://auth0.openai.com793,423
  5. 5auth0.openai.com748,654
  6. 6auth0.openai.com/u/login/password659,248
  7. 7https://auth.openai.com/log-in/password569,801
  8. 8https://auth.openai.com/create-account/password440,659
  9. 9auth.openai.com/log-in/password176,634
  10. 10https://auth0.openai.com/157,796

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

India
Events221,776
Brazil
Events84,241
Pakistan
Events83,260
United States
Events80,611
Vietnam
Events80,212
Egypt
Events61,358
Bangladesh
Events51,163
Philippines
Events49,285

Country Breakdown

  1. 1India221,776
  2. 2Brazil84,241
  3. 3Pakistan83,260
  4. 4United States80,611
  5. 5Vietnam80,212
  6. 6Egypt61,358
  7. 7Bangladesh51,163
  8. 8Philippines49,285

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

WordPress7

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11200,984
Windows 11 24H2 build 26100 (64 Bit)168,766
Windows 10 22H2 build 19045 (64 Bit)154,094
Windows 10 Pro116,088
Windows 10 Pro (10.0.19045) x6490,248

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
5,703,641
Combolist pools
9,330
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.