Back

pg.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant historical data breach event affecting approximately 154,167 records, alongside 14,193 active infostealer logs. The primary impact appears to be on employees, with 118,023 affected, followed by clients at 50,337. Malware families such as Vidar, Redline, and LummaC2 are prevalent, suggesting a focus on credential harvesting. The timeline shows a surge in employee and client-related events in September 2025 and January 2026, correlating with periods of increased infostealer activity. The data also points to targeted services including the pg.com domain and various Android applications, with a notable concentration of events originating from the United Arab Emirates and Türkiye. Given the high volume of historical data breaches and active infostealer logs, this exposure presents a critical risk. The prevalence of infostealer malware targeting employee and client credentials necessitates immediate attention to credential hygiene, multi-factor authentication enforcement, and endpoint security. Remediation should focus on identifying the root cause of the historical data breaches, enhancing monitoring for ongoing infostealer activity, and securing targeted services and applications, particularly those identified in the United Arab Emirates and Türkiye.

Total Events

168,360
credential exposure events

Employee Affected Events

118,023
account email domain = pg.com

Client Affected Events

50,337
service target = pg.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
60,00040,00020,0000
peak month 57,403
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events14,193
Share8%
Data breaches
Events154,167
Share92%
Infostealer logs (8%)
14,193events
Data breaches (92%)
154,167events

118,023 compromised employee accounts pose an infrastructure risk, while 50,337 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender94
Windows Defender Avast Antivirus3
Windows Defender [ON]2
Reason Cybersecurity1
Avast1
Avast Antivirus1

Malware Families Distribution

Distribution of Active Stealer Strains

Vidar2,868
Redline1,794
LummaC21,690
Rhadamanthys1,271
Acreed597
Cthulhu402
Remus367
StealC238
RisePro188

Top Login URLs

Top exposed services found in the event results

  1. 1pg.com6,517
  2. 2android://M8eipvaph1fXTLfgaMkImRnGKrQJVZj32rUyDPUA-shKvSN-JZbruf5M33sd3QkU9g7XuxqEKw7S_G9Ro-g7JQ==@com.pg.pampersbabyworld/4,092
  3. 3android://gRbIuNjBREmAgyvzi9Aidk4x-ABB2PKAvG-0przyHenHWiWOJLBhtSnJD7Y1ieVGbwomIbIFlds90SuVHLqWzA==@com.pg.banabak/3,668
  4. 4android://GzD0MQtKbv-iD5-OIEB6Y-Wdi2lmHzSY4nPkWMJDPIRrowvNKisPtXENQH1tUE8GK1m0geNfpnpWwMv1U-Qkog==@com.pg.oralb.oralbapp/2,995
  5. 5android://HDEEc4FOveEnInPdLbRmp9_VX2zBxihszxadl4QKTNZXVTSQK3Dtdh7nRG3CY9Pgow4VPii9_SE1Y1qxLFHiqw==@com.pg.clubpampers.tier2.android.es/695
  6. 6https://fedauth.pg.com/idp/SSO.saml2646
  7. 7android://p01PII26WI-ci-P-mL-H26wOOzrTVdluklmsMfUt-qbGmzM_8aeLPKZ--oDt0iYeakK4OQ29TfNPL5An6GdAvw==@com.pg.pampers.primakulubu/639
  8. 8https://fedauth.pg.com574
  9. 9fedauth.pg.com554
  10. 10fedauth.pg.com/idp/SSO.saml2489

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United Arab Emirates
Events2,385
Türkiye
Events1,747
India
Events633
United States
Events614
Spain
Events609
Argentina
Events424
Italy
Events323
Philippines
Events296

Country Breakdown

  1. 1United Arab Emirates2,385
  2. 2Türkiye1,747
  3. 3India633
  4. 4United States614
  5. 5Spain609
  6. 6Argentina424
  7. 7Italy323
  8. 8Philippines296

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Microsoft1,688
Pulse Secure446
Auth022
Salesforce18
Microsoft Entra ID (External ID / B2C)14
Jira (Atlassian)10
WordPress8

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11 Pro1,567
Windows 11708
Windows 10 Enterprise x64669
Windows 10 22H2 build 19045 (64 Bit)531
Windows 11 24H2 build 26100 (64 Bit)525

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
60,551
Combolist pools
93,616
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.