Back

rockwellautomation.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting Rockwell Automation, with over 111,000 historical data breaches and nearly 19,000 active infostealer logs detected within the reporting period. The majority of these events are linked to "Combolist sources" and "Database dumps," suggesting credential stuffing or account takeover attempts. Malware families such as Redline, LummaC2, and Rhadamanthys are prevalent, indicating active compromise and data exfiltration. The targeted services include identity providers and account creation portals, highlighting a focus on gaining unauthorized access to user accounts and potentially sensitive systems. The geographical distribution shows a notable concentration of activity originating from India, Mexico, and the United States. The high volume of data breaches and infostealer activity, coupled with the presence of multiple malware families, warrants immediate attention and a thorough investigation into the root cause and extent of the compromise.

Total Events

129,932
credential exposure events

Employee Affected Events

42,767
account email domain = rockwellautomation.com

Client Affected Events

87,165
service target = rockwellautomation.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
25,00016,6678,3330
peak month 21,026
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events18,376
Share14%
Data breaches
Events111,556
Share86%
Infostealer logs (14%)
18,376events
Data breaches (86%)
111,556events

42,767 compromised employee accounts pose an infrastructure risk, while 87,165 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender165
McAfee VirusScan18
Windows Defender.16
McAfee7
Windows Defender Avast Antivirus.4
Bitdefender2
Reason Cybersecurity2
Windows Defender ESET Security2
Windows Defender Sophos Intercept X Sophos Intercept X.2

Malware Families Distribution

Distribution of Active Stealer Strains

Redline5,572
LummaC22,362
Rhadamanthys1,432
Vidar1,283
Acreed700
RisePro512
StealC493
Remus130
Millenium90

Top Login URLs

Top exposed services found in the event results

  1. 1https://idp.rockwellautomation.com/adfs/oauth2/authorize11,595
  2. 2https://idp.rockwellautomation.com6,755
  3. 3idp.rockwellautomation.com/adfs/oauth2/authorize6,739
  4. 4idp.rockwellautomation.com6,286
  5. 5https://www.rockwellautomation.com/account/create-account5,663
  6. 6https://idp.rockwellautomation.com/adfs/oauth2/authorize/5,419
  7. 7idp.rockwellautomation.com/adfs/oauth2/authorize/3,008
  8. 8https://login.rockwellautomation.com/login2,880
  9. 9rockwellautomation.com/account/create-account2,527
  10. 10https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx2,517

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

India
Events1,489
Mexico
Events1,244
United States
Events1,060
Brazil
Events921
Netherlands
Events459
Germany
Events417
Peru
Events369
Thailand
Events340

Country Breakdown

  1. 1India1,489
  2. 2Mexico1,244
  3. 3United States1,060
  4. 4Brazil921
  5. 5Netherlands459
  6. 6Germany417
  7. 7Peru369
  8. 8Thailand340

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Microsoft700
Citrix59
Cisco (AnyConnect)25
Pulse Secure24
Microsoft Entra ID (External ID / B2C)15
FortiNet VPN12
Git7

Operating System Distribution

Distribution of compromised endpoint builds

Windows 10 Enterprise x641,780
Windows 111,129
Windows 10 Pro711
Windows 10 Home x64555
Windows 11 24H2 build 26100 (64 Bit)532

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
100,843
Combolist pools
10,713
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.