Back

servicenow.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event affecting ServiceNow users, with over 42,000 total events recorded between July 2025 and June 2026. A substantial portion of these events, over 32,000, are classified as historical data breaches, and over 9,000 are active infostealer logs. The timeline shows a sharp increase in employee-related events in January 2026, coinciding with a peak in client-related events in March and June 2026. The primary malware families observed are Vidar, LummaC2, and Rhadamanthys, all known for credential harvesting and data exfiltration. The most targeted services are authentication endpoints on servicenow.com, suggesting attackers are attempting to compromise user accounts. The data originates primarily from India and the United States, with a significant portion of leaked data coming from combolist sources and database dumps.

Total Events

42,296
credential exposure events

Employee Affected Events

16,650
account email domain = servicenow.com

Client Affected Events

25,646
service target = servicenow.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
15,00010,0005,0000
peak month 13,151
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events9,331
Share22%
Data breaches
Events32,965
Share78%
Infostealer logs (22%)
9,331events
Data breaches (78%)
32,965events

16,650 compromised employee accounts pose an infrastructure risk, while 25,646 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender671
Avast2
Windows Defender.1
Malwarebytes1

Malware Families Distribution

Distribution of Active Stealer Strains

Vidar1,278
LummaC2771
Rhadamanthys544
Acreed528
Remus345
Redline272
Millenium42
StealC38
X-Files38

Top Login URLs

Top exposed services found in the event results

  1. 1https://signon.servicenow.com/x_snc_sso_auth.do5,349
  2. 2https://account.servicenow.com/sign-in2,304
  3. 3servicenow.com1,550
  4. 4https://servicenow.com1,025
  5. 5signon.servicenow.com/x_snc_sso_auth.do740
  6. 6https://www.servicenow.com734
  7. 7account.servicenow.com/sign-in725
  8. 8https://account.servicenow.com/sign-up570
  9. 9www.servicenow.com535
  10. 10https://account.servicenow.com491

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

India
Events3,540
United States
Events679
Pakistan
Events143
Brazil
Events116
United Kingdom
Events70
Thailand
Events58
Canada
Events55
Bangladesh
Events50

Country Breakdown

  1. 1India3,540
  2. 2United States679
  3. 3Pakistan143
  4. 4Brazil116
  5. 5United Kingdom70
  6. 6Thailand58
  7. 7Canada55
  8. 8Bangladesh50

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Okta278
Microsoft23
Citrix21
WordPress5
Cisco (AnyConnect)2

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11 Home Single Language 25H2 (Build 26200)921
Windows 11717
Windows 11 Home Single Language473
Windows 11 Pro 25H2 (Build 26200)465
Windows 11 Enterprise377

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
18,383
Combolist pools
14,582
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.