Back

so-net.ne.jp Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting the so-net.ne.jp domain, with a high risk score of 98. The primary concern stems from a large volume of historical data breaches (37,935 events) and active infostealer logs (3,657 events) observed between July 2025 and June 2026. These events are strongly correlated with "Combolist sources" (81.8%) and "Database dumps" (18.2%) within leak repositories, suggesting compromised credentials are a major vector. The timeline shows a notable increase in client-related events from August 2025 onwards, peaking in March 2026, alongside fluctuating but consistent employee-related events throughout the period. The prevalence of infostealer malware families like LummaC2, Redline, and Rhadamanthys, coupled with the sheer volume of data breach events, elevates the risk to critical. The primary focus for remediation should be on credential hygiene, including mandatory password resets for all users, enhanced multi-factor authentication deployment, and a thorough review of access controls for services like the so-net.ne.jp login portal and mypage. Investigating the source of the "Combolist sources" and "Database dumps" is also crucial to understand the initial compromise and prevent recurrence.

Total Events

41,592
credential exposure events

Employee Affected Events

949
account email domain = so-net.ne.jp

Client Affected Events

40,643
service target = so-net.ne.jp

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
10,0006,6673,3330
peak month 9,621
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events3,657
Share9%
Data breaches
Events37,935
Share91%
Infostealer logs (9%)
3,657events
Data breaches (91%)
37,935events

949 compromised employee accounts pose an infrastructure risk, while 40,643 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender108
Windows Defender ウイルスバスター クラウド54
Windows Defender [ON]4
ノートン 3603
Windows Defender マカフィー ウイルススキャン ノートン 3602
Windows Defender ノートン 3601
ノートン セキュリティ1
None1

Malware Families Distribution

Distribution of Active Stealer Strains

LummaC2515
Redline490
Rhadamanthys467
Acreed281
Vidar141
Raccoon82
RisePro59
StealC44
Millenium42

Top Login URLs

Top exposed services found in the event results

  1. 1so-net.ne.jp2,008
  2. 2https://id.so-net.ne.jp/iam/auth/realms/so-net/login-actions/authenticate1,896
  3. 3https://www.so-net.ne.jp1,684
  4. 4https://so-net.ne.jp1,406
  5. 5id.so-net.ne.jp/iam/auth/realms/so-net/login-actions/authenticate1,180
  6. 6www.so-net.ne.jp1,052
  7. 7https://www.so-net.ne.jp/1,005
  8. 8https://www.so-net.ne.jp/mypage/968
  9. 9https://www.so-net.ne.jp/sso/portal/cgi-bin/login.cgi800
  10. 10so-net.ne.jp/mypage/748

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

Japan
Events2,075
United States
Events34
Taiwan
Events16
Nigeria
Events11
Germany
Events11
Thailand
Events10
India
Events10
Finland
Events10

Country Breakdown

  1. 1Japan2,075
  2. 2United States34
  3. 3Taiwan16
  4. 4Nigeria11
  5. 5Germany11
  6. 6Thailand10
  7. 7India10
  8. 8Finland10

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

-
Total

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11431
Windows 10 22H2 build 19045 (64 Bit)206
Windows 10 Enterprise x64167
Windows 11 24H2 build 26100 (64 Bit)158
Windows 10 Pro (10.0.19045) x64123

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
31,012
Combolist pools
6,923
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.