Back

thomsonreuters.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting thomsonreuters.com, with a total of 172,652 recorded events over the period. The majority of these events are categorized as historical data breaches (84.6%) and active infostealer logs (15.4%). A substantial number of employee (62,923) and client (109,729) records are associated with these events. The timeline shows a sharp increase in employee and client-related events in September 2025 and January 2026, suggesting potential targeted campaigns or widespread compromise during those periods. Malware families commonly associated with these events include LummaC2, Redline, and Rhadamanthys, all known for credential harvesting and data exfiltration. The high volume of historical data breaches and active infostealer logs, coupled with the large number of affected employee and client records, elevates the risk to a critical level. The prevalence of credential-harvesting malware targeting authentication services like "https://auth.thomsonreuters.com/u/login/password" and "https://signon.thomsonreuters.com/" indicates a strong focus on compromising user accounts. Remediation efforts should prioritize incident response for ongoing infostealer activity, thorough investigation of all historical data breaches, and immediate enhancement of authentication security controls, including multi-factor authentication and credential rotation for all affected users.

Total Events

172,652
credential exposure events

Employee Affected Events

62,923
account email domain = thomsonreuters.com

Client Affected Events

109,729
service target = thomsonreuters.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
40,00026,66713,3330
peak month 33,340
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events26,597
Share15%
Data breaches
Events146,055
Share85%
Infostealer logs (15%)
26,597events
Data breaches (85%)
146,055events

62,923 compromised employee accounts pose an infrastructure risk, while 109,729 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender744
Windows Defender Webroot SecureAnywhere153
Avast Antivirus99
McAfee23
Windows Defender.17
Windows Defender McAfee12
Windows Defender ESET Security11
McAfee VirusScan6
Avast4

Malware Families Distribution

Distribution of Active Stealer Strains

LummaC23,886
Redline3,028
Rhadamanthys3,000
Acreed2,413
Vidar1,375
X-Files625
Millenium311
StealC285
RisePro240

Top Login URLs

Top exposed services found in the event results

  1. 1https://auth.thomsonreuters.com/u/login/password13,579
  2. 2https://signon.thomsonreuters.com/8,753
  3. 3auth.thomsonreuters.com/u/login/password6,305
  4. 4signon.thomsonreuters.com/5,153
  5. 5https://signon.thomsonreuters.com4,809
  6. 6signon.thomsonreuters.com4,686
  7. 7thomsonreuters.com3,505
  8. 8https://auth.thomsonreuters.com3,078
  9. 9auth.thomsonreuters.com2,930
  10. 10https://onepass.thomsonreuters.com/v3/new/create/6/security2,277

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

Brazil
Events6,335
United States
Events2,647
India
Events1,349
Argentina
Events1,194
Spain
Events424
Pakistan
Events377
Thailand
Events256
Canada
Events225

Country Breakdown

  1. 1Brazil6,335
  2. 2United States2,647
  3. 3India1,349
  4. 4Argentina1,194
  5. 5Spain424
  6. 6Pakistan377
  7. 7Thailand256
  8. 8Canada225

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Microsoft727
Git178
Jira (Atlassian)111
Cisco (AnyConnect)92
Zendesk77
Citrix58
Salesforce44

Operating System Distribution

Distribution of compromised endpoint builds

Windows 112,836
Windows 10 Home x641,507
Windows 11 24H2 build 26100 (64 Bit)1,298
Windows 10 22H2 build 19045 (64 Bit)1,228
Windows 101,094

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
100,697
Combolist pools
45,358
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.