Back

tollbrothers.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The domain tollbrothers.com has experienced a significant number of security events over the past year, with a total of 41,032 events recorded. A substantial portion of these events, 39,203 (95.5%), are classified as historical data breaches, indicating past compromises. Additionally, 1,829 events (4.5%) are identified as active infostealer logs, suggesting ongoing threats. The infostealer activity is heavily dominated by the Redline malware family, accounting for 95.3% of identified malware. Employee-related events are also high, with 40,009 instances, while client-related events number 1,023. The timeline shows a peak in employee-related events in September 2025 and March 2026, and a general increase in both employee and client events from February to June 2026. The high volume of historical data breaches and active infostealer logs, particularly those associated with Redline malware, presents a critical risk. The prevalence of Redline suggests a focus on credential harvesting, potentially impacting both employees and clients. The extensive number of employee-related events, coupled with the presence of data breaches and infostealers, indicates a high likelihood of compromised employee credentials being exfiltrated or misused. Remediation efforts should prioritize securing authentication mechanisms, enhancing endpoint detection and response to counter Redline malware, and conducting thorough investigations into the historical data breaches to understand the full scope of compromised data and affected individuals.

Total Events

41,032
credential exposure events

Employee Affected Events

40,009
account email domain = tollbrothers.com

Client Affected Events

1,023
service target = tollbrothers.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
10,0006,6673,3330
peak month 9,275
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events1,829
Share5%
Data breaches
Events39,203
Share96%
Infostealer logs (5%)
1,829events
Data breaches (96%)
39,203events

40,009 compromised employee accounts pose an infrastructure risk, while 1,023 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Bitdefender1
Avira1

Malware Families Distribution

Distribution of Active Stealer Strains

Redline1,743
LummaC225
Rhadamanthys21
X-Files9
Acreed6
Vidar5
StealC2
Aurora1

Top Login URLs

Top exposed services found in the event results

  1. 1tollbrothers.com487
  2. 2https://web1.tollbrothers.com/formpostdir/securereader35
  3. 3https://tollbrothers.com24
  4. 4https://www.tollbrothers.com24
  5. 5www.tollbrothers.com18
  6. 6web1.tollbrothers.com18
  7. 7tollbrothers.com/my-favorites/sign-up17
  8. 8https://login.tollbrothers.com/oauth2/default/v1/authorize16
  9. 9https://www.tollbrothers.com/my-favorites/sign-up15
  10. 10https://login.tollbrothers.com/app/tollbros_homebuyerquestionnaire_1/exkb8dt4kMpfQQMbL696/sso/saml13

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events475
Netherlands
Events434
Germany
Events357
Denmark
Events145
United Kingdom
Events45
France
Events38
Belgium
Events31

Country Breakdown

  1. 1United States475
  2. 2Netherlands434
  3. 3Germany357
  4. 4Denmark145
  5. 5United Kingdom45
  6. 6Luxembourg41
  7. 7France38
  8. 8Belgium31

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Citrix39
Git20
FortiNet VPN15
Pulse Secure13
Microsoft9
Cisco (AnyConnect)7
Okta3

Operating System Distribution

Distribution of compromised endpoint builds

Windows Server 2008 x32137
Windows Server 2003 R2 x32136
Windows Server 2003 x32128
Windows Server 2008 R2 x32124
Windows 8 x32124

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
32,495
Combolist pools
6,708
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.