Back

ucla.edu Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event for ucla.edu, with a risk score of 100. Over the reporting period, there were 160,140 historical data breaches and 5,990 infostealer events. The majority of these events, 96.4%, are attributed to historical data breaches, while 3.6% are active infostealer logs. The timeline shows a sharp increase in employee and client events starting in September 2025, with notable peaks in January and February 2026. Malware families like Acreed, Redline, and LummaC2 are prevalent, suggesting active compromise and data exfiltration attempts. Targeted services include core ucla.edu domains and authentication services like shibboleth-idp, indicating potential compromise of identity and access management infrastructure. The data also points to combolist sources and database dumps as significant leak repository classifications, suggesting credential stuffing and large-scale data leakage.

Total Events

166,130
credential exposure events

Employee Affected Events

107,456
account email domain = ucla.edu

Client Affected Events

58,674
service target = ucla.edu

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
30,00020,00010,0000
peak month 29,519
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events5,990
Share4%
Data breaches
Events160,140
Share96%
Infostealer logs (4%)
5,990events
Data breaches (96%)
160,140events

107,456 compromised employee accounts pose an infrastructure risk, while 58,674 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender50
电脑管家系统防护2
McAfee1

Malware Families Distribution

Distribution of Active Stealer Strains

Acreed762
Redline740
LummaC2716
Rhadamanthys633
Vidar259
Cthulhu149
Millenium82
X-Files66
StealC37

Top Login URLs

Top exposed services found in the event results

  1. 1ucla.edu13,755
  2. 2g.ucla.edu7,451
  3. 3https://shb.ais.ucla.edu/shibboleth-idp/profile/SAML2/Redirect/SSO1,848
  4. 4https://shb.ais.ucla.edu1,379
  5. 5shb.ais.ucla.edu/shibboleth-idp/profile/SAML2/Redirect/SSO1,346
  6. 6shb.ais.ucla.edu1,281
  7. 7https://bruins.admission.ucla.edu/myApplication/Login.aspx1,163
  8. 8https://accounts.iam.ucla.edu/register1,151
  9. 9mednet.ucla.edu983
  10. 10accounts.iam.ucla.edu/register868

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events2,055
Switzerland
Events153
India
Events120
Canada
Events87
Indonesia
Events63
Brazil
Events61
Kenya
Events47
South Korea
Events40

Country Breakdown

  1. 1United States2,055
  2. 2Switzerland153
  3. 3India120
  4. 4Canada87
  5. 5Indonesia63
  6. 6Brazil61
  7. 7Kenya47
  8. 8South Korea40

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Microsoft341
Jira (Atlassian)101
Citrix88
Paloalto VPN68
WordPress34
NetSuite21
Cisco (AnyConnect)9

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11902
Windows 10 Home x64343
Windows 10 Enterprise x64254
Windows 11 24H2 build 26100 (64 Bit)250
Windows 11 Home161

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
85,990
Combolist pools
74,150
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.