Back

userscloud.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The domain userscloud.com is associated with a high-risk score of 98, primarily driven by a significant volume of historical data breaches (87.3%) and active infostealer logs (12.7%). The telemetry indicates that 80,558 client accounts have been compromised, alongside 117 employee accounts. The timeline shows a notable increase in client compromises starting in February 2026, with a peak in March 2026. Malware families such as Redline, LummaC2, and Rhadamanthys are frequently observed, suggesting widespread credential harvesting and data exfiltration activities targeting the domain's users. The primary source of exposure appears to be "Combolist sources," indicating compromised credentials being traded or leaked online. The high volume of data breaches and active infostealer logs, affecting a large number of clients and a smaller number of employees, presents a critical risk. The prevalence of infostealer malware targeting users of this service suggests that credentials and sensitive information are actively being stolen. Remediation efforts should focus on immediate incident response for affected clients and employees, including credential resets and enhanced monitoring. Given the nature of the exposure, a thorough investigation into the root cause of the data breaches and the methods used by infostealers is paramount. The service itself is heavily targeted, with numerous requests to its login and registration pages, indicating it is a prime target for credential stuffing and phishing attacks.

Total Events

80,675
credential exposure events

Employee Affected Events

117
account email domain = userscloud.com

Client Affected Events

80,558
service target = userscloud.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
20,00013,3336,6670
peak month 17,534
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events10,206
Share13%
Data breaches
Events70,469
Share87%
Infostealer logs (13%)
10,206events
Data breaches (87%)
70,469events

117 compromised employee accounts pose an infrastructure risk, while 80,558 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender86
Windows Defender.4
Windows Defender ESET Security4
AhnLab V3 Internet Security 9.02
Malwarebytes [OFF]1
Windows Defender AVG Antivirus.1

Malware Families Distribution

Distribution of Active Stealer Strains

Redline1,943
LummaC21,762
Rhadamanthys816
Acreed717
Vidar665
RisePro334
StealC261
Millenium76
Raccoon68

Top Login URLs

Top exposed services found in the event results

  1. 1https://userscloud.com/18,489
  2. 2userscloud.com15,610
  3. 3https://userscloud.com15,195
  4. 4userscloud.com/13,871
  5. 5https://userscloud.com/register.html1,999
  6. 6userscloud.com/register.html1,431
  7. 7https://userscloud.com/login.html1,177
  8. 8userscloud.com/login.html911
  9. 9http://userscloud.com/652
  10. 10https://userscloud.com/free14271.html561

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

Indonesia
Events846
Thailand
Events732
India
Events349
United States
Events340
Türkiye
Events300
Brazil
Events286
Spain
Events262
Egypt
Events225

Country Breakdown

  1. 1Indonesia846
  2. 2Thailand732
  3. 3India349
  4. 4United States340
  5. 5Türkiye300
  6. 6Brazil286
  7. 7Spain262
  8. 8Egypt225

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

WordPress1

Operating System Distribution

Distribution of compromised endpoint builds

Windows 10 Enterprise x64962
Windows 11765
Windows 10 Pro (10.0.19045) x64479
Windows 10 Pro465
Windows 10310

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
70,450
Combolist pools
19
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.