Back

valero.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting approximately 53,038 historical data breaches and 2,555 active infostealer logs, with a total of 55,593 events recorded. The majority of these events, 95.4%, are attributed to historical data breaches, while 4.6% are active infostealer logs. The timeline shows a surge in employee and client-related events, particularly in September 2025 and January 2026, suggesting a period of heightened compromise. The primary malware families identified are Redline (70.8%) and Rhadamanthys (4.9%), both known for credential theft. Targeted services include valero.com and its subdomains like starrewards.valero.com and ccc.valero.com, with a notable presence of F5 and Citrix services, potentially indicating VPN or application access points. The high volume of historical data breaches and active infostealer logs, coupled with the prevalence of credential-stealing malware, presents a critical risk. The exposure of nearly 50,000 employee records and over 5,000 client records, alongside the targeting of critical services like reward programs and payment processing, necessitates immediate attention. Remediation efforts should focus on credential reset for affected employees and clients, enhanced monitoring of the identified targeted services, and a thorough review of security configurations for F5 and Citrix infrastructure to prevent further exploitation.

Total Events

55,593
credential exposure events

Employee Affected Events

49,677
account email domain = valero.com

Client Affected Events

5,916
service target = valero.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
15,00010,0005,0000
peak month 12,530
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events2,555
Share5%
Data breaches
Events53,038
Share95%
Infostealer logs (5%)
2,555events
Data breaches (95%)
53,038events

49,677 compromised employee accounts pose an infrastructure risk, while 5,916 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender28
Windows Defender AVG Antivirus2
Kaspersky1

Malware Families Distribution

Distribution of Active Stealer Strains

Redline1,809
Rhadamanthys126
LummaC2118
Acreed91
Vidar43
Millenium36
Blank Grabber13
Remus9
StealC7

Top Login URLs

Top exposed services found in the event results

  1. 1valero.com691
  2. 2https://starrewards.valero.com289
  3. 3https://ccc.valero.com277
  4. 4https://starrewards.valero.com/register/272
  5. 5ccc.valero.com268
  6. 6starrewards.valero.com249
  7. 7https://ccc.valero.com/mycard/mobile/mSignIn.aspx234
  8. 8starrewards.valero.com/register/212
  9. 9https://starrewards.valero.com/login/196
  10. 10starrewards.valero.com/login/147

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events760
Netherlands
Events399
Germany
Events338
United Kingdom
Events228
Denmark
Events178
France
Events40
Belgium
Events37
Switzerland
Events32

Country Breakdown

  1. 1United States760
  2. 2Netherlands399
  3. 3Germany338
  4. 4United Kingdom228
  5. 5Denmark178
  6. 6France40
  7. 7Belgium37
  8. 8Switzerland32

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

F5181
Citrix98
Pulse Secure26
Git11
GitLab10
FortiNet VPN9
Cisco (AnyConnect)7

Operating System Distribution

Distribution of compromised endpoint builds

Windows 7 x32136
Windows Server 2003 x32125
Windows Server 2012 x32122
Windows Server 2008 x32122
Windows Server 2012 R2 x32121

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
40,043
Combolist pools
12,995
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.