Back

visa.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting visa.com, with 186,735 historical data breaches and 24,715 active infostealer logs detected over the reporting period. The majority of these events, 88.3%, are attributed to historical data breaches, while 11.7% are active infostealer logs. The timeline shows a substantial increase in client-related events starting in September 2025 and peaking in March and April 2026, alongside notable employee-related events in January 2026. Key malware families involved include Redline, LummaC2, and Rhadamanthys, all known for credential theft. The primary targeted services are related to secure checkout and commercial payments, with a notable presence of United States and Brazil in the geographical breakdown. The leak repository classification shows a high percentage of data originating from combolist sources (82.9%) and database dumps (17.1%), suggesting compromised credentials and potentially sensitive information. Given the high volume of data breaches and infostealer activity targeting critical payment services, this event poses a severe risk to both employees and clients, potentially leading to widespread financial fraud and identity theft. The prevalence of credential-stealing malware and the nature of the data sources indicate a strong focus on compromising user accounts and payment information. Prioritization should focus on immediate incident response, comprehensive credential compromise analysis, and strengthening authentication mechanisms across all affected services, particularly those related to checkout and commercial payments. A thorough review of data exfiltration channels and the integrity of database dumps is also critical.

Total Events

211,450
credential exposure events

Employee Affected Events

26,045
account email domain = visa.com

Client Affected Events

185,405
service target = visa.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
50,00033,33316,6670
peak month 46,246
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events24,715
Share12%
Data breaches
Events186,735
Share88%
Infostealer logs (12%)
24,715events
Data breaches (88%)
186,735events

26,045 compromised employee accounts pose an infrastructure risk, while 185,405 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender437
Windows Defender.25
Windows Defender McAfee10
Malwarebytes9
Windows Defender Norton Security.7
Windows Defender AVG Antivirus.7
Windows Defender McAfee Anti-Virus and Anti-Spyware.4
Reason Cybersecurity3
Windows Defender 电脑管家系统防护 腾讯电脑管家系统防护3

Malware Families Distribution

Distribution of Active Stealer Strains

Redline3,942
LummaC23,837
Rhadamanthys2,931
Acreed1,882
Vidar1,653
StealC416
RisePro245
Millenium237
Raccoon171

Top Login URLs

Top exposed services found in the event results

  1. 1https://secure.checkout.visa.com19,309
  2. 2secure.checkout.visa.com18,570
  3. 3https://secure.checkout.visa.com/checkout-widget/rxo/signin14,456
  4. 4secure.checkout.visa.com/checkout-widget/rxo/signin10,782
  5. 5https://app.commercialpay.visa.com/7,851
  6. 6https://secure.checkout.visa.com/createAccount6,921
  7. 7https://secure.checkout.visa.com/6,650
  8. 8secure.checkout.visa.com/createAccount5,534
  9. 9secure.checkout.visa.com/5,260
  10. 10app.commercialpay.visa.com/3,712

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events4,334
Brazil
Events1,928
Canada
Events724
India
Events630
United Kingdom
Events556
Mexico
Events432
Poland
Events427
Bangladesh
Events398

Country Breakdown

  1. 1United States4,334
  2. 2Brazil1,928
  3. 3Canada724
  4. 4India630
  5. 5United Kingdom556
  6. 6Mexico432
  7. 7Poland427
  8. 8Bangladesh398

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Microsoft87
Microsoft Entra ID (External ID / B2C)6
WordPress5
Okta5
Jira (Atlassian)4
Auth02
Zendesk2

Operating System Distribution

Distribution of compromised endpoint builds

Windows 112,124
Windows 10 Enterprise x641,684
Windows 11 24H2 build 26100 (64 Bit)1,146
Windows 10 22H2 build 19045 (64 Bit)1,031
Windows 10 Home x64896

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
154,724
Combolist pools
32,011
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.