Back

wellsfargo.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure affecting Wells Fargo, with over 1.4 million historical data breaches and over 200,000 active infostealer logs observed. The data suggests a broad impact, encompassing 372,496 employees and 1,233,009 clients. The timeline shows a sharp increase in employee and client data compromise starting in January 2026, coinciding with a surge in infostealer activity. Malware families like LummaC2, Rhadamanthys, and Redline are prominent, indicating sophisticated threats targeting credentials and sensitive information. The high volume of historical data breaches and active infostealer logs, coupled with the large number of affected employees and clients, elevates this incident to a critical priority. The primary remediation focus should be on immediate threat hunting to identify and contain active infostealer infections, followed by a comprehensive review of authentication mechanisms and data access controls for both employee and client portals, particularly those related to `connect.secure.wellsfargo.com`. Given the nature of the data and the domain, the closest industry sector is Banking & Finance.

Total Events

1,605,505
credential exposure events

Employee Affected Events

372,496
account email domain = wellsfargo.com

Client Affected Events

1,233,009
service target = wellsfargo.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
400,000266,667133,3330
peak month 317,863
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events201,551
Share13%
Data breaches
Events1,403,954
Share87%
Infostealer logs (13%)
201,551events
Data breaches (87%)
1,403,954events

372,496 compromised employee accounts pose an infrastructure risk, while 1,233,009 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender3,621
McAfee170
Windows Defender.147
Windows Defender McAfee131
Webroot SecureAnywhere87
Avast Norton84
McAfee VirusScan57
Malwarebytes49
Windows Defender Avast Antivirus28

Malware Families Distribution

Distribution of Active Stealer Strains

LummaC229,621
Rhadamanthys29,024
Redline26,727
Acreed15,415
Vidar10,073
X-Files5,060
Millenium2,878
Blank Grabber1,626
RisePro1,034

Top Login URLs

Top exposed services found in the event results

  1. 1https://connect.secure.wellsfargo.com/auth/login/present143,033
  2. 2https://www.wellsfargo.com/114,952
  3. 3connect.secure.wellsfargo.com/auth/login/present87,897
  4. 4wellsfargo.com68,654
  5. 5wellsfargo.com/66,275
  6. 6https://connect.secure.wellsfargo.com65,083
  7. 7connect.secure.wellsfargo.com62,964
  8. 8www.wellsfargo.com/53,256
  9. 9https://www.wellsfargo.com48,116
  10. 10https://wellsfargo.com39,734

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events95,868
Venezuela
Events1,543
Mexico
Events1,528
Nigeria
Events1,508
India
Events1,482
Philippines
Events1,091
Pakistan
Events938
Indonesia
Events869

Country Breakdown

  1. 1United States95,868
  2. 2Venezuela1,543
  3. 3Mexico1,528
  4. 4Nigeria1,508
  5. 5India1,482
  6. 6Philippines1,091
  7. 7Pakistan938
  8. 8Indonesia869

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Okta557
Microsoft84
F569
Citrix44
Pulse Secure29
Git16
FortiNet VPN10

Operating System Distribution

Distribution of compromised endpoint builds

Windows 1121,254
Windows 11 24H2 build 26100 (64 Bit)16,622
Windows 10 Home x6411,529
Windows 10 Enterprise x648,708
Windows 10 22H2 build 19045 (64 Bit)7,086

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
1,096,175
Combolist pools
307,779
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.