Back

who.int Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The domain who.int has experienced a significant number of data breaches and infostealer events, with over 132,000 historical data breaches and over 27,000 active infostealer logs recorded between July 2025 and June 2026. These events primarily involve client data, with a notable increase in employee-related events in September 2025 and March 2026. The most prevalent malware families are LummaC2, Redline, and Rhadamanthys, often associated with combolist sources and database dumps, suggesting credential stuffing or account takeover attempts. The targeted services are predominantly related to the careers portal, indicating a focus on compromising user credentials for recruitment or employment-related platforms. Geographically, India, Ethiopia, and Egypt show the highest incidence of related events. Given the high volume of data breaches and infostealer activity, coupled with the targeting of client and employee data, this exposure presents a critical risk. The prevalence of LummaC2 and Redline, known for credential harvesting, combined with the use of combolists, points to a high likelihood of compromised accounts being exploited. Prioritization should focus on immediate remediation of vulnerabilities on the careers portal, enhanced credential security measures, and comprehensive incident response to address the ongoing data breach and infostealer activity. The primary risk is the potential for widespread account compromise and sensitive data exfiltration affecting both individuals and the organization.

Total Events

159,997
credential exposure events

Employee Affected Events

12,861
account email domain = who.int

Client Affected Events

147,136
service target = who.int

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
40,00026,66713,3330
peak month 39,244
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events27,165
Share17%
Data breaches
Events132,832
Share83%
Infostealer logs (17%)
27,165events
Data breaches (83%)
132,832events

12,861 compromised employee accounts pose an infrastructure risk, while 147,136 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender235
ESET25
Windows Defender.13
Windows Defender McAfee12
Kaspersky7
Windows Defender [ON]4
Windows Defender Reason Cybersecurity3
Reason Cybersecurity3
Malwarebytes2

Malware Families Distribution

Distribution of Active Stealer Strains

LummaC25,603
Redline4,149
Rhadamanthys2,415
Vidar1,805
Acreed1,414
StealC764
RisePro690
Millenium171
Remus158

Top Login URLs

Top exposed services found in the event results

  1. 1https://careers.who.int/careersection/careersection/privacyagreement/statementBeforeAuthentification.jsf16,651
  2. 2careers.who.int14,991
  3. 3https://careers.who.int14,645
  4. 4https://careers.who.int/careersection/iam/accessmanagement/register.jsf12,735
  5. 5https://careers.who.int/careersection/iam/accessmanagement/login.jsf9,373
  6. 6careers.who.int/careersection/careersection/privacyagreement/statementBeforeAuthentification.jsf9,341
  7. 7careers.who.int/careersection/iam/accessmanagement/register.jsf7,561
  8. 8careers.who.int/careersection/iam/accessmanagement/login.jsf5,516
  9. 9https://careers.who.int/careersection/careersection/privacyagreement/statementbeforeauthentification.jsf4,189
  10. 10careers.who.int/careersection/careersection/privacyagreement/statementbeforeauthentification.jsf3,885

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

India
Events1,314
Ethiopia
Events1,253
Egypt
Events1,211
Kenya
Events1,078
Nigeria
Events1,027
Pakistan
Events1,000
Bangladesh
Events874

Country Breakdown

  1. 1India1,314
  2. 2Ethiopia1,253
  3. 3Egypt1,211
  4. 4Kenya1,078
  5. 5Nigeria1,027
  6. 6Pakistan1,000
  7. 7Bangladesh874
  8. 8Burkina Faso630

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Microsoft3,965
Extranet3,956
Intranet258
Cisco (AnyConnect)56
Comodo26
TeamViewer19
Microsoft Entra ID (External ID / B2C)18

Operating System Distribution

Distribution of compromised endpoint builds

Windows 10 Enterprise x641,857
Windows 111,852
Windows 10 Pro1,481
Windows 10 22H2 build 19045 (64 Bit)1,101
Windows 10 Pro (10.0.19045) x64963

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
129,902
Combolist pools
2,930
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.