CRITICAL: Compromised Account Report

DESCRIPTION LAST UPDATED: 2023-12-06

DEFAULT SEVERITY LEVEL: CRITICAL

This report is a list of compromised accounts we or our collaborative partners have uncovered (i.e. for which we believe attackers have obtained the credentials).

These accounts may have been compromised through a malware infection, site breach, phishing or other types of malicious activities.

This is currently not a daily report; it is sent as a one-off report run whenever we obtain access to new lists of compromised accounts.

As of 2023-08-30, the report contains e-mail addresses that were obtained as part of the Qakbot botnet disruption by the FBI and international law enforcement partners.

You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example use cases.

Severity levels are described here.

Filename(s): compromised_account

Fields

  • timestamp
    Date or timestamp the compromise was detected, in UTC+0
  • email
    Compromised e-mail address
  • infection
    Associated malware, if any (for example, Qakbot)
  • source_url
    URL with more information
  • public_source
    Source of data (may not be disclosed)
  • status
    Status of the account (if known)
  • tag
    Features of the incident
  • severity
    Report severity
  • service
    Associated service (may be empty)
  • username
    Associated username (may be empty)
  • detail
    Any additional details for contextualization

Sample

"timestamp","email","infection","source_url","public_source","status","tag","severity","service","username","detail"
"2010-02-10 00:00:00",user0001@example.com,qakbot,https://192.168.0.1/news/qakbot-botnet-disruption/,,,,critical,,,
"2010-02-10 00:00:01",user0002@example.com,qakbot,https://192.168.0.2/news/qakbot-botnet-disruption/,,,,critical,,,
"2010-02-10 00:00:02",user0003@example.com,qakbot,https://192.168.0.3/news/qakbot-botnet-disruption/,,,,critical,,,
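
As an added example (not Shadowserver's own code), the following Python reads a compromised_account CSV with the fields listed above, keeps only addresses in the recipient's own domains, and collapses repeat rows into one record per address with first and last detection times in UTC. The function names triage and reset_queue, the domain list and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed rows in the compromised_account column layout (placeholder data).
SAMPLE = """\
"timestamp","email","infection","source_url","public_source","status","tag","severity","service","username","detail"
"2010-02-10 00:00:00",user0001@example.com,qakbot,https://192.168.0.1/news/qakbot-botnet-disruption/,,,,critical,,,
"2010-02-10 00:00:01",User0002@Example.com,qakbot,https://192.168.0.2/news/qakbot-botnet-disruption/,,,,critical,,,
"2010-02-10 00:00:05",user0001@example.com,qakbot,https://192.168.0.1/news/qakbot-botnet-disruption/,,,,critical,,,
"2010-02-10",user0003@example.org,,https://192.168.0.3/news/qakbot-botnet-disruption/,,,,critical,,,
"""


def triage(report, our_domains):
    """Collapse report rows into one record per address within our_domains."""
    domains = {d.lower() for d in our_domains}
    accounts = {}
    for row in csv.DictReader(report):
        email = (row.get("email") or "").strip().lower()
        if "@" not in email or email.rsplit("@", 1)[1] not in domains:
            continue  # malformed address or not one of ours
        # timestamp is documented as UTC+0; accept a bare date or a full timestamp.
        seen = datetime.fromisoformat(row["timestamp"].strip()).replace(tzinfo=timezone.utc)
        rec = accounts.setdefault(
            email, {"first_seen": seen, "last_seen": seen, "infections": set()})
        rec["first_seen"] = min(rec["first_seen"], seen)
        rec["last_seen"] = max(rec["last_seen"], seen)
        if row.get("infection"):  # "if any": the field may be empty
            rec["infections"].add(row["infection"].lower())
    return accounts


def reset_queue(accounts):
    """Group addresses by associated malware; rows with none go under 'unknown'."""
    queue = defaultdict(list)
    for email, rec in sorted(accounts.items()):
        for name in sorted(rec["infections"]) or ["unknown"]:
            queue[name].append(email)
    return dict(queue)


if __name__ == "__main__":
    found = triage(io.StringIO(SAMPLE), ["example.com", "example.org"])
    for infection, emails in reset_queue(found).items():
        print(infection, emails)
```

Grouping by the infection field separates accounts tied to a named malware family, where the affected host also needs attention, from rows that carry no malware attribution.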
