CRITICAL: Compromised Account Report

DESCRIPTION LAST UPDATED: 2025-11-27

DEFAULT SEVERITY LEVEL: CRITICAL

This report is a list of compromised accounts we or our collaborative partners have uncovered (i.e. for which we believe attackers have obtained the credentials).

These accounts may have been compromised through a malware infection, site breach, phishing or other types of malicious activities.

This is currently not in the form of a daily report, but is sent as a one-off report run whenever we obtain access to new lists of compromised accounts.

On 2025-11-26, a report was shared with e-mail address related to findings described by watchTowr in https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/. These have been tagged jsonformatter-codebeautify-leak and severity set to CRITICAL (10,449 entries shared).

On 2023-08-30, the report contained e-mail addresses that were obtained as part of the Qakbot botnet disruption by the FBI and international law enforcement partners.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

Filename(s): compromised_account

Fields

  • timestamp
    Date or timestamp the compromise was detected, in UTC+0
  • email
    Compromised e-mail address
  • infection
    Associated malware, if any (for example, Qakbot)
  • source_url
    URL with more information
  • public_source
    Source of data (may not be disclosed)
  • status
    Status of the account (if known)
  • tag
    Features of the incident
  • severity
    Report severity
  • service
    Associated service (may be empty)
  • username
    Associated username (may be empty)
  • detail
    Any additional details for contextualization

Sample

"timestamp","email","infection","source_url","public_source","status","tag","severity","service","username","detail"
"2010-02-10 00:00:00",user0001@example.com,qakbot,https://192.168.0.1/news/qakbot-botnet-disruption/,,,,critical,,,
"2010-02-10 00:00:01",user0002@example.com,qakbot,https://192.168.0.2/news/qakbot-botnet-disruption/,,,,critical,,,
"2010-02-10 00:00:02",user0003@example.com,qakbot,https://192.168.0.3/news/qakbot-botnet-disruption/,,,,critical,,,

Our 140 Report Types

« Back to Network Reporting