CRITICAL: Compromised Account Report



This report is a list of compromised accounts we or our collaborative partners have uncovered (i.e. for which we believe attackers have obtained the credentials).

These accounts may have been compromised through a malware infection, site breach, phishing or other types of malicious activities.

This is currently not in the form of a daily report, but is sent as a one-off report run whenever we obtain access to new lists of compromised accounts.

As of 2023-08-30, the report contains e-mail addresses that were obtained as part of the Qakbot botnet disruption by the FBI and international law enforcement partners.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

Filename(s): compromised_account


  • timestamp
    Date or timestamp the compromise was detected, in UTC+0
  • email
    Compromised e-mail address
  • infection
    Associated malware, if any (for example, Qakbot)
  • source_url
    URL with more information
  • public_source
    Source of data (may not be disclosed)
  • status
    Status of the account (if known)
  • tag
    Features of the incident
  • severity
    Report severity
  • service
    Associated service (may be empty)
  • username
    Associated username (may be empty)
  • detail
    Any additional details for contextualization


"2010-02-10 00:00:00",,qakbot,,,,,critical,,,
"2010-02-10 00:00:01",,qakbot,,,,,critical,,,
"2010-02-10 00:00:02",,qakbot,,,,,critical,,,

Our 128 Report Types