A curated database of documented breach events, the threat actors behind credential theft, and attack techniques targeting individuals and organisations across North America.
A curated record of significant breach events — credential exposures, ransomware campaigns, and identity theft operations that defined the current threat landscape.
A data broker aggregating public records was breached, exposing 2.9 billion records including Social Security Numbers, names, addresses, and family relationships for nearly every adult in the US and Canada. The data appeared on criminal forums before the company acknowledged the breach.
A ransomware attack on UnitedHealth's payment processing subsidiary disrupted healthcare operations across North America for months. Protected health information for an estimated 190 million patients was exfiltrated. The company paid a $22M ransom that did not prevent data publication.
Complete call and text records for 109 million AT&T customers were exfiltrated from a third-party cloud environment. The data included records of every number contacted by every customer over a 6-month period — enabling social graph mapping and targeted fraud at scale.
A credential-stuffing campaign targeting cloud data warehouses compromised accounts at over 165 organisations including Ticketmaster, Santander Bank, and LendingTree. Attackers used previously stolen credentials to access unprotected Snowflake environments with no MFA enforced.
An education technology provider serving over 18,000 schools was breached via compromised credentials. Attackers accessed a support portal and exfiltrated student and teacher records including names, addresses, Social Security Numbers, and medical information for 62 million individuals.
The organisations and operator types responsible for credential theft, identity fraud, and business compromise targeting North American individuals and organisations.
Organised criminal networks operating ransomware infrastructure for hire. Affiliates gain initial access using stolen credentials from breach databases. Healthcare, legal, and financial services are primary targets due to high data sensitivity and payment willingness.
Business email compromise operators who use publicly available information — executive names, domain structure, employee listings — to construct convincing impersonation attacks. No malware required. Real estate, legal, and financial services lose billions annually to these attacks.
Automated operations that aggregate credentials from breach databases, test them against financial and email platforms using credential-stuffing tools, and sell validated access in bulk. These groups supply the initial access used by ransomware affiliates, BEC operators, and account takeover fraud networks.
Legally operating businesses that aggregate public records and sell detailed personal profiles — addresses, employment history, family connections, financial indicators — to anyone willing to pay. These profiles are directly used by criminals to build targeting packages before an attack.
Nation-state operators who target North American infrastructure, government contractors, and professional services firms for intelligence gathering. The Salt Typhoon telecom campaign and Volt Typhoon infrastructure pre-positioning are recent examples targeting Canadian and US networks.
Continuous automated scanning operations that probe every internet-connected domain for exposed services, default credentials, and known vulnerabilities. These are not targeted attacks — they are industrialised reconnaissance that feeds findings to human operators or sells access to the highest bidder.
An overview of the primary techniques used in credential theft, identity fraud, and business compromise attacks targeting North American individuals and organisations.
Every technique on this page uses data that already exists. LeakTrace finds it before an adversary acts on it.