BREACH · SYNTHETIC CASE

From corporate domain to exposed dev credentials

Client asked 'are we in stealer logs?' Automated scanners said no. Manual Hudson + stealer correlation found a contractor Jenkins token in a combo list.

2026-01-18 · 5 min read · Domain stealer search · Contractor footprint · Token rotation advisory

Outcome: Credential rotated within SLA; no production access confirmed.

Investigation log

  1. Step 01Automated pass

    Aggregate breach APIs returned clean for @company.tld mailboxes.

  2. Step 02Stealer pivot

    Domain-scoped infostealer index hit contractor laptop dump — not employee SSO.

  3. Step 03Validate

    Token format matched internal CI; last commit timestamp aligned with dump date.

This case is synthetic and declassified for training purposes. Methodology reflects how WolfEye analysts work; identifiers and locations are fictional.

← All case files