BREACH · SYNTHETIC CASE
From corporate domain to exposed dev credentials
Client asked 'are we in stealer logs?' Automated scanners said no. Manual Hudson + stealer correlation found a contractor Jenkins token in a combo list.
2026-01-18 · 5 min read · Domain stealer search · Contractor footprint · Token rotation advisory
Outcome: Credential rotated within SLA; no production access confirmed.
Investigation log
Step 01 — Automated pass
Aggregate breach APIs returned clean for @company.tld mailboxes.
Step 02 — Stealer pivot
Domain-scoped infostealer index hit contractor laptop dump — not employee SSO.
Step 03 — Validate
Token format matched internal CI; last commit timestamp aligned with dump date.
This case is synthetic and declassified for training purposes. Methodology reflects how WolfEye analysts work; identifiers and locations are fictional.
← All case files