Quick Summary
Alleged
Executive Summary
Service IT, a business services organization based in Brazil, has been listed as a victim on the WorldLeaks group’s dark web portal, with the entry published on July 2, 2026. The listing was identified through SOCRadar’s Dark Web Monitoring service. WorldLeaks has shown a strong targeting pattern in the manufacturing, business services, and healthcare sectors, primarily in the United States, India, and Pakistan. Service IT’s inclusion extends WorldLeaks’ geographic reach into Brazil within the business services sector.
Technical Analysis
Initial-access correlation against SOCRadar’s stealer-log telemetry surfaced a severe exposure for the service.com.br domain. The queried sample carried approximately ten sets of employee credentials on organization-owned systems, a similar number of external users (customers, suppliers, or third parties) appearing on internal systems, and a handful of corporate users surfacing on third-party services. High-value endpoints included an internal ADFS identity provider, a ServiceNow sign-on tenant, and internal mail infrastructure, all carrying corporate credentials, alongside third-party SSO and login portals. The exposure window spanned July 1 to July 2, 2026.

For ransomware groups like WorldLeaks, infostealer-harvested credentials are a documented initial access vector. While this evidence doesn’t confirm WorldLeaks’ direct use of these credentials, the exposure on internal identity infrastructure aligns with typical ransomware kill chains.

Recommended actions include immediate password resets on affected identity systems, enforced multi-factor authentication, and endpoint investigation for compromised accounts.
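One way a defender could sort stealer-log hits into the three exposure groups described above and decide which accounts to reset first. This is an added example, not SOCRadar's tooling or data: `example.com`, the hostname hints, the bucket names and the sample records are all constructed assumptions.

```python
from urllib.parse import urlsplit

ORG_DOMAIN = "example.com"  # assumption: placeholder for the monitored domain
# Assumption: hostname substrings marking the endpoint types the report calls high-value.
HIGH_VALUE_HINTS = ("adfs", "service-now", "mail")

# Constructed sample records (url, username); not taken from any real log.
SAMPLE = [
    ("https://adfs.example.com/adfs/ls/", "j.silva@example.com"),
    ("https://mail.example.com/owa/auth/logon.aspx", "m.costa@example.com"),
    ("https://adfs.example.com/adfs/ls/", "r.lima"),
    ("https://portal.example.com/login", "buyer@supplier.test"),
    ("https://tenant.service-now.test/login.do", "m.costa@example.com"),
    ("https://login.vendor.test/sso", "j.silva@example.com"),
    ("https://shop.unrelated.test/login", "someone@personal.test"),
]

def in_org(name):
    name = name.lower().rstrip(".")
    return name == ORG_DOMAIN or name.endswith("." + ORG_DOMAIN)

def classify(url, username):
    """Return (bucket, high_value), or None when the record does not touch the org."""
    host = urlsplit(url).hostname or ""
    user_domain = username.rpartition("@")[2] if "@" in username else ""
    org_host = in_org(host)
    # A bare username (no domain) on an org host is counted as an employee: the cautious choice.
    org_user = in_org(user_domain) if user_domain else org_host
    if org_host and org_user:
        bucket = "employee_on_org_system"
    elif org_host:
        bucket = "external_user_on_org_system"
    elif org_user:
        bucket = "corporate_user_on_third_party"
    else:
        return None
    return bucket, org_user and any(hint in host for hint in HIGH_VALUE_HINTS)

def triage(records):
    """Return (record count per bucket, sorted accounts to reset first)."""
    counts, reset_first = {}, set()
    for url, username in records:
        result = classify(url, username)
        if result is None:
            continue
        counts[result[0]] = counts.get(result[0], 0) + 1
        if result[1]:
            reset_first.add(username.lower())
    return counts, sorted(reset_first)
```

Accounts in the reset-first list are those whose corporate credentials appear on identity, sign-on or mail endpoints; the remaining org-domain accounts still need resets and MFA enforcement afterwards.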