Critical

Breach-exposure report for

tunnelbear.android

We found 158,080 compromised user-accounts linked to this domain.

Total leaked credentials

0

credentials exposed

Breakdown by Category

0

Employees leaked

0

Third-parties leaked

100%

0

Customers leaked

Recommended Actions

Reset Compromised Credentials

Force password reset for all exposed accounts and revoke active sessions.

Audit Access Logs

Review security logs for suspicious activity on affected accounts.

Enable MFA

Enforce multi-factor authentication on all critical systems.

Notify Affected Users

Inform employees and customers about the exposure and required actions.

Ready to see real leaks in action?

Run a free, instant search in our 75B+ record database to check your own email, domain or password.

Start Free Search

Frequently Asked Questions

Learn more about data breaches and how to respond

1
Did these leaks come from a breach of our systems?

The leaks shown here do not mean that your infrastructure was breached. In almost all cases they come from endpoints infected by info stealer malware on the user side (customers, employees or partners).

The malware runs on the user device, extracts saved credentials, cookies and session tokens from the browser, and the resulting dumps are later published by third parties in public underground channels.

Attackers then reuse these credentials to access your portals, VPN or admin tools, sometimes bypassing multi factor authentication with stolen cookies. So even if the initial compromise happened outside your perimeter, the impact for your organisation can be real in terms of security and reputation.

2
What does this view represent for our organisation?

The Domain view focuses on leaks that relate to your organisation and already groups them by segment in the interface:

Customers: accounts of your clients on your public websites and applications.
Employees: corporate identities that belong to your organisation.
Third parties: agencies, suppliers and partners that access your tools on your behalf.

Each row in these sections is a leaked credential record referencing your brand or domains, already mapped to the corresponding category so your security and fraud teams can work on each population separately.

3
How should we handle exposed customer accounts?

From a legal perspective, obligations depend on your jurisdiction and on whether the situation is considered a breach of your systems. When the compromise happened on the customer device because of malware, you are often not legally required to protect customers from their own device infections, but this must be validated with your legal and compliance teams.

You can decide to ignore leaks that affect only customer accounts if your legal team confirms that you have no obligation in your jurisdiction, but this does not remove the risk for your brand or for these users.

From a security and fraud perspective, many organisations still choose to act once they become aware of exposed customers:

Export leaked username and password pairs that match your login portals or domains.
Re hash leaked passwords with the same hashing algorithm used in your production systems to identify customers who reused the same password.
Force a password reset for these accounts, revoke existing sessions and monitor them for unusual activity or fraud.
In customer communication, make it clear that the compromise happened on their side due to malware, not because of a vulnerability in your systems, and that you are taking action to protect them.

4
How should we handle exposed employees?

Employee credentials in stealer logs are highly sensitive and should be treated as an incident.

Check whether the leaked credentials are or were valid on corporate services such as VPN, email, SSO, backoffice or admin panels.
Immediately reset the password, revoke active sessions and invalidate tokens or app passwords linked to the exposed account.
Coordinate with your SOC or IT team so the employee device is checked for malware and cleaned with EDR or antivirus if needed.
Review security logs around the affected identity to detect any suspicious access that may already have occurred.

5
What about third-party vendors and partners?

Third party access is a common entry point for attackers, especially when shared accounts or weak authentication are used.

Identify which leaks relate to vendors, agencies and other external partners that connect to your tools.
Reduce or review the permissions of exposed accounts and phase out shared credentials in favour of named accounts protected with strong authentication.
Share the relevant evidence with the vendor security contact and ask them to reset credentials and check their own endpoints for malware.
Where possible, enforce MFA, IP restrictions and least privilege on all third party access paths to your systems.

6
Where does this data come from?

LeakRadar indexes leaks that have already been published publicly by third parties. The credentials you see here are not collected from your systems and do not come from us exploiting vulnerabilities on your infrastructure.

In practice, most of the dataset comes from:

Telegram channels where threat actors publicly share info stealer logs and credential dumps.
Dark web and underground forums where leak archives are posted publicly.

When you use Raw Search, file names often include hints about the original Telegram channel or forum where the archive was first shared. We only index content after it has been made public by third parties.