Not SOCRadar 2024 Data Breach

SOCRadar Misattributed Email Exposure (2024): 282 Million Email Addresses — Falsely Attributed, Not Sourced from SOCRadar | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

USDoD (collected via Telegram channels) + Dominatrix (republished on Breach Forums) · Social Engineering · Hacking Forum · Email Address
Moderate Severity · Website / service breach

Aggregated dataset of publicly sourced email addresses misattributed to SOCRadar.

Verified by ObscureIQ Intelligence
Breach Risk Index: 54/100
Data Value: 25
Market Recency: 25
Since Breach: 626d

Breach Intelligence Summary

Entity: Not SOCRadar · Actor: USDoD (collected via Telegram channels) + Dominatrix (republished on Breach Forums) · Sources: 3 references
Attack: Social Engineering
Profile: Synthetic / Scraped Dataset · Publicly sourced email aggregation · Public-source email corpus misattributed to SOCRadar · Global
Timeline: Breach (2024-08-03) · Indexed (Aug 09, 2024) · Year (2024)
Exposure: 282.5M records · 1 field: Email Address
Status: Confirmed

Executive Summary

The 'Not SOCRadar' dataset is a compilation of approximately 282 million unique email addresses posted to Breach Forums in August 2024 by the threat actor Dominatrix, with the dataset advertised as having been scraped from cybersecurity firm SOCRadar.io by the threat actor USDoD. SOCRadar's subsequent investigation concluded that the dataset was not the result of a SOCRadar breach. According to SOCRadar Chief Security Officer Ensar Seker, the threat actor USDoD subscribed to SOCRadar's platform under the impersonation of a legitimate company and then used SOCRadar's standard platform features to identify the names of public Telegram channels distributing scraped email addresses. The threat actor then collected the emails directly from those Telegram channels rather than from SOCRadar. SOCRadar provided detailed logs of the threat actor's platform activity to support this conclusion.

Have I Been Pwned indexed the dataset on August 9, 2024 under the placeholder name 'Not SOCRadar' specifically to disambiguate the dataset from a genuine SOCRadar breach. The dataset contained approximately 332 million rows of email addresses with approximately 282 million unique addresses in valid email format, distributed as a 14-gigabyte CSV file. The compilation contained only email addresses with no associated passwords, names, or other personal information, although individual addresses could potentially be cross-referenced with other breach datasets to enrich the records. The original sources of the email addresses are public and semi-public Telegram channels that aggregate addresses from various breaches, scrapes, and stealer-malware logs (so-called 'combolists' that aggregate credentials from infostealer malware infections).

For email-address holders whose addresses appear in the compilation, the practical risk profile is moderate and consistent with other public-source email aggregation datasets. The exposure does not by itself enable account takeover or identity theft because no associated passwords or other identifying information are included. However, the compilation operationally lowers the cost of mass phishing campaigns, spam, and credential stuffing attempts when combined with credentials from other breach datasets.

Affected users should remain alert to phishing emails, particularly emails referencing services or contexts the user has actually engaged with (suggesting that the original source of the address was a service breach now appearing in this compilation). Users should ensure two-factor authentication on important accounts including email, financial services, and social media. The compilation does not warrant specific account-level remediation actions beyond the user's standard email-hygiene practices because the underlying email exposures are typically not new and many addresses in the compilation were already present in earlier breach datasets and prior public Telegram channels.

ObscureIQ assessment: High risk of spam, phishing, and contact-targeting abuse. Even when publicly sourced, normalization at scale makes the dataset much more operational for attackers.

Breach Impact

n/a (compilation/scraped dataset; not a breach of an identifiable victim entity).

About Not SOCRadar

'Not SOCRadar' is the colloquial designation used by Have I Been Pwned and DataBreach.com to describe a compilation of approximately 282 million unique email addresses posted to Breach Forums (the prominent cybercrime hacking forum) in August 2024. The compilation was advertised by the threat actor as having been scraped from SOCRadar.io, a Turkish-American cybersecurity threat intelligence firm operating threat-monitoring and dark-web-monitoring services for enterprise customers. SOCRadar's subsequent investigation concluded that the compilation was not the result of a SOCRadar breach, with SOCRadar Chief Security Officer Ensar Seker explaining that the threat actor (using the alias USDoD) had subscribed to SOCRadar's platform under the impersonation of a legitimate company, then used SOCRadar's standard platform features to identify the names of public Telegram channels that distribute scraped email addresses, and then collected the emails directly from those Telegram channels rather than from SOCRadar. The compilation was republished on Breach Forums by a separate threat actor using the alias Dominatrix.

Why They Hold Your Data

Public-source email corpora aggregate scraped email addresses and related contact signals collected from public or semi-public sources into large lookup datasets.

Recent Developments

SOCRadar continues to operate as a major threat intelligence platform. SOCRadar publicly disputed the breach attribution and explained that 'the actor merely utilised functionalities inherent in the platform's standard offerings, designed to gather information from publicly available sources' and that there was no suggestion that the incident compromised SOCRadar's security or posed any risk to SOCRadar's customers. The case has been formally cited in cybersecurity industry coverage as an example of attribution-laundering, where threat actors deliberately misattribute compilation datasets to high-profile cybersecurity firms in order to maximize the apparent significance of the dataset and to harm the reputation of the named firm. A similar attribution-laundering pattern was applied by USDoD to a separate dataset misattributed to CrowdStrike. Have I Been Pwned indexed the dataset on August 9, 2024 under the placeholder name 'Not SOCRadar' specifically to disambiguate the dataset from a genuine SOCRadar breach.

Data Points Exposed

1 verified field type
Email Address

Exploitation & Downstream Threats

Threat Activity: High
Primary downstream threats:
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover

Threat Actor: USDoD (collected via Telegram channels) + Dominatrix (republished on Breach Forums)

Attribution and method are based on available breach intelligence. Reported attack vector: Social Engineering.

Recommended Actions

If you believe your information may be included:

  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Not SOCRadar breach?

The 'Not SOCRadar' dataset is a compilation of approximately 282 million unique email addresses posted to Breach Forums in August 2024 by the threat actor Dominatrix, with the dataset advertised as having been scraped from cybersecurity firm SOCRadar.io by the threat actor USDoD. SOCRadar's…

What data was exposed?

Verified fields include Email Address.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index: Have I Been Pwned (Record & field corroboration)
  • Breach Index: DataBreach.com (Record & field corroboration)
  • ObscureIQ Intelligence: ObscureIQ proprietary analysis (Risk Index scoring & downstream-threat assessment)
