Q1 2025: Product Updates and Highlights

April 17, 2025

Read on for highlights from DarkOwl’s Product Team for Q1, which kicked off a strong 2025 and included exciting new product features.

Teaming 

DarkOwl Vision UI now supports team management by an organization administrator. The organization administrator can arrange users into teams and assign team owners. Teams can be assigned to work together on Cases, including all related alerts, saved searches, and search blocks. Users will see a new My Teams page within the Settings section, which will display their teams and assigned Cases. 

Case Findings

The Cases feature was updated with a new section—Findings. Vision UI users can save important search results and alerts into their Cases as Findings, to research and dive into later. Findings capture the original result, and then provide annotation capabilities to create Snippets, add Notes, or organize by Criticality or Tag. The Note element increases collaboration opportunities with teammates.  

Leak Visualizations

Leak Explore visualizations give clients more insight into the composition of each leak. Clients can now see a graphic of the top file extensions within each leak, with an option to view the full list of extensions. This feature is also available in our API. 

A new visualization to view Alerts on a timeline is now available in both Case Alerts and Personal Alerts. This summarizes Alerts generated by criticality, over time. 

Another client request was to make bulk actions more easily accessible and readily available. Now, when you start selecting Alerts, an “Actions” button will appear and give bulk options for creating Case Findings or deleting a subset of alerts. 

Highlights

Quarter after quarter, our data collection team continues to astonish us with the quantity of data made available across DarkOwl products. 

The team had overall astounding growth of 44% in data leak records. To break it down, the team had 4% growth in email addresses, 12% growth in credit card numbers, 27% increase in total collected I2P documents, 10% growth in total collected paste documents, and another 12% growth in total collected records from Telegram – just to highlight a few.

When search results come from data leaks, users can review additional information curated by DarkOwl analysts, which provides enrichment on the data leak. The descriptions below are all available in our Leak Explore UI feature or Leak Context API endpoint.

TXTLOG Alien

A batch of infostealer logs, associated with the Alien TXTLOG Stealer Logs, was made freely available on TXT LOG ALIEN, a Telegram channel, between March 4, 2025 and March 18, 2025. Data exposed includes rows of URL:LOGIN:PASSWORD combinations that may include websites, IP addresses, usernames, email addresses, plaintext passwords and various other sensitive information.

Oracle Cloud Sample

Data purported to be from Oracle Cloud servers was posted for sale on BreachForums, a hacking forum, on March 20, 2025. According to the post, Oracle’s traditional servers were hacked, exposing over 6 million user customer records. Data exfiltrated is reported to include usernames, names, company names, keys, locations, passwords, email addresses, countries, employee information, phone numbers and mobile numbers. A sample database was posted as proof of the claim. The threat actor alleged that data was stolen from Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems, including Java KeyStore (JKS) files, passwords, key files, and Enterprise Manager Java Policy Store (JPS) keys. The threat actor noted the SSO passwords are encrypted but sought support to decrypt the LDAP hashed passwords from the threat community. The threat actor revealed, via a file, around 140,000 domains of companies impacted and demanded payment to prevent the sale of employee information, noting the individual companies could contact him directly about removing their specific data prior to the sale. Further, the threat actor issued a 72-hour ultimatum for Oracle to respond via official company channels.

Zacks.com

Data purported to be from Zacks was posted on BreachForums, a hacking forum, on January 24, 2025. According to the post, in June 2024 Zacks Investment Research experienced a data breach exposing their source code and their databases containing 15 million lines of customer and client data. Data exposed includes user identification (UID), company names, names, email addresses, phone numbers, usernames, passwords, and physical addresses.

Ticketmaster

Data purported to be from Ticketmaster was posted on LeakBase, a hacking forum, on July 9, 2024. According to the post, the breach is from 2024, contains 55 million rows and was formatted by threat actor TimeBit. Data exposed includes customer IDs, IP addresses, purchase details, full names, genders, dates of birth, language, physical addresses, email addresses, and partial credit card numbers.

bankofamerica.com

Data purported to be from Bank of America was posted on BreachForums, a hacking forum, on December 2, 2024. According to the post, the leak is from May 31, 2023 and is attributed to the ransomware group Cl0p and the MOVEit vulnerability. Data exposed includes account information, names, company names, usernames, expiration dates, dates of birth, bank account numbers, financial data, phone numbers, physical addresses, email addresses, vendor information, and IP addresses.


Curious how these features and data can make your job easier? Get in touch!
