Every company has admin panels they forgot about. Staging environments that never got decommissioned. Internal tools exposed to the internet without anyone noticing.
Recon tools miss them because they are not indexed. Subdomain enumeration misses them because they are behind obscure subdomains. But stealer logs capture them because employees actually log into them.
Here are three LeakRadar searches that consistently uncover these forgotten assets.
Search 1: Filter URLs containing "admin"
The most direct approach. Search your target domain on LeakRadar and look at the URL column for any result that contains admin, either in the path (/admin/) or as a subdomain (admin.).
What shows up: admin panels for CMS platforms, internal dashboards, customer management tools, billing systems, and configuration interfaces.
Why it works: employees bookmark these pages and save passwords in their browsers. When their machine gets infected, the stealer captures the exact URL they use daily.
I have found admin panels on subdomains that returned 404 on direct access but worked perfectly when I added the correct path from the LeakRadar result.
Search 2: Look for internal subdomains
Search results often contain URLs with subdomains like internal., tools., staff., corp., or intranet. These are assets meant for employees only.
What shows up: HR portals, IT ticketing systems, deployment dashboards, monitoring tools, and documentation wikis.
Why it matters: internal tools rarely get the same security attention as public-facing apps. Weaker passwords. No MFA. Outdated software. Sometimes default credentials still work.
One search on a target showed me an internal Jira instance I would never have found through subdomain brute-forcing. The subdomain was 23 characters of random strings. Impossible to guess. But an employee had logged in from an infected machine.
Search 3: Filter for staging and development URLs
Look for staging., dev., test., qa., or uat. in the URL results.
What shows up: pre-production environments with debug modes enabled, test accounts with weak passwords, and sometimes full copies of production data.
Why this is valuable: staging environments often mirror production but without security hardening. Same codebase, same data, none of the protections.
Developers log into these daily. Their browsers save the credentials. Stealers capture them. LeakRadar indexes them.
I have found staging environments with debug endpoints exposed, stack traces visible, and test admin accounts using password123.
How to run these searches
Search your target domain on LeakRadar. Filter to employees only to focus on internal access. Sort by date to prioritize fresh credentials.
Scan the URL column for patterns. Anything that looks like it should not be public probably should not be public.
The credential might be expired. The password might have been changed. But the URL itself is intelligence. You now know this asset exists, and you can investigate further.
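For a security team reviewing results for its own domain, the pattern scan above can be scripted and checked against the asset inventory. This is an added example, not LeakRadar code: it assumes the URL and date columns have been copied into (url, date) rows, and the names CATEGORIES, classify, triage, ROWS and INVENTORY are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Keywords come from the three searches above; extend them for your own naming scheme.
CATEGORIES = {
    "admin": {"admin"},
    "internal": {"internal", "tools", "staff", "corp", "intranet"},
    "staging": {"staging", "dev", "test", "qa", "uat"},
}

def classify(url, domain):
    """Return (host, sorted categories) for a URL under `domain`, else (None, [])."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)  # rows may lack a scheme
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed row
        return None, []
    if host != domain and not host.endswith("." + domain):
        return None, []  # third-party URL, not our asset
    sub = host[: -len(domain)].rstrip(".")
    labels = set(re.split(r"[.-]", sub))  # "dev-api" counts as "dev"
    segments = {s.lower() for s in parts.path.split("/") if s}
    cats = {name for name, words in CATEGORIES.items() if labels & words}
    if segments & CATEGORIES["admin"]:  # /admin/ in the path counts too
        cats.add("admin")
    return host, sorted(cats)

def triage(rows, domain, inventory):
    """Rank flagged hosts: missing from the inventory first, then newest sighting."""
    report = {}
    for url, seen in rows:
        host, cats = classify(url, domain)
        if not cats:
            continue
        entry = report.setdefault(host, {"categories": set(), "last_seen": seen,
                                         "in_inventory": host in inventory})
        entry["categories"].update(cats)
        entry["last_seen"] = max(entry["last_seen"], seen)  # ISO dates sort as text
    newest = sorted(report.items(), key=lambda kv: kv[1]["last_seen"], reverse=True)
    return sorted(newest, key=lambda kv: kv[1]["in_inventory"])  # stable sort

ROWS = [  # constructed sample rows (URL, date), not real data
    ("https://admin.example.com/login", "2024-05-01"),
    ("example.com/admin/index.php", "2024-03-11"),
    ("https://x9k2-tools.example.com/", "2024-06-20"),
    ("https://staging.example.com/debug", "2024-06-02"),
    ("https://www.example.com/account", "2024-06-21"),
]
INVENTORY = {"admin.example.com", "www.example.com"}  # hosts the team already tracks
```

Hosts that come back with in_inventory set to False are the forgotten assets: decide whether each should be decommissioned, moved behind a VPN or SSO, or added to the inventory, and rotate any credentials saved for them.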
Forgotten admin panels are everywhere. Stealer logs remember what security teams forget.