Request method is HTTP GET.
URL Structure
https://api.webz.io/breaches?token=XXXXX-XXXXX&format=json&crawled_from=XXXXXX&crawled_to=XXXXXX&email_domain=[Compromised Email Domain]
HTTP GET Parameters
| Parameter | Description | Example |
|---|---|---|
| token | (Required) Your unique API authentication token, received when you signed up. This token verifies your access to the Webz.io API. | &token=[MY TOKEN] |
| format | The default format is JSON only. | &format=json |
| crawled_from | Returns entities crawled after this Unix timestamp (in milliseconds). Here is a Timestamp/Date converter • If neither • If | &crawled_from=1578504734000 |
| crawled_to | Returns entities crawled before this Unix timestamp (in milliseconds). Here is a Timestamp/Date converter • If neither • If | &crawled_to=1758382842000 |
| breach_from | Returns entities with an official breach date (for data breaches & combo lists) / infection date (for stealer logs) is earlier than this specified Unix timestamp (in milliseconds). | &breach_from=1578504734000 |
| breach_to | Returns entities with an official breach date (for data breaches & combo lists) / infection date (for stealer logs) is later than this specified Unix timestamp (in milliseconds). | &breach_to=1758382842000 |
| Search compromised data by a specific email address. | &email= | |
| *email_domain | Search compromised data by email domain. (*The email_domain can be used with login_domain,) | &email_domain=mydomain.com |
| *login_domain | Search compromised data by login domain. Returns all leaked credentials that were used to log into the specified domain, including credentials linked to that domain through a data breach. • If • If (*The login_domain can be used with email_domain.) | &login_domain=mydomain.com |
| domain | Search compromised data by domain across both email_domain and login_domain. When using domain, the system searches for matches where the specified domain appears either as the email domain of the leaked credential or as the login domain where the credential was used. This parameter simplifies queries when you want coverage across both email and login domains in a single request. | &domain=mydomain.com |
| data_type | Search compromised data by the breach sub type. Accepted values: If | &data_type=data_breach |
| sub_type | Search compromised data by the breach sub type. Accepted values: If | &sub_type=stealer_logs |
| breach_uuid | Search compromised data by the *Relevant only for | &breach_uuid=XXXXXXXXXXX |
| has_password | Filter compromised data by password existence. • If has_password = true, returns only results that include a password. • If has_password = false, returns only results where no password is available. | &has_password=true |
| password_type | Filter compromised data by password type. Accepted values: | &password_type=plaintext |
| is_premium | Filter infostealer data by premium channels. | &is_premium=true |
| sort_by | Defines the field used for sorting results. default is | &sort_by=crawled |
| order_by | Defines the sorting direction. Supported values: • asc → Ascending order, based on the field defined in sort. • desc → Descending order, based on the field defined in sort. | &order_by=asc |
| breach_name | The Note: This search is applied only to records that were already retrieved using one of the other filters, such as email, login domain, or email domain. | &breach_name=linkedin |
| login_url | The login_url parameter lets you run a free-text search against the login URL associated with a data breach or info-stealer, so you can filter results to records whose login pages match the text you provide (e.g. "paypal.com", "accounts.google.com", etc.). Note: This search is applied only to records that were already retrieved using one of the other filters, such as email, login domain, or email domain. | &login_url=paypal.com |
| service_category | Accepted values: • Remote Desktop • CMS • VPN • ADFS (Active Directory) • Project Management • CRM • EDR • User authentication • RMM • Financial Services • Backup platforms • MSP • Development environment • Help Desk • FTP • Business Cloud Solutions • Version Control Systems • Private Network | e.g., VPN, Webmail, Cloud, Database |
| service_name | Accepted values: • Citrix • WordPress • FortiNet VPN • Pulse Secure • Paloalto VPN • Cisco (AnyConnect) • Microsoft • TeamViewer • Jira (Atlassian) • F5 • Anydesk • RemotePC • Zendesk • Hubspot • Comodo • SonicWall • Fortinet SSO • Atera • Connectwise • NetSuite • Synology • SolarWinds • Kaseya • Salesforce • Git • GitLab • Extranet • Intranet | e.g., Fortinet, Outlook, AWS |
| raw | The &raw parameter enables access to records that are older than one year. To retrieve this extended historical data, set:&raw=trueWhen &raw=true is applied, the following restrictions apply:
|
- At least one of
email,email_domain, orlogin_domainmust be provided in the request URL.
