GET Parameters

Request method is HTTP GET.

URL Structure

https://api.webz.io/breaches?token=XXXXX-XXXXX&format=json&crawled_from=XXXXXX&crawled_to=XXXXXX&email_domain=[Compromised Email Domain]

HTTP GET Parameters

ParameterDescriptionExample
token(Required) Your unique API authentication token, received when you signed up. This token verifies your access to the Webz.io API.&token=[MY TOKEN]
formatThe default format is JSON only.&format=json
crawled_from

Returns entities crawled after this Unix timestamp (in milliseconds). Here is a Timestamp/Date converter

• If neither crawled_from nor crawled_to is provided, the default range is all time.

• If crawled_from is provided but crawled_to is not, the default is all data available from crawled_from until now.

&crawled_from=1578504734000
crawled_to

Returns entities crawled before this Unix timestamp (in milliseconds). Here is a Timestamp/Date converter

• If neither crawled_to nor crawled_from is provided, the default range is all time.

• If crawled_to is provided but crawled_from is not, the default is all data available up to crawled_to.

&crawled_to=1758382842000
breach_from

Returns entities with an official breach date (for data breaches & combo lists) / infection date (for stealer logs) is earlier than this specified Unix timestamp (in milliseconds).

Timestamp/Date converter

&breach_from=1578504734000
breach_to

Returns entities with an official breach date (for data breaches & combo lists) / infection date (for stealer logs) is later than this specified Unix timestamp (in milliseconds).

Timestamp/Date converter

&breach_to=1758382842000
*emailSearch compromised data by a specific email address.

&email=

[email protected]

*email_domain

Search compromised data by email domain.

(*The email_domain can be used with login_domain,)

&email_domain=mydomain.com
*login_domain

Search compromised data by login domain. Returns all leaked credentials that were used to log into the specified domain, including credentials linked to that domain through a data breach.

• If login_domain is a root domain, results include both the root domain and all of its subdomains.

• If login_domain is a subdomain, results are limited to that specific subdomain.

(*The login_domain can be used with email_domain.)

&login_domain=mydomain.com
domain

Search compromised data by domain across both email_domain and login_domain.

When using domain, the system searches for matches where the specified domain appears either as the email domain of the leaked credential or as the login domain where the credential was used.

This parameter simplifies queries when you want coverage across both email and login domains in a single request.

&domain=mydomain.com
data_type

Search compromised data by the breach sub type.

Accepted values:

infostealer - credentials obtained from stealer logs files.
data_breach - credentials obtained from database files.

Ifdata_type is used twice in the request URL - it means OR relation. Without using this parameter - the default is all.

&data_type=data_breach
sub_type

Search compromised data by the breach sub type.

Accepted values:

• database_dump
• data_breach_combo_list
• stealer_logs
• stealers_combo_list

If sub_type is used twice in the request URL - it means OR relation. Without using this parameter - the default is all.

&sub_type=stealer_logs
breach_uuid

Search compromised data by the breach_uuid they are associated with.

*Relevant only for data_type=data_breach

&breach_uuid=XXXXXXXXXXX
has_passwordFilter compromised data by password existence.

• If has_password = true, returns only results that include a password.
• If has_password = false, returns only results where no password is available.

&has_password=true
password_type

Filter compromised data by password type.

Accepted values:

• plaintext
• unsalted_hash
• salted_hash
• encrypted

&password_type=plaintext
is_premiumFilter infostealer data by premium channels.&is_premium=true
sort_by

Defines the field used for sorting results.

Supported values:
crawled → Sort by crawled_date.
breached → Sort by breach_time.

default is sort=crawled&order=asc

&sort_by=crawled
order_byDefines the sorting direction.

Supported values:
asc → Ascending order, based on the field defined in sort.
desc → Descending order, based on the field defined in sort.

&order_by=asc
breach_name

The breach_name parameter lets you run a free-text search against the name of a data breach, so you can filter results to breaches whose names match the text you provide (e.g. "Collection #1", "LinkedIn", etc.).

Note: This search is applied only to records that were already retrieved using one of the other filters, such as email, login domain, or email domain.

&breach_name=linkedin
login_url

The login_url parameter lets you run a free-text search against the login URL associated with a data breach or info-stealer, so you can filter results to records whose login pages match the text you provide (e.g. "paypal.com", "accounts.google.com", etc.).

Note: This search is applied only to records that were already retrieved using one of the other filters, such as email, login domain, or email domain.

&login_url=paypal.com
service_categoryAccepted values: • Remote Desktop
• CMS
• VPN
• ADFS (Active Directory)
• Project Management
• CRM
• EDR
• User authentication
• RMM
• Financial Services
• Backup platforms
• MSP
• Email
• Development environment
• Help Desk
• FTP
• Business Cloud Solutions
• Version Control Systems
• Private Network
e.g., VPN, Webmail, Cloud, Database
service_nameAccepted values: • Citrix
• WordPress
• FortiNet VPN
• Pulse Secure
• Paloalto VPN
• Cisco (AnyConnect)
• Microsoft
• TeamViewer
• Jira (Atlassian)
• F5
• Anydesk
• RemotePC
• Zendesk
• Hubspot
• Comodo
• SonicWall
• Fortinet SSO
• Atera
• Connectwise
• NetSuite
• Synology
• SolarWinds
• Kaseya
• Salesforce
• Git
• GitLab
• Extranet
• Intranet
e.g., Fortinet, Outlook, AWS
rawThe &raw parameter enables access to records that are older than one year. To retrieve this extended historical data, set:
&raw=true
When &raw=true is applied, the following restrictions apply:
  • You must specify exactly one of the following: login_domain or email_domain. Using both in the same query is not allowed.

  • You may use parameters from either the breach_ group or the crawled_ group, but not both together.

  • No additional query parameters are permitted.

  • Results are always returned in ascending order:

    If using crawled_from, sorting is by the crawled field.
    If using breached_from, sorting is by the breached field.

  • At least one of email, email_domain, or login_domain must be provided in the request URL.