The Data Breach Detection API response returns up to 10 entities along with a root object containing request metadata, including the next URL for pagination (used to retrieve the next batch of results matching your query).
The DBD API response consists of two main objects:
docs Object - Represents compromised entities sourced from data breaches.
It contains the following sub-objects:
- Root Object: Represents the actual compromised entity.
- Leaks Object: Contains metadata for all data breaches where the entity was found and associated.
- Fields Object: Lists the types of entity fields that were compromised along with the main entity.
- additional_info Object: Provides extended information on the compromised content, such as the password if available.
stealerLogs Object - Represents compromised device-related entities sourced from infostealer malware leaks.
It contains the following sub-objects:
- Root Object: Represents a single compromised machine infected by infostealer malware.
- credentials Object: Contains compromised credentials information, including URL, domain, username, and password.
- infectedComputer Object: Contains details about the infected machine such as computer username, country, operating system, and hardware ID.
Root Object
Field Name | Description | Type |
---|---|---|
docs | Represents compromised entities sourced from data breaches. | Array of Objects |
stealerLogs | Represents credentials extracted from devices infected with infostealer malware, as found in related data leaks. | Array of Objects |
totalDocs | The total number of individual records matching your search query. | Integer |
totalStealerLogs | The total number of individual records matching your search query that are sourced from stealer logs (out of the totalDocs count). | Integer |
moreStealerLogsAvailable | The number of remaining stealer log records. | Integer |
moreDocsAvailable | The number of remaining records of all types available. | Integer |
next | A URL to get the next batch of records matching your query. See Pagination and Sorting in this section. | String |
requestsLeft | How many more records are available in your current subscription plan. | Integer |
docs Array Item
Field Name | Description | Type |
---|---|---|
value | The compromised entity value, e.g., an email address. | String |
type | Type of compromised entity. Possible Values: | String |
uuid | A unique identifier representing the compromised entity. | String |
crawled | The date and time when the entity was collected by Webz.io. Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX | Date |
updated | The date and time when the compromised entity was updated, following detection of new associated data breaches. Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX | Date |
leaks | An array of data breaches records where the compromised entity was found. | Array of Objects |
leaks Array Item
The leaks object provides metadata for the data breach where the entity was found.
A data breach can be associated with one of the following formats:
• File - Refers to a database file published in underground dark web forums and marketplaces.
• Snippet - Refers to chatter published on the dark web.
Field Name | Description | Type |
---|---|---|
uuid | A unique identifier for the data breach. | String |
name | The name of the breach. | String |
filename | The name of the data breach file. | String |
login_url | The URL linked to the compromised credentials. | String |
breach_date | The date we believe the data breach occurred. Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX | Date |
fields | List of compromised fields detected in the data breach file. | Array[String] |
network | The network where the data breach file was found. | String |
domain | The domain of the site where the data breach file was found. | String |
cyber_doc_ref | • For files - refers to the downloadable file link of the data breach | String |
additional_info | An extended object providing more information on the compromised asset. | Object |
additional_info Object
The additional_info object refers to additional leaked data associated with the compromised asset.
Field Name | Description | Type |
---|---|---|
password | The sanitized password relevant to the compromised entity. Relevant for the following values: | String |
is_hashed | Indicates if the password is hashed. Relevant for the following values: | Boolean |
expy | Expiration year of the compromised credit card. This field is presented only for the following value: | String |
expm | Expiration month of the compromised credit card. This field is presented only for the following value: | String |
stealerLogs Array Item
The stealerLogs object provides data about the compromised machine infected by the infostealer malware.
Field Name | Description | Type |
---|---|---|
id | A unique ID representing the stealer log. | String |
crawled | The date and time when the compromised entity was collected by Webz.io. Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX | Date |
infectionDate | The official date when the machine was infected with the infostealer malware. Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX | Date |
logFileName | The name of the leaked file associated with the stealer log. | String |
infostealerFamily | The family of the infostealer malware that infected the machine. | String |
malwarePath | The file path where the infostealer malware was installed on the infected machine. | String |
ipAddress | The IP address of the infected machine. | String |
credentials Object
The credentials object contains the compromised credentials information, including URL, domain, username, and password.
Field Name | Description | Type |
---|---|---|
url | The URL linked to the compromised credentials. | String |
domain | The domain extracted from the URL. | String |
creds | An object containing both the username and password. | Object |
• username | The leaked username used for logging into the URL. | String |
• password | The leaked password used for logging into the URL. | String |
infectedComputer Object
The infectedComputer object contains additional details about the infected machine.
Field Name | Description | Type |
---|---|---|
computerUsername | The username of the infected machine (device/computer). | String |
country | The country of the infected machine. | String |
operationSystem | The operating system installed on the infected machine. | String |
hardwareId | The unique hardware identifier of the infected machine. | String |
{
  "docs": [
    {
      "value": "gabrielleg@****.com",
      "type": "email",
      "uuid": "50ecd14646cac54c88c885e0bf0928625bb11e53",
      "crawled": "2024-02-01T13:50:54.711+02:00",
      "updated": "2024-02-01T13:50:54.711+02:00",
      "leaks": [
        {
          "uuid": "ee5074e8b0821710b6a0e4d12776c25ce43b4a12",
          "name": "Nada.org 300K",
          "filename": "nada.org 300K.csv",
          "breach_date": "2023-12-08T02:00:00.000+02:00",
          "fields": [
            "email",
            "phone",
            "password"
          ],
          "network": null,
          "domain": "breachforums.is",
          "cyber_doc_ref": "https://qu.ax/gjag.zip",
          "crawled": "2020-06-10T11:31:08.000+03:00",
          "additional_info": [
            {
              "password": "a****fi",
              "is_hashed": false
            }
          ]
        }
      ]
    }
  ],
  "stealerLogs": [
    {
      "id": "bf7b74abe56526c6fc0d89f5217c41f1",
      "infectionDate": "2024-03-11T13:50:54.711+02:00",
      "logFileName": "[BR]179.254.43",
      "infostealerFamily": "LummaC2",
      "malwarePath": null,
      "ipAddress": "179.254.43.83",
      "credentials": [
        {
          "url": "https://www.netflix.com/Login",
          "domain": "www.netflix.com",
          "creds": [
            {
              "username": "revirtech@****.com",
              "password": "111111111"
            }
          ]
        }
      ],
      "infectedComputer": {
        "computerUsername": "KILLORRAN",
        "country": "BR",
        "operationSystem": "Windows 10 (10.0.19045) x64",
        "hardwareId": "ACA807A4FE70F947A7382236C33E52A1"
      }
    }
  ],
  "totalDocs": 25811,
  "totalStealerLogs": 42,
  "moreStealerLogsAvailable": 32,
  "moreDocsAvailable": 25801,
  "next": "/dbdocFilter?token=xxxxx&ts=1705527140892&since=0&email_domain=fb.com&snxt=ZG9uZSUlJTE3MTAxNjA2ODM2MzMlJSU0MiUlJTQy",
  "requestsLeft": 8914
}
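The following is an added example, not part of the Webz.io documentation: it flattens the `docs` and `stealerLogs` arrays described above into triage records that omit the password value, and follows `next` across pages. The names `as_list`, `parse_ts`, `findings`, `collect`, the caller-supplied `fetch(url)` callable, and the stopping rule (stop when both `more…Available` counters are zero or `requestsLeft` is 0) are assumptions, and the sample pages are constructed.

```python
from datetime import datetime

def as_list(v):
    # Typed Object in the tables, but the sample response shows arrays: accept both.
    return [] if v is None else v if isinstance(v, list) else [v]
def parse_ts(s):
    # Format yyyy-MM-dd'T'HH:mm:ss.SSSXXX; XXX can render UTC as "Z". Missing sorts oldest.
    return datetime.fromisoformat((s or "0001-01-01T00:00:00+00:00").replace("Z", "+00:00"))

def findings(page):
    """Flatten one page into triage records that never carry the password itself."""
    out = []
    for doc in page.get("docs") or []:
        for leak in doc.get("leaks") or []:
            infos = as_list(leak.get("additional_info"))
            clear = any(i.get("password") and not i.get("is_hashed") for i in infos)
            out.append({"source": "breach", "entity": doc.get("value"), "plaintext": clear,
                        "where": leak.get("name"), "when": parse_ts(leak.get("breach_date"))})
    for log in page.get("stealerLogs") or []:
        device = (log.get("infectedComputer") or {}).get("hardwareId")
        for cred in log.get("credentials") or []:
            for c in as_list(cred.get("creds")):
                out.append({"source": "stealer", "entity": c.get("username"), "device": device,
                            "where": cred.get("domain"), "plaintext": bool(c.get("password")),
                            "when": parse_ts(log.get("infectionDate"))})
    return out

def collect(fetch, url):
    """Follow `next` while records remain; fetch(url) -> dict is caller-supplied."""
    seen, out = set(), []
    while url and url not in seen:  # stop on a repeated cursor
        seen.add(url)
        page = fetch(url)
        out += findings(page)
        more = page.get("moreDocsAvailable") or page.get("moreStealerLogsAvailable")
        url = page.get("next") if more and page.get("requestsLeft", 1) else None
    return sorted(out, key=lambda f: f["when"], reverse=True)

# Constructed sample pages (not real breach data), keyed by the URL that returns them.
PAGES = {
    "/p1": {"docs": [{"value": "a@example.com", "leaks": [{
        "name": "Sample A", "breach_date": "2023-12-08T02:00:00.000+02:00",
        "additional_info": [{"password": "a****fi", "is_hashed": False}]}]}],
        "moreDocsAvailable": 1, "next": "/p2", "requestsLeft": 10},
    "/p2": {"stealerLogs": [{"infectionDate": "2024-03-11T13:50:54.711Z",
        "credentials": [{"domain": "login.example.org",
                         "creds": {"username": "b@example.com", "password": "x"}}],
        "infectedComputer": {"hardwareId": "HWID-CONSTRUCTED"}}],
        "moreDocsAvailable": 0, "next": "/p3", "requestsLeft": 9}}
RESULT = collect(PAGES.__getitem__, "/p1")
```

Records come back newest first, so a recent infostealer infection sorts ahead of an older breach file; the `device` field carries `hardwareId` so the infected machine can be tracked alongside the credential reset.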