The Data Breach Detection API response includes up to 10 entities and a Meta Info area with reference to API consumption and the request itself, such as the "next" URL to get the next batch of entities matching your query.

The Data Breach Detection (DBD) API response consists of two main objects:

  • docs Object: Represents compromised entities sourced from data breaches
    Contains three sub-objects:

    • Document Object: Represents a single compromised entity.
    • Leaked Record Object: Represents a mention of the compromised entity as part of a breach, including a list of leaked records.
    • Additional_Info Object: Provides extended information on the compromised content.
  • stealerLogs Object: Represents compromised computer-related entities sourced from infostealer malware leaks.
    Contains three sub-objects:

    • stealerLogs Document Object: Represents a single machine compromised by infostealer malware.
    • Credentials: Contains information about the compromised credentials, including URL, domain, username, and password.
    • Infected Computer: Contains details about the infected machine, such as computer username, country, operating system, and hardware ID.

docs Object

Document Object

| Field Name | Description | Type |
|---|---|---|
| value | Compromised entity value, e.g. [email protected] | |
| type | Type of compromised entity. Possible values: "email", "Creditcard", "SSN", "PHONE" | |
| uuid | A unique ID representing the compromised entity | String |
| crawled | The date/time when the compromised entity was first leaked. | Date |
| updated (See the note below) | The date/time the compromised entity was updated, when a crawler detects a change in the breach | Date |
| leaks | An array of leaked records of the compromised entity | Object |

Leaked Record Object

A breach can be retrieved in one of the following formats:

  • File - a breached database or file found on a file-hosting site by the Webz.io platform.
  • Snippet - part of a post in the dark networks: a discussion thread, a blog or a paste.

| Field Name | Description | Type |
|---|---|---|
| uuid | A unique ID representing the breach | String |
| name | The name of the breach | String |
| filename | The name of the compromised file | String |
| breach_date | The official date of the breach | Date |
| fields | List of compromised fields detected as part of the breach | Array[Strings] |
| network | The name of the dark network where the breach was found. Possible values: "tor", "openweb", "zeronet", "i2p", "openbazaar", "telegram" | |
| domain | The domain of the site where the breach was found. | String |
| cyber_doc_ref | The official URL of the leaked mention | String |
| updated | The latest time the entity was identified and crawled. Format is date/time | |
| additional_info | An extended object providing more information on the compromised content | Object |

Additional_Info Object

| Field Name | Description | Relevant to Parameter | Type |
|---|---|---|---|
| password | The sanitized password relevant to the compromised entity | email, account_name | String |
| is_hashed | Whether the password was hashed | email, account_name | Boolean |
| expy | Expiration year of the compromised card | Creditcard, bin6, bin8 | String |
| expm | Expiration month of the compromised card | Creditcard, bin6, bin8 | String |

stealerLogs Object

stealerLogs Document Object

| Field Name | Description | Type |
|---|---|---|
| id | A unique ID representing the stealer log | String |
| infectionDate | The official date when the machine was infected with the infostealer malware. | Date |
| logFileName | The name of the leaked file associated with the stealer log. | String |
| infostealerFamily | The family of the infostealer malware that infected the machine. | String |
| malwarePath | The file path where the infostealer malware was installed on the infected machine. | String |
| ipAddress | The IP address of the infected machine. | String |


Credentials

| Field Name | Description | Type |
|---|---|---|
| url | The URL that refers to the compromised credentials. | String |
| domain | The domain extracted from the URL. | String |
| creds | Array of objects, with each object containing both the username and password. | array/list |
| creds.username | The leaked username used for logging into the URL. | String |
| creds.password | The leaked password used for logging into the URL. | String |

Infected Computer

| Field Name | Description | Type |
|---|---|---|
| computerUsername | The username of the infected computer's user. | String |
| country | The country of the infected machine. | String |
| operationSystem | The operating system installed on the infected machine. | String |
| hardwareId | The unique hardware identifier of the infected machine. | String |

Meta Info

| Field Name | Description | Type |
|---|---|---|
| totalDocs | The total number of documents matching your query sourced from data breaches. | Integer |
| totalStealerLogs | The total number of documents matching your query sourced from stealer logs. | Integer |
| moreStealerLogsAvailable | The number of additional stealer logs documents available. | Integer |
| moreDocsAvailable | The number of additional data breach documents available. | Integer |
| next | A URL to get the next batch of documents matching your query | String |
| requestsLeft | How many more records are available in your current subscription plan | Integer |

JSON Output Example:

```json
{
  "docs": [
    {
      "value": "gabrielleg@****.com",
      "type": "email",
      "uuid": "50ecd14646cac54c88c885e0bf0928625bb11e53",
      "crawled": "2024-02-01T13:50:54.711+02:00",
      "updated": "2024-02-01T13:50:54.711+02:00",
      "leaks": [
        {
          "uuid": "ee5074e8b0821710b6a0e4d12776c25ce43b4a12",
          "name": "Nada.org 300K",
          "filename": "nada.org 300K.csv",
          "breach_date": "2023-12-08T02:00:00.000+02:00",
          "fields": [],
          "network": null,
          "domain": "breachforums.is",
          "cyber_doc_ref": "https://qu.ax/gjag.zip",
          "crawled": "2020-06-10T11:31:08.000+03:00",
          "additional_info": [
            {
              "password": "a****fi",
              "is_hashed": false
            }
          ]
        }
      ]
    }
  ],
  "stealerLogs": [
    {
      "id": "bf7b74abe56526c6fc0d89f5217c41f1",
      "infectionDate": "2024-03-11T13:50:54.711+02:00",
      "logFileName": "[BR]179.254.43",
      "infostealerFamily": "LummaC2",
      "malwarePath": null,
      "ipAddress": "",
      "credentials": [
        {
          "url": "https://www.netflix.com/Login",
          "domain": "www.netflix.com",
          "creds": [
            {
              "username": "revirtech@****.com",
              "password": "111111111"
            }
          ]
        }
      ],
      "computerUsername": "KILLORRAN",
      "country": "BR",
      "operationSystem": "Windows 10 (10.0.19045) x64",
      "hardwareId": "ACA807A4FE70F947A7382236C33E52A1"
    }
  ],
  "totalDocs": 25811,
  "totalStealerLogs": 42,
  "moreStealerLogsAvailable": 0,
  "moreDocsAvailable": 25803,
  "next": "/dbdocFilter?token=xxxxx&ts=1705527140892&since=0&email_domain=fb.com&snxt=ZG9uZSUlJTE3MTAxNjA2ODM2MzMlJSU0MiUlJTQy",
  "requestsLeft": 8914
}
```
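
An added example, not Webz.io's own code: one way to flatten a response of this shape into per-credential findings and to resolve the `next` link for the following batch. The base URL, the action labels and the sample data are assumptions constructed for illustration; `additional_info` is accepted as either a list (as in the JSON example) or an object (as in the tables).

```python
from urllib.parse import urljoin

# Constructed sample shaped like the JSON output example; all values are made up.
SAMPLE = {
    "docs": [{"value": "user@example.com", "type": "email", "leaks": [
        {"name": "Example Breach A",
         "additional_info": [{"password": "a****fi", "is_hashed": False}]},
        {"name": "Example Breach B",
         "additional_info": {"password": "5f4d****", "is_hashed": True}}]}],
    "stealerLogs": [{"id": "log-1", "infostealerFamily": "LummaC2",
                     "hardwareId": "HWID-PLACEHOLDER", "credentials": [
        {"url": "https://sso.example.com/login", "domain": "sso.example.com",
         "creds": [{"username": "user@example.com", "password": "111111111"}]}]}],
    "moreDocsAvailable": 5, "moreStealerLogsAvailable": 0,
    "next": "/dbdocFilter?token=xxxxx&ts=0",
}

def _info(leak):
    """Return additional_info as a dict whether it arrives as a list or an object."""
    info = leak.get("additional_info") or {}
    if isinstance(info, list):
        info = info[0]
    return info if isinstance(info, dict) else {}

def findings(resp):
    """Flatten one response into findings; password values are never copied out."""
    out = []
    for doc in resp.get("docs") or []:
        for leak in doc.get("leaks") or []:
            info = _info(leak)
            if not info.get("password"):
                action = "monitor"                # no password in this leak
            elif info.get("is_hashed"):
                action = "review_hash_exposure"   # hash leaked, strength unknown
            else:
                action = "reset_password"         # password leaked in clear
            out.append({"source": "breach", "identity": doc.get("value"),
                        "where": leak.get("name"), "action": action})
    for log in resp.get("stealerLogs") or []:
        for entry in log.get("credentials") or []:
            for cred in entry.get("creds") or []:
                # Infostealer hit: the credential and the host are both suspect.
                out.append({"source": "stealer", "identity": cred.get("username"),
                            "where": entry.get("domain"),
                            "machine": log.get("hardwareId"),
                            "action": "reset_and_isolate_host"})
    return out

def next_page(resp, base):
    """Absolute URL of the next batch, or None once both 'more' counters are 0."""
    more = (resp.get("moreDocsAvailable") or 0) + (resp.get("moreStealerLogsAvailable") or 0)
    return urljoin(base, resp["next"]) if more and resp.get("next") else None
```

The `next` value carries the API token in its query string, so keep the resolved URL out of logs and ticket text.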