Output

The Data Breach Detection API response returns up to 10 entities along with a root object containing request metadata, including the next URL for pagination (used to retrieve the next batch of results matching your query).

The DBD API response consists of two main objects:

docs Object - Represents compromised entities sourced from data breaches.
It contains the following sub-objects:

  • Root Object: Represents the actual compromised entity.
  • Leaks Object: Contains metadata for all data breaches where the entity was found and associated.
  • Fields Object: Lists the types of entity fields that were compromised along with the main entity.
  • additional_info Object: Provides extended information on the compromised content, such as the password if available.

stealerLogs Object - Represents compromised device-related entities sourced from infostealer malware leaks.
It contains the following sub-objects:

  • Root Object: Represents a single compromised machine infected by infostealer malware.
  • credentials Object: Contains compromised credentials information, including URL, domain, username, and password.
  • infectedComputer Object: Contains details about the infected machine such as computer username, country, operating system, and hardware ID.

Root Object

| Field Name | Description | Type |
| --- | --- | --- |
| docs | Represents compromised entities sourced from data breaches. | Array of Objects |
| stealerLogs | Represents credentials extracted from devices infected with infostealer malware, as found in related data leaks. | Array of Objects |
| totalDocs | The total number of individual records matching your search query. | Integer |
| totalStealerLogs | The total number of individual records matching your search query that are sourced from stealer logs (out of the totalDocs count). | Integer |
| moreStealerLogsAvailable | The number of remaining stealer log records. | Integer |
| moreDocsAvailable | The number of remaining records of all types available. | Integer |
| next | A URL to get the next batch of records matching your query. See Pagination and Sorting in this section. | String |
| requestsLeft | How many more records are available in your current subscription plan. | Integer |

docs Array Item

| Field Name | Description | Type |
| --- | --- | --- |
| value | The compromised entity value, e.g., [email protected] | String |
| type | Type of compromised entity. Possible values: email, account_name, creditcard, phone, ssn, passport | String |
| uuid | A unique identifier representing the compromised entity. | String |
| crawled | The date and time when the entity was collected by Webz.io. Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX | Date |
| updated | The date and time when the compromised entity was updated, following detection of new associated data breaches. Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX | Date |
| leaks | An array of data breach records where the compromised entity was found. | Array of Objects |

leaks Array Item

The leaks object provides metadata for the data breach where the entity was found.

A data breach can be associated with one of the following formats:

File - Refers to a database file published in underground dark web forums and marketplaces.
Snippet - Refers to chatter published on the dark web.

| Field Name | Description | Type |
| --- | --- | --- |
| uuid | A unique identifier for the data breach. | String |
| name | The name of the breach. | String |
| filename | The name of the data breach file. | String |
| login_url | The URL linked to the compromised credentials. | String |
| breach_date | The date we believe the data breach occurred. Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX | Date |
| fields | List of compromised fields detected in the data breach file. | Array[String] |
| network | The network where the data breach file was found. Possible values: tor, openweb, i2p, telegram, public_chat | String |
| domain | The domain of the site where the data breach file was found. | String |
| cyber_doc_ref | For files: refers to the downloadable file link of the data breach. For snippets: refers to the post URL where the compromised asset was leaked. | String |
| additional_info | An extended object providing more information on the compromised asset. | Object |

additional_info Object

The additional_info object refers to additional leaked data associated with the compromised asset.

| Field Name | Description | Type |
| --- | --- | --- |
| password | The sanitized password relevant to the compromised entity. Relevant for the following values: email, account_name | String |
| is_hashed | Indicates if the password is hashed. Relevant for the following values: email, account_name | Boolean |
| expy | Expiration year of the compromised credit card. This field is presented only for the following value: creditcard | String |
| expm | Expiration month of the compromised credit card. This field is presented only for the following value: creditcard | String |


stealerLogs Array Item

The stealerLogs object provides data about the compromised machine infected by the infostealer malware.

| Field Name | Description | Type |
| --- | --- | --- |
| id | A unique ID representing the stealer log. | String |
| crawled | The date and time when the compromised entity was collected by Webz.io. Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX | Date |
| infectionDate | The official date when the machine was infected with the infostealer malware. Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX | Date |
| logFileName | The name of the leaked file associated with the stealer log. | String |
| infostealerFamily | The family of the infostealer malware that infected the machine. | String |
| malwarePath | The file path where the infostealer malware was installed on the infected machine. | String |
| ipAddress | The IP address of the infected machine. | String |

credentials Object

The credentials object contains the compromised credentials information, including URL, domain, username, and password.

| Field Name | Description | Type |
| --- | --- | --- |
| url | The URL linked to the compromised credentials. | String |
| domain | The domain extracted from the URL. | String |
| creds | An object containing both the username and password. | Object |
| • username | The leaked username used for logging into the URL. | String |
| • password | The leaked password used for logging into the URL. | String |

infectedComputer Object

The infectedComputer object contains additional details about the infected machine.

| Field Name | Description | Type |
| --- | --- | --- |
| computerUsername | The username of the infected machine (device/computer). | String |
| country | The country of the infected machine. | String |
| operationSystem | The operating system installed on the infected machine. | String |
| hardwareId | The unique hardware identifier of the infected machine. | String |

JSON Output Example:

{
  "docs": [
    {
      "value": "gabrielleg@****.com",
      "type": "email",
      "uuid": "50ecd14646cac54c88c885e0bf0928625bb11e53",
      "crawled": "2024-02-01T13:50:54.711+02:00",
      "updated": "2024-02-01T13:50:54.711+02:00",
      "leaks": [
        {
          "uuid": "ee5074e8b0821710b6a0e4d12776c25ce43b4a12",
          "name": "Nada.org 300K",
          "filename": "nada.org 300K.csv",
          "breach_date": "2023-12-08T02:00:00.000+02:00",
          "fields": [
            "email",
            "phone",
            "password"
          ],
          "network": null,
          "domain": "breachforums.is",
          "cyber_doc_ref": "https://qu.ax/gjag.zip",
          "crawled": "2020-06-10T11:31:08.000+03:00",
          "additional_info": [
            {
              "password": "a****fi",
              "is_hashed": false
            }
          ]
        }
      ]
    }
  ],
  "stealerLogs": [
    {
      "id": "bf7b74abe56526c6fc0d89f5217c41f1",
      "infectionDate": "2024-03-11T13:50:54.711+02:00",
      "logFileName": "[BR]179.254.43",
      "infostealerFamily": "LummaC2",
      "malwarePath": null,
      "ipAddress": "179.254.43.83",
      "credentials": [
        {
          "url": "https://www.netflix.com/Login",
          "domain": "www.netflix.com",
          "creds": [
            {
              "username": "revirtech@****.com",
              "password": "111111111"
            }
          ]
        }
      ],
      "infectedComputer": {
        "computerUsername": "KILLORRAN",
        "country": "BR",
        "operationSystem": "Windows 10 (10.0.19045) x64",
        "hardwareId": "ACA807A4FE70F947A7382236C33E52A1"
      }
    }
  ],
  "totalDocs": 25811,
  "totalStealerLogs": 42,
  "moreStealerLogsAvailable": 32,
  "moreDocsAvailable": 25801,
  "next": "/dbdocFilter?token=xxxxx&ts=1705527140892&since=0&email_domain=fb.com&snxt=ZG9uZSUlJTE3MTAxNjA2ODM2MzMlJSU0MiUlJTQy",
  "requestsLeft": 8914
}
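The following is an added example, not Webz.io code: one way to flatten a response of the shape described above into triage findings for an alerting pipeline, without ever copying leaked passwords into the output. The `watched_domains` parameter, the severity labels, the finding keys and the `SAMPLE` data are assumptions made for illustration; because the field tables describe `additional_info` and `creds` as objects while the JSON example shows arrays, the parser accepts both.

```python
import json
from datetime import datetime, timezone

# Constructed sample: field names follow the tables on this page, values are made up.
SAMPLE = json.loads("""
{"docs": [{"value": "user@example.com", "type": "email",
   "leaks": [{"name": "Example Breach", "breach_date": "2023-12-08T02:00:00.000+02:00",
              "additional_info": [{"password": "a****fi", "is_hashed": false}]}]}],
 "stealerLogs": [{"id": "constructed-1", "infectionDate": "2024-03-11T11:50:54.711Z",
   "infostealerFamily": "LummaC2",
   "credentials": [{"url": "https://sso.example.com/login", "domain": "sso.example.com",
                    "creds": {"username": "user@example.com", "password": "constructed"}}],
   "infectedComputer": {"computerUsername": "HOST-01", "country": "BR"}}]}
""")

def as_list(value):
    # Tables say Object, the JSON example shows an array: normalise both shapes to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def parse_ts(text):
    # yyyy-MM-dd'T'HH:mm:ss.SSSXXX; XXX renders UTC as "Z", which older fromisoformat rejects.
    return datetime.fromisoformat(text.replace("Z", "+00:00")) if text else None

def triage(resp, watched_domains):
    """Flatten docs and stealerLogs into findings; password values are never copied out."""
    findings = []
    for doc in resp.get("docs") or []:
        for leak in doc.get("leaks") or []:
            for info in as_list(leak.get("additional_info")):
                if info.get("password"):
                    findings.append({"source": "breach", "entity": doc.get("value"),
                                     "origin": leak.get("name"), "when": parse_ts(leak.get("breach_date")),
                                     # Assumed policy: a non-hashed password outranks a hashed one.
                                     "severity": "medium" if info.get("is_hashed") else "high"})
    for log in resp.get("stealerLogs") or []:
        for cred in as_list(log.get("credentials")):
            if cred.get("domain") not in watched_domains:
                continue  # only credentials for login domains the defender owns
            for pair in as_list(cred.get("creds")):
                findings.append({"source": "stealer", "entity": pair.get("username"),
                                 "origin": log.get("infostealerFamily"), "when": parse_ts(log.get("infectionDate")),
                                 "host": (log.get("infectedComputer") or {}).get("computerUsername"),
                                 "severity": "critical"})  # assumed policy: infected device is worst case
    oldest = datetime.min.replace(tzinfo=timezone.utc)  # sorts findings without a date last
    return sorted(findings, key=lambda f: f["when"] or oldest, reverse=True)
```
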