Output

The Data Breach Detection API response returns up to 10 entities along with a root object containing request metadata, including the next URL for pagination (used to retrieve the next batch of results matching your query).

The DBD API response consists of two main objects:

docs Object - Represents compromised entities sourced from data breaches.
It contains the following sub-objects:

  • Root Object: Represents the actual compromised entity.
  • Leaks Object: Contains metadata for all data breaches where the entity was found and associated.
  • Fields Object: Lists the types of entity fields that were compromised along with the main entity.
  • additional_info Object: Provides extended information on the compromised content, such as the password if available.

stealerLogs Object - Represents compromised device-related entities sourced from infostealer malware leaks.
It contains the following sub-objects:

  • Root Object: Represents a single compromised machine infected by infostealer malware.
  • credentials Object: Contains compromised credentials information, including URL, domain, username, and password.
  • infectedComputer Object: Contains details about the infected machine such as computer username, country, operating system, and hardware ID.

Root Object

Field NameDescriptionType
docsRepresents compromised entities sourced from data breaches.Array of Objects
stealerLogsRepresents credentials extracted from devices infected with infostealer malware, as found in related data leaks.Array of Objects
totalDocsThe total number of individual records matching your search query.Integer
totalStealerLogsThe total number of individual records matching your search query that are sourced from stealer logs (out of the totalDocs count).Integer
moreStealerLogsAvailableThe number of remaining stealer log records.Integer
moreDocsAvailableThe number of remaining records of all types available.Integer
nextA URL to get the next batch of records matching your query. See Pagination and Sorting in this section.String
requestsLeftHow many more requests are available in your current subscription plan.Integer

docs Array Item

Field NameDescriptionType
value

The compromised entity value.
e.g.,

[email protected]

String
typeType of compromised entity. Possible Values:

email
account_name
creditcard
phone
ssn
passport
String
uuidA unique identifier representing the compromised entity.String
crawled

The date and time when the entity was collected by Webz.io.

Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX

Date
updated

The date and time when the compromised entity was updated, following detection of new associated data breaches.

Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX

Date
leaksAn array of data breaches records where the compromised entity was found.Array of Objects

leaks Array Item

The leaks object provides metadata for the data breach where the entity was found.

A data breach can be associated with one of the following formats:

File - Refers to a database file published in underground dark web forums and marketplaces.
Snippet - Refers to a chatter published in the dark web.

Field NameDescriptionType
uuidA unique identifier for the data breach.String
nameThe name of the breach.String
filenameThe name of the data breach file.String
login_urlThe URL linked to the compromised credentials.String
breach_date

The date we believe the data breach occurred.

Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX

Date
fieldsList of compromised fields detected in the data breach file.Array[String]
networkThe network where the data breach file was found.
Possible Values:

tor
openweb
i2p
telegram
public_chat
String
domainThe domain of the site where the data breach file was found.String
cyber_doc_ref• For files - refers to the downloadable file link of the data breach
• For snippets - refers to the post URL where the compromised asset was leaked.
String
additional_infoAn extended object providing more information on the compromised asset.Object

additional_info Object

The additional_info object refers to additional leaked data associated with the compromised asset.

Field NameDescriptionType
passwordThe sanitized password relevant to the compromised entity.
Relevant for the following values: email, account_name
String
is_hashedIndicates if the password is hashed.
Relevant for the following values: email, account_name
Boolean
expyExpiration Year of the compromised credit card.
This field is presented only for the following value: creditcard
String
expmExpiration Month of compromised credit card.
This field is presented only for the following value: creditcard
String

stealerLogs Array Item

The stealerLogs object provides data about the compromised machine infected by the infostealer malware.

Field NameDescriptionType
idA unique ID representing the stealer log.String
crawled

The date and time when the compromised entity was collected by Webz.io.

Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX

Date
infectionDate

The official date when the machine was infected with the infostealer malware.

Format: yyyy-MM-dd'T'HH:mm:ss.SSSXXX

Date
logFileNameThe name of the leaked file associated with the stealer log.String
infostealerFamilyThe family of the infostealer malware that infected the machine.String
malwarePathThe file path where the infostealer malware was installed on the infected machine.String
ipAddressThe IP address of the infected machine.String

credentials Object

The credentials object contains the compromised credentials information, including URL, domain, username, and password.

Field NameDescriptionType
urlThe URL linked to the compromised credentials.String
domainThe domain extracted from the URL.String
credsAn object containing both the username and password.Object
• usernameThe leaked username used for logging into the URL.String
• passwordThe leaked password used for logging into the URL.String

infectedComputer Object

The infectedComputer object contains additional details about the infected machine.

Field NameDescriptionType
computerUsernameThe username of the infected machine (device/computer).String
countryThe country of the infected machine.String
operationSystemThe operating system installed on the infected machine.String
hardwareIdThe unique hardware identifier of the infected machine.String

JSON Output Example:

{

"docs": [

{

"value": "gabrielleg@****.com",

"type": "email",

"uuid": "50ecd14646cac54c88c885e0bf0928625bb11e53",

"crawled": "2024-02-01T13:50:54.711+02:00",

"updated": "2024-02-01T13:50:54.711+02:00",

"leaks": [

{

"uuid": "ee5074e8b0821710b6a0e4d12776c25ce43b4a12",

"name": "Nada.org 300K",

"filename": "nada.org 300K.csv",

"breach_date": "2023-12-08T02:00:00.000+02:00",

fields: [

"email",

"phone",

"password"

],

"network": null,

"domain": breachforums.is,

"cyber_doc_ref": "https://qu.ax/gjag.zip",

"crawled": "2020-06-10T11:31:08.000+03:00",

additional_info: [

{

"password": "a****fi",

"is_hashed": false,

}

]

}

]

}

],

"stealerLogs": [

{

"id": "bf7b74abe56526c6fc0d89f5217c41f1",,

"infectionDate": "2024-03-11T13:50:54.711+02:00",,

"logFileName": "[BR]179.254.43",,

"infostealerFamily": "LummaC2",,

"malwarePath": null,,

"ipAddress": "179.254.43.83",,

"credentials": [ ,

{

"url": "https://www.netflix.com/Login",,

"domain": "www.netflix.com",,

"creds": [ ,

{

"username": "revirtech@****.com",,

"password": "111111111",

}

]

}

],

"infectedComputer":,

{

"computerUsername": "KILLORRAN",,

"country": "BR",,

"operationSystem": "Windows 10 (10.0.19045) x64",,

"hardwareId": "ACA807A4FE70F947A7382236C33E52A1",,

}

},

],

"totalDocs": 25811,

"totalStealerLogs": 42,

"moreStealerLogsAvailable": 32,

"moreDocsAvailable": 25801

"next": "/dbdocFilter?token=xxxxx&ts=1705527140892&since=0&email_domain=fb.com&snxt=ZG9uZSUlJTE3MTAxNjA2ODM2MzMlJSU0MiUlJTQy",,

"requestsLeft": 8914

}