The Breaches API returns structured data related to user credentials. Each response page contains up to 100 unique records, with each record representing an individual set of user credentials.
Root Object [Mandatory]
The Root Object is the top-level structure of the **Breaches API** response. It contains metadata about the query request and an array of matched records, each representing a distinct set of compromised user credentials with its associated data.
Field Name | Data Type | Nullable | Description |
---|---|---|---|
records | Array of Objects | | A list of compromised credentials, each representing an individual record. |
totalResults | Integer | No | The total number of compromised records matching your query. |
moreResultsAvailable | Integer | No | The number of remaining compromised records matching your query. |
next | String | Yes | A URL to get the next batch of results matching your query. See Pagination in this section. |
requestsLeft | Integer | No | How many more requests are available in your current subscription plan. |
records Array Item [Mandatory]
The records array item provides basic information about the record and the user credentials associated with it.
Field Name | Data Type | Nullable | Description |
---|---|---|---|
uuid | String | No | A unique identifier for the record |
crawled_date | String [data format: ISO date] | No | The date and time when the original record was fetched by Webz |
type | String | No | Available types: Infostealer, data_breach |
sub_type | String | Yes | Available sub types: database_dump, data_breach_combolist, stealers_combolist, stealer_logs, cookies |
login_url | String [URL] | Yes | The URL linked to the compromised credentials |
login_domain | String | Yes | The domain or IP extracted from the login_url, or the organization’s domain affected by the data breach |
account_info Object [Mandatory]
The account_info object provides details about a compromised account.
Field Name | Data Type | Nullable | Description |
---|---|---|---|
email | String [email] | Yes | Compromised email address |
account_name | String | Yes | Compromised account username |
password | String | Yes | Compromised password |
password_type | String | Yes | Available types: plaintext, unsalted hash, salted hash, encrypted |
device_info Object [Optional]
The device_info object includes details about the infected device, typically present in infostealer-related events.
Field Name | Data Type | Nullable | Description |
---|---|---|---|
infection_uuid | String | Yes | A unique identifier for the infection |
exfiltration_date | String [data format: ISO date] | Yes | The date and time when the stealer log data was collected and exfiltrated from the infected device |
log_file_name | String | Yes | Stealer log file name |
hwid | String | Yes | Hardware ID of infected device |
ip_address | String | Yes | IP address of infected device |
location | Object | | Location details of the infected device |
country | String | Yes | Country code. e.g. CA |
city | String | Yes | City name |
zip_code | String | Yes | Zip code |
computer_username | String | Yes | Device username |
os | String | Yes | Operating system |
antivirus_software | Array [List] | Yes | Installed AVs on the infected device |
malware_family | String | Yes | Malware family name. e.g. Redline |
malware_path | String | Yes | Path to malicious file on the infected device |
breach_info Object [Optional]
The breach_info object contains contextual information about the data breach in which the credentials were found, including the breach name, breach date, and compromised assets. This object is available for records whose type is data_breach.
Field Name | Data Type | Nullable | Description |
---|---|---|---|
uuid | String | Yes | A unique identifier for the data breach |
breach_date | String [data format: ISO date] | Yes | The date and time when the data breach occurred or was first publicly disclosed |
breach_name | String | Yes | The name of the breach |
compromised_assets | Array | Yes | List of all affected asset types in the data breach |
publication_source_info Object [Optional]
The publication_source_info object includes metadata about the original breach file, including its filename, publication date, and the source where Webz detected it.
Field Name | Data Type | Nullable | Description |
---|---|---|---|
file_name | String | Yes | The name of original credentials file |
file_link | String | Yes | The download link of original credentials file |
post_url | String | Yes | The original post URL where the credentials file was detected |
site_domain | String | Yes | The site domain where the credentials file was detected |
is_premium | Boolean String | No | Indicates whether the credentials file was published in a premium channel or not |
JSON Schema
```json
{
  "records": [
    {
      "uuid": "94bd1d9fded1e40b8843f31df97b807eef35f6aa",
      "crawled_date": "2025-09-13T20:56:00.000+03:00",
      "type": "Infostealer",
      "sub_type": "stealer_logs",
      "login_url": "https://salc.gov.uk/login/",
      "login_domain": "salc.gov.uk",
      "account_info": {
        "email": "[email protected]",
        "account_name": null,
        "password": "123qwe!",
        "password_type": "plaintext"
      },
      "device_info": {
        "infection_uuid": "94bd1d9fded1e40b8843f31df97b807eef35f6aa",
        "exfiltration_date": "2025-09-13T00:00:00.000+03:00",
        "log_file_name": "GR[7AFB0CFC3F*****37EB27C90BA] [2025-09-02T12_11_52.1931867]",
        "hwid": "2EFD********45ADE0C",
        "ip_address": "41.150.***.**",
        "location": {
          "country": "GR",
          "city": "Portaria, Kentriki Makedonia",
          "zip_code": "630 87"
        },
        "computer_username": "admin",
        "os": "Windows 10 Home x64",
        "antivirus_software": ["Windows Defender", "avast"],
        "malware_family": "Redline",
        "malware_path": "C:\\Users\\2025\\Pictures\\Minor Policy\\********.exe"
      },
      "breach_info": {
        "uuid": null,
        "breach_date": null,
        "breach_name": null,
        "compromised_assets": null
      },
      "publication_source_info": {
        "file_name": null,
        "file_link": null,
        "post_url": null,
        "site_domain": "t.me",
        "is_premium": true
      }
    }
  ],
  "totalResults": 185,
  "moreResultsAvailable": 85,
  "next": "/breaches?token=*****&format=json&email_domain=domain.com&data_type=infostealer&order_by=asc&next=AAABmDVlkxAAAACJAAAAJWJmMDhhYjA1ZmIyMzk3OTJkYzU4NmE2MGI0ZDZkZDEwNDhkNTk2MDI",
  "requestsLeft": 4590
}
```
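One way a consumer might turn each `records` item into a remediation finding while tolerating nullable fields and absent optional objects. This is an added example, not Webz code; the sample records are constructed and the remediation policy and action names are assumptions.

```python
from datetime import datetime

# Constructed records shaped like the documented `records` items (values are made up).
SAMPLE = [
    {"uuid": "rec-1", "crawled_date": "2025-09-13T20:56:00.000+03:00",
     "type": "Infostealer", "sub_type": "stealer_logs", "login_domain": "portal.example.com",
     "account_info": {"email": "alice@example.com", "account_name": None,
                      "password": "hunter2!", "password_type": "plaintext"},
     "device_info": {"exfiltration_date": "2025-09-12T08:30:00.000+03:00",
                     "malware_family": "Redline"},
     "breach_info": {"breach_date": None}},
    {"uuid": "rec-2", "crawled_date": "2025-08-01T10:00:00.000+03:00",
     "type": "data_breach", "sub_type": "database_dump", "login_domain": "example.com",
     "account_info": {"email": None, "account_name": "bob",
                      "password": "0123456789abcdef0123456789abcdef",
                      "password_type": "unsalted hash"}},  # optional objects absent
]

def redact(secret):
    """Keep only the length so the credential never reaches tickets or logs."""
    return None if secret is None else f"<redacted:{len(secret)} chars>"

def triage(record):
    """Map one record to a finding. The action names are an assumed policy."""
    acct = record.get("account_info") or {}
    dev = record.get("device_info") or {}      # optional, fields nullable
    breach = record.get("breach_info") or {}   # optional, fields nullable
    actions = []
    if acct.get("password_type") in ("plaintext", "unsalted hash"):
        actions.append("force_password_reset")
    elif acct.get("password") is not None:
        actions.append("reset_recommended")
    if (record.get("type") or "").lower() == "infostealer":
        # A stealer log means an infected endpoint, not only a leaked secret.
        actions += ["revoke_sessions", "investigate_device"]
    when = (dev.get("exfiltration_date") or breach.get("breach_date")
            or record.get("crawled_date"))
    return {
        "uuid": record["uuid"],
        "identity": acct.get("email") or acct.get("account_name"),
        "login_domain": record.get("login_domain"),
        "password": redact(acct.get("password")),
        "exposed_at": datetime.fromisoformat(when) if when else None,
        "malware_family": dev.get("malware_family"),
        "actions": actions,
    }
```
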
Error Codes
The following are available error responses.
HTTP Status | Error Code | When it Occurs |
---|---|---|
400 | Invalid Parameter | A required parameter is missing, malformed, or of the wrong type. |
400 | Invalid Parameter | A request parameter was provided more times than allowed. |
401 | Unauthorized Access | Missing or invalid token. |
403 | No Authorized Domains | The account has no authorized domains set. |
403 | Unauthorized Domain | An unauthorized domain is used in email_domain or login_domain parameters. |
404 | Not Found | The requested endpoint or resource does not exist. |
429 | Rate Limit Exceeded | More requests per second were made than allowed. |
500 | Internal Error | An unexpected server error occurred. |
503 | Service Unavailable | The service is temporarily unavailable (e.g., maintenance or overload). |
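A sketch of a client loop that follows `next` until it is null, retries only on 429 and 503, and masks the `token` query parameter that `next` carries before it can reach an error message or log. This is an added example, not Webz code; the `fetch` hook, the retry policy and the fake two-page server are assumptions made so the block runs offline.

```python
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

RETRYABLE = {429, 503}  # rate limit and temporary unavailability (assumed policy)

class BreachesAPIError(Exception):
    def __init__(self, status, url):
        self.status = status
        super().__init__(f"HTTP {status} for {mask_token(url)}")

def mask_token(url):
    """`next` carries the API token as a query parameter; mask it before logging."""
    parts = urlsplit(url)
    query = [(k, "***" if k == "token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="*")))

def iter_records(fetch, first_url, max_retries=3, sleep=time.sleep):
    """Yield every record, following `next` until it is null.

    `fetch(url) -> (http_status, parsed_json)` is a hypothetical transport hook.
    """
    url = first_url
    while url:
        for attempt in range(max_retries + 1):
            status, body = fetch(url)
            if status == 200:
                break
            if status not in RETRYABLE or attempt == max_retries:
                raise BreachesAPIError(status, url)  # 400/401/403/404/500: no retry
            sleep(2 ** attempt)  # exponential backoff: 1s, 2s, 4s
        yield from body.get("records") or []
        url = body.get("next")  # null on the last page

def make_fake_fetch(fail_with=None):
    """Constructed two-page server; the first call is rate-limited once."""
    pages = {
        "/breaches?token=t0k": {"records": [{"uuid": "a"}, {"uuid": "b"}],
                                "next": "/breaches?token=t0k&next=c2"},
        "/breaches?token=t0k&next=c2": {"records": [{"uuid": "c"}], "next": None},
    }
    calls = []
    def fetch(url):
        calls.append(url)
        if fail_with:
            return fail_with, {}
        return (429, {}) if len(calls) == 1 else (200, pages[url])
    return fetch, calls
```
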