
Free Data Breach API

Check billions of exposed records with our free RESTful API. No API key needed.

Authentication

Most endpoints are public. Domain endpoints require an API key.

Rate Limit

2 requests per second per IP.

Response Format

All responses return JSON with standard HTTP codes.

Base URL

api.xposedornot.com


Official SDKs

Use our official libraries to integrate XposedOrNot into your applications with just a few lines of code.

Node.js / JavaScript

Install via npm:

npm install xposedornot

Quick Example:

const { XposedOrNot } = require('xposedornot');

const xon = new XposedOrNot();

// Check email for breaches (await must run inside an async function in CommonJS)
(async () => {
  const result = await xon.checkEmail('test@example.com');
  console.log(result);
})();


Python

Install via pip:

pip install xposedornot

Quick Example:

from xposedornot import XposedOrNot

xon = XposedOrNot()

# Check email for breaches
result = xon.check_email('test@example.com')
print(result)


API Quick Reference Last Updated: 03-Jun-2026

Thank you for your interest in XposedOrNot. The goal is to keep our API as accessible and responsive as possible, making it a valuable tool for everyone. Hosted directly on Google Infrastructure and robustly cached by Cloudflare, the XposedOrNot API offers rapid responses for any queries, regardless of their origin point.

The XposedOrNot API adheres to the principles of REST architecture. It returns JSON-encoded responses and utilizes standard HTTP response codes. For the majority of our API routes, there are no authentication requirements, ensuring easy access and simplicity of use. However, please note that our specific API route used for querying domain-related data requires an API key authorization. This measure is in place to ensure that only verified owners or authorities of the specified domains can access this sensitive information.

To experiment with the endpoints, try the API Playground, where you can explore the XposedOrNot API interactively.

Reading the examples: values shown in {curly braces} are placeholders. Replace each one (including the braces) with your own value. For example, {email} becomes test@example.com.

This API checks if an email address has been involved in any known data breaches. It searches a comprehensive database of breaches and alerts you if the email is at risk.


API Endpoint:
https://api.xposedornot.com/v1/check-email/{email}
Parameters:
Parameters for the check-email endpoint
| Parameter | In | Required | Type | Description |
|---|---|---|---|---|
| email | path | Yes | string | Email address to check for breaches. |
| details | query | No | boolean | Include detailed breach information in the response. Defaults to false (accepts true/false, yes/no, 1/0). |

Example of Successful Breach Detection: When a breach is detected, you'll receive a JSON response like this:
 {
  "breaches": [
    [
      "Tesco",
      "KiwiFarms",
      "Vermillion",
      "Verified",
      "LizardSquad",
      "2fast4u",
      "Autotrader",
      "MyRepoSpace",
      "SweClockers"
    ]
  ],
  "email": "[email protected]",
  "status": "success"
}
		  
The response is in JSON format, making it simple to parse with any scripting language. This lets you easily integrate the data into your applications.
Response When No Breach is Found:
If the email address is not found in any breach database, you will get the following JSON response:
{"Error":"Not found","email":null}
 

Our API offers an in-depth analysis of an email address's data breach history. It reveals when and where breaches occurred, providing essential analytics to gauge the impact and severity of these incidents. This tool is key for understanding data exposure levels and enhancing security strategies.


API Endpoint:
https://api.xposedornot.com/v1/breach-analytics?email={email}
Parameters:
Parameters for the breach-analytics endpoint
| Parameter | In | Required | Type | Description |
|---|---|---|---|---|
| email | query | Yes | string | Email address to analyze. |

The API responds with two possible outcomes: success or failure. Below are the key components of a successful response:


  • BreachesSummary: Get a quick overview of all breaches tied to the email address, including a list of affected sites. Ideal for a fast check on breach history.

  • ExposedBreaches: Receive detailed information on each breach, including the breached entity's name, description, domain, industry, risk level, references, exposed data types, and the year and number of records exposed. This helps assess the specifics and seriousness of each breach.

  • BreachMetrics: This component offers analytics about the breaches, such as affected industries, password strength, risk score, data types exposed, and a yearly breakdown. This data is crucial for understanding the full impact of the breaches.

  • xposed_data: Gain insight into the specific data types exposed in the breaches, such as names, photos, nationalities, etc. This helps in understanding the nature and extent of personal data exposure.

  • PastesSummary: Provides an overview of 'paste' breaches (data exposures on public pastebin-like services), including a count and the most recent occurrence. It's a quick way to gauge exposure on these platforms.

  • ExposedPastes & PasteMetrics: These components give detailed information and a yearly analysis of paste breaches, allowing for a deeper understanding of exposure trends over time.

This comprehensive suite of analytics tools offers a deep dive into the data breach history of any email, providing the insights needed for better digital security management.


Sample JSON output on successfully finding a matching record:

{
  "BreachMetrics": {
    "get_details": [],
    "industry": [
      [
        [          "elec",          1        ],
        [          "misc",          0        ],
        [          "mini",          0        ],
        [          "musi",          0        ],
        [          "manu",          0        ],
        [          "ener",          0        ],
        [          "news",          0        ],
        [          "ente",          0        ],
        [          "hosp",          0        ],
        [          "heal",          0        ],
        [          "food",          0        ],
        [          "phar",          0        ],
        [          "educ",          0        ],
        [          "cons",          0        ],
        [          "agri",          0        ],
        [          "tele",          0        ],
        [          "info",          0        ],
        [          "tran",          0        ],
        [          "aero",          0        ],
        [          "fina",          0        ],
        [          "reta",          0        ],
        [          "nonp",          0        ],
        [          "govt",          0        ],
        [          "spor",          0        ],
        [          "envi",          0        ]
      ]
    ],
    "passwords_strength": [
      {
        "EasyToCrack": 0,
        "PlainText": 0,
        "StrongHash": 1,
        "Unknown": 0
      }
    ],
    "risk": [
      {
        "risk_label": "Low",
        "risk_score": 3
      }
    ],
    "xposed_data": [
      {
        "children": [
          {
            "children": [
              {
                "colname": "level3",
                "group": "A",
                "name": "data_Usernames",
                "value": 1
              }
            ],
            "colname": "level2",
            "name": "👤 Personal Identification"
          },
          {
            "children": [
              {
                "colname": "level3",
                "group": "D",
                "name": "data_Passwords",
                "value": 1
              }
            ],
            "colname": "level2",
            "name": "🔒 Security Practices"
          },
          {
            "children": [
              {
                "colname": "level3",
                "group": "F",
                "name": "data_Email addresses",
                "value": 1
              }
            ],
            "colname": "level2",
            "name": "📞 Communication and Social Interactions"
          }
        ]
      }
    ],
    "yearwise_details": [
      {
        "y2007": 0,
        "y2008": 0,
        "y2009": 0,
        "y2010": 0,
        "y2011": 0,
        "y2012": 0,
        "y2013": 0,
        "y2014": 0,
        "y2015": 1,
        "y2016": 0,
        "y2017": 0,
        "y2018": 0,
        "y2019": 0,
        "y2020": 0,
        "y2021": 0,
        "y2022": 0,
        "y2023": 0
      }
    ]
  },
  "BreachesSummary": {
    "site": "SweClockers"
  },
  "ExposedBreaches": {
    "breaches_details": [
      {
        "breach": "SweClockers",
        "details": "SweClockers experienced a data breach in early 2015, where 255k accounts were exposed. As a result, usernames, email addresses, and salted hashes of passwords, which were stored using a combination of MD5 and SHA512, were disclosed. Exposed data: Usernames, Email addresses, Passwords.",
        "domain": "sweclockers.com",
        "industry": "Electronics",
        "logo": "Sweclockers.png",
        "password_risk": "hardtocrack",
        "references": "",
        "searchable": "Yes",
        "verified": "Yes",
        "xposed_data": "Usernames;Email addresses;Passwords",
        "xposed_date": "2015",
        "xposed_records": 254967
      }
    ]
  },
  "ExposedPastes": null,
  "PasteMetrics": null,
  "PastesSummary": {
    "cnt": 0,
    "domain": "",
    "tmpstmp": ""
  }
}
	       
A few of the data points used in the BreachMetrics are as follows:
  1. Industry-wise classification: This gives you the count of the breaches exposed in top-19 industries.
  2. Password strength: This gives you the count of breaches that had passwords that are 1. Easy to Crack, 2. Plain Text passwords & 3. Strong and safe password hashes used.
  3. Year-wise details: This gives you the historical data of data breaches starting from the year 2010 until now.

Sample output on not finding the matching email address:
{
  "BreachMetrics": null,
  "BreachesSummary": {
    "site": ""
  },
  "ExposedBreaches": null,
  "ExposedPastes": null,
  "PasteMetrics": null,
  "PastesSummary": {
    "cnt": 0,
    "domain": "",
    "tmpstmp": ""
  }
}
 

An all-null response like the above (returned with HTTP 200) means the email was not found in any of the data breaches loaded in XposedOrNot.


This endpoint checks whether a password has appeared in known breaches without revealing the password itself. You compute the SHA3 Keccak-512 hash of the password locally and send only its first 10 characters, so the password and the full hash never leave your machine. The response indicates a match or no match.


https://passwords.xposedornot.com/v1/pass/anon/{hash_prefix}
Here {hash_prefix} is the first 10 characters of the SHA3 Keccak-512 hash of the password you want to check.

Parameters:
Parameters for the anonymous password-check endpoint
| Parameter | In | Required | Type | Description |
|---|---|---|---|---|
| hash_prefix | path | Yes | string | First 10 characters of the SHA3 Keccak-512 hash of the password to check. |

Sample JSON output on successfully finding a matching password hash:
 {
  "SearchPassAnon": {
    "anon": "808d63ba47",
    "char": "D:6;A:0;S:0;L:6",
    "count": "11999477",
    "wordlist": 0
  }
}
 

The API delivers results in a JSON format, which is more informative than a simple yes/no. This detailed output enables further analysis and enhancement of the extensive list of real-time exposed passwords.


Output Structure Guide:


  • anon: the hash prefix you queried, echoed back. Nothing that could reveal your password is stored or transmitted.
  • char: a breakdown of the password's composition, in the format D:<digits>;A:<alphabets>;S:<special>;L:<length> (see the table below).
  • count: the number of times this password was observed across the collected exposed data breaches.
  • wordlist: whether the password was found in a known wordlist (1 = yes, 0 = no).

This API is not only useful for identifying exposed passwords but also helps in developing stronger, more secure password policies.


The following table explains a bit more about the characteristics in simple terms:

Password characteristics breakdown
| Code | Characteristic | Description |
|---|---|---|
| D | Digits | Count of numbers |
| A | Alphabets | Count of alphabets |
| S | Special chars | Count of special chars |
| L | Length | Length of the password |

For a comprehensive list of all exposed websites, please visit Xposed websites in XON.

Also, one other point to note is the use of SHA3 Keccak-512 hashing for searching and storing data in XON. Traditional hashing algorithms like MD5 and SHA1 are now deprecated, and also considering the enormous number of records exposed, I have gone ahead with the SHA3 Keccak-512 algorithm. Keccak-512 hashes are 128 characters long.

Please check the simple and easy-to-use sample login screen, making use of this API.

Two sample Keccak-512 hashes given for easy reference:

Keccak-512("test")
1e2e9fc2002b002d75198b7503210c05a1baac4560916a3c6d93bcce3a50d7f00fd395bf1647b9abb8d1afcc9c76c289b0c9383ba386a956da4b38934417789e

Keccak-512("pass")
adf34f3e63a8e0bd2938f3e09ddc161125a031c3c86d06ec59574a5c723e7fdbe04c2c15d9171e05e90a9c822936185f12b9d7384b2bedb02e75c4c5fe89e4d4

Sample output on not finding the matching password hash:
            {  "Error": "Not found"}
        

https://api.xposedornot.com/v1/breaches
Parameters: all optional. With no parameters the endpoint returns every loaded breach.
Parameters for the breaches endpoint
| Parameter | In | Required | Type | Description |
|---|---|---|---|---|
| domain | query | No | string | Filter the results to a single domain. |
| breach_id | query | No | string | Filter the results to a single breach by its ID. |

The API returns a successful response in the format of JSON only.

This JSON can be easily parsed by all scripting languages for easy interpretation and to extract data elements to be used in your respective applications.
   {
  "exposedBreaches": [
    {
      "breachID": "APK.TW",
      "breachedDate": "2022-09-01T00:00:00+00:00",
      "addedDate": "2023-11-08T06:30:35+00:00",
      "domain": "apk.tw",
      "exposedData": [
        "Email addresses",
        "Usernames",
        "Passwords",
        "IP addresses"
      ],
      "exposedRecords": 2457094,
      "exposureDescription": "APK.TW, a Taiwanese Android forum, experienced a data breach in September 2022, affecting 3.7 million members. This incident exposed usernames, email addresses, IP addresses, and passwords encrypted with salted MD5 hashes.",
      "industry": "Information Technology",
      "logo": "https://xposedornot.com/static/logos/APKTW.png",
      "passwordRisk": "easytocrack",
      "referenceURL": "",
      "searchable": true,
      "sensitive": false,
      "verified": true
    },
    {
      "breachID": "Habibs",
      "breachedDate": "2021-08-01T00:00:00+00:00",
      "addedDate": "2023-11-08T06:30:35+00:00",
      "domain": "habibs.com.br",
      "exposedData": [
        "Email addresses",
        "Names",
        "Phone numbers",
        "Dates of birth",
        "IP addresses"
      ],
      "exposedRecords": 3519666,
      "exposureDescription": "Habib's, a Brazilian fast food restaurant, experienced a significant data breach in August 2021,  that impacted 3.5 million users, revealing personal information like email addresses, IP addresses, names, phone numbers, and dates of birth, along with CPF numbers and social media profile links. ",
      "industry": "Food",
      "logo": "https://xposedornot.com/static/logos/Habibs.png",
      "passwordRisk": "unknown",
      "referenceURL": "",
      "searchable": true,
      "sensitive": false,
      "verified": true
    },
    {
      "breachID": "GreenGaming",
      "breachedDate": "2024-03-01T00:00:00+00:00",
      "addedDate": "2024-04-15T10:22:18+00:00",
      "domain": "mrgreengaming.com",
      "exposedData": [
        "Email addresses",
        "IP addresses",
        "Geographic locations",
        "Usernames",
        "Dates of birth"
      ],
      "exposedRecords": 27142,
      "exposureDescription": "MrGreenGaming announced on their community forum reported a security breach due to unauthorized access via an inactive administrator account leading to a data breach on 01-Mar-2024. The intrusion led to vandalism and the potential exposure of user data, including usernames, email addresses, IP addresses at account creation, and birthdays.",
      "industry": "Entertainment",
      "logo": "https://xposedornot.com/static/logos/GreenGaming.png",
      "passwordRisk": "unknown",
      "referenceURL": "https://forums.mrgreengaming.com/topic/30151-%E2%9A%A0%EF%B8%8Fdata-breach%E2%9A%A0%EF%B8%8F/#comment-536079",
      "searchable": true,
      "sensitive": false,
      "verified": true
    },
    {
      "breachID": "CutoutPro",
      "breachedDate": "2024-02-01T00:00:00+00:00",
      "addedDate": "2024-03-10T08:15:42+00:00",
      "domain": "cutout.pro",
      "exposedData": [
        "Names",
        "Passwords",
        "Email addresses",
        "IP addresses"
      ],
      "exposedRecords": 20021813,
      "exposureDescription": "Cutout.Pro, an AI-powered photo editing platform, experienced a data breach affecting 20 million users. Information exposed includes email addresses, hashed passwords, IP addresses, and names. A cybercriminal posted 5.93 GB of data on hacker forum, including a 41.4 million record database dump with unique email addresses.",
      "industry": "Information Technology",
      "logo": "https://xposedornot.com/static/logos/Cutout.pro.png",
      "passwordRisk": "easytocrack",
      "referenceURL": "https://www.bleepingcomputer.com/news/security/20-million-cutoutpro-user-records-leaked-on-data-breach-forum/",
      "searchable": true,
      "sensitive": false,
      "verified": true
    }
	       
… response truncated for brevity; the full list continues.

Furthermore, you can also send a parameter such as a domain to filter the results and display only the content specific to that breach.
https://api.xposedornot.com/v1/breaches?domain={domain}

{
  "exposedBreaches": [
    {
      "breachID": "Twitter-Scraped",
      "breachedDate": "2021-01-01T00:00:00+00:00",
      "addedDate": "2023-11-08T06:30:35+00:00",
      "domain": "twitter.com",
      "industry": "Information Technology",
      "logo": "https://xposedornot.com/static/logos/Twitter.png",
      "passwordRisk": "unknown",
      "searchable": true,
      "sensitive": false,
      "verified": true,
      "exposedData": [
        "Usernames",
        "Names",
        "Email addresses",
        "Phone numbers",
        "Geographic locations"
      ],
      "exposedRecords": 208918735,
      "exposureDescription": "The Twitter Email Addresses Leak involves a data leak of over 200 million Twitter user profiles around 2021. The leak includes email addresses, names, screen names, follow counts, and account creation dates. The data was obtained through a Twitter API vulnerability that allowed the input of email addresses and phone numbers to confirm their association with Twitter IDs.",
      "referenceURL": ""
    }
  ],
  "status": "success"
}
		  
The API returns a successful response in the format of JSON only.

https://api.xposedornot.com/v1/domain-breaches/
Parameters:
Headers for the domain-breaches endpoint
| Parameter | In | Required | Type | Description |
|---|---|---|---|---|
| x-api-key | header | Yes | string | Your domain API key. The domain is derived from the key. |
| Content-Length | header | Yes | 0 | This endpoint accepts no request body, so set the content length to 0. |

This is a POST request and requires the valid API key to be included in the header with the key 'x-api-key'. The domain is derived from the API key, so this endpoint does not accept any request body and the content length header should be set to '0'.
** Don't have a key yet? See how to get an API key for domain breach data. It covers domain verification and retrieving the key from your dashboard.

Sample API request using curl. Store your key in an environment variable rather than hard-coding it, so it stays out of your shell history and source control:
export XON_API_KEY="your_api_key_here"

curl -L -X POST \
  -H "x-api-key: $XON_API_KEY" \
  -H "Content-Length: 0" \
  https://api.xposedornot.com/v1/domain-breaches/
The response of the API is in JSON format. The main key 'metrics' contains details about the breach. Below is a description of each sub-key in 'metrics':

1. Breach_Summary: This field provides a summary of the number of breaches per organization.
2. Breaches_Details: This is an array containing detailed information about each individual breach, including the name of the breached organization, the domain, and the email address associated with the breach.
3. Detailed_Breach_Info: This field contains a detailed summary of the breaches, including the date of the breach, the logo of the organization, whether or not the password was at risk, whether the breach is searchable, the type of data exposed, the total number of records exposed, and a description of the breach.
4. Domain_Summary: This provides a summary of the number of breaches per domain.
5. Top10_Breaches: This field provides a list of the top 10 breaches.
6. Yearly_Metrics: This field provides a yearly breakdown of the number of breaches from 2010 to the present year.

Sample output is given for easy reference.
{
  "metrics": {
    "Breach_Summary": {
      "AerServ": 1
    },
    "Breaches_Details": [
      {
        "breach": "AerServ",
        "domain": "xposedornot.com",
        "email": "deva[@]xposedornot.com"
      }
    ],
    "Detailed_Breach_Info": {
      "AerServ": {
        "breached_date": "Tue, 01 Apr 2014 00:00:00 GMT",
        "logo": "Aerserv.png",
        "password_risk": "plaintext",
        "searchable": "Yes",
        "xposed_data": "Email Addresses",
        "xposed_records": 64777,
        "xposure_desc": "AerServ, an ad management platform, experienced a data breach in April 2018. This incident occurred after its acquisition by InMobi and affected more than 64,000 unique email addresses. The exposed data included contact information and passwords, which were stored as salted SHA-512 hashes. Later in 2018, the breached data was publicly posted on Twitter, prompting InMobi to acknowledge the incident "
      }
    },
    "Domain_Summary": {
      "xposedornot.com": 1
    },
    "Top10_Breaches": {
      "AerServ": 1
    },
    "Yearly_Metrics": {
      "2010": 0,
      "2011": 0,
      "2012": 0,
      "2013": 0,
      "2014": 1,
      "2015": 0,
      "2016": 0,
      "2017": 0,
      "2018": 0,
      "2019": 0,
      "2020": 0,
      "2021": 0,
      "2022": 0,
      "2023": 0
    }
  },
  "status": "success"
}

	       
Error Handling: If the API key is invalid, the endpoint responds with HTTP 401 and the following JSON:
{
  "detail": "Invalid or missing API key"
}
	       
The detail field contains a description of the error.

Remember to set XON_API_KEY to your actual API key before making a request to the endpoint.
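
For triage, Breaches_Details and Detailed_Breach_Info can be joined on the breach name to give a per-address view ordered by password risk. This is an added example, not XposedOrNot code: the function names, the constructed sample body, the ';' separator for xposed_data (taken from the breach-analytics sample) and the risk ordering are assumptions.

```python
import json
from collections import defaultdict

# password_risk values that appear in this page's samples, most urgent first
# (the ordering itself is an assumption of this example).
RISK_RANK = {"plaintext": 0, "easytocrack": 1, "unknown": 2, "hardtocrack": 3}

# Constructed sample in the shape of the documented response; names are made up.
SAMPLE = json.dumps({"metrics": {
    "Breaches_Details": [
        {"breach": "BreachB", "domain": "example.com", "email": "alice[@]example.com"},
        {"breach": "BreachA", "domain": "example.com", "email": "alice[@]example.com"},
        {"breach": "BreachB", "domain": "example.com", "email": "bob[@]example.com"}],
    "Detailed_Breach_Info": {
        "BreachA": {"password_risk": "plaintext", "xposed_data": "Email Addresses"},
        "BreachB": {"password_risk": "hardtocrack",
                    "xposed_data": "Usernames;Passwords"}}},
    "status": "success"})


def exposure_by_email(status: int, body: str) -> dict:
    """Map each exposed address to its breaches, worst password risk first."""
    doc = json.loads(body)
    if status == 401 or "detail" in doc:      # documented invalid-key response
        raise PermissionError(doc.get("detail", "unauthorised"))
    metrics = doc.get("metrics") or {}
    info = metrics.get("Detailed_Breach_Info") or {}
    report = defaultdict(list)
    for row in metrics.get("Breaches_Details") or []:
        detail = info.get(row["breach"], {})  # join on the breach name
        # The page's sample writes addresses as user[@]domain; normalise them.
        email = row["email"].replace("[@]", "@").lower()
        exposed = detail.get("xposed_data", "")
        report[email].append({
            "breach": row["breach"],
            "password_risk": detail.get("password_risk", "unknown"),
            "data": [d.strip() for d in exposed.split(";") if d.strip()],
        })
    for hits in report.values():
        hits.sort(key=lambda h: RISK_RANK.get(h["password_risk"], 2))
    return dict(report)


def reset_queue(report: dict) -> list:
    """Addresses ordered by their single worst password risk, then by name."""
    return sorted(
        report,
        key=lambda e: (RISK_RANK.get(report[e][0]["password_risk"], 2), e))


if __name__ == "__main__":
    for address in reset_queue(exposure_by_email(200, SAMPLE)):
        print(address)
```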
XposedOrNot API uses conventional HTTP response codes to indicate the success or failure of an API request. In general: Codes in the 2xx range indicate success. Codes in the 4xx range indicate an error that failed given the information provided (e.g., wrong parameters, insufficient query options, wrong url etc). Codes in the 5xx range indicate an error with XposedOrNot's server.

In other words, codes in the 4xx range indicate a client-side error (your request) and 5xx codes indicate a server-side error (on our end).

HTTP response codes and their meanings
| Code | Description |
|---|---|
| 200 | Success will output JSON response |
| 401 | Invalid/un-authorised API key |
| 404 | Error in input (no data found) |
| 429 | Speed throttle hit - time to slow down |
| 502/503 | Server-side error. Please report it if you encounter this. |