To experiment with and test our API, we invite you to explore our API Playground.

🎮 API Playground


API Quick Reference
    Last Updated: 05-Jun-2023

Thank you for your interest in XposedOrNot. The goal is to keep our API as accessible and responsive as possible, making it a valuable tool for everyone. Hosted directly on Google Infrastructure and robustly cached by Cloudflare, the XposedOrNot API offers rapid responses for any queries, regardless of their origin point.

The XposedOrNot API adheres to the principles of REST architecture. It returns JSON-encoded responses and utilizes standard HTTP response codes. For the majority of our API routes, there are no authentication requirements, ensuring easy access and simplicity of use. However, please note that our specific API route used for querying domain-related data requires an API key authorization. This measure is in place to ensure that only verified owners or authorities of the specified domains can access this sensitive information.

For experimentation and testing purposes, I warmly invite you to explore our API Playground. Here, you'll have the opportunity to familiarize yourself with the functionality of the XposedOrNot API in a user-friendly environment.

This user-friendly API quickly checks if an email address has been involved in any known data breaches. It searches a comprehensive database of breaches and alerts you if the email is at risk.

This tool is invaluable for maintaining digital security and understanding the breach history of an email. It's a step towards better digital safety and awareness.


API Endpoint: 
https://api.xposedornot.com/v1/check-email/[[email protected]]
Example of Successful Breach Detection: When a breach is detected, you'll receive a JSON response like this: 
 {
  "breaches": [
    [
      "Tesco",
      "KiwiFarms",
      "Vermillion",
      "Verified",
      "LizardSquad",
      "2fast4u",
      "Autotrader",
      "MyRepoSpace",
      "SweClockers"
    ]
  ]
}
The response is in JSON format, making it simple to parse with any scripting language. This lets you easily integrate the data into your applications.
Response When No Breach is Found:
If the email address is not found in any breach database, you will get the following JSON response: 
{"Error":"Not found"}

Our API offers an in-depth analysis of an email address's data breach history. It reveals when and where breaches occurred, providing essential analytics to gauge the impact and severity of these incidents. This tool is key for understanding data exposure levels and enhancing security strategies.


API Endpoint: 
https://api.xposedornot.com/v1/breach-analytics?email=[email-address]

The API responds with two possible outcomes: success or failure. Below are the key components of a successful response:


  • BreachesSummary: Get a quick overview of all breaches tied to the email address, including a list of affected sites. Ideal for a fast check on breach history.

  • ExposedBreaches: Receive detailed information on each breach, including the breached entity's name, description, domain, industry, risk level, references, exposed data types, and the year and number of records exposed. This helps assess the specifics and seriousness of each breach.

  • BreachMetrics: This component offers analytics about the breaches, such as affected industries, password strength, risk score, data types exposed, and a yearly breakdown. This data is crucial for understanding the full impact of the breaches.

  • xposed_data: Gain insight into the specific data types exposed in the breaches, such as names, photos, nationalities, etc. This helps in understanding the nature and extent of personal data exposure.

  • PastesSummary: Provides an overview of 'paste' breaches (data exposures on public pastebin-like services), including a count and the most recent occurrence. It's a quick way to gauge exposure on these platforms.

  • ExposedPastes & PasteMetrics: These components give detailed information and a yearly analysis of paste breaches, allowing for a deeper understanding of exposure trends over time.

This comprehensive suite of analytics tools offers a deep dive into the data breach history of any email, providing the insights needed for better digital security management.


Sample JSON output on successfully finding a matching record: 

{
  "BreachMetrics": {
    "get_details": [],
    "industry": [
      [
        [          "elec",          1        ],
        [          "misc",          0        ],
        [          "mini",          0        ],
        [          "musi",          0        ],
        [          "manu",          0        ],
        [          "ener",          0        ],
        [          "news",          0        ],
        [          "ente",          0        ],
        [          "hosp",          0        ],
        [          "heal",          0        ],
        [          "food",          0        ],
        [          "phar",          0        ],
        [          "educ",          0        ],
        [          "cons",          0        ],
        [          "agri",          0        ],
        [          "tele",          0        ],
        [          "info",          0        ],
        [          "tran",          0        ],
        [          "aero",          0        ],
        [          "fina",          0        ],
        [          "reta",          0        ],
        [          "nonp",          0        ],
        [          "govt",          0        ],
        [          "spor",          0        ],
        [          "envi",          0        ]
      ]
    ],
    "passwords_strength": [
      {
        "EasyToCrack": 0,
        "PlainText": 0,
        "StrongHash": 1,
        "Unknown": 0
      }
    ],
    "risk": [
      {
        "risk_label": "Low",
        "risk_score": 3
      }
    ],
    "xposed_data": [
      {
        "children": [
          {
            "children": [
              {
                "colname": "level3",
                "group": "A",
                "name": "data_Usernames",
                "value": 1
              }
            ],
            "colname": "level2",
            "name": "👤 Personal Identification"
          },
          {
            "children": [
              {
                "colname": "level3",
                "group": "D",
                "name": "data_Passwords",
                "value": 1
              }
            ],
            "colname": "level2",
            "name": "đź”’ Security Practices"
          },
          {
            "children": [
              {
                "colname": "level3",
                "group": "F",
                "name": "data_Email addresses",
                "value": 1
              }
            ],
            "colname": "level2",
            "name": "đź“ž Communication and Social Interactions"
          }
        ]
      }
    ],
    "yearwise_details": [
      {
        "y2007": 0,
        "y2008": 0,
        "y2009": 0,
        "y2010": 0,
        "y2011": 0,
        "y2012": 0,
        "y2013": 0,
        "y2014": 0,
        "y2015": 1,
        "y2016": 0,
        "y2017": 0,
        "y2018": 0,
        "y2019": 0,
        "y2020": 0,
        "y2021": 0,
        "y2022": 0,
        "y2023": 0
      }
    ]
  },
  "BreachesSummary": {
    "site": "SweClockers"
  },
  "ExposedBreaches": {
    "breaches_details": [
      {
        "breach": "SweClockers",
        "details": "SweClockers experienced a data breach in early 2015, where 255k accounts were exposed. As a result, usernames, email addresses, and salted hashes of passwords—which were stored using a combination of MD5 and SHA512—were disclosed. Exposed data: Usernames, Email addresses, Passwords.",
        "domain": "sweclockers.com",
        "industry": "Electronics",
        "logo": "Sweclockers.png",
        "password_risk": "hardtocrack",
        "references": "",
        "searchable": "Yes",
        "verified": "Yes",
        "xposed_data": "Usernames;Email addresses;Passwords",
        "xposed_date": "2015",
        "xposed_records": 254967
      }
    ]
  },
  "ExposedPastes": null,
  "PasteMetrics": null,
  "PastesSummary": {
    "cnt": 0,
    "domain": "",
    "tmpstmp": ""
  }
}
A few of the data points used in the BreachMetrics are as follows:
  1. Industry wise classification
    2. This gives you the count of the breaches exposed in top-19 industries.
  2. Password strength
    3. This gives you the count of breaches that had passwords that are 1. Easy to Crack, 2. Plain Text passwords & 3. Strong and safe password hashes used.
  3. Year-wise details
    4. This gives you the historical data of data breaches starting from the year 2010 until now.

Sample output on not finding the matching email address: 
{  "Error": "Not found"}

This also means that the email searched is not found in any of the data breaches loaded in XposedOrNot.

If you're interested in checking for exposed passwords, this API is perfect for you. It provides results in two forms: successful or unsuccessful. Imagine you want to check the widely used password "123456" - this API can help.


https://passwords.xposedornot.com/v1/pass/anon/[first 10 characters of SHA3-keccak-512 hash]
Sample JSON output on successfully finding a matching password hash: 
 {
  "SearchPassAnon": {
    "anon": "808d63ba47",
    "char": "D:6;A:0;S:0;L:6",
    "count": "11999477",
    "wordlist": 0
  }
}

The API delivers results in a JSON format, which is more informative than a simple yes/no. This detailed output enables further analysis and enhancement of the extensive list of real-time exposed passwords.


Output Structure Guide:


  • "anon" Element: Every password hash in our database includes the "anon" element. This is to ensure privacy for users who want to search while remaining anonymous.
  • "char" Element: This element provides a breakdown of the password's characteristics, like length, use of letters, numbers, and special characters. This is especially useful for understanding password strength and whether it meets various website requirements.

This API is not only useful for identifying exposed passwords but also helps in developing stronger, more secure password policies.


The following table explains a bit more about the characteristics in simple terms :

Digits Count of numbers
Alphabets Count of alphabets
Special chars Count of special chars
Length Length of the password
The last one "count" denotes the number of times, this password was observed in the collected exposed data breaches. For a comprehensive list of all exposed websites, please visit Xposed websites in XON .

Also, one other point to note is the use of SHA3 Keccak-512 hashing for searching and storing data in XON. Traditional hashing algorithms like MD5 and SHA1 are currently deprecated and also considering the enormous number of records exposed, I have gone ahead with SHA3 Keccak-512 algorithm. Keccak-512 hashes are 128 characters long.

Please check the simple and easy-to-use sample login screen, making use of this API.

Two sample Keccak-512 hashes given for easy reference:

Keccak-512("test") 
1e2e9fc2002b002d75198b7503210c05a1baac4560916a3c6d93bcce3a50d7f00fd395bf1647b9abb8d1afcc9c76c289b0c9383ba386a956da4b38934417789e
Keccak-512("pass") 
adf34f3e63a8e0bd2938f3e09ddc161125a031c3c86d06ec59574a5c723e7fdbe04c2c15d9171e05e90a9c822936185f12b9d7384b2bedb02e75c4c5fe89e4d4
Sample output on not finding the matching password hash: 
            {  "Error": "Not found"}
        
https://api.xposedornot.com/v1/breaches
The API returns a successful response in the format of JSON only.

This JSON can be easily parsed by all scripting languages for easy interpretation and to extract data elements to be used in your respective applications. 
   {
  "exposedBreaches": [
    {
      "breachID": "APK.TW",
      "breachedDate": "2022-09-01T00:00:00+00:00",
      "domain": "apk.tw",
      "exposedData": [
        "Email addresses",
        "Usernames",
        "Passwords",
        "IP addresses"
      ],
      "exposedRecords": 2457094,
      "exposureDescription": "APK.TW, a Taiwanese Android forum, experienced a data breach in September 2022, affecting 3.7 million members. This incident exposed usernames, email addresses, IP addresses, and passwords encrypted with salted MD5 hashes.",
      "industry": "Information Technology",
      "logo": "https://xposedornot.com/static/logos/APKTW.png",
      "passwordRisk": "easytocrack",
      "referenceURL": "",
      "searchable": true,
      "sensitive": false,
      "verified": true
    },
    {
      "breachID": "Habibs",
      "breachedDate": "2021-08-01T00:00:00+00:00",
      "domain": "habibs.com.br",
      "exposedData": [
        "Email addresses",
        "Names",
        "Phone numbers",
        "Dates of birth",
        "IP addresses"
      ],
      "exposedRecords": 3519666,
      "exposureDescription": "Habib's, a Brazilian fast food restaurant, experienced a significant data breach in August 2021,  that impacted 3.5 million users, revealing personal information like email addresses, IP addresses, names, phone numbers, and dates of birth, along with CPF numbers and social media profile links. ",
      "industry": "Food",
      "logo": "https://xposedornot.com/static/logos/Habibs.png",
      "passwordRisk": "unknown",
      "referenceURL": "",
      "searchable": true,
      "sensitive": false,
      "verified": true
    },
    {
      "breachID": "GreenGaming",
      "breachedDate": "2024-03-01T00:00:00+00:00",
      "domain": "mrgreengaming.com",
      "exposedData": [
        "Email addresses",
        "IP addresses",
        "Geographic locations",
        "Usernames",
        "Dates of birth"
      ],
      "exposedRecords": 27142,
      "exposureDescription": "MrGreenGaming announced on their community forum reported a security breach due to unauthorized access via an inactive administrator account leading to a data breach on 01-Mar-2024. The intrusion led to vandalism and the potential exposure of user data, including usernames, email addresses, IP addresses at account creation, and birthdays.",
      "industry": "Entertainment",
      "logo": "https://xposedornot.com/static/logos/GreenGaming.png",
      "passwordRisk": "unknown",
      "referenceURL": "https://forums.mrgreengaming.com/topic/30151-%E2%9A%A0%EF%B8%8Fdata-breach%E2%9A%A0%EF%B8%8F/#comment-536079",
      "searchable": true,
      "sensitive": false,
      "verified": true
    },
    {
      "breachID": "CutoutPro",
      "breachedDate": "2024-02-01T00:00:00+00:00",
      "domain": "cutout.pro",
      "exposedData": [
        "Names",
        "Passwords",
        "Email addresses",
        "IP addresses"
      ],
      "exposedRecords": 20021813,
      "exposureDescription": "Cutout.Pro, an AI-powered photo editing platform, experienced a data breach affecting 20 million users. Information exposed includes email addresses, hashed passwords, IP addresses, and names. A cybercriminal posted 5.93 GB of data on hacker forum, including a 41.4 million record database dump with unique email addresses.",
      "industry": "Information Technology",
      "logo": "https://xposedornot.com/static/logos/Cutout.pro.png",
      "passwordRisk": "easytocrack",
      "referenceURL": "https://www.bleepingcomputer.com/news/security/20-million-cutoutpro-user-records-leaked-on-data-breach-forum/",
      "searchable": true,
      "sensitive": false,
      "verified": true
    },

    and so on...

Furthermore you can also send a parameter like a domain and filter the results to dispay content specific to that breach. 
https://api.xposedornot.com/v1/breaches?domain=[twitter.com]

{
  "Exposed Breaches": [
    {
      "Breach ID": "Twitter-Scraped",
      "Breached Date": "2021-01-01T00:00:00+00:00",
      "Domain": "twitter.com",
      "Exposed Data": "Usernames;Email addresses;Names;Geographic locations;Profile photos;Phone numbers",
      "Exposed Records": 208918735,
      "Exposure Description": "\"The \"\"Twitter Email Addresses Leak\"\" involves a data leak of over 200 million Twitter user profiles around 2021. The leak includes email addresses, names, screen names, follow counts, and account creation dates. The data was obtained through a Twitter API vulnerability that allowed the input of email addresses and phone numbers to confirm their association with Twitter IDs.\"",
      "Industry": "Information Technology",
      "Logo": "Twitter.png",
      "Password Risk": "unknown",
      "Searchable": "Yes",
      "Sensitive": "No",
      "Verified": "Yes"
    }
  ],
  "status": "success"
}
The API returns a successful response in the format of JSON only.
https://api.xposedornot.com/v1/domain-breaches/
This is a POST request and requires the valid API key to be included in the header with the key 'x-api-key'. This endpoint does not accept any request body, hence, the content length header should be set to '0'.
** For validated domains, API key is available in the dashboard.

Sample API request using curl: 
curl -L -X POST -H "x-api-key: 2a447449965fe2b3f1729b65ee94197d" -H "Content-Length: 0" https://api.xposedornot.com/v1/domain-breaches/
The response of the API is in JSON format. The main key 'metrics' contains details about the breach. Below are the description of each sub-key in 'metrics':

1.Breach_Summary: This field provides a summary of the number of breaches per organization.
2.Breaches_Details: This is an array containing detailed information about each individual breach, including the name of the breached organization, the domain, and the email address associated with the breach.
3.Detailed_Breach_Info: This field contains a detailed summary of the breaches, including the date of the breach, the logo of the organization, whether or not the password was at risk, whether the breach is searchable, the type of data exposed, the total number of records exposed, and a description of the breach.
4.Domain_Summary: This provides a summary of the number of breaches per domain.
5.Top10_Breaches: This field provides a list of the top 10 breaches.
6.Yearly_Metrics: This field provides a yearly breakdown of the number of breaches from 2010 to the present year.

Sample output is given for easy reference.
{
  "metrics": {
    "Breach_Summary": {
      "AerServ": 1
    },
    "Breaches_Details": [
      {
        "breach": "AerServ",
        "domain": "xposedornot.com",
        "email": "[email protected]"
      }
    ],
    "Detailed_Breach_Info": {
      "AerServ": {
        "breached_date": "Tue, 01 Apr 2014 00:00:00 GMT",
        "logo": "Aerserv.png",
        "password_risk": "plaintext",
        "searchable": "Yes",
        "xposed_data": "Email Addresses",
        "xposed_records": 64777,
        "xposure_desc": "AerServ, an ad management platform, experienced a data breach in April 2018. This incident occurred after its acquisition by InMobi and affected more than 64,000 unique email addresses. The exposed data included contact information and passwords, which were stored as salted SHA-512 hashes. Later in 2018, the breached data was publicly posted on Twitter, prompting InMobi to acknowledge the incident "
      }
    },
    "Domain_Summary": {
      "xposedornot.com": 1
    },
    "Top10_Breaches": {
      "AerServ": 1
    },
    "Yearly_Metrics": {
      "2010": 0,
      "2011": 0,
      "2012": 0,
      "2013": 0,
      "2014": 1,
      "2015": 0,
      "2016": 0,
      "2017": 0,
      "2018": 0,
      "2019": 0,
      "2020": 0,
      "2021": 0,
      "2022": 0,
      "2023": 0
    }
  },
  "status": "success"
}
Error Handling: In case of an invalid or missing API key, the response would be as follows: 
{
  "message":"Invalid or missing API key",
  "status":"error"
}
The message field will contain a description of the error, and the status field will contain the string "error" to indicate that an error has occurred.

Remember to replace "YOUR_API_KEY" with your actual API key when making a request to the endpoint.
XposedOrNot API uses conventional HTTP response codes to indicate the success or failure of an API request. In general: Codes in the 2xx range indicate success. Codes in the 4xx range indicate an error that failed given the information provided (e.g., wrong parameters, insufficient query options, wrong url etc). Codes in the 5xx range indicate an error with XposedOrNot's server.

In other words, codes in the 4xx range indicate an user error(You) and 5xx indicates a server error(Me).

Code Description
200 Success will output JSON response
401 Invalid/un-authorised API key
404 Error in input ( no data found )
429 Speed throttle hit - time to slow down
502/503 Server fault - Totally my problem to fix. Please shout across, if you see this ;)