Frequently Asked Questions (FAQ)

Updated: 04-Dec-2025
Hello, I'm Devanand Premkumar, and I bring over two decades of experience in IT and information security. My career has been dedicated to helping organizations fortify their online defenses and ensure they comply with industry standards. I'm skilled at crafting and implementing security strategies that work across the globe, whether it's technical or not.

Outside of work, I have a strong interest in forensic investigations and enjoy tackling challenges in Capture The Flag (CTF) competitions. In 2017, I started a side project called XposedOrNot. It began as a way to collect and share exposed passwords for free. Over time, I've been gathering data from public breaches, and now, with a wealth of information at hand, I want to offer this resource to those who can benefit from it the most.

My journey in IT and information security has been immensely fulfilling, and I'm committed to sharing my knowledge and expertise to create a safer digital world for all.
XposedOrNot (XON) is a practical and resourceful tool designed to enable you to verify 🔍 if your personal data has been implicated in a data breach. Originally, this initiative was born out of my deep interest in forensics and the analysis of data breaches. The realization of the sheer volume of sensitive information exposed and the potential harm it could cause quickly led me to transform this interest into a public service. I was motivated to offer this service to everyone for free, making it accessible to all who want to protect their personal data and privacy.

The XposedOrNot platform aids people in discovering whether their email or personal details have been compromised in a data breach. This knowledge can propel users to safeguard their accounts with measures such as password changes and vigilant account monitoring.

Aside from just checking emails and passwords, the website also lets users examine data breach information at a domain or sub-domain level. Those who can confirm their domain ownership gain access to a detailed analysis of the data breaches that have affected their users.

An exciting addition to our suite of tools is the CXO Dashboard. This feature is particularly helpful for companies and corporations managing multiple domains. The CXO Dashboard offers a unified view of data breaches and all associated analytics. This consolidated perspective can significantly simplify the complex task of breach monitoring across various domains, empowering organizations to understand and respond to security incidents more efficiently and effectively.

Xposed (single page repository) comprises details about all the data breaches loaded onto XposedOrNot. This repository is designed to be visually engaging, simplifying the understanding of each breach's unique aspects. For folks who prefer a simple list of rows in a table, you may refer to the breaches page.

We have also created a useful utility, a Privacy Shield feature for individuals who do not wish to have their emails publicly searched on our platform. This is particularly useful for those who value their privacy and want to protect their data.

You may wonder why you should choose XposedOrNot over other breach monitoring services. The answer lies in our goal to raise awareness about data breaches and provide support to reduce the effects of such breaches. Every bit of help is a light in the darkness, and we aim to add to that illumination.

Unlike traditional monitoring services that merely inform you of your exposure and the volume of leaked records, XposedOrNot takes an extra step. We give each email a risk score, notify if the password was exposed in plaintext, and provide information on the top breaches where the email was compromised, among other details.

Data breaches are classified by industry on our platform, offering an insightful perspective into the most affected sectors. Our aim is to foster transparency and enable individuals to guard against data breaches effectively.

I've also incorporated an alerting feature that can be activated for individual websites and domains whenever they appear in data breaches. This service is totally free and is beneficial for everyone – from individual email users to corporations seeking to comprehend their users' vulnerability to data breaches better.

Furthermore, our entire data set can be queried and integrated into your custom applications via our XposedOrNot API. Detailed instructions on using the XposedOrNot API in your projects can be found on our API playground. Keeping with our ethos of free and open access to data, our API will continue to remain completely free of charge.

Lastly, I'd like to highlight that our application, API, and related files are all open source and hosted on GitHub. This open-source approach helps improve the security posture of the platform and invites contributions from the public. I believe in the power of collective wisdom and encourage security enthusiasts, web developers, designers, and data-breach researchers to share their ideas and collaborate to make XposedOrNot even more robust, secure and effective. Your contributions can help further strengthen this free public utility. Let's work together to make XposedOrNot even better!
At XposedOrNot, I source most of our exposed data from breaches that are available on the internet. These breaches are typically found on various websites, and with proper searching techniques, can be relatively easy for someone to access. Additionally, I also source some data breaches through technologies such as torrents.

XON only uses data breaches that have been made publicly available. Our goal is to make it easy for individuals and organizations to check whether their personal information has been exposed in any known data breaches, and to take steps to protect themselves against potential harm.

The entire list of data breaches loaded in XposedOrNot is documented in detail for easy reference on the Xposed page.
XposedOrNot is a data breach monitoring service that allows users to check whether personal information has been exposed in any known data breaches. I want to be transparent with our users about what is and what is not stored in our service.

To answer that question, we do not store any user passwords or personal identifiable information (PII) in XON. When a user enters their email address or domain name into our search engine, we check our database of known data breaches to see if that email or domain has been involved in any past breaches. If there is a match, we provide the user with information on the specific breach(es) that their email or domain was involved in, along with any additional details we have on the incident.

We do not store information about user searches, such as the email or domain name searched and the date of the search, and we take measures to ensure the privacy and security of our users' data.

In summary, XON does not store any user passwords or PII, but we do store some basic information about user searches for the purpose of improving our service.

XON also has the ability to check exposed passwords. This service makes use of the SHA3-Keccak 512 hashing algorithm for converting the collected passwords into one-way hashes in storage. With the current technologies available, it is highly unlikely someone can reverse these SHA-3 Keccak hashes easily. This ensures the highest level of safety for stored hashes.

Please check the sample login page, which makes use of the XON Passwords API. This can help a lot of users by preventing them from reusing old and exposed passwords, in line with NIST guidelines.

When we report on data breaches, we aim to provide a comprehensive overview of the types of data that have been exposed. This helps users understand the potential impact and risks associated with a particular breach.

To make it easier for our readers, I've logically grouped the exposed data into categories. Below is a breakdown of these categories and the types of data they encompass:

Categories of exposed data in breaches and the types of information each category includes (Category: Types of Exposed Data)

👤 Personal Identification: Names, Dates of birth, Genders, Nationalities, Photos, Profile photos, Salutations, Nicknames, Licence plates, Social media profiles, Private messages, Avatars
💳 Financial Information: Account balance, Bank account numbers, Credit cards
🍔 Personal Habits and Lifestyle: Drug habits, Spoken languages, Vehicle details, Vehicle identification numbers
🔒 Security Practices: Passwords, Historical passwords, Security questions and answers
🎓 Employment and Education: Job applications, Employers, Occupations, Education levels
📞 Communication and Social Interactions: Email addresses, Instant messenger identities, Phone numbers, Private messages, Social connections, Social media profiles
🖥️ Device and Network Information: IP addresses, Device information, Browser user agent details, Website activity
🩺 Health Information: Personal health data, Health insurance information, Fitness levels, Smoking habits
👥 Demographics: Age group, Age, Ethnicities, Marital statuses, Spoken languages, Sexual preferences
🗳️ Political and Social Views: Social connections, Private messages

Note: The data presented reflects significant exposed details only; not all data types from breaches are included. Due to manual compilation, errors may occur. For corrections, please contact me.

Usually, it's not a good idea to reveal where data breaches come from because of how much sensitive information is at stake. However, in XON, all the data that's been collected is uploaded and can be easily searched through the website or API for any email you input.
Absolutely! We offer an AlertMe Service that you can use to stay informed about any exposed data. You can use the AlertMe service while searching for emails or verifying passwords on our website. Simply activate the service, and we'll send you alerts if we detect any breaches involving your email address. This is a great way to stay on top of potential security threats and protect your sensitive information.

I don't intend to make this community edition a chargeable one. You're free to make use of this service and if you find it useful, please share it and spread the usage of XposedOrNot (XON). Every word of sharing and recommendation is always welcome for me as a researcher, as it will benefit the general population more and more.

You're welcome to check your emails/passwords, as well as those of your family, friends, or immediate circle, without any limit on the number of checks.
All the breaches exposed here are acknowledged by the website owners or online media and available as references. At XposedOrNot, we make sure that all the exposed breaches uploaded on our website are acknowledged by the respective website owners or online media, and we provide references for each one. In rare cases where a breach is not acknowledged by the website owner, we mark it as such and take steps to notify them through defined processes. We believe in transparency and post all such communication on our XposedOrNot Twitter account as well as in the references.

Please note that verification of individual data breaches impacting a website and its users is currently a manual process, and we take utmost care to ensure accuracy.
Data breaches are currently classified as follows:

Data Breach: A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. This covers websites or online applications whose data has been breached by external or internal actors and exposed on the web for unauthorized access.

ComboList: A combo list is a text file containing a list of usernames and passwords in a consistent format. Combolists are meant to be machine-readable so they can be used as input to tools that will automate authentication requests to a website or API.

Tags used in exposed breaches:
Verified: Breaches that are verified individually and confirmed as authentic data breaches.
Untrustworthy: Breaches that are not verified and not confirmed.
Searchable: Breaches or ComboLists that can be publicly searched with an email address.
Sensitive-Site: Breaches that cannot be publicly searched considering the sensitivity of the data exposed.
What is the risk score formula?

The risk score formula calculates a normalized risk score (0-100) based on multiple factors that indicate the potential risk level of an account. The score considers the number of breaches, types of exposed passwords, recency of breaches, and sensitivity of exposed data.

The formula combines four main components:

1. Base Score (0-15 points)
• 3 points per breach, up to a maximum of 15 points

2. Password Risk Score (0-40 points)
• Weighted based on password exposure types:
  - Plaintext passwords: 40 points
  - Easy to crack passwords: 30 points
  - Unknown password types: 20 points
  - Strong hash passwords: 10 points
• Final password score is the weighted average based on total passwords

3. Recency Score (0-25 points)
Based on most recent breach:
• Within 3 months: 25 points
• 3-6 months: 20 points
• 6-12 months: 15 points
• 12-24 months: 10 points
• Over 24 months: 5 points

4. Sensitive Data Score (0-20 points)
• 4 points per exposed high-risk data category, up to 20 points
• High-risk categories include:
  - Security Practices (passwords, security questions)
  - Financial Details (credit cards, bank accounts)
  - Health Information (medical data)
  - Personal Identification (identity data)

Final Risk Score
The final score is the sum of all components, capped at 100 points. Risk levels are categorized as:
• High Risk: 70-100 points
• Medium Risk: 40-69 points
• Low Risk: 0-39 points

This comprehensive scoring system helps users understand their exposure risk level and take appropriate action to protect their accounts.
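
The formula above, worked through in Python as an added example; this is not XposedOrNot's own code. The breach records, field names, month counting, band boundaries and rounding are assumptions made for illustration, and only the four high-risk categories named in the answer are counted.

```python
from datetime import date

# Point values and bands exactly as listed in the FAQ answer above.
PASSWORD_POINTS = {"plaintext": 40, "easy_to_crack": 30, "unknown": 20, "strong_hash": 10}
RECENCY_BANDS = [(3, 25), (6, 20), (12, 15), (24, 10)]  # (upper bound in months, points)
HIGH_RISK = {"Security Practices", "Financial Details",
             "Health Information", "Personal Identification"}


def months_between(earlier, later):
    # Assumption: whole calendar months; the FAQ does not say how months are counted.
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return max(months, 0)


def base_score(breaches):
    return min(3 * len(breaches), 15)


def password_score(breaches):
    # Assumption: "weighted average" = mean of the per-password points over all
    # breaches that exposed a password; breaches without one are skipped.
    points = [PASSWORD_POINTS.get(b["password_type"], PASSWORD_POINTS["unknown"])
              for b in breaches if b.get("password_type")]
    return sum(points) / len(points) if points else 0.0


def recency_score(breaches, today):
    if not breaches:
        return 0
    age = months_between(max(b["date"] for b in breaches), today)
    for upper, points in RECENCY_BANDS:
        if age < upper:  # assumption: each band excludes its upper bound
            return points
    return 5


def sensitive_score(breaches):
    exposed = set().union(*(b.get("categories", ()) for b in breaches))
    return min(4 * len(exposed & HIGH_RISK), 20)


def risk_score(breaches, today):
    parts = {
        "base": base_score(breaches),
        "password": password_score(breaches),
        "recency": recency_score(breaches, today),
        "sensitive": sensitive_score(breaches),
    }
    total = min(round(sum(parts.values())), 100)  # rounding is an assumption
    level = "High" if total >= 70 else "Medium" if total >= 40 else "Low"
    return total, level, parts


# Constructed sample: breach names, dates and field names are made up.
TODAY = date(2025, 12, 4)
SAMPLE = [
    {"name": "ExampleForum", "date": date(2019, 6, 15), "password_type": "plaintext",
     "categories": {"Security Practices", "Communication and Social Interactions"}},
    {"name": "ExampleShop", "date": date(2023, 2, 1), "password_type": "strong_hash",
     "categories": {"Security Practices", "Financial Details"}},
    {"name": "ExampleApp", "date": date(2025, 10, 20), "password_type": None,
     "categories": {"Personal Identification", "Device and Network Information"}},
]

if __name__ == "__main__":
    print(risk_score(SAMPLE, TODAY))
```

With the sample, one recent breach is enough to earn the full recency component even though the other two are years old, which moves the account from the medium band into the high band.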
In creating this application and website, I have taken into consideration the impact of unsecured and unsafe environments on data breaches and related exposure. That's why I have made the decision to open source the API and all related files on GitHub. As a long-time user, I firmly believe that open-source tools have had a significant impact on our environment, more than we may ever realize.

The entire application and website are built on open source technology, including the operating system (Linux), API script (Python), and web files (HTML/CSS/JavaScript). By collaborating and working together, we can improve and enhance any service, and open source is the way forward.

I welcome any pull requests and contributions to modify, enhance, or fix any bugs. Let's work together to create a better and more secure online environment for everyone ❤️.
If you happen to discover 🔍 a bug or security vulnerability, I would love 😍 to hear from you! I encourage you to disclose it using the responsible disclosure guidelines to support XposedOrNot.

I want to make it clear that this is not a bug bounty program and we do not offer a monetary reward for submissions. However, I would be happy to feature your valid submissions on our Hall of Fame page, based on your preference. I believe in recognizing the positive contributions of reporters who have demonstrated a high level of dedication to our program.
AlertMe is a 💡 handy notification service that sends you an email whenever a new breach is added to XposedOrNot. It's a great way to stay on top of any potential exposure and take the necessary steps to protect yourself. Setting up AlertMe is easy: all you have to do is enter your email and confirm it. From then on, you'll receive an email alert for any new breaches that affect the email address you subscribed with. You can activate AlertMe from the home page or by running a search for exposed data breaches. We'll provide guidance on subscriptions with every search, and you can even activate it through the password search feature.
Yes! Please refer to our comprehensive documentation:

Terms and Conditions - Complete service agreement including acceptable use, API usage, and user responsibilities
Transparency Report - How we handle breach data, legal requests, and protect your privacy
Privacy Policy - Detailed privacy practices and data handling

Feel free to reach out to me at deva[@]xposedornot.com if you have any questions related to privacy and related subjects.
We take a privacy-first approach to handling breach data. Here's exactly what we store and don't store:

What we DO store:
• Email addresses from breach datasets
• Breach metadata (name, date, affected organization, types of data exposed)
• Password hashes for our password checking service (SHA3-Keccak 512)

What we DO NOT store:
• Passwords in plaintext
• Credit card numbers
• Social security numbers
• Personal identification documents
• Any other sensitive personal data from breaches

This selective approach allows you to check if your email appears in known breaches while ensuring that other sensitive information remains completely outside of our infrastructure. For complete details, see our Transparency Report.
We take our legal obligations seriously and operate with full transparency:

• We respond promptly to valid legal orders, law enforcement requests, and regulatory directions
• Each request is reviewed to ensure it meets legal standards before action is taken
• When a breach dataset becomes subject to a court injunction or valid takedown request, we may suppress that information or limit access based on geographic location
• We publish statistics on all takedown and legal requests in our Transparency Report

Need to request a takedown?
Rights-holders and organizations can contact our Legal Operations team at deva[@]xposedornot.com
Yes, but with certain requirements:

• You must strictly adhere to the rate limits specified in our API documentation
• Provide clear attribution to XposedOrNot when displaying our breach data
• Do not attempt to circumvent usage restrictions or rate limits
• Commercial redistribution or resale of our breach data requires explicit written authorization
• Premium API features with higher rate limits are available through paid subscriptions

For complete API usage terms and restrictions, please refer to our Terms and Conditions and API Documentation.
We provide official SDKs for easy integration:

Node.js / JavaScript:
npm install xposedornot

Python:
pip install xposedornot

These libraries provide a simple interface to check emails for breaches, verify password exposure, and access breach analytics. For detailed documentation, code examples, and API endpoints, visit our API Documentation.
No, your privacy is protected when you search:

• Search queries are processed in memory and are not logged in any identifiable form
• We do not store the email addresses you search for
• We do not associate queries with IP addresses beyond transient security logs that are automatically purged
• We never sell search data to third parties or use it for marketing purposes

Exception: If you voluntarily sign up for our "Alert Me" service, we store your email address to send you breach notifications. You can unsubscribe at any time.

For complete details on our privacy practices, see our Transparency Report.
While we work hard to provide comprehensive breach coverage, it's important to understand the limitations:

• We can only report on breaches that have been publicly disclosed or that we have received through our sources
• Many breaches remain unreported, undiscovered, or are kept confidential under legal agreements
• Breach data may be incomplete or contain inaccuracies inherited from the original source
• We rely substantially on the security research community and public disclosures
• A search showing no breaches does NOT guarantee your information has never been compromised

Important: XposedOrNot is designed to be one tool in your overall security strategy, not a complete security solution. You should also use strong, unique passwords for each account, enable two-factor authentication, and use a reputable password manager.

For complete details on our service limitations, see our Terms and Conditions.
Yes! XposedOrNot is fully open source and we actively welcome contributions:

• Our source code is publicly available on GitHub
• You are free to review, modify, and contribute to the code
• Contributors retain ownership of their contributions
• By contributing, you grant XposedOrNot a license to use your contribution under our open-source license
• We may publicly credit contributors in release notes and documentation

What's protected:
While our code is open source, the XposedOrNot name, logo, and branding are our intellectual property and may not be used to create competing services without permission.

For complete contribution guidelines and intellectual property details, see our Terms and Conditions and Hall of Fame.
The emails which can be received are as follows:
  1. Alert me notification confirmation
  2. Alert me notifications of breaches
  3. Privacy shield notification and confirmations
  4. Domain validation notifications and confirmations

Currently, all emails from XON are sent only from notifications[@]xposedornot.com, and the process is completely automated.

As this email address is used only for the automated notifications stated above, it is not monitored for inbound emails. Please use the email address given in "How can I be reached" for response and communication.
I would love for everyone to contribute to making XON more useful for the general public. Account takeovers and password attacks are a real problem, and any help we can get in that direction is highly appreciated. I strongly believe that every little effort counts in the fight against data breaches, and I welcome anyone who wants to lend a hand.

If you come across a data breach that is not listed in XON and is publicly accessible without any cost or expectation of remuneration, please do not hesitate to contact me and let me know. I will verify the breach and add it to XON for everyone to benefit from. We even have a special Hall of Fame page dedicated to recognizing and thanking individuals who help us in this initiative.

Thank you in advance for your support and patronage. We really appreciate it! 🙏
We don't store any of the data that's searched on our website or API. We only collect demographic data through Google Analytics, which you can opt-out of at any time. You can find more information about our privacy and acceptable use policy on our website.

To improve our service, we do collect some data about our users, but we don't log any user actions except for demographic data. This helps us better understand our users and provide a better service in alignment with the privacy policy.

The only exception to this is for users who sign up for our "Alert Me" service. We use this service to notify the owners of email addresses and domains of any future breaches that are loaded in XON. To ensure the accuracy of our notifications, we use a dual opt-in process where users must confirm their email address before receiving alerts.

If you're feeling extra cautious and want to keep your online presence under wraps 🕵️, we understand. You can totally use the Tor Browser to check for any data breaches and exposed data on XposedOrNot. We want to make sure everyone feels safe and secure, even if you're browsing in the shadows like a stealthy ninja.
The Breach Comparison Tool lets you check two email addresses side-by-side to see how their breach exposures overlap. This is particularly useful for:

🔍 Finding Password Reuse Risks
If both emails appear in the same breach, you may have reused the same password across accounts. This is one of the most common ways attackers gain access to multiple accounts.

📧 Comparing Personal & Work Emails
See if your personal habits have put your work account at risk, or vice versa. Many people unknowingly use the same credentials across both.

📊 How It Works
When you enter two email addresses, we search our database of known data breaches for both. The tool then:
  • Shows total breaches affecting each email
  • Highlights shared breaches that appear in both
  • Displays a visual Venn diagram of the overlap
  • Calculates individual and combined risk scores
  • Lists all exposed data types (passwords, phone numbers, addresses, etc.)
  • Provides actionable security recommendations

🔒 Privacy First
We don't store your email addresses or search history. Each comparison is performed in real-time and nothing is logged. You can also use our Privacy Shield to opt out of appearing in any searches.
If you happen to stumble upon any publicly exposed data breaches out there that we haven't caught yet, we'd love to hear about it! Just drop an email to deva[@]xposedornot.com, or message me at the following channels:
Twitter - https://twitter.com/DevaOnBreaches
LinkedIn - https://www.linkedin.com/in/devasecurity/
Mastodon - https://infosec.exchange/@DevaOnBreaches
I am always on the lookout 👀 for ways to make XON more useful and informative, and your input could help us take our game to the next level. Plus, who knows - maybe you'll make it onto our special "Breaches Super Sleuths 🦸" list for your heroic efforts!

Let's make the internet a safer place for all.