Frequently Asked Questions (FAQ)
Outside of work, I have a strong interest in forensic investigations and enjoy tackling challenges in Capture The Flag (CTF) competitions. In 2017, I started a side project called XposedOrNot. It began as a way to collect and share exposed passwords for free. Over time, I've been gathering data from public breaches, and now, with a wealth of information at hand, I want to offer this resource to those who can benefit from it the most.
My journey in IT and information security has been immensely fulfilling, and I'm committed to sharing my knowledge and expertise to create a safer digital world for all.
The XposedOrNot platform aids people in discovering whether their email or personal details have been compromised in a data breach. This knowledge can propel users to safeguard their accounts with measures such as password changes and vigilant account monitoring.
Aside from just checking emails and passwords, the website also facilitates users in scrutinizing data breach information at a domain or sub-domain level. For those who can confirm their domain ownership, they gain access to a detailed analysis of the data breaches that have affected their users.
An exciting addition to our suite of tools is the CXO Dashboard. This feature is particularly helpful for companies and corporations managing multiple domains. The CXO Dashboard offers a unified view of data breaches and all associated analytics. This consolidated perspective can significantly simplify the complex task of breach monitoring across various domains, empowering organizations to understand and respond to security incidents more efficiently and effectively.
Xposed (single page repository) comprises details about all the data breaches loaded onto XposedOrNot. This repository is designed to be visually engaging, simplifying the understanding of each breach's unique aspects. For folks who prefer a simple list of rows in a table, you may refer to the breaches page.
We have also created a useful utility, a Privacy Shield feature for individuals who do not wish to have their emails publicly searched on our platform. This is particularly useful for those who value their privacy and want to protect their data.
You may wonder why you should choose XposedOrNot over other breach monitoring services. The answer lies in our goal to raise awareness about data breaches and provide support to reduce the effects of such breaches. Every bit of help is a light in the darkness, and we aim to add to that illumination.
Unlike traditional monitoring services that merely inform you of your exposure and the volume of leaked records, XposedOrNot takes an extra step. We give each email a risk score, notify if the password was exposed in plaintext, and provide information on the top breaches where the email was compromised, among other details.
Data breaches are classified by industry on our platform, offering an insightful perspective into the most affected sectors. Our aim is to foster transparency and enable individuals to guard against data breaches effectively.
I've also incorporated an alerting feature that can be activated for individual websites and domains whenever they appear in data breaches. This service is totally free and is beneficial for everyone, from individual email users to corporations seeking to better understand their users' exposure to data breaches.
Furthermore, our entire data set can be queried and integrated into your custom applications via our XposedOrNot API. Detailed instructions on using the XposedOrNot API in your projects can be found on our API playground. Keeping with our ethos of free and open access to data, our API will continue to remain completely free of charge.
Lastly, I'd like to highlight that our application, API, and related files are all open source and hosted in GitHub. This open-source approach helps improve the security posture of the platform and invites contributions from the public. I believe in the power of collective wisdom and encourage security enthusiasts, web developers, designers, and data-breach researchers to share their ideas and collaborate to make XposedOrNot even more robust, secure and effective. Your contributions can help further strengthen this free public utility. Let's work together to make XposedOrNot even better!
XON only uses data breaches that have been made publicly available. Our goal is to make it easy for individuals and organizations to check whether their personal information has been exposed in any known data breaches, and to take steps to protect themselves against potential harm.
The entire list of data breaches loaded in XposedOrNot is documented in detail for easy reference on the Xposed page.
To answer that question, we do not store any user passwords or personally identifiable information (PII) in XON. When a user enters their email address or domain name into our search engine, we check our database of known data breaches to see if that email or domain has been involved in any past breaches. If there is a match, we provide the user with information on the specific breach(es) that their email or domain was involved in, along with any additional details we have on the incident.
We do not store information about user searches, such as the email or domain name searched and the date of the search, and we take measures to ensure the privacy and security of our users' data.
In summary, XON does not store any user passwords or PII, but we do store some basic information about user searches for the purpose of improving our service.
XON also has the ability to check exposed passwords. This service makes use of the SHA3-Keccak-512 hashing algorithm for converting the collected passwords into one-way hashes in storage. With the current technologies available, it is highly unlikely someone can reverse these SHA-3 Keccak hashes easily. This ensures the highest level of safety for stored hashes.
Please check the sample login page, which makes use of the XON Passwords API. This can help a lot of users by preventing them from reusing old and exposed passwords, in line with NIST guidelines.
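The following is an added example, not code from the XON project or its sample login page. It shows the check a signup or password-change form would make on the server: hash the candidate password with SHA3-512 (assumed here to be the FIPS 202 variant, via Python's hashlib; the page does not say which Keccak padding XON's store uses) and reject it if that one-way hash is already in the exposed-password set. The store contents are constructed for the example.

```python
import hashlib


def exposed_password_hash(password: str) -> str:
    """One-way SHA3-512 digest of a password, hex encoded (assumed: FIPS 202 SHA3-512)."""
    return hashlib.sha3_512(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the exposed-password store: only digests are kept,
# never the plaintext, so a leak of the store does not leak usable passwords.
EXPOSED_HASHES = {exposed_password_hash(p) for p in ("password123", "qwerty", "letmein")}


def is_exposed(password: str, store=EXPOSED_HASHES) -> bool:
    """True if the candidate's digest matches a known-exposed digest."""
    return exposed_password_hash(password) in store


def validate_new_password(password: str, store=EXPOSED_HASHES) -> tuple:
    """Server-side signup/password-change check in the spirit of NIST SP 800-63B:
    refuse a password that has appeared in a known breach, whatever its complexity."""
    if is_exposed(password, store):
        return False, "This password has appeared in a known data breach; choose a different one."
    return True, "ok"
```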
When we report on data breaches, we aim to provide a comprehensive overview of the types of data that have been exposed. This helps users understand the potential impact and risks associated with a particular breach.
To make it easier for our readers, I've logically grouped the exposed data into categories. Below is a breakdown of these categories and the types of data they encompass:
| Category | Types of Exposed Data |
|---|---|
| Personal Identification | Names, Dates of birth, Genders, Nationalities, Photos, Profile photos, Salutations, Nicknames, Licence plates, Social media profiles, Private messages, Avatars |
| Financial Information | Account balance, Bank account numbers, Credit cards |
| Personal Habits and Lifestyle | Drug habits, Spoken languages, Vehicle details, Vehicle identification numbers |
| Security Practices | Passwords, Historical passwords, Security questions and answers |
| Employment and Education | Job applications, Employers, Occupations, Education levels |
| Communication and Social Interactions | Email addresses, Instant messenger identities, Phone numbers, Private messages, Social connections, Social media profiles |
| Device and Network Information | IP addresses, Device information, Browser user agent details, Website activity |
| Health Information | Personal health data, Health insurance information, Fitness levels, Smoking habits |
| Demographics | Age group, Age, Ethnicities, Marital statuses, Spoken languages, Sexual preferences |
| Political and Social Views | Social connections, Private messages |
Note: The data presented reflects significant exposed details only; not all data types from breaches are included. Due to manual compilation, errors may occur. For corrections, please contact me.
You're welcome to check your emails/passwords, as well as those of your family, friends, or immediate circle, without any limit on the number of checks.
Please note that verification of individual data breaches impacting a website and its users is currently a manual process, and we take utmost care to ensure accuracy.
Data Breach: A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. In XON this covers websites or online applications whose data has been breached by external or internal actors and exposed on the web for unauthorized access.
ComboList: A combo list is a text file containing a list of usernames and passwords in a consistent format. Combolists are meant to be machine-readable so they can be used as input to tools that will automate authentication requests to a website or API.
Tags used in exposed breaches:
Verified: Breaches that are verified individually and confirmed as authentic data breaches.
Untrustworthy: Breaches that are not verified and not confirmed.
Searchable: Breaches or ComboLists that can be publicly searched with an email address.
Sensitive-Site: Breaches that cannot be publicly searched considering the sensitivity of the data exposed.
The risk score formula calculates a normalized risk score (0-100) based on multiple factors that indicate the potential risk level of an account. The score considers the number of breaches, types of exposed passwords, recency of breaches, and sensitivity of exposed data.
The formula combines four main components:
1. Base Score (0-15 points)
- 3 points per breach, up to a maximum of 15 points
2. Password Risk Score (0-40 points)
- Weighted based on password exposure types:
  - Plaintext passwords: 40 points
  - Easy to crack passwords: 30 points
  - Unknown password types: 20 points
  - Strong hash passwords: 10 points
- Final password score is the weighted average based on total passwords
3. Recency Score (0-25 points)
Based on most recent breach:
- Within 3 months: 25 points
- 3-6 months: 20 points
- 6-12 months: 15 points
- 12-24 months: 10 points
- Over 24 months: 5 points
4. Sensitive Data Score (0-20 points)
- 4 points per exposed high-risk data category, up to 20 points
- High-risk categories include:
  - Security Practices (passwords, security questions)
  - Financial Details (credit cards, bank accounts)
  - Health Information (medical data)
  - Personal Identification (identity data)
Final Risk Score
The final score is the sum of all components, capped at 100 points. Risk levels are categorized as:
- High Risk: 70-100 points
- Medium Risk: 40-69 points
- Low Risk: 0-39 points
This comprehensive scoring system helps users understand their exposure risk level and take appropriate action to protect their accounts.
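The four components above, carried through in code as an added example (not XON's own implementation). Two details the FAQ leaves open are assumptions here and marked in comments: recency bands are read as half-open month ranges, and the password "weighted average" is taken over every breach that exposed a password. The breach records are constructed sample data.

```python
from datetime import date

# Component weights and caps, as stated in the FAQ.
BASE_POINTS_PER_BREACH, BASE_MAX = 3, 15
PASSWORD_WEIGHTS = {"plaintext": 40, "easy_to_crack": 30, "unknown": 20, "strong_hash": 10}
RECENCY_BANDS = [(3, 25), (6, 20), (12, 15), (24, 10)]  # (upper bound in months, points)
RECENCY_OLDEST = 5
HIGH_RISK_CATEGORIES = {"Security Practices", "Financial Details",
                        "Health Information", "Personal Identification"}
SENSITIVE_POINTS_PER_CATEGORY, SENSITIVE_MAX = 4, 20

def months_between(earlier, later):
    """Whole months from earlier to later; a partial month rounds down (assumed convention)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    return months - 1 if later.day < earlier.day else months

def base_score(breaches):
    return min(BASE_POINTS_PER_BREACH * len(breaches), BASE_MAX)

def password_score(breaches):
    # Assumed reading of "weighted average based on total passwords": every breach that
    # exposed a password contributes its type's weight, averaged over those breaches.
    weights = [PASSWORD_WEIGHTS[b["password_type"]] for b in breaches if b.get("password_type")]
    return sum(weights) / len(weights) if weights else 0

def recency_score(breaches, today):
    if not breaches:
        return 0
    age = months_between(max(b["date"] for b in breaches), today)
    for upper, points in RECENCY_BANDS:  # assumed: "3-6 months" means 3 <= age < 6
        if age < upper:
            return points
    return RECENCY_OLDEST

def sensitive_data_score(breaches):
    exposed = set().union(*(b.get("categories", set()) for b in breaches)) & HIGH_RISK_CATEGORIES
    return min(SENSITIVE_POINTS_PER_CATEGORY * len(exposed), SENSITIVE_MAX)

def risk_score(breaches, today):
    """Return (score 0-100, risk level) for one address's list of breaches."""
    total = (base_score(breaches) + password_score(breaches)
             + recency_score(breaches, today) + sensitive_data_score(breaches))
    score = min(100, round(total))
    level = "High Risk" if score >= 70 else "Medium Risk" if score >= 40 else "Low Risk"
    return score, level

# Constructed sample: two breaches for one address, scored on a fixed date.
TODAY = date(2024, 6, 1)
SAMPLE_BREACHES = [
    {"name": "ExampleShop", "date": date(2024, 4, 15), "password_type": "plaintext",
     "categories": {"Security Practices", "Financial Details"}},
    {"name": "ExampleForum", "date": date(2021, 1, 10), "password_type": "strong_hash",
     "categories": {"Personal Identification", "Communication and Social Interactions"}},
]
```

For the sample, the components are 6 + 25 + 25 + 12, giving 68 and a Medium Risk rating that sits one point below the High Risk threshold.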
The entire application and website are built on open source technology, including the operating system (Linux), API script (Python), and web files (HTML/CSS/JavaScript). By collaborating and working together, we can improve and enhance any service, and open source is the way forward.
I welcome any pull requests and contributions to modify, enhance, or fix any bugs. Let's work together to create a better and more secure online environment for everyone.
I want to make it clear that this is not a bug bounty program and we do not offer a monetary reward for submissions. However, I would be happy to feature your valid submissions on our Hall of Fame page, based on your preference. I believe in recognizing the positive contributions of reporters who have demonstrated a high level of dedication to our program.
Feel free to reach out to me if you have any questions related to privacy and related subjects.
- Alert me notification confirmation
- Alert me notifications of breaches
- Privacy shield notification and confirmations
- Domain validation notifications and confirmations
As this email is used only for automated notifications as stated above, this email will not be monitored for inbound emails. Please use the email address given in "How can I be reached" for response and communication.
If you come across a data breach that is not listed in XON and is publicly accessible without any cost or expectation of remuneration, please do not hesitate to contact me and let me know. I will verify the breach and add it to XON for everyone to benefit from. We even have a special Hall of Fame page dedicated to recognizing and thanking individuals who help us in this initiative.
Thank you in advance for your support and patronage. We really appreciate it!
To improve our service, we do collect some data about our users, but we don't log any user actions except for demographic data. This helps us better understand our users and provide a better service in alignment with the privacy policy.
The only exception to this is for users who sign up for our "Alert Me" service. We use this service to notify the owners of email addresses and domains of any future breaches that are loaded in XON. To ensure the accuracy of our notifications, we use a dual opt-in process where users must confirm their email address before receiving alerts.
Twitter - https://twitter.com/DevaOnBreaches
LinkedIn - https://www.linkedin.com/in/devasecurity/
Mastodon - https://infosec.exchange/@DevaOnBreaches
I am always on the lookout for ways to make XON more useful and informative, and your input could help us take our game to the next level. Plus, who knows - maybe you'll make it onto our special "Breaches Super Sleuths" list for your heroic efforts!
Let's make the internet a safer place for all.