Alternate-Style Exposures API


An Exposure refers to any unintended release of user credentials on the Internet. This could be due to a data breach at a site, malware that has captured user credentials, a phishing site which has been capturing user credentials, etc. An Exposure occurs when this stolen credential data is then posted or shared in some public or private venue. PasswordPing routinely scours the web looking for this data and catalogues it in its database. Every time a new list of credentials is found, it is added as a new Exposure in our database.

The Alternate-Style Exposures API allows you to look up information on credentials Exposures (which were known in Pwnedlist as Leaks) and obtain the detailed information about each Exposure, using an API format similar to that of the original Pwnedlist API.

Available Calls

  • Exposures by Date Range
    Returns all of the credentials Exposures (AKA Leaks) that have been found since a specified number of days in the past.
  • Exposure Details
    Returns the detailed information for an Exposure (AKA Leak).

POST – Exposures by Date Range

https://api.passwordping.com/exposures

Returns all of the credentials Exposures (AKA Leaks) that have been found since a specified number of days in the past, up to a maximum of 200 entries.

See Using PasswordPing for general instructions on using the API.

Request

Parameter Type Description
daysAgo integer Specifies a number of days in the past. All Exposures catalogued since that date will be returned, up to a max of 200 entries.

Response

Response Description
200 The associated Exposures are in the response body

Response Body

The response body contains an array of the Exposure IDs this user has associated with it. These IDs can be used with the Exposure Details API to get additional information about each Exposure.

Member Type Description
count integer The number of items in the leaks array
leaks LeakDetails[] An array of LeakDetails objects

LeakDetails:
Member Type Description
leak_id string The ID of the Exposure
title string Title of the exposure – for breaches, the domain of the origin site
num_entries integer The number of credentials found in the exposure
leak_date date The date the exposure occurred, as much as is known. The value is as follows:

  • null if the date is not known
  • Month and day set to December 31st, if only the year is known (e.g. “2015-12-31” if Exposure date was sometime in 2015)
  • Day set to the first of the month if only the month is known (e.g. “2015-06-01” if Exposure date was sometime in June 2015)
  • Otherwise, exact date if exact date is known, including time
passwordType string The format of the passwords in the Exposure, e.g. “Cleartext”, “MD5”, “BCrypt”, etc.
compromisedData string[] An array of the types of user data which were present in the Exposure, e.g. “Emails”, “Passwords”, “Physical Addresses”, “Phone Numbers”, etc.
import_date date The date the Exposure was found and added to the PasswordPing database.
attackers string[] Array containing information about the attackers
media_refs string[] Links to any relevant media articles on the exposure
source_refs string[] An array of URLs the data was found at. Only present for some types of Exposures.
target_industries string[] An array of industries which were affected.
num_domains_affected integer The number of unique email address domains in this Exposure. So, for instance, if the Exposure only contained “gmail.com” and “yahoo.com” email addresses, this number would be 2.

Example

Request
curl --header "authorization: basic {your auth string}" --data "daysAgo=1" "https://api.passwordping.com/exposures"
Response
{ 
  "count": 1,
  "leaks": [
      {
          "leak_id": "58b4618a4eb6d812f04faef4",
          "title": "Unknown dark web leak 2017-02-28T00:27:37.000Z",
          "num_entries": 20,
          "leak_date": "2017-02-28T00:27:37.000Z",
          "passwordType": "Cleartext",
          "compromisedData": [
              "Emails",
              "Passwords"
          ],
          "import_date": "2017-02-27T17:27:38.000Z",
          "attackers": [],
          "media_refs": [],
          "source_refs": [],
          "target_industries": [
              "Dark Web Leak"
          ],
          "num_domains_affected": 8
      }
  ]
}
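
The following is an added example, not part of the PasswordPing documentation or any PasswordPing client: Python code that decodes the leak_date conventions listed above and flags a response that reached the 200-entry cap. It assumes partial dates carry a midnight time, as in the page's sample values; the function names, the WEAK_FORMATS set and the sample leak IDs are constructed for illustration.

```python
import json
from datetime import datetime

MAX_ENTRIES = 200                     # documented cap on the date-range call
WEAK_FORMATS = {"Cleartext", "MD5"}   # triage choice made for this example

def leak_date_precision(value):
    """Map a leak_date value to (precision, date) per the documented encoding."""
    if value is None:
        return ("unknown", None)
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    midnight = (dt.hour, dt.minute, dt.second, dt.microsecond) == (0, 0, 0, 0)
    # Assumption: partial dates are sent at midnight; a real event at exactly
    # midnight on these days cannot be told apart from a partial date.
    if midnight and (dt.month, dt.day) == (12, 31):
        return ("year", dt.date())    # only the year is meaningful
    if midnight and dt.day == 1:
        return ("month", dt.date())   # only year and month are meaningful
    return ("exact", dt.date())

def triage(body):
    """Summarise an /exposures response body (JSON text) for review."""
    data = json.loads(body)
    leaks = data["leaks"]
    if data["count"] != len(leaks):
        raise ValueError("count does not match the length of the leaks array")
    rows = []
    for leak in leaks:
        precision, when = leak_date_precision(leak.get("leak_date"))
        rows.append({
            "leak_id": leak["leak_id"],
            "title": leak.get("title"),
            "precision": precision,
            "leak_date": when,
            "weak_passwords": leak.get("passwordType") in WEAK_FORMATS,
        })
    # A full page may have cut off older entries: repeat with a smaller daysAgo.
    return {"possibly_truncated": data["count"] >= MAX_ENTRIES, "rows": rows}

# Constructed sample response (IDs and titles are placeholders).
SAMPLE = json.dumps({"count": 4, "leaks": [
    {"leak_id": "example-1", "title": "example.com", "leak_date": "2015-12-31", "passwordType": "BCrypt"},
    {"leak_id": "example-2", "title": "example.org", "leak_date": "2015-05-01T00:00:00.000Z", "passwordType": "Cleartext"},
    {"leak_id": "example-3", "title": "example.net", "leak_date": None, "passwordType": "MD5"},
    {"leak_id": "example-4", "title": "example.edu", "leak_date": "2017-02-28T00:27:37.000Z", "passwordType": "Cleartext"},
]})

if __name__ == "__main__":
    for row in triage(SAMPLE)["rows"]:
        print(row)
```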

POST – Exposure Details

https://api.passwordping.com/exposures

Returns the detailed information for a credentials Exposure.

See Using PasswordPing for general instructions on using the API.

Request

Parameter Type Description
leak_id string The ID of the Exposure

Response

Response Description
200 The response body contains the details of the Exposure
404 The requested Exposure was not found

Response Body

Member Type Description
leak_id string The ID of the Exposure
title string Title of the exposure – for breaches, the domain of the origin site
num_entries integer The number of credentials found in the exposure
leak_date date The date the exposure occurred, as much as is known. The value is as follows:

  • null if the date is not known
  • Month and day set to December 31st, if only the year is known (e.g. “2015-12-31” if Exposure date was sometime in 2015)
  • Day set to the first of the month if only the month is known (e.g. “2015-06-01” if Exposure date was sometime in June 2015)
  • Otherwise, exact date if exact date is known, including time
passwordType string The format of the passwords in the Exposure, e.g. “Cleartext”, “MD5”, “BCrypt”, etc.
compromisedData string[] An array of the types of user data which were present in the Exposure, e.g. “Emails”, “Passwords”, “Physical Addresses”, “Phone Numbers”, etc.
import_date date The date the Exposure was found and added to the PasswordPing database.
attackers string[] Array containing information about the attackers
media_refs string[] Links to any relevant media articles on the exposure
source_refs string[] An array of URLs the data was found at. Only present for some types of Exposures.
target_industries string[] An array of industries which were affected.
num_domains_affected integer The number of unique email address domains in this Exposure. So, for instance, if the Exposure only contained “gmail.com” and “yahoo.com” email addresses, this number would be 2.

Example

Request
curl --header "authorization: basic {your auth string}" --data "leak_id=57dc11964d6db21300991b78" "https://api.passwordping.com/exposures"
Response
{ 
  "count": 1,
  "leaks": [
      {
          "leak_id": "57dc11964d6db21300991b78",
          "title": "funsurveys.net",
          "num_entries": 5123,
          "leak_date": "2015-05-01T00:00:00.000Z",
          "passwordType": "Cleartext",
          "compromisedData": [
              "Emails",
              "Passwords"
          ],
          "import_date": "2016-09-16T15:36:54.000Z",
          "attackers": [],
          "media_refs": [],
          "source_refs": [],
          "target_industries": [
              "Surveys"
          ],
          "num_domains_affected": 683
      }
  ]
}