StealedStealed Documentation
Open Stealed
API ReferenceLeaks

Retrieve public exposure analytics stats for a domain

GET
/leaks/stats/analytics

Endpoint to retrieve pre-aggregated analytics statistics for a domain. Restricted to MSSP role. No raw credential data is returned -- stats only. Data comes from permanent pre-aggregated tables (no TTL), so full history is available.

Returns:

  • total_leaks: Total number of leaks
  • unique_usernames: Unique usernames (HyperLogLog estimate)
  • unique_passwords: Unique passwords (HyperLogLog estimate)
  • unique_leaks: Unique credentials by hash (HyperLogLog estimate)
  • unique_sources: Unique Telegram channels (HyperLogLog estimate)
  • unique_domains: Unique cross-domains (email_domains for root_domain queries, or vice-versa)
  • latest_leak_date: Date of the most recent leak
  • leaks_by_type: Leaks split by type (Stealer / Combo)
  • leaks_by_day: Daily leak timeline
  • leaks_by_stealer: Top 20 stealer families
  • leaks_by_country: Top 20 countries

Example Usage:

GET /leaks/stats/analytics?domain=example.com&identifier_column=root_domain
GET /leaks/stats/analytics?domain=gmail.com&identifier_column=email_domain

Authorization

ApiKeyAuth
X-API-Key<token>

API key for authentication

In: header

Query Parameters

domain*Domain

Domain to look up (single value)

identifier_column*Identifier Column

Column to match domain against

Value in"root_domain" | "email_domain"
time_range?Time Range

Time window: '30d' for last 30 days (daily), '12m' for last 12 months (monthly)

Default"12m"
Value in"30d" | "12m"

Response Body

application/json

application/json

curl -X GET "https://api.stealed.io/leaks/stats/analytics?domain=example.com&identifier_column=root_domain&time_range=12m"
{
  "latest_leak_date": "2025-03-01",
  "leaks_by_country": [
    {
      "count": 3100,
      "name": "FR"
    },
    {
      "count": 2800,
      "name": "US"
    }
  ],
  "leaks_by_day": [
    {
      "count": 450,
      "date": "2025-02-28"
    },
    {
      "count": 310,
      "date": "2025-03-01"
    }
  ],
  "leaks_by_stealer": [
    {
      "count": 4200,
      "name": "RedLine"
    },
    {
      "count": 2100,
      "name": "Raccoon"
    }
  ],
  "leaks_by_type": [
    {
      "count": 9800,
      "type": "Stealer"
    },
    {
      "count": 2700,
      "type": "Combo"
    }
  ],
  "subdomains": [
    {
      "count": 1234,
      "domain": "mail.example.com"
    },
    {
      "count": 567,
      "domain": "www.example.com"
    }
  ],
  "total_leaks": 12500,
  "unique_domains": 320,
  "unique_leaks": 10200,
  "unique_passwords": 7900,
  "unique_sources": 45,
  "unique_usernames": 8300
}
{
  "detail": [
    {
      "loc": [
        "string"
      ],
      "msg": "string",
      "type": "string"
    }
  ]
}

Retrieve all occurrences of a specific leak by hash GET

Retrieve all individual occurrences (raw records) for a specific leak hash. Use this after `/leaks/details` to drill down into a deduplicated leak and see every source where the credential was found. **Parameters:** - `hash` (required): The leak hash from the `/leaks/details` response - `identifier_column` (required): `root_domain`, `email_domain`, or `username` **Response:** ```json { "data": [ { "type": "Stealer", "username": "user@example.com", "password": "p****d", "domain": "example.com", "upload_stealed": "2025-01-15T10:30:00", "upload_date": "2025-01-14T08:00:00", "stealer_name": "RedLine", "country": "FR", "ip_address": "1.2.3.4", "computer_name": "DESKTOP-ABC", "software": "Chrome" }, ... ] } ``` **Example:** ```bash GET /leaks/details/by-hash?hash=5d41402abc4b2a76b9719d911017c592&identifier_column=root_domain ```

Retrieve leak statistics for a given domain and query GET

Endpoint to retrieve leak statistics for the provided domain and query. Gated on the ``public_exposure`` tenant feature flag. Only analytics queries are allowed via this endpoint.