Retrieve paginated leak details with optional search

GET
/leaks/details

Retrieve paginated, deduplicated leak details for the current organization.

Results are deduplicated by hash: each unique credential (username + password + domain) appears once, with aggregated metadata from all occurrences.

Specific Parameters:

| Parameter | Default | Description |
|---|---|---|
| identifier_column | required | root_domain, email_domain, or username |
| page | 1 | Page number |
| page_size | 50 | Items per page (max: 200) |
| search | - | Full-text search across username, host, domain, email_domain, root_domain, ip_address, computer_name, machine_user |
| sort_by | source_count | Sort order: source_count (most seen first) or last_seen (most recent first) |
| min_occurrences | - | Only return credentials seen in N+ distinct sources |

Plus all standard filters (see API description above).

Response Fields:

| Field | Type | Description |
|---|---|---|
| username | string | Username or email |
| password | string | Masked password (first and last char visible) |
| types | string[] | All distinct leak types for this credential, e.g. ["Combo", "Stealer"]. A credential found in both Combo dumps and Stealer logs will have both values. |
| type | string | Deprecated. Single type value (most recent ingestion). Use types instead. Kept for backward compatibility. |
| last_seen | datetime | Most recent detection date (aggregated max(upload_stealed) across all occurrences) |
| first_seen | datetime | Earliest detection date (aggregated min(upload_stealed) across all occurrences) |
| source_count | int | Number of distinct sources reporting this credential |
| domain | string | Associated domain |
| host | string | Full URL or host |
| email_domain | string | Email domain part |
| root_domain | string | Root domain |
| country | string | ISO 2-letter country code |
| stealer_name | string | Stealer family (RedLine, Raccoon, etc.) |
| software | string | Browser/app |
| ip_address | string | Victim IP address |
| computer_name | string | Machine name |
| machine_user | string | Machine user |
| hash | string | Unique deduplication hash |

Note: Results are deduplicated by hash. The raw upload_stealed column is not returned directly. Instead, first_seen and last_seen are computed as min(upload_stealed) and max(upload_stealed) across all occurrences of each credential.

Response Format:

```json
{
  "data": [
    {
      "username": "user@example.com",
      "password": "p****d",
      "types": ["Stealer"],
      "type": "Stealer",
      "first_seen": "2025-01-15T08:30:00",
      "last_seen": "2025-03-01T12:00:00",
      "host": "login.example.com",
      "domain": "login.example.com",
      "local_part": "user",
      "protocol": "https",
      "email_domain": "example.com",
      "root_domain": "example.com",
      "upload_date": "2025-02-28T10:00:00",
      "log_date": "2025-02-27T14:00:00",
      "machine_id": "DESKTOP-ABC1234",
      "computer_name": "LAPTOP-XYZ",
      "hardware_id": "hwid-1234-5678",
      "machine_user": "john.doe",
      "ip_address": "192.168.1.10",
      "country": "FR",
      "software": "chrome, profile: 0",
      "stealer_name": "RedLine",
      "hash": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
      "source_count": 3
    }
  ],
  "total": 12345,
  "page": 1,
  "page_size": 50,
  "total_pages": 247
}
```

Examples:

```bash
# Basic paginated request
GET /leaks/details?identifier_column=root_domain&page=1&page_size=50

# Sort by most recent
GET /leaks/details?identifier_column=root_domain&sort_by=last_seen

# Only credentials seen 3+ times
GET /leaks/details?identifier_column=root_domain&min_occurrences=3

# Full-text search with filters
GET /leaks/details?identifier_column=root_domain&search=john&type=Stealer&country=FR

# Custom date range
GET /leaks/details?identifier_column=root_domain&start_date=2024-01-01&end_date=2024-12-31&page_size=200
```

Pagination (retrieve all results):

```bash
# Page 1
GET /leaks/details?identifier_column=root_domain&page=1&page_size=200
# Page 2
GET /leaks/details?identifier_column=root_domain&page=2&page_size=200
# ... continue until page >= total_pages
```
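The pagination loop above written as a client, added here as an example (not Stealed's own code): it requests the documented maximum `page_size` of 200, sends the key in `X-API-Key`, stops once `page >= total_pages`, and folds the deprecated `type` field into `types`. The helper names, the injectable `fetch` parameter and the `fake_fetch` records are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

BASE_URL = "https://api.stealed.io"  # host taken from the page's curl example
MAX_PAGE_SIZE = 200                  # documented maximum for page_size


def http_get(path, params, api_key):
    """Default transport: GET with the X-API-Key header, JSON body decoded."""
    url = f"{BASE_URL}{path}?{urllib.parse.urlencode(params, doseq=True)}"
    req = urllib.request.Request(url, headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_leak_details(api_key, identifier_column="root_domain", fetch=http_get, **filters):
    """Yield every deduplicated credential, walking pages until total_pages."""
    page = 1
    while True:
        params = {"identifier_column": identifier_column, "page": page,
                  "page_size": MAX_PAGE_SIZE, **filters}
        body = fetch("/leaks/details", params, api_key)
        for row in body["data"]:
            # Prefer `types`; fall back to the deprecated single `type` field.
            row["types"] = row.get("types") or ([row["type"]] if row.get("type") else [])
            yield row
        # Stop on the documented condition, or on an empty page as a safety net.
        if page >= body.get("total_pages", 0) or not body["data"]:
            return
        page += 1


def stealer_hashes(rows):
    """Hashes of credentials seen in stealer logs, for drill-down by hash."""
    return sorted({r["hash"] for r in rows if "Stealer" in r["types"]})


def fake_fetch(path, params, api_key):
    """Constructed three-record data set served two per page (not real API output)."""
    records = [
        {"username": "a@example.com", "hash": "h1", "types": ["Combo", "Stealer"], "type": "Stealer"},
        {"username": "b@example.com", "hash": "h2", "type": "Combo"},
        {"username": "c@example.com", "hash": "h3", "types": ["Stealer"], "type": "Stealer"},
    ]
    size, start = 2, (params["page"] - 1) * 2
    return {"data": records[start:start + size], "total": 3, "page": params["page"],
            "page_size": size, "total_pages": 2}
```

Standard filters pass through as keyword arguments, for example `iter_leak_details(key, type="Stealer", country="FR")`; pass `fetch=fake_fetch` to run the loop offline.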

Authorization

ApiKeyAuth
X-API-Key: <token>

API key for authentication

In: header

Query Parameters

identifier_column* (Identifier Column)

Column to use for identifying the domain

Value in: "root_domain" | "email_domain" | "username"

page? (Page)

Page number

Default: 1
Range: 1 <= value

page_size? (Page Size)

Items per page (max 200)

Default: 50
Range: 1 <= value <= 200

search? (Search)

Search term for full-text filtering

Length: length <= 200

sort_by? (Sort By)

Sort order: source_count (default) or last_seen

Default: "source_count"
Value in: "source_count" | "last_seen"

leak_mode? (Leak Mode)

Leak counting mode: 'new' counts only credentials first discovered in the period, 'all' counts any credential with at least one occurrence in the period.

Default: "new"
Value in: "new" | "all"
username?|array<string>|

Username of the leaked user (can be phone, email, ID, ...)

type?|array<string>|

Type of leak (combo, stealer)

hash?|array<string>|

Unique identifier for the concatenation of username, password and domain

upload_stealed?||array<|string>|

Upload date on stealed, ISO 8601, pattern YYYY-MM-DD

upload_date?||array<|string>|

Upload date on the platform where the credential was found, ISO 8601, pattern YYYY-mm-dd

log_date?||array<|string>|

Log date of the device at the time of compromise (if applicable, stealer only)

start_date?||

Start date to search leaks from, format: YYYY-mm-dd (default: today - 14 days at 0:00 am)

end_date?||

End date to search leaks from, format YYYY-mm-dd (default: today)

host?|array<string>|

URL of the leaked data

domain?|array<string>|

FQDN of the leaked data

local_part?|array<string>|

Local part of the username section (if applicable, email only)

protocol?|array<string>|

Protocol identified (if applicable)

email_domain?|array<string>|

Email domain to filter on (if multiple email domains declared)

root_domain?|array<string>|

Root domain to filter on (if multiple root domains declared)

machine_id?|array<string>|

Machine ID (if applicable, stealer only)

computer_name?|array<string>|

Computer name (if applicable, stealer only)

hardware_id?|array<string>|

Hardware ID (if applicable, stealer only)

machine_user?|array<string>|

Machine user (if applicable, stealer only)

ip_address?|array<string>|

IP address (if applicable, stealer only)

country?|array<string>|

Country (if applicable, stealer only)

software?|array<string>|

Software (if applicable, stealer only)

stealer_name?|array<string>|

Stealer name (if applicable)

keyword?|array<string>|

Keyword to filter on (only active keywords for tenant)

match_type?|array<string>|

Match type for leaks_matched table (root_domain or email_domain)

not_root_domain?|array<string>|

Root domains to exclude (NOT IN filter)

not_email_domain?|array<string>|

Email domains to exclude (NOT IN filter)

not_domain?|array<string>|

Domains to exclude (NOT IN filter)

not_type?|array<string>|

Types to exclude

not_software?|array<string>|

Software to exclude

not_stealer_name?|array<string>|

Stealer names to exclude

not_protocol?|array<string>|

Protocols to exclude

not_country?|array<string>|

Countries to exclude

first_seen_date?|

Show only hashes whose first appearance (min upload_stealed) falls on this exact date. Format: YYYY-MM-DD.

first_seen_since?|

Show only hashes whose first appearance (min upload_stealed) is on or after this date. Format: YYYY-MM-DD.

limit?|

Limit result length

min_occurrences?|

Minimum number of sources (source_count >= N)

Response Body

application/json

curl -X GET "https://api.stealed.io/leaks/details?identifier_column=root_domain" \
  -H "X-API-Key: <token>"
null
{
  "detail": [
    {
      "loc": [
        "string"
      ],
      "msg": "string",
      "type": "string"
    }
  ]
}

Retrieve all leak statistics in a single request GET

Retrieve all leak statistics for the current organization in a single request.

This endpoint fetches all leak data once and calculates multiple statistics server-side, reducing the number of queries needed.

If `start_date` and `end_date` are not provided, defaults to **the last 14 days**.

Includes trend data comparing the current period to the previous period of the same length (e.g. if querying 30 days, trends compare to the 30 days before that).

**Returns a dictionary with the following statistics:**

- `total_leaks`: Total number of leaks
- `unique_usernames`: Number of unique usernames
- `unique_domains`: Number of unique domains
- `unique_passwords`: Number of unique passwords
- `unique_leaks`: Number of unique leak hashes
- `leaks_by_type`: Number of leaks grouped by type (combo/stealer)
- `leaks_by_day`: Number of leaks grouped by day and identifier (limited globally to 10 top identifiers + other)
- `leaks_by_domain`: Number of leaks grouped by domain (limited globally to 10 top domains + other)
- `leaks_by_domain_all`: Number of leaks grouped by domain (all domains, no limit)
- `leaks_by_inverse_identifier`: Number of leaks grouped by the inverse identifier (email_domain if root_domain, or vice-versa) (limited globally to 10 top + other)
- `top_domains`: Top domains with most leaks (limited globally to 10)
- `top_users`: Top users with most leaks (all users, no limit)
- `password_strength`: Average password length
- `password_reuse`: Number of reused passwords
- `password_length_distribution`: Distribution of passwords by length
- `external_accounts`: Detailed list of external accounts (limited globally to 10 top + other)
- `external_accounts_count`: Total count of external accounts
- `admin_accounts`: Detailed list of admin accounts (limited globally to 10 top + other)
- `admin_accounts_count`: Total count of admin accounts
- `unique_sources`: Total number of unique sources (telegram_channel)
- `sources`: List of sources with leak counts (all sources, no limit)
- `latest_leak_date`: Date of the latest leak
- `leak_details`: All leak details (same as org_leaks_detail_per_identifier, limited to 20000)
- `leaks_by_country`: Top 50 countries by leak count (non-empty only)
- `leaks_by_stealer_name`: Top 50 stealer families by leak count (non-empty only)
- `leaks_by_software`: Top 50 software/browsers by leak count (non-empty only)
- `leaks_by_computer_name`: Top 30 computer names by leak count (non-empty only)

**Trend Fields** (percentage change vs previous period of same length):

- `total_leaks_trend`, `unique_usernames_trend`, `unique_domains_trend`
- `unique_sources_trend`, `admin_accounts_count_trend`, `external_accounts_count_trend`

**Examples:**

```bash
# All stats for the last 14 days (default)
GET /leaks/stats?identifier_column=root_domain

# With custom date range
GET /leaks/stats?identifier_column=root_domain&start_date=2024-01-01&end_date=2024-12-31

# With filters
GET /leaks/stats?identifier_column=root_domain&type=Stealer&country=FR
```

Retrieve all occurrences of a specific leak by hash GET

Retrieve all individual occurrences (raw records) for a specific leak hash.

Use this after `/leaks/details` to drill down into a deduplicated leak and see every source where the credential was found.

**Parameters:**

- `hash` (required): The leak hash from the `/leaks/details` response
- `identifier_column` (required): `root_domain`, `email_domain`, or `username`

**Response:**

```json
{
  "data": [
    {
      "type": "Stealer",
      "username": "user@example.com",
      "password": "p****d",
      "domain": "example.com",
      "upload_stealed": "2025-01-15T10:30:00",
      "upload_date": "2025-01-14T08:00:00",
      "stealer_name": "RedLine",
      "country": "FR",
      "ip_address": "1.2.3.4",
      "computer_name": "DESKTOP-ABC",
      "software": "Chrome"
    },
    ...
  ]
}
```

**Example:**

```bash
GET /leaks/details/by-hash?hash=5d41402abc4b2a76b9719d911017c592&identifier_column=root_domain
```