Retrieve all occurrences of a specific leak by hash
Retrieve all individual occurrences (raw records) for a specific leak hash.
Use this after /leaks/details to drill down into a deduplicated leak and see
every source where the credential was found.
**Parameters:**

- `hash` (required): The leak hash from the `/leaks/details` response
- `identifier_column` (required): `root_domain`, `email_domain`, or `username`
**Response:**

```json
{
  "data": [
    {
      "type": "Stealer",
      "username": "user@example.com",
      "password": "p****d",
      "domain": "example.com",
      "upload_stealed": "2025-01-15T10:30:00",
      "upload_date": "2025-01-14T08:00:00",
      "stealer_name": "RedLine",
      "country": "FR",
      "ip_address": "1.2.3.4",
      "computer_name": "DESKTOP-ABC",
      "software": "Chrome"
    },
    ...
  ]
}
```

**Example:**

```bash
GET /leaks/details/by-hash?hash=5d41402abc4b2a76b9719d911017c592&identifier_column=root_domain
```

**Authorization**
`ApiKeyAuth`: API key for authentication. In: header

**Query Parameters**

- `hash`: The leak hash to look up
- `identifier_column`: Column to use for identifying the domain. One of `"root_domain"` | `"email_domain"` | `"username"`

**Response Body**

`application/json`
```bash
curl -X GET "https://api.stealed.io/leaks/details/by-hash?hash=string&identifier_column=root_domain"
```

```json
null
```

```json
{
  "detail": [
    {
      "loc": [
        "string"
      ],
      "msg": "string",
      "type": "string"
    }
  ]
}
```

Retrieve paginated leak details with optional search GET
Retrieve paginated, deduplicated leak details for the current organization.

Results are **deduplicated by hash**: each unique credential (username + password + domain) appears once, with aggregated metadata from all occurrences.

**Specific Parameters:**

| Parameter | Default | Description |
|-----------|---------|-------------|
| `identifier_column` | *required* | `root_domain`, `email_domain`, or `username` |
| `page` | 1 | Page number |
| `page_size` | 50 | Items per page (max: 200) |
| `search` | - | Full-text search across username, host, domain, email_domain, root_domain, ip_address, computer_name, machine_user |
| `sort_by` | `source_count` | Sort order: `source_count` (most seen first) or `last_seen` (most recent first) |
| `min_occurrences` | - | Only return credentials seen in N+ distinct sources |

Plus all standard filters (see API description above).

**Response Fields:**

| Field | Type | Description |
|-------|------|-------------|
| `username` | string | Username or email |
| `password` | string | Masked password (first and last char visible) |
| `types` | string[] | All distinct leak types for this credential, e.g. `["Combo", "Stealer"]`. A credential found in both Combo dumps and Stealer logs will have both values. |
| `type` | string | **Deprecated.** Single type value (most recent ingestion). Use `types` instead. Kept for backward compatibility. |
| `last_seen` | datetime | Most recent detection date (aggregated `max(upload_stealed)` across all occurrences) |
| `first_seen` | datetime | Earliest detection date (aggregated `min(upload_stealed)` across all occurrences) |
| `source_count` | int | Number of distinct sources reporting this credential |
| `domain` | string | Associated domain |
| `host` | string | Full URL or host |
| `email_domain` | string | Email domain part |
| `root_domain` | string | Root domain |
| `country` | string | ISO 2-letter country code |
| `stealer_name` | string | Stealer family (RedLine, Raccoon, etc.) |
| `software` | string | Browser/app |
| `ip_address` | string | Victim IP address |
| `computer_name` | string | Machine name |
| `machine_user` | string | Machine user |
| `hash` | string | Unique deduplication hash |

**Note:** Results are deduplicated by hash. The raw `upload_stealed` column is not returned directly. Instead, `first_seen` and `last_seen` are computed as `min(upload_stealed)` and `max(upload_stealed)` across all occurrences of each credential.

**Response Format:**

```json
{
  "data": [
    {
      "username": "user@example.com",
      "password": "p****d",
      "types": ["Stealer"],
      "type": "Stealer",
      "first_seen": "2025-01-15T08:30:00",
      "last_seen": "2025-03-01T12:00:00",
      "host": "login.example.com",
      "domain": "login.example.com",
      "local_part": "user",
      "protocol": "https",
      "email_domain": "example.com",
      "root_domain": "example.com",
      "upload_date": "2025-02-28T10:00:00",
      "log_date": "2025-02-27T14:00:00",
      "machine_id": "DESKTOP-ABC1234",
      "computer_name": "LAPTOP-XYZ",
      "hardware_id": "hwid-1234-5678",
      "machine_user": "john.doe",
      "ip_address": "192.168.1.10",
      "country": "FR",
      "software": "chrome, profile: 0",
      "stealer_name": "RedLine",
      "hash": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
      "source_count": 3
    }
  ],
  "total": 12345,
  "page": 1,
  "page_size": 50,
  "total_pages": 247
}
```

**Examples:**

```bash
# Basic paginated request
GET /leaks/details?identifier_column=root_domain&page=1&page_size=50

# Sort by most recent
GET /leaks/details?identifier_column=root_domain&sort_by=last_seen

# Only credentials seen 3+ times
GET /leaks/details?identifier_column=root_domain&min_occurrences=3

# Full-text search with filters
GET /leaks/details?identifier_column=root_domain&search=john&type=Stealer&country=FR

# Custom date range
GET /leaks/details?identifier_column=root_domain&start_date=2024-01-01&end_date=2024-12-31&page_size=200
```

**Pagination (retrieve all results):**

```bash
# Page 1
GET /leaks/details?identifier_column=root_domain&page=1&page_size=200

# Page 2
GET /leaks/details?identifier_column=root_domain&page=2&page_size=200

# ... continue until page >= total_pages
```
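
The pagination loop above and the `/leaks/details/by-hash` drill-down, combined in an added Python example that is not part of the API's own documentation or client code. The `fetch(path)` callable, the function names and the constructed `fake_fetch` responses are assumptions; a real `fetch` would send the authenticated GET and return the decoded JSON body.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_PAGE_SIZE = 200  # documented maximum for page_size

def iter_leaks(fetch, identifier_column="root_domain", **filters):
    """Yield every deduplicated record from /leaks/details, page by page."""
    page = 1
    while True:
        query = urlencode({"identifier_column": identifier_column, "page": page,
                           "page_size": MAX_PAGE_SIZE, **filters})
        body = fetch(f"/leaks/details?{query}")
        yield from body["data"]
        # Documented stop condition, plus an empty-page guard so a missing or
        # wrong total_pages cannot cause an endless loop.
        if not body["data"] or page >= body.get("total_pages", page):
            return
        page += 1

def leak_types(record):
    """Prefer `types`; fall back to the deprecated single-value `type`."""
    return record.get("types") or [t for t in [record.get("type")] if t]

def occurrences(fetch, leak_hash, identifier_column="root_domain"):
    """Raw per-source records behind one deduplicated hash."""
    query = urlencode({"hash": leak_hash, "identifier_column": identifier_column})
    return fetch(f"/leaks/details/by-hash?{query}")["data"]

def stealer_hosts(fetch, min_occurrences=2):
    """Map each multi-source Stealer credential hash to the machines it was seen on."""
    hosts = {}
    for rec in iter_leaks(fetch, min_occurrences=min_occurrences):
        if "Stealer" in leak_types(rec):
            rows = occurrences(fetch, rec["hash"])
            hosts[rec["hash"]] = sorted(
                {r["computer_name"] for r in rows if r.get("computer_name")})
    return hosts

# Constructed responses standing in for the API so the example runs offline.
_PAGES = {1: [{"username": "a@example.com", "types": ["Combo", "Stealer"], "hash": "h1"}],
          2: [{"username": "b@example.com", "type": "Combo", "hash": "h2"}]}
_RAW = {"h1": [{"computer_name": "DESKTOP-ABC"}, {"computer_name": "LAPTOP-XYZ"}]}

def fake_fetch(path):  # hypothetical stand-in for an authenticated GET
    url = urlsplit(path)
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    if url.path == "/leaks/details/by-hash":
        return {"data": _RAW.get(q["hash"], [])}
    page = int(q["page"])
    return {"data": _PAGES.get(page, []), "page": page, "total_pages": len(_PAGES)}
```

Calling `stealer_hosts(fake_fetch)` walks both constructed pages and returns the machine names behind the one Stealer credential, which is the list an incident responder would use to scope host reimaging and password resets.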
Retrieve public exposure analytics stats for a domain GET
Endpoint to retrieve pre-aggregated analytics statistics for a domain. Restricted to MSSP role. No raw credential data is returned -- stats only.

Data comes from permanent pre-aggregated tables (no TTL), so full history is available.

**Returns:**

- `total_leaks`: Total number of leaks
- `unique_usernames`: Unique usernames (HyperLogLog estimate)
- `unique_passwords`: Unique passwords (HyperLogLog estimate)
- `unique_leaks`: Unique credentials by hash (HyperLogLog estimate)
- `unique_sources`: Unique Telegram channels (HyperLogLog estimate)
- `unique_domains`: Unique cross-domains (email_domains for root_domain queries, or vice-versa)
- `latest_leak_date`: Date of the most recent leak
- `leaks_by_type`: Leaks split by type (Stealer / Combo)
- `leaks_by_day`: Daily leak timeline
- `leaks_by_stealer`: Top 20 stealer families
- `leaks_by_country`: Top 20 countries

**Example Usage:**

```bash
GET /leaks/stats/analytics?domain=example.com&identifier_column=root_domain
GET /leaks/stats/analytics?domain=gmail.com&identifier_column=email_domain
```