Retrieve leak statistics for a given domain and query
Endpoint to retrieve leak statistics for the provided domain and query.
Gated on the public_exposure tenant feature flag.
Only analytics queries are allowed via this endpoint.
Authorization
ApiKeyAuth API key for authentication
In: header
Query Parameters
Column to use for identifying the domain
"root_domain" | "email_domain" | "username"
Domain to filter data on
Query name to execute
Username of the leaked user (can be phone, email, ID, ...)
Type of leak (combo, stealer)
Unique identifier for the concatenation of: username, password and domain
Upload date on stealed, ISO 8601, pattern YYYY-MM-DD
Upload date on the platform where the credential was found, ISO 8601, pattern YYYY-mm-dd
Log date of the device at the moment of compromise (if applicable, stealer only)
Start date to search leaks from, format: YYYY-mm-dd (default: today - 14 days at 0:00am)
End date to search leaks from, format YYYY-mm-dd (default: today)
URL of the leaked data
Local part of the username section (if applicable, email only)
Protocol identified (if applicable)
Email domain to filter on (if multiple email domains declared)
Root domain to filter on (if multiple root domains declared)
Machine ID (if applicable, stealer only)
Computer name (if applicable, stealer only)
Hardware ID (if applicable, stealer only)
Machine user (if applicable, stealer only)
IP address (if applicable, stealer only)
Country (if applicable, stealer only)
Software (if applicable, stealer only)
Stealer name (if applicable)
Keyword to filter on (only active keywords for tenant)
Match type for leaks_matched table (root_domain or email_domain)
Root domains to exclude (NOT IN filter)
Email domains to exclude (NOT IN filter)
Domains to exclude (NOT IN filter)
Types to exclude
Software to exclude
Stealer names to exclude
Protocols to exclude
Countries to exclude
Show only hashes whose first appearance (min upload_stealed) falls on this exact date. Format: YYYY-MM-DD.
Show only hashes whose first appearance (min upload_stealed) is on or after this date. Format: YYYY-MM-DD.
Limit result length
Minimum number of sources (source_count >= N)
Response Body
application/json
application/json
```bash
curl -X GET "https://api.stealed.io/leaks/?identifier_column=root_domain&domain=string&query=string"
```
```json
null
```
```json
{
  "detail": [
    {
      "loc": [
        "string"
      ],
      "msg": "string",
      "type": "string"
    }
  ]
}
```
Retrieve public exposure analytics stats for a domain GET
Endpoint to retrieve pre-aggregated analytics statistics for a domain. Restricted to MSSP role. No raw credential data is returned -- stats only. Data comes from permanent pre-aggregated tables (no TTL), so full history is available.

**Returns:**
- `total_leaks`: Total number of leaks
- `unique_usernames`: Unique usernames (HyperLogLog estimate)
- `unique_passwords`: Unique passwords (HyperLogLog estimate)
- `unique_leaks`: Unique credentials by hash (HyperLogLog estimate)
- `unique_sources`: Unique Telegram channels (HyperLogLog estimate)
- `unique_domains`: Unique cross-domains (email_domains for root_domain queries, or vice-versa)
- `latest_leak_date`: Date of the most recent leak
- `leaks_by_type`: Leaks split by type (Stealer / Combo)
- `leaks_by_day`: Daily leak timeline
- `leaks_by_stealer`: Top 20 stealer families
- `leaks_by_country`: Top 20 countries

**Example Usage:**
```bash
GET /leaks/stats/analytics?domain=example.com&identifier_column=root_domain
GET /leaks/stats/analytics?domain=gmail.com&identifier_column=email_domain
```
Preview keyword search results (stats only) GET
Preview the number of leaked credentials matching a keyword, along with the top root domains where the keyword appears. Returns aggregated stats only, no credential data. Available to all plans including Free.

The keyword is matched as a **token** in the host/URL column using the ClickHouse text index. For example, keyword `acme-corp` matches `acme-corp-recrute.talent-soft.com` and `tekkit.io/offre/acme-corp/cdd`.

**Example:**
```
GET /leaks/keyword/preview?keyword=acme-corp
```
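
Added example, not part of the Stealed documentation: a small Python helper that builds correctly encoded URLs for the three endpoints on this page, rejects an `identifier_column` outside the listed values before any request is sent, and flattens the `detail` error body into readable lines. It assumes all three paths are served from the host in the curl sample and that a username lookup passes the username in `domain`; the function names, `example_query` and the sample error values are constructed.

```python
from urllib.parse import urlencode

# Host from the curl sample on this page; assumed to serve all three paths.
BASE_URL = "https://api.stealed.io"
# Values the page lists for identifier_column.
IDENTIFIER_COLUMNS = ("root_domain", "email_domain", "username")


def _url(path, params):
    column = params.get("identifier_column")
    if column is not None and column not in IDENTIFIER_COLUMNS:
        raise ValueError(f"identifier_column must be one of {IDENTIFIER_COLUMNS}")
    # urlencode percent-encodes '+', '@' and '&', so a username cannot be split
    # into extra parameters or have '+' decoded as a space by the server.
    return f"{BASE_URL}{path}?{urlencode(params)}"


def leaks_url(identifier_column, domain, query):
    return _url("/leaks/", {"identifier_column": identifier_column,
                            "domain": domain, "query": query})


def analytics_url(domain, identifier_column):
    return _url("/leaks/stats/analytics",
                {"domain": domain, "identifier_column": identifier_column})


def keyword_preview_url(keyword):
    return _url("/leaks/keyword/preview", {"keyword": keyword})


def explain_validation_error(body):
    """Turn the {"detail": [{"loc", "msg", "type"}]} error body into lines."""
    return [
        f"{'.'.join(str(p) for p in item.get('loc', []))}: "
        f"{item.get('msg', '')} ({item.get('type', '')})"
        for item in body.get("detail", [])
    ]


# Constructed error body in the shape shown on this page (values are made up).
SAMPLE_ERROR = {"detail": [{"loc": ["query", "identifier_column"],
                            "msg": "constructed message", "type": "constructed_type"}]}

if __name__ == "__main__":
    # "example_query" is a placeholder; the page does not list query names.
    print(leaks_url("username", "a+b@example.com", "example_query"))
    print(analytics_url("example.com", "root_domain"))
    print(keyword_preview_url("acme-corp"))
    print(explain_validation_error(SAMPLE_ERROR))
```

The API key still has to be sent in a request header; the page does not name that header, so it is left out here.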