See your exposure before adversaries do.
Continuous indexing of every public breach, infostealer log, and credential dump. Built for security, fraud, and threat-intel teams that need to know which of their domains, employees, and customers are already in the wild.
Threat intelligence sources
Three feeds. One unified index.
Every record we ingest is normalized and joined into a single search index. One query reaches the full corpus. Built for teams that need to act on exposure, not assemble it.
Breach data
Database dumps from compromised companies. Email, name, postal address, SSN, password hashes — plaintext when the breach was that bad.
What gets exposed
Infostealer logs
Output from infostealer malware on infected endpoints. Browser-saved credentials, autofill, session cookies, authenticated tokens, saved cards, wallet seeds.
What gets exposed
Drop sites
Files dropped on paste sites, exposed cloud buckets, and adversary forums. Combolists, scraped profiles, exfiltrated SSN dumps, leaked cards.
What gets exposed
Latest intelligence
Recent high-impact disclosures.
The largest collections currently in the catalog, ranked by record count. Click into any to inspect the schema, the source provenance, and run a scoped query.
cdek.ru
Database dump from CDEK (СДЭК), a major Russian logistics and courier delivery company. The data contains customer and shipment records including full names in Russian/Cyrillic, internal IDs, order/shipment numbers (ИМ-prefixed), email addresses, branch/pickup point codes, and UUIDs. The dataset is approximately 18 GB and contains hundreds of millions of records spanning senders, recipients, and corporate clients.
boulanger.com
In September 2024, French electronics retailer Boulanger suffered a data breach exposing over 27 million rows of customer data (approximately 13.8 million after deduplication), affecting nearly 5.4 million customers. The leaked data included full names, email addresses, phone numbers, physical addresses, zip codes, city, country, and geographic coordinates (latitude/longitude). Approximately 2.3 million unique email addresses were exposed. The data was published on BreachForums and has been indexed by Have I Been Pwned.
bloomstoday.com
In April 2024, approximately 15 million records from Blooms Today, an online florist, were listed for sale and leaked on BreachForums by threat actor @KryptonZambie. The breach contained data as recent as November 2023 and exposed approximately 3.2 million unique email addresses, names, phone numbers, physical addresses, and partial credit card data (card type, last 4 digits, and expiry date). Blooms Today did not respond to disclosure inquiries. The breach is indexed on Have I Been Pwned.
catho.com.br
Breach of Catho (catho.com.br), a major Brazilian online job board. The dataset contains user account records including full names, usernames/email logins, plaintext passwords, employer IDs, job titles, and template paths. Passwords appear to be stored in plaintext, representing a significant credential exposure for Brazilian job seekers and recruiters.
123rf.com
Breach of 123RF, a stock photo and image website. The dataset contains member records including usernames, MD5-hashed passwords, names, addresses, phone numbers, email addresses, IP addresses, registration dates, payment methods, and linked social account IDs (Google, Facebook). The data was circulated on BreachForums.
dshs.texas.gov
A dataset containing Texas vital records compiled up to 2014, including birth records (1950–1995), death records (1965–1999), marriage records (1966–2014), and divorce records (1968–2014). Data includes full names, dates, counties, sexes, and marital statuses. Likely sourced from the Texas Department of State Health Services vital statistics unit. Circulated on BreachForums.
Threat briefings
What our analysts are tracking.
Original reporting on emerging breaches, leak campaigns, and the operators behind them. No press releases. No reposts.
Threat brief
Plaintext credentials from ys168.com surface in a Chinese-language dump
A plaintext credential dump from ys168.com, a Chinese file-hosting service, is being shared on BreachForums. The archive contains around 657,000 records of usernames, plaintext pas…
Threat brief
An expanded Elance archive resurfaces with 2.6M user records and admin accounts
A new variant of the Elance breach archive is being shared on BreachForums. Elance was the early freelance-work marketplace that eventually merged into what became Upwork, and this…
Threat brief
Havenly database dump exposes 1.7M interior-design-platform accounts
A MySQL database dump and customer CSV from Havenly, the Denver-based online interior-design platform, is circulating on dark-web forums. The combined data covers roughly 1.7 milli…
Who uses it
Built for the teams defending exposed identities.
Surface credential exposure across your domain. Pivot from a single leaked email to every dataset that record appears in, then push remediation to your IDP in seconds.
Detect compromised customer accounts before they're exploited. Score session and signup risk against known-stolen credentials joined to identity attributes.
Hit the API from your own infrastructure. Boolean queries, cursor pagination, sparse fields. Same query language as the UI, free for the first 500 calls a day.
For engineers
Wire exposure data into your stack.
Same engine that powers this site, exposed as a clean REST API. Boolean queries. Cursor pagination. Sparse fields. HATEOAS links. Free for the first 500 calls a day, with quota tiers for production traffic.