API Documentation

ASM - attack surface management listing both assets and potential phishing domains
Combo - focuses on combo lists that contain plaintext credentials
Creds - focuses on 3rd party breaches that contain credentials
Darkweb - focuses on company data being leaked or sold on the darkweb
Monitor - manages monitored assets
Radar - focuses on domains that threat actors have announced as targets
Sessions - focuses on session tokens extracted from malware infected devices
Stealer - focuses on credentials extracted from malware infected devices

Endpoint :

Domain Name Path
api.breachsense.com /asm

Supported Parameters :

Parameter Description
assets filter results to only display assets
date only display results newer than this value. Value set in YYYYMMDD or unixtime formats
lic license key
can be sent via a GET parameter or request header
pphish filter results to only display potential phishing domains
r return the number of remaining monthly queries allowed
search accepts a domain name or email address
update return the Unix timestamp the combo database was last updated
unixtime display the import date in unixtime (aliases: unix,epoch)

Output* :

JSON Key Value
cname The CNAME of the domain name identified
dom The domain name found
found The date (in YYYYMMDD or unixtime format) the domain was found
ip The IP address of the domain name identified
type The type of asset identified
ns represents a nameserver
mx represents a mail server
ast represents a domain name asset.
pphish represents a potential phishing domain found.
* Output based on domain names configured in the monitor API endpoint.

Endpoint :

Domain Name Path
api.breachsense.com /combo

Supported Parameters :

Parameter Description
date only display results newer than this value. Value set in YYYYMMDD or unixtime formats
lic license key
can be sent via a GET parameter or request header
r return the number of remaining monthly queries allowed
search accepts a domain name or email address
update return the Unix timestamp the combo database was last updated
unixtime display the import date in unixtime (aliases: unix,epoch)

Output* :

JSON Key Value
fnd The date (in YYYYMMDD or unixtime format) the credentials were found
fle The file name the credential was found in
pwd The password used to authenticate
src The target URL or IP that the victim authenticated to
usr The username used to authenticate
* Output dependent on which values were present in the original leak.

Test Data :

Parameter String
search [email protected]

Endpoint :

Domain Name Path
api.breachsense.com /creds

Supported Parameters :

Parameter Description
attr display a short description of the breach
csv display results in CSV format (default is JSON)
date only display results newer than this value. Value set in YYYYMMDD or unixtime formats
hash return a 0 if the password is in hashed format and a 1 if the password has been decrypted
import display the date the breach was imported into the database
lic license key
can be sent via a GET parameter or request header
list list the breaches and dates they were imported
limit increase / decrease the number of records returned in the response
p results are limited to 500 credentials per request (by default)
when an HTTP 206 response status is returned, pagination is required to view the remaining results.
p is a numeric page value
r return the number of remaining monthly queries allowed
search accepts a domain name or email address
update return the Unix timestamp the creds database was last updated
uniq return a list of all unique email addresses and plaintext passwords
unixtime display the import date in unixtime (aliases: unix,epoch)

Output :

JSON Key Value
eml The email address used to authenticate
pwd The password used to authenticate
src The name of the breached website or collection
atr The attribution data associated with the breach
imp The date (in YYYYMMDD format) the breach was found

Test Data :

Parameter String
search [email protected]
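The /creds pagination rule above (500 records per request, HTTP 206 while more pages remain, p as the page number), worked through as an added example; this is not Breachsense's own client code. The https scheme, a first page of p=1 and a JSON-array response body are assumptions, and fake_get is a constructed stand-in so the block runs offline.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import urlopen

BASE_URL = "https://api.breachsense.com/creds"  # https scheme is assumed

def http_get(url):
    """Live transport: return (HTTP status, decoded body)."""
    with urlopen(url, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")

def fetch_all_creds(search, lic, get=http_get, first_page=1, max_pages=100):
    """Collect every record for `search`, following HTTP 206 pagination."""
    records, page = [], first_page  # first_page=1 is an assumption
    for _ in range(max_pages):  # hard stop: never loop forever on endless 206s
        # The key travels as the documented `lic` GET parameter, so the URL is
        # itself a secret: keep it out of logs and error messages.
        query = urlencode({"lic": lic, "search": search, "p": page})
        status, body = get(f"{BASE_URL}?{query}")
        if status not in (200, 206):
            raise RuntimeError(f"unexpected HTTP status {status} on page {page}")
        batch = json.loads(body)  # assumed shape: JSON array of record objects
        records.extend(batch)
        if status != 206 or not batch:  # 206 means more pages remain
            return records
        page += 1
    raise RuntimeError("max_pages reached while the server still returned 206")

def redact(record):
    """Copy of a record that is safe to log: the password is masked."""
    return {k: ("<redacted>" if k == "pwd" else v) for k, v in record.items()}

def fake_get(url):
    """Constructed stand-in for the API so the example runs offline."""
    pages = {
        "1": (206, [{"eml": "a@example.com", "pwd": "x1", "src": "SiteA"}]),
        "2": (200, [{"eml": "b@example.com", "pwd": "x2", "src": "SiteB"}]),
    }
    status, rows = pages[parse_qs(urlsplit(url).query)["p"][0]]
    return status, json.dumps(rows)

if __name__ == "__main__":
    for rec in fetch_all_creds("example.com", "LICENSE-KEY-PLACEHOLDER", get=fake_get):
        print(redact(rec))
```

The page also allows the license key in a request header, which keeps it out of URLs; the header name is not given here, so the example uses the documented GET parameter.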

Endpoint :

Domain Name Path
api.breachsense.com /darkweb

Supported Parameters :

Parameter Description
date only display results newer than this value. Value set in YYYYMMDD or unixtime formats
lic license key
can be sent via a GET parameter or request header
r return the number of remaining monthly queries allowed
range range - accepts a date range in YYYYMMDD-YYYYMMDD format (30 day limit)
search search term - accepts a domain name
update return the Unix timestamp the darkweb database was last updated
unixtime display the import date in unixtime (aliases: unix,epoch)

Output :

JSON Key Value
src A URL containing data associated with the target
site The name of the threat actor
data The domain name associated with the victim
name The company name of the victim
found The date the data was indexed (in YYYYMMDD format)

Test Data :

Parameter String
search example.com

Endpoint :

Domain Name Path
api.breachsense.com /monitor

Supported Parameters :

Parameter Description
action manage monitored assets
must be set to add, del or list
ast add/delete the asset you wish to monitor
must be used in conjunction with the action parameter
lic license key
can be sent via a GET parameter or request header
notify add/delete the email address or webhook you wish to receive alerts at
must be used in conjunction with the action parameter
creds add/delete the basic auth credentials you wish to use when sending an alert to a webhook
must be used in conjunction with the action parameter

Output :

JSON Key Value
notify email or webhook that will be notified
ast asset that will be monitored

Endpoint :

Domain Name Path
api.breachsense.com /radar

Supported Parameters :

Parameter Description
date only display results newer than this value. Value set in YYYYMMDD or unixtime formats
lic license key
can be sent via a GET parameter or request header
r return the number of remaining monthly queries allowed
search search term - accepts a domain name
update return the Unix timestamp the radar database was last updated
unixtime display the import date in unixtime (aliases: unix,epoch)

Output :

JSON Key Value
data The domain name associated with the victim
found The date the data was indexed (in YYYYMMDD format)
src A URL containing data associated with the target

Test Data :

Parameter String
search example.com

Endpoint :

Domain Name Path
api.breachsense.com /sessions

Supported Parameters :

Parameter Description
date only display results newer than this value. Value set in YYYYMMDD or unixtime formats
lic license key
can be sent via a GET parameter or request header
r return the number of remaining monthly queries allowed
search search term - accepts a domain name, email address or IP address
update return the Unix timestamp the sessions database was last updated
unixtime display the import date in unixtime (aliases: unix,epoch)

Output :

JSON Key Value
dom The domain name associated with the victim
expires The date (in unixtime) that the cookie is set to expire
fnd The date the data was found (in YYYYMMDD format)
name The name of the cookie
path The cookie path
val The value of the cookie

Test Data :

Parameter String
search example.com
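Triage of /sessions output for incident response, as an added example that is not part of the original documentation: it keeps only cookies that may still be usable (the expires key, in unixtime) and replaces val with a SHA-256 fingerprint so the raw token never reaches tickets or logs. The JSON-array response shape, the handling of a missing expiry and the sample records are assumptions; the records are constructed.

```python
import hashlib
import json
import time

def live_sessions(records, now=None):
    """Return leaked cookies that may still be usable, most urgent first."""
    now = int(time.time()) if now is None else now
    live = []
    for rec in records:
        try:
            expires = int(rec.get("expires") or 0)
        except (TypeError, ValueError):
            expires = 0
        # Assumption: a missing or unparseable expiry is kept (fail closed),
        # because the cookie cannot be shown to have expired.
        if expires and expires <= now:
            continue
        token = str(rec.get("val", "")).encode("utf-8")
        live.append({
            "dom": rec.get("dom"),
            "name": rec.get("name"),
            "path": rec.get("path"),
            "fnd": rec.get("fnd"),
            "expires": expires or None,
            # Fingerprint only: enough to match against a session store
            # without copying the live token into reports.
            "val_sha256": hashlib.sha256(token).hexdigest(),
        })
    # Unknown expiry first, then the longest remaining lifetime.
    live.sort(key=lambda r: (r["expires"] is not None, -(r["expires"] or 0)))
    return live

# Constructed sample response using the documented keys.
SAMPLE = json.loads("""[
  {"dom": "example.com", "expires": 1700000000, "fnd": "20231101",
   "name": "sid", "path": "/", "val": "constructed-token-1"},
  {"dom": "example.com", "expires": 1900000000, "fnd": "20240301",
   "name": "sid", "path": "/", "val": "constructed-token-2"},
  {"dom": "app.example.com", "expires": "", "fnd": "20240305",
   "name": "auth", "path": "/app", "val": "constructed-token-3"}
]""")

if __name__ == "__main__":
    for row in live_sessions(SAMPLE, now=1800000000):
        print(row)
```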

Endpoint :

Domain Name Path
api.breachsense.com /stealer

Supported Parameters :

Parameter Description
date only display results newer than this value. Value set in YYYYMMDD or unixtime formats
lic license key
can be sent via a GET parameter or request header
r return the number of remaining monthly queries allowed
search search term - accepts a domain name, email address or IP address
update return the Unix timestamp the stealer database was last updated
unixtime display the import date in unixtime (aliases: unix,epoch)

Output* :

JSON Key Value
bid The build ID of the malware
fle The file name the credential was found in
fnd The date the credential was found
hid The hardware ID of the infected device
iip The IP address of the infected device
inf The date the machine was infected on
mac The name assigned to the infected device
mal The type of malware that infected the device
nme The user logged in on the infected device
os The operating system installed on the infected device
pth The filesystem path for the malware executable
pwd The password used to authenticate
src The target URL or IP that the victim authenticated to
usr The username used to authenticate to the target
* Output dependent on which values were present in the original leak.

Test Data :

Parameter String
search [email protected]