You're reading about v1 of the API, which has since been superseded by a more recent version. However, v1 is still supported, and any request to the API that does not specify a version will default to this one.
There is one API endpoint only accessible via HTTP GET. The account is not case sensitive and will be trimmed of leading or trailing white spaces. The account should always be URL encoded.
The response is simply an alphabetically sorted string array of pwned websites for the account in JSON format:
The sample can be invoked in the browser by requesting the URL below, or reconstructed in your tool of choice as follows:

GET https://haveibeenpwned.com/api/breachedaccount/test%40example.com HTTP/1.1

HTTP/1.1 200 OK
["Adobe","Gawker","Stratfor"]
Response values may not be suitable for user-facing displays. They are stable (will not change in the future) and are sorted alphabetically. Current breach values are:
000webhost, 126, 17Media, AcneOrg, Adobe, AdultFriendFinder, AhaShare, AndroidForums, AshleyMadison, AstroPID, Aternos, Avast, Badoo, BattlefieldHeroes, BeautifulPeople, Bell, BigMoneyJobs, BTSec, BitTorrent, BlackHatWorld, Boxee, Brazzers, BusinessAcumen, CannabisForum, ClixSense, Comcast, COMELEC, CrackCommunity, DLH, Dominos, Dropbox, DDO, eThekwiniMunicipality, Experian, FFShrine, FlashFlashRevolution, Flashback, Fling, Forbes, FoxyBingo, Fridae, FurAffinity, GamerzPlanet, GameTuts, Gamigo, Gawker, GFAN, gPotato, GTAGaming, HackForums, HackingTeam, Hemmakvall, Hemmelig, HeroesOfNewerth, iDressup, iMesh, Insanelyi, Interpals, iPmart, KMRU, Lastfm, Leet, Lifeboat, LinkedIn, LinuxMint, LizardSquad, LOTR, LoungeBoard, Mac-Torrents, MailRu, MajorGeeks, Malwarebytes, MangaTraders, Mate1, MinecraftPocketEditionForum, MinecraftWorldMap, Minefield, MoDaCo, ModernBusinessSolutions, MoneyBookers, MPGH, mSpy, MuslimDirectory, MuslimMatch, myRepoSpace, MySpace, MyVidster, NaughtyAmerica, Neopets, NetEase, Neteller, NextGenUpdate, NexusMods, Nihonomaru, Nival, Nulled, Onverse, OwnedCore, PaddyPower, Patreon, PHPFreaks, PixelFederation, Plex, Pokebip, PokemonCreed, PS3Hax, PSX-Scene, QatarNationalBank, QuantumBooter, R2Games, BlueSnapRegpack, RosebuttBoard, Seedpeer, ServerPact, SkTorrent, Snapchat, Sony, Spirol, StarNet, Stratfor, SumoTorrent, Taobao, Solomid, TRAI, Teracod, Tesco, TheFappening, ThisHabboForum, Tianya, Trillian, TruckersMP, Tumblr, Uiggy, IGF, VBulletin, Verified, VK, Vodafone, VTech, Warframe, WHMCS, WIIUISO, WildStar, Win7Vista, WPT, xat, Xbox-Scene, XSplit, Yahoo, Yandex, YouPorn, SprashivaiRu
Semantic HTTP response codes are used to indicate the status of the search:

| Code | Meaning |
|------|---------|
| 200 | Ok — everything worked and there's a string array of pwned sites for the account |
| 400 | Bad request — the account does not comply with an acceptable format (e.g. it's an empty string) |
| 404 | Not found — the account could not be found and has therefore not been pwned |
The API must be invoked over HTTPS. Any requests over HTTP will result in a 301 response with a redirect to the same path on the secure scheme.
CORS is fully supported for all origins — you can hit the API from websites on any other domain.
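The following client ties together the request format described above (one GET endpoint, URL-encoded account, HTTPS only) and the semantic status codes (200 with a JSON string array, 404 for not found, 400 for a malformed account). It is an added example written for this page, not code from Have I Been Pwned; the `build_url`, `interpret_response` and `fetch_breaches` names and the `hibp-v1-example` User-Agent are assumptions of this example. The response interpretation is separated from the network call so that it can be exercised offline against a constructed body such as the sample response shown earlier.

```python
"""Minimal client for the HIBP v1 breachedaccount endpoint.

Added example, not part of the original documentation. It assumes only
what the page states: one GET endpoint, a JSON string array on 200,
404 when the account has not been pwned, 400 when the account does not
comply with the expected format, and HTTPS required (plain HTTP gets a
301 to the secure scheme). Function names are this example's own.
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://haveibeenpwned.com/api/breachedaccount/"


def normalise_account(account: str) -> str:
    """Mirror the server-side treatment described on the page: trim
    surrounding whitespace and fold case. The server does this anyway;
    doing it client-side keeps local caches and logs consistent."""
    return account.strip().lower()


def build_url(account: str) -> str:
    """Build the request URL. The account must be URL encoded; quote()
    with safe='' turns '@' into '%40', '+' into '%2B', and so on."""
    cleaned = normalise_account(account)
    if not cleaned:
        # The page says an empty string yields a 400; refuse it locally.
        raise ValueError("account must not be empty")
    return API_BASE + urllib.parse.quote(cleaned, safe="")


def interpret_response(status: int, body: bytes) -> list:
    """Map the documented status codes to a result.

    200 -> list of breach names (shape-checked: a JSON array of strings)
    404 -> empty list: the account has not been pwned
    400 -> ValueError: the account did not comply with the expected format
    anything else -> RuntimeError, so callers never mistake an outage
                     or an unexpected payload for "not pwned"
    """
    if status == 200:
        data = json.loads(body.decode("utf-8"))
        if not isinstance(data, list) or not all(isinstance(x, str) for x in data):
            raise RuntimeError("unexpected payload shape: %r" % (data,))
        return data
    if status == 404:
        return []
    if status == 400:
        raise ValueError("bad request: account format not accepted")
    raise RuntimeError("unexpected HTTP status %d" % status)


def fetch_breaches(account: str, timeout: float = 10.0) -> list:
    """Live lookup over HTTPS with certificate verification.

    urllib follows redirects by default, so after the call we re-check
    the scheme of the final URL and refuse anything that is not https.
    """
    url = build_url(account)
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-v1-example"})
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            if urllib.parse.urlsplit(resp.geturl()).scheme != "https":
                raise RuntimeError("response did not arrive over HTTPS")
            return interpret_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # urllib raises for 4xx/5xx; route the status through the same mapping
        return interpret_response(err.code, err.read())


if __name__ == "__main__":
    # Offline demonstration using the sample response from the documentation.
    print(build_url("  Test@Example.com "))
    print(interpret_response(200, b'["Adobe","Gawker","Stratfor"]'))
    print(interpret_response(404, b""))
```

Note that `interpret_response` treats only 404 as "not pwned" and raises on anything undocumented: a monitoring job that silently mapped a 5xx or a malformed body to an empty list would report clean accounts during an outage.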
There isn't any.
There isn't any of that either.
There's not much point; if you want to build up a treasure trove of pwned email addresses or usernames, go and download the dumps (they're all just a Google search away) and save yourself the hassle and time of trying to enumerate an API one account at a time.