API v1

The API allows the list of pwned accounts (email addresses and usernames) to be quickly searched via a RESTful service. Check out who's currently using the API.


You're reading about version 1 of the API which has since been superseded by version 3. There are breaking changes which make version 2 unusable, this documentation remains for historic reasons only.


There is one API endpoint only accessible via HTTP GET. The account is not case sensitive and will be trimmed of leading or trailing white spaces. The account should always be URL encoded.

GET https://haveibeenpwned.com/api/breachedaccount/{account}


The response is simply an alphabetically sorted string array of pwned websites for the account in JSON format:



The sample can be invoked in the browser by clicking here or reconstructed in your tool of choice as follows:

GET HTTP/1.1 https://haveibeenpwned.com/api/breachedaccount/test%40example.com
HTTP/1.1 200 OK ["Adobe","Gawker","Stratfor"]

Pwned website values

Response values may not be suitable for user-facing displays. They are stable (will not change in the future) and are sorted alphabetically. Current breach values are:

000webhost, 123RF, 126, 17Media, 17173, 2844Breaches, 2fast4u, 500px, 7k7k, 8fit, 8tracks, Abandonia, AbuseWithUs, AcneOrg, Adapt, Adobe, AdultFriendFinder, AdultFriendFinder2016, AdultFanFiction, AerServ, AgusiQTorrents, AhaShare, AIType, Aipai, AKP, Ancestry, AndroidForums, AnimalJam, AnimeGame, AnimePlanet, Animoto, AntiPublic, Apollo, Appartoo, Appen, Aptoide, ArmorGames, ArmyForceOnline, Artsy, Artvalue, AshleyMadison, AstroPID, Aternos, AtlasQuantum, Autocentrum, Avast, B2BUSABusinesses, BabyNames, Badoo, BannerBit, BattlefieldHeroes, BeautifulPeople, Bell, Bell2017, Bestialitysextaboo, BigMoneyJobs, BinWeevils, BiohackMe, BTSec, BitcoinTalk, Bitly, BitTorrent, BlackHatWorld, BlackSpigotMC, BlankMediaGames, Bolt, BombujEu, Bonobos, Bookmate, BotOfLegends, Boxee, Brazzers, BTCE, BtoBet, Bukalapak, BulgarianNationalRevenueAgency, BusinessAcumen, CafeMom, CafePress, CannabisForum, Canva, CashCrate, Catho, CDProjektRed, Chatbooks, CheapAssGamer, Chegg, Chowbus, Cit0day, CityBee, CivilOnline, ClashOfKings, ClixSense, CloudPets, ClubPenguinRewritten, ClubPenguinRewrittenJul2019, Coachella, Coinmama, Collection1, Comcast, COMELEC, CouponMomAndArmorGames, db8151dd, CrackCommunity, CrackedTO, CrackingForum, Creative, CrimeAgencyVBulletin, CrossFire, D3scene, DaFont, Dailymotion, DailyObjects, Dangdang, DaniWeb, DataAndLeads, PDL, DataEnrichment, DataCamp, Dave, DemonForums, devkitPro, DietCom, Digimon, Disqus, DLH, Dodonew, Dominos, Drizly, Dropbox, Dubsmash, DuelingNetwork, DDO, Dunzo, Duowan, DVDShopCH, EatStreet, Edmodo, Elance, Elanic, ElasticsearchSalesLeads, Emuparadise, EpicGames, EpicBot, EpicNPC, Eroticy, Estonia, eThekwiniMunicipality, Ethereum, EuropaJobs, Evermotion, EverybodyEdits, Evite, Evony, Exactis, Experian, Experian2020, ExploitIn, VINs, EyeEm, Facepunch, FaceUP, Factual, WhiteRoom, FashionFantasyGame, FilmaiIn, FFShrine, FlashFlashRevolution, FlashFlashRevolution2019, Flashback, Fling, FLVS, Foodora, Forbes, ForumCommunity, FoxyBingo, FreedomHostingII, FreshMenu, Fridae, Funimation, FunnyGames, FurAffinity, Gaadi, Gab, GamerzPlanet, GameSalad, GameTuts, Gamigo, GateHub, Gawker, Gett, GeekedIn, GeniusU, GFAN, Glofox, GoGames, GoldSilver, gPotato, GPSUnderground, GTAGaming, Playgar, HackForums, HackingTeam, HauteLook, Havenly, HealthNowNetworks, Hemmakvall, Hemmelig, HeroesOfGaia, HeroesOfNewerth, HIAPK, HLTV, HomeChef, HongFire, HookersNL, HoundDawgs, Houzz, HTCMania, HTHStudios, Hub4Tech, Hurb, iDressup, ILikeCheats, iMesh, imgur, IndianRailways, Insanelyi, Intelimost, Interpals, iPmart, ixigo, James, JobAndTalent, JobStreet, JoomlArt, JustDate, KayoMoe, Kickstarter, Kimsufi, KiwiFarms, KMRU, KnownCircle, Knuddels, Kreditplus, Lanwar, Lastfm, Lazada, LeadHunter, LeagueOfLegends, Ledger, Leet, Lifebear, Lifeboat, LightsHope, LinkedIn, LinuxForums, LinuxMint, LittleMonsters, LiveAuctioneers, LiveJournal, LizardSquad, Lookbook, LOTR, LoungeBoard, LuminPDF, LyricsMania, MacForums, Mac-Torrents, MailRu, MajorGeeks, MallCZ, Malwarebytes, MangaTraders, MangaFox, Mappery, Mashable, MasterDeeds, MastercardPricelessSpecials, Mate1, Mathway, MCBans, MDPI, MeetMindful, MGM, MindJolt, MinecraftPocketEditionForum, MinecraftWorldMap, Minefield, Minehut, Minted, MoDaCo, ModernBusinessSolutions, MoneyBookers, MoreleNet, MortalOnline, MPGH, MrExcel, mSpy, MuslimDirectory, MuslimMatch, MyFHA, MyFitnessPal, MyHeritage, myRepoSpace, MySpace, MyVidster, NapsGear, NaughtyAmerica, NemoWeb, Neopets, NetEase, Neteller, NetGalley, Netlog, NetProspex, Netshoes, NextGenUpdate, NexusMods, Nihonomaru, Nitro, Nival, NonNudeGirls, NulledCH, Nulled, NurseryCam, OGUsers, OGUsers2020, OnlinerSpambot, Onverse, OpenCSGO, OrdineAvvocatiDiRoma, OVH, OwnedCore, Oxfam, PaddyPower, Patreon, PayAsUGym, Peatix, Pemiblanc, PeoplesEnergy, PetFlow, PHPFreaks, PixelFederation, Pixlr, piZap, PlanetCalypso, Plex, PlutoTV, Pokebip, PokemonCreed, PokemonNegro, PoliceOne, Poshmark, Powerbot, ProctorU, ProgrammingForums, Promo, Promofarma, PropTiger, PS3Hax, PSPISO, PSX-Scene, QatarNationalBank, QIP, QuantumBooter, Quidd, QuinStreet, R2-2017, R2Games, Rambler, Rankwatch, RbxRocks, RealEstateMogul, BlueSnapRegpack, Reincubate, RetinaX, Reverb-Nation, RiverCityMedia, Roll20, Romwe, RosebuttBoard, RussianAmerica, SaverSpy, SCDailyPhoneSpamList, Scentbird, Seedpeer, Sephora, ServerPact, ShareThis, SHEIN, Shotbow, SkTorrent, Slickwraps, Smogon, Snail, Snapchat, SocialEngineered, SIAE, Sonicbids, Sony, Soundwave, SpecialKSpamList, Spirol, SpyFone, Staminus, StarNet, StarTribune, SterKinekor, StockX, StoryBird, Straffic, Stratfor, StreetEasy, StrongholdKingdoms, SumoTorrent, SuperVPNGeckoVPN, SvenskaMagic, SweClockers, Swvl, TaiLieu, Tamodo, Taobao, Taringa, Solomid, Technic, TRAI, Teracod, Tesco, TGBUS, TheCandidBoard, TheFappening, TheFlyOnTheWall, HalloweenSpot, TheTVDB, ThisHabboForum, Tianya, Ticketcounter, Ticketfly, Tokopedia, ToonDoo, TorrentInvites, Tout, TrikSpamBotnet, Trillian, TruckersMP, TrueFire, Tumblr, Uiggy, Ulmon, IGF, UnderworldEmpire, UnicoCampania, Universarium, UnrealEngine, UtahGunExchange, uTorrent, uuu9, Vakinha, VBulletin, Vedantu, VerificationsIO, Verified, Vianet, VictoryPhones, ViewFines, VK, VNG, Vodafone, VoidTO, VTech, VTightGel, Wanelo, WarInc, Warframe, Warmane, Wattpad, WeHeartIt, Whitepages, WHMCS, WienerBuchereien, WifeLovers, WIIUISO, WildStar, Win7Vista, Wishbone, Wishbone2020, WiziShop, Wongnai, WPSandbox, WPT, xat, Xbox360ISO, Xbox-Scene, xHamster, Xiaomi, XKCD, XPGameSaves, XSplit, Yahoo, Yandex, Yatra, Youku, YouNow, YouPorn, YouveBeenScraped, Zhenai, Zomato, Zoomcar, Zoosk, Zoosk2020, Zooville, Zynga, Parapa, SprashivaiRu, DecoratingTheHouse

Response codes

Semantic HTTP response codes are used to indicate the status of the search:

Code Description
200 Ok — everything worked and there's a string array of pwned sites for the account
400 Bad request — the account does not comply with an acceptable format (i.e. it's an empty string)
404 Not found — the account could not be found and has therefore not been pwned


The API must be invoked over HTTPS. Any requests over HTTP will result in a 301 response with a redirect to the same path on the secure scheme.

Cross-origin resource sharing (CORS)

CORS is fully supported for all origins — you can hit the API from websites on any other domain.


There isn't any.

Rate limiting

There isn't any of that either.


There's not much point; if you want to build up a treasure trove of pwned email addresses or usernames, go and download the dumps (they're all just a Google search away) and save yourself the hassle and time of trying to enumerate an API one account at a time.