API v1

The API allows the list of pwned accounts (email addresses and usernames) to be quickly searched via a RESTful service. Check out who's currently using the API.

Overview

You're reading about v1 of the API which is now superseded by a more recent version. However, v1 is still supported, and any requests for the API that do not specify a version will default to this one.


HTTP GET

There is a single API endpoint, accessible only via HTTP GET. The account is not case sensitive and will be trimmed of leading or trailing whitespace. The account should always be URL encoded.

GET https://haveibeenpwned.com/api/breachedaccount/{account}

Response

The response is simply an alphabetically sorted string array of pwned websites for the account in JSON format:

["Adobe","Gawker","Stratfor"]

Sample

The sample can be invoked in the browser by clicking here or reconstructed in your tool of choice as follows:

GET https://haveibeenpwned.com/api/breachedaccount/test%40example.com HTTP/1.1

HTTP/1.1 200 OK

["Adobe","Gawker","Stratfor"]

Pwned website values

Response values may not be suitable for user-facing displays. They are stable (will not change in the future) and are sorted alphabetically. Current breach values are:

000webhost, 126, 17Media, AcneOrg, Adobe, AdultFriendFinder, AhaShare, Aipai, AndroidForums, ArmyForceOnline, AshleyMadison, AstroPID, Aternos, Avast, Badoo, BattlefieldHeroes, BeautifulPeople, Bell, BigMoneyJobs, BTSec, BitTorrent, BlackHatWorld, Boxee, Brazzers, BusinessAcumen, CannabisForum, CheapAssGamer, CivilOnline, ClixSense, Comcast, COMELEC, CrackCommunity, DLH, Dodonew, Dominos, Dropbox, DDO, Duowan, EpicGames, eThekwiniMunicipality, Experian, FFShrine, FlashFlashRevolution, Flashback, Fling, Forbes, FoxyBingo, Fridae, FurAffinity, GamerzPlanet, GameTuts, Gamigo, Gawker, GeekedIn, GFAN, gPotato, GTAGaming, HackForums, HackingTeam, Hemmakvall, Hemmelig, HeroesOfGaia, HeroesOfNewerth, iDressup, iMesh, Insanelyi, Interpals, iPmart, KMRU, Lastfm, Leet, Lifeboat, LinkedIn, LinuxMint, LizardSquad, Lookbook, LOTR, LoungeBoard, Mac-Torrents, MailRu, MajorGeeks, Malwarebytes, MangaTraders, Mate1, MinecraftPocketEditionForum, MinecraftWorldMap, Minefield, MoDaCo, ModernBusinessSolutions, MoneyBookers, MPGH, mSpy, MuslimDirectory, MuslimMatch, myRepoSpace, MySpace, MyVidster, NaughtyAmerica, Neopets, NetEase, Neteller, NextGenUpdate, NexusMods, Nihonomaru, Nival, Nulled, Onverse, OwnedCore, PaddyPower, Patreon, PHPFreaks, PixelFederation, Plex, Pokebip, PokemonCreed, PS3Hax, PSX-Scene, QatarNationalBank, QuantumBooter, R2Games, Rambler, BlueSnapRegpack, RosebuttBoard, SCDailyPhoneSpamList, Seedpeer, ServerPact, SkTorrent, Snapchat, Sony, SpecialKSpamList, Spirol, StarNet, Stratfor, SumoTorrent, Taobao, Solomid, TRAI, Teracod, Tesco, TheFappening, ThisHabboForum, Tianya, Trillian, TruckersMP, Tumblr, Uiggy, IGF, UnrealEngine, uTorrent, VBulletin, Verified, VK, Vodafone, VTech, WarInc, Warframe, WHMCS, WIIUISO, WildStar, Win7Vista, WPT, xat, Xbox-Scene, XSplit, Yahoo, Yandex, YouPorn, SprashivaiRu

Response codes

Semantic HTTP response codes are used to indicate the status of the search:

Code Description
200 Ok — everything worked and there's a string array of pwned sites for the account
400 Bad request — the account does not comply with an acceptable format (i.e. it's an empty string)
404 Not found — the account could not be found and has therefore not been pwned
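
A minimal client for the endpoint and response codes described above, handy for checking your own organisation's accounts. This is an added example, not code from the API's author; the function names build_url, interpret and breaches_for are hypothetical, and the live call assumes the endpoint behaves as this page documents.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint as given on this page.
BASE = "https://haveibeenpwned.com/api/breachedaccount/"


def build_url(account):
    """Trim the account and percent-encode it as a single path segment."""
    account = account.strip()
    if not account:
        raise ValueError("empty account: the API would answer 400 Bad request")
    # safe="" forces '@', '/', '+' and friends to be encoded as well.
    return BASE + urllib.parse.quote(account, safe="")


def interpret(status, body):
    """Map the documented response codes to a list of pwned website values."""
    if status == 200:
        sites = json.loads(body)
        if not (isinstance(sites, list) and all(isinstance(s, str) for s in sites)):
            raise ValueError("response is not a JSON string array")
        return sites
    if status == 404:
        return []  # not found means the account has not been pwned
    if status == 400:
        raise ValueError("account does not comply with an acceptable format")
    raise RuntimeError("undocumented status code: %d" % status)


def breaches_for(account, timeout=10.0):
    """Live lookup over HTTPS (needs network access; not exercised offline)."""
    try:
        with urllib.request.urlopen(build_url(account), timeout=timeout) as resp:
            return interpret(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx, so 404 ("not pwned") and 400 arrive here.
        return interpret(err.code, "")


if __name__ == "__main__":
    # Constructed sample mirroring the response shown on this page.
    print(build_url("  test@example.com "))
    print(interpret(200, '["Adobe","Gawker","Stratfor"]'))
```

Treating 404 as an empty list rather than an error keeps "not pwned" distinct from a malformed request or an unexpected status.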

SSL

The API must be invoked over HTTPS. Any requests over HTTP will result in a 301 response with a redirect to the same path on the secure scheme.


Cross-origin resource sharing (CORS)

CORS is fully supported for all origins — you can hit the API from websites on any other domain.


Authentication

There isn't any.


Rate limiting

There isn't any of that either.


Abuse

There's not much point; if you want to build up a treasure trove of pwned email addresses or usernames, go and download the dumps (they're all just a Google search away) and save yourself the hassle and time of trying to enumerate an API one account at a time.