admin

Background

I decided to make an API for my bot TrashPanda which searches different paste sites for leaked credentials. The API itself gives access to all unique credentials the bot ever detected. I did this for personal research reasons. Jake Creps approached me and asked if it would be possible for him to access the API for his own researches. As he has a really good reputation inside the OSINT community and is a respectable and responsible researcher who would not abuse leak data, I decided to granted him access under certain rules. I may grant access to other persons, if I am sure they will not abuse the information and only use it to help the OSINT/INFOSEC community. I will never grant access just for the lols or anything even worse.

Statistical Data

Want to get an idea how the data looks like? Visit the statistical page of the API.

http://stats.got-hacked.wtf:6780/

Technical Data

The API is based on a relational database and simple web server to provide different API endpoints.

Data sources:

pastebin.com
ghostbin.co
0paste.com

API Endpoints:

username: Allows to search for the name in front of an email address (e.g. searching for admin may delivers the password for admin@example.com)
email: Allows to search a whole email address
domain: Allows to search a domain name (e.g. searching for example.com may delivers the password for admin@example.com)

Need Access?

I will not publish the API for everyone. It is to likely that somebody will abuse the data and may commit a crime with it. The only way to get access is to convince me that you are a reasonable researcher that provides a benefit for the OSINT/INFOSEC community. The goal is to make the internet a little bit more secure. So I encourage every white hat researcher to approach me and help to reach this nearly unreachable goal.

Am I Pwned?!

If you just wanna know if your email address got pwned you can use TrashSearch. This Python script allows you to search for your email address and tells you if it was identified by the TrashPanda OSINT bot on a paste site (without exposing sensitive information like the password).

Made a little python script which tells you if your email address was identified by @leak_scavenger. To avoid abuse it will not expose the corresponding password. #osint #infosec https://t.co/s9vhKBITYP
— Call me h¤.¶°¢ [SEGFAULT] (@rnd_infosec_guy) February 23, 2021

Rules

Once you gained access there are some rules.

First of all: NO ABUSE
You are only allowed to use the information for research purposes to help the OSINT/INFOSEC community to make the internet a safer place
Account sharing is not allowed
Use the data to perform your research and publish the results. But do not publish any raw data containing username and password combinations
If you publish results of your research do not forget me. Please say where you got the data from 🙂

Violating one of the rules results in an account ban.

Scavenger

TrashPanda API