I decided to make an API for my bot TrashPanda which searches different paste sites for leaked credentials. The API itself gives access to all unique credentials the bot ever detected. I did this for personal research reasons. Jake Creps approached me and asked if it would be possible for him to access the API for his own researches. As he has a really good reputation inside the OSINT community and is a respectable and responsible researcher who would not abuse leak data, I decided to granted him access under certain rules. I may grant access to other persons, if I am sure they will not abuse the information and only use it to help the OSINT/INFOSEC community. I will never grant access just for the lols or anything even worse.
Want to get an idea how the data looks like? Visit the statistical page of the API.
The API is based on a relational database and simple web server to provide different API endpoints.
- username: Allows to search for the name in front of an email address (e.g. searching for admin may delivers the password for email@example.com)
- email: Allows to search a whole email address
- domain: Allows to search a domain name (e.g. searching for example.com may delivers the password for firstname.lastname@example.org)
I will not publish the API for everyone. It is to likely that somebody will abuse the data and may commit a crime with it. The only way to get access is to convince me that you are a reasonable researcher that provides a benefit for the OSINT/INFOSEC community or helps to fight crime. The goal is to make the internet a little bit more secure. So I encourage every white hat researcher to approach me and help to reach this nearly unreachable goal.
Once you gained access there are some rules.
- First of all: NO ABUSE
- You are only allowed to use the information for research purposes to help the OSINT/INFOSEC community to make the internet a safer place
- Account sharing is not allowed
- Use the data to perform your research and publish the results. But do not publish any raw data containing username and password combinations
- If you publish results of your research do not forget me. Please say where you got the data from 🙂
Violating one of the rules results in an account ban.
Am I Pwned?!
If you just wanna know if your email address got pwned you can use TrashSearch. This Python script allows you to search for your email/domain or password and tells you if it was identified by the TrashPanda OSINT bot on a paste site. To avoid abuse the email/domain search does not disclose passwords and the password search does not disclose the corresponding email/domain.