I decided to make an API for my bot TrashPanda which searches different paste sites for leaked data. The API itself gives access to the information the bot detected. I did this for personal research reasons. Jake Creps approached me and asked if it would be possible for him to access the API for his own researches. As he has a really good reputation inside the OSINT community and is a respectable and responsible researcher who would not abuse leak data, I decided to granted him access under certain rules. I may grant access to other persons, if I am sure they will not abuse the information and only use it to help the OSINT/INFOSEC community. I will never grant access just for the lols or anything even worse.
Want to get an idea how the data looks like? Visit the statistical page of the API.
I will not publish the API for everyone. It is to likely that somebody will abuse the data and may commit a crime with it. The only way to get access is to convince me that you are a reasonable researcher that provides a benefit for the OSINT/INFOSEC community or helps to fight crime. The goal is to make the internet a little bit more secure. So I encourage every white hat researcher or law enforcement agency to approach me and help to reach this nearly unreachable goal.
Once you gained access there are some rules.
- First of all: NO ABUSE
- You are only allowed to use the information for research purposes to help the OSINT/INFOSEC community to make the internet a safer place
- Account sharing is not allowed
- Use the API to perform your research and publish the results. But do not publish any plain data you got from the API
- If you publish results of your research do not forget me. Please say where you got the data from 🙂
Violating one of the rules results in an account ban.
Am I Pwned?!
If you just wanna know if your email address got pwned you can use TrashSearch. This Python script allows you to search for your email/domain or password and tells you if it was identified by the TrashPanda OSINT bot on a paste site. To avoid abuse the email/domain search does not disclose passwords and the password search does not disclose the corresponding email/domain.