Our Data
Where 11.5B+ breach records come from, how they're verified, what we store — and what we refuse to.
Where the data comes from
We index only breach data that is already publicly available. Sources include public breach disclosures, paste sites, and data dumps circulating on public distribution channels and underground forums once they have surfaced into the public domain. We do not purchase stolen data, trade with threat actors, or commission breaches — if a dataset isn't already exposed, it isn't in our index.
The collection engine is part of the open-source XposedOrNot project, so the methodology is inspectable — full detail in the community FAQ.
How breaches are verified before indexing
A breach enters the index only when it has been acknowledged by the affected organization or credibly reported by established media or security researchers. In the rare case where a breach is not acknowledged by the owner, it is explicitly marked as such in the index and we take steps to notify the organization. Datasets that fail verification are tagged rather than silently blended in — you can see the confidence level of what you're acting on.
What we store — and what we never store
- Email addresses as they appear in public breach datasets
- Breach metadata: name, date, affected organization, exposed data categories
- Derived exposure facts: risk scores, breach counts, data-category classifications
- Passwords in plaintext — password checks use one-way SHA3-Keccak-512 hashes only
- Credit card or payment data
- Government identifiers (SSNs, passport or ID numbers)
- Personal identification documents
- Your API queries — lookups are processed in memory and never logged
The legal basis
Processing already-public breach data to warn the people and organizations it exposes is a legitimate security interest, and it is the same basis on which breach-notification services have operated publicly for over a decade. Two design decisions keep that footing solid:
- We sell exposure facts, not records. Query responses tell you that an account appeared in a named breach, when, and what categories of data were exposed — they do not hand back the underlying stolen data. There is no bulk raw-record marketplace here.
- Defensive use only. The product exists to trigger password resets, account protection, and audit evidence — uses your legal team can approve.
The full commitments live in our privacy policy and DPA, including sub-processor lists, SCCs for EEA/UK transfers, and return-or-delete terms on exit.
What this means for you
Monitoring your domain introduces no new PII liability. We already hold only what the public breach corpus exposed; your monitoring adds domain names and alert preferences, nothing more. Password checks never transmit or store plaintext.
Your partner agreement licenses you to deliver alerts, reports, and dashboards to your clients under your brand. You are never redistributing raw breach records — your clients receive exposure facts and remediation signals, which keeps your service on the right side of the same line we hold ourselves to.
API lookups are stateless: the emails and domains your product checks are processed in memory and never logged or stored. Your users' queries stay yours.
Individual rights
Anyone can permanently mask their email address from all public search results and API responses using the free Privacy Shield. Because every record originates from a third-party breach already in the public domain, selective erasure inside a breach dataset isn't technically meaningful — masking is the effective remedy, and it's free and permanent. Takedown requests and privacy inquiries: [email protected].
See the data quality for yourself
Run a free exposure check on your own domain — real results, no signup.
Check Your Domain Free