ZeroTrace OSINT
Breach Lookup
Privacy-respecting password and email breach lookups via HIBP k-anonymity, with breach-domain context.
The breach lookup tool checks whether a password or email appears in known data breaches. It uses the HIBP k-anonymity API for passwords (your password never leaves your machine in full) and the HIBP public domain list for email-domain context.
Two modes
The tool runs in two modes depending on the input type:
| Mode | Input | Output |
|---|---|---|
| Password mode | A password string | Whether the password appears in any known breach corpus, and how many times |
| Email mode | An email address | Whether the email's domain appears in HIBP's public breach-domain list, plus a deliverability/risk profile |
Password mode (k-anonymity)
The HIBP password API uses a clever scheme called k-anonymity:
- The toolkit hashes your password locally (SHA-1).
- The toolkit sends only the first five characters of the hash to HIBP.
- HIBP returns every full hash that starts with those five characters (about 500 hashes on average).
- The toolkit checks locally whether your full hash is in that list.
The full password — and the full hash — never leaves your machine. The HIBP API knows only that some user asked about some hash prefix; it cannot reconstruct what password was checked.
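The four steps above, plus the Last-Modified freshness header, as an added Python example (not the toolkit's own code). The range endpoint URL and the User-Agent and Add-Padding request headers are HIBP's documented ones; SAMPLE_RANGE_BODY, offline_fetch and the counts inside them are constructed here so the workflow can be run without network access.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Documented HIBP Pwned Passwords range endpoint; only a 5-hex-char prefix is ever appended.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 locally; return (5-char prefix sent to HIBP, 35-char suffix that stays local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Count-0 entries are padding
    (returned when the Add-Padding request header is set) and are dropped so they can never match."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> Tuple[str, Optional[str]]:
    """Live fetch: the prefix is the only thing that leaves the machine. Also returns Last-Modified."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "zerotrace-breach-example", "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8"), resp.headers.get("Last-Modified")

def check_password(password: str,
                   fetch: Callable[[str], Tuple[str, Optional[str]]] = fetch_range) -> dict:
    """Full k-anonymity workflow: local hash -> prefix query -> local suffix match."""
    prefix, suffix = split_hash(password)
    body, last_modified = fetch(prefix)
    count = parse_range_response(body).get(suffix, 0)
    return {"found": count > 0, "pwned_count": count, "last_modified": last_modified}

# Constructed stand-in for a range response to prefix 5BAA6 (the SHA-1 prefix of "password");
# the counts are made up and the last line mimics a padding entry.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "00000000000000000000000000000000000:0\r\n"
)

def offline_fetch(prefix: str) -> Tuple[str, Optional[str]]:
    """Offline replacement for fetch_range so the workflow runs without network access."""
    return SAMPLE_RANGE_BODY, "Wed, 01 Jan 2025 00:00:00 GMT"
```

Swapping `offline_fetch` for the default `fetch_range` performs the real query, and the result dict maps directly onto the Found, Pwned count and Last modified fields described below.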
The result tells you:
| Field | What it tells you |
|---|---|
| Found | Whether your full hash matches any in the returned list |
| Pwned count | How many times this hash has appeared in breach corpora |
| Last modified | When the HIBP corpus was last updated |
A password that has appeared a million times in breaches has been on the internet a long time. A password that has appeared zero times may still be a bad password (predictable) but is not currently in known breach corpora.
"Pwned count = 0" does not mean a password is safe. It means it is not in known breach corpora. New breaches happen continuously. Treat the count as a strong "this password is definitely compromised" signal when nonzero, and as a weak "no known compromise" signal when zero.
Email mode
For an email address, the tool checks the domain against HIBP's public list of breached domains. This is informational rather than per-email — it tells you whether the domain has been the source of a known breach, not whether this specific email was in any of them.
For a per-email account-level breach check, HIBP requires a paid API key, which the toolkit does not embed. For thorough per-email research, use the public HIBP web interface manually.
The email-mode result includes:
- Whether the domain appears in the public breached-domains list.
- The composite deliverability profile from the email analyzer.
Last-modified header
HIBP's API returns the corpus's last-modified date in the response headers. The tool surfaces this so you know how fresh the data is — typically updated weekly with new breach corpora.
Bulk password / email check
Bulk paste accepts many passwords or many emails. The k-anonymity workflow handles each input separately so individual passwords are never aggregated server-side.
For bulk email-domain checks, the aggregate table shows per-email domain status — fast triage of a list of contacts.
Pivots
| Click on... | Pivot to |
|---|---|
| Email | Email analyzer, person investigation composer |
| Domain | DNS, WHOIS, certificate transparency |
| Password | (no pivot — confirm-and-rotate is the appropriate action) |
When to use it
- You found an email in a leak. Check whether the domain has been broadly compromised.
- You are vetting a new password your team is about to deploy. Confirm it does not appear in any breach corpora before rolling it out.
- You are doing identity-verification follow-up. A subject's email appearing in many breaches is context, not a verdict.
Sources
- HIBP k-anonymity password API.
- HIBP public breached-domains list.
- The breach-domain context is also surfaced by the email analyzer; the breach lookup tool focuses on the password side.
The k-anonymity protocol is documented at haveibeenpwned.com/API/v3#PwnedPasswords. Every API call is named on the result.