Have I Been Pwned
The Have I Been Pwned connector allows users to integrate real-time data breach information into their security workflows, enabling proactive monitoring and response to incidents of data exposure.

Have I Been Pwned is a renowned platform for checking if personal data has been compromised in data breaches. The Have I Been Pwned Turbine connector allows users to automate the process of monitoring and responding to breaches involving their organization's domains and email accounts. By integrating with Swimlane Turbine, security teams can proactively detect compromised credentials, assess the impact of breaches, and initiate swift incident response workflows. This connector enhances cybersecurity posture by providing actionable insights and streamlining the management of breach incidents.

Connector to integrate with Have I Been Pwned API.

## Prerequisites

To utilize the Have I Been Pwned connector within Swimlane Turbine, ensure you have the following:

- API key authentication with the following parameters:
  - URL: the endpoint URL for the Have I Been Pwned API.
  - API key: a valid API key provided by Have I Been Pwned to access their services.

## Capabilities

Have I Been Pwned has the following capabilities:

- Get a single breached site
- Get all breached sites in the system
- Get all breaches for an account
- Get all data classes
- Get all pastes for an account
- Getting all breached email addresses for a domain
- Getting all subscribed domains
- Getting the most recently added breach
- Getting the subscription status

This connector was last tested against product version 3.

## API documentation

Have I Been Pwned API documentation: https://haveibeenpwned.com/api/v3

## Configurations

### Have I Been Pwned API key authentication

Authenticates using an API key.

#### Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| hibp_api_key | API key | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Get a single breached site

Retrieve detailed information about a specific breach by providing the site's name in Have I Been Pwned.

Endpoint URL: `/api/v3/breach/{{name}}`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Required | Sometimes just a single breach is required and this can be retrieved by the breach "name". This is the stable value which may or may not be the same as the breach "title" (which can change). |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| title | string | Output field title |
| domain | string | Output field domain |
| breachdate | string | Date value |
| addeddate | string | Date value |
| modifieddate | string | Date value |
| pwncount | number | Count value |
| description | string | Output field description |
| logopath | string | Output field logopath |
| dataclasses | array | Response data |
| isverified | boolean | Output field isverified |
| isfabricated | boolean | Output field isfabricated |
| issensitive | boolean | Output field issensitive |
| isretired | boolean | Output field isretired |
| isspamlist | boolean | Output field isspamlist |
| ismalware | boolean | Output field ismalware |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "name": "example name",
      "title": "string",
      "domain": "string",
      "breachdate": "string",
      "addeddate": "string",
      "modifieddate": "string",
      "pwncount": 123,
      "description": "string",
      "logopath": "string",
      "dataclasses": [],
      "isverified": true,
      "isfabricated": true,
      "issensitive": true,
      "isretired": true,
      "isspamlist": true
    }
  }
]
```

### Get all breached sites in the system

Retrieve detailed information on all breached sites in the system, including notable instances such as Adobe and Gawker.

Endpoint URL: `/api/v3/breaches`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| domain | string | Optional | Filters the result set to only breaches against the domain specified. It is possible that one site (and consequently domain), is compromised on multiple occasions. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": []
  }
]
```

### Get all breaches for an account

Retrieve all data breaches associated with a given account from the Have I Been Pwned API, requiring the 'account' path parameter.

Endpoint URL: `/api/v3/breachedaccount/{{account}}`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| account | string | Required | The most common use of the API is to return a list of all breaches a particular account has been involved in. The API takes a single parameter which is the account to be searched for. The account is not case sensitive and will be trimmed of leading or trailing white spaces. |
| truncateresponse | boolean | Optional | By default, only the name of the breach is returned rather than the complete breach data, thus reducing the response body size by approximately 98%. The name can then be used to either retrieve a single breach or it can be found in the list of all breaches in the system. If you'd like complete breach data returned in the API call, set this to false. |
| domain | string | Optional | Filters the result set to only breaches against the domain specified. It is possible that one site (and consequently domain), is compromised on multiple occasions. |
| includeunverified | boolean | Optional | Returns breaches that have been flagged as "unverified". By default, both verified and unverified breaches are returned when performing a search. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": []
  }
]
```

### Get all data classes

Retrieve a comprehensive list of data classes recognized by Have I Been Pwned as compromised in various breaches.

Endpoint URL: `/api/v3/dataclasses`

Method: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Fri, 16 Aug 2024 11:29:35 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Content-Length": "1424",
      "Connection": "keep-alive",
      "Access-Control-Expose-Headers": "Request-Context",
      "Cache-Control": "public, max-age=3600",
      "Content-Encoding": "gzip",
      "Vary": "Accept-Encoding",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
      "X-Frame-Options": "DENY",
      "X-Content-Type-Options": "nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "X-XSS-Protection": "1; mode=block",
      "Content-Security-Policy": "default-src 'none';script-src 'self' www.google.com www.gstatic.com cdnjs.cloudf ",
      "Request-Context": "appId=cid-v1:3665810e-aab5-4aa5-90b9-f46c41b757ec"
    },
    "reason": "OK",
    "json_body": [
      "account balances",
      "address book contacts",
      "age groups"
    ]
  }
]
```

### Get all pastes for an account

Retrieve all paste entries for a specified email account from Have I Been Pwned, with case-insensitive and trimmed input handling.

Endpoint URL: `/api/v3/pasteaccount/{{account}}`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| account | string | Required | Email address to be searched for |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": []
  }
]
```

### Getting all breached email addresses for a domain

Retrieve all breached email addresses for a verified domain from Have I Been Pwned.

Endpoint URL: `/api/v3/breacheddomain/{{domain}}`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| domain | string | Required | Parameter for getting all breached email addresses for a domain |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| alias1 | array | Output field alias1 |
| alias2 | array | Output field alias2 |
| alias3 | array | Output field alias3 |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Fri, 16 Aug 2024 11:29:35 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Content-Length": "1424",
      "Connection": "keep-alive",
      "Access-Control-Expose-Headers": "Request-Context",
      "Cache-Control": "public, max-age=3600",
      "Content-Encoding": "gzip",
      "Vary": "Accept-Encoding",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
      "X-Frame-Options": "DENY",
      "X-Content-Type-Options": "nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "X-XSS-Protection": "1; mode=block",
      "Content-Security-Policy": "default-src 'none';script-src 'self' www.google.com www.gstatic.com cdnjs.cloudf ",
      "Request-Context": "appId=cid-v1:3665810e-aab5-4aa5-90b9-f46c41b757ec"
    },
    "reason": "OK",
    "json_body": {
      "alias1": [],
      "alias2": [],
      "alias3": []
    }
  }
]
```

### Getting all subscribed domains

Retrieve verified domains from the Have I Been Pwned domain search dashboard.

Endpoint URL: `/api/v3/subscribeddomains`

Method: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Fri, 16 Aug 2024 11:40:08 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "CF-RAY": "8b4125d4b86379ef-HYD",
      "CF-Cache-Status": "DYNAMIC",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
      "Vary": "Accept-Encoding",
      "X-Content-Type-Options": "nosniff",
      "Set-Cookie": "__cf_bm=n3s0cyvdjqbztonyjqpbqgvbi9n1tdlv7jb8ibkuueq 1723808408 1 0 1 1 yvp9ugzsn ",
      "Server": "cloudflare"
    },
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Getting the most recently added breach

Retrieve the most recently added breach information from Have I Been Pwned, regardless of the actual event date.

Endpoint URL: `/api/v3/latestbreach`

Method: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| title | string | Output field title |
| domain | string | Output field domain |
| breachdate | string | Date value |
| addeddate | string | Date value |
| modifieddate | string | Date value |
| pwncount | number | Count value |
| description | string | Output field description |
| logopath | string | Output field logopath |
| dataclasses | array | Response data |
| isverified | boolean | Output field isverified |
| isfabricated | boolean | Output field isfabricated |
| issensitive | boolean | Output field issensitive |
| isretired | boolean | Output field isretired |
| isspamlist | boolean | Output field isspamlist |
| ismalware | boolean | Output field ismalware |
| issubscriptionfree | boolean | Output field issubscriptionfree |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Fri, 16 Aug 2024 11:47:38 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "CF-RAY": "8b4130d3ace879ef-HYD",
      "CF-Cache-Status": "DYNAMIC",
      "Access-Control-Allow-Origin": "*",
      "Cache-Control": "public, max-age=300",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
      "Vary": "Accept-Encoding",
      "ARR-Disable-Session-Affinity": "true",
      "Request-Context": "appId=cid-v1:77119892-d8d8-4c8f-a69f-f4e0344e419f",
      "X-Content-Type-Options": "nosniff",
      "Set-Cookie": "__cf_bm=el8ywcvljsn77rmjpgkmwczyiaperignbktfnff9nwy 1723808858 1 0 1 1 l9cgvsrnh "
    },
    "reason": "OK",
    "json_body": {
      "name": "chrisleong",
      "title": "chris leong",
      "domain": "chrisleong.com",
      "breachdate": "2024-08-10",
      "addeddate": "2024-08-13T22:16:41Z",
      "modifieddate": "2024-08-13T22:16:41Z",
      "pwncount": 27096,
      "description": "in august 2024, <a href=\"https://x.com/darkwebinformer/status/182233052114737600 ",
      "logopath": "https://haveibeenpwned.com/content/images/pwnedlogos/chrisleong.png",
      "dataclasses": [],
      "isverified": true,
      "isfabricated": false,
      "issensitive": false,
      "isretired": false,
      "isspamlist": false
    }
  }
]
```

### Getting the subscription status

Retrieve current subscription details for Have I Been Pwned, including plan type and expiration date.

Endpoint URL: `/api/v3/subscription/status`

Method: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| subscribeduntil | string | Output field subscribeduntil |
| subscriptionname | string | Name of the resource |
| description | string | Output field description |
| domainsearchmaxbreachedaccounts | number | Output field domainsearchmaxbreachedaccounts |
| rpm | number | Output field rpm |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Fri, 16 Aug 2024 12:02:50 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "CF-RAY": "8b41471859b279ef-HYD",
      "CF-Cache-Status": "DYNAMIC",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
      "Vary": "Accept-Encoding",
      "X-Content-Type-Options": "nosniff",
      "Set-Cookie": "__cf_bm=i1p4morpw6sbrbnzgesfgxi5zqlwql11bi3pbuaxjsm 1723809770 1 0 1 1 j40wzbztr ",
      "Server": "cloudflare"
    },
    "reason": "OK",
    "json_body": {
      "subscribeduntil": "2024-09-14T23:21:04",
      "subscriptionname": "pwned 1",
      "description": "domains with up to 25 breached addresses each, and a rate limited api key allowi ",
      "domainsearchmaxbreachedaccounts": 25,
      "rpm": 10
    }
  }
]
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Accept-Ranges | HTTP response header Accept-Ranges | |
| Access-Control-Allow-Origin | HTTP response header Access-Control-Allow-Origin | |
| Access-Control-Expose-Headers | HTTP response header Access-Control-Expose-Headers | Request-Context |
| Age | HTTP response header Age | |
| ARR-Disable-Session-Affinity | HTTP response header ARR-Disable-Session-Affinity | true |
| Cache-Control | Directives for caching mechanisms | public, max-age=300 |
| CF-Cache-Status | HTTP response header CF-Cache-Status | DYNAMIC |
| CF-RAY | HTTP response header CF-RAY | 8b41471859b279ef-HYD |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 1424 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'none';script-src 'self' www.google.com www.gstatic.com cdnjs.cloudflare.com az416426.vo.msecnd.net ajax.cloudflare.com challenges.cloudflare.com static.cloudflareinsights.com;style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com;img-src 'self' www.gstatic.com translate.google.com logos.haveibeenpwned.com;font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com;connect-src 'self' api.pwnedpasswords.com stats.g.doubleclick.net dc.services.visualstudio.com;base-uri 'self';child-src www.google.com challenges.cloudflare.com;form-action 'self' accounts.google.com www.paypal.com billing.stripe.com checkout.stripe.com billing.haveibeenpwned.com;frame-ancestors 'none';worker-src 'self';upgrade-insecure-requests;report-uri https://troyhunt.report-uri.com/r/d/csp/enforce |
| Content-Type | The media type of the resource | application/json; charset=utf-8 |
| Date | The date and time at which the message was originated | Fri, 16 Aug 2024 11:47:38 GMT |
| Expires | The date/time after which the response is considered stale | |
| Last-Modified | The date and time at which the origin server believes the resource was last modified | |
| Pragma | HTTP response header Pragma | |
| Referrer-Policy | HTTP response header Referrer-Policy | strict-origin-when-cross-origin |
| Request-Context | HTTP response header Request-Context | appId=cid-v1:77119892-d8d8-4c8f-a69f-f4e0344e419f |
| Server | Information about the software used by the origin server | cloudflare |
| Set-Cookie | HTTP response header Set-Cookie | __cf_bm=lwucgjvib6qev c1mw9e4vsi3 vi1jhqxcurxnxasvk 1723807775 1 0 1 1 v2jgrpsrbkwm0awty7bpmc zzkiq5ijl8jdojfpsbtbfnvaujng5h n830i0kn yuauwin5wkxrvvp77g3cwzq; path=/; expires=Fri, 16-Aug-24 11:59:35 GMT; domain=.haveibeenpwned.com; HttpOnly; Secure; SameSite=None |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
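
As an added example (not code from the connector or from Have I Been Pwned), the Python below joins the `json_body` of the breached-domain action with the `json_body` of the all-breaches action to decide which accounts need a password reset, using two calls instead of one lookup per account. The function names, the credential data-class list, the policy of skipping spam-list and fabricated breaches, and the sample records are assumptions of this example; field names are matched case-insensitively because this page lists them in lowercase.

```python
# Assumption: data classes this example treats as credential exposure.
CREDENTIAL_CLASSES = {"passwords", "password hints", "security questions and answers"}


def _lower_keys(record):
    """Lowercase field names so 'BreachDate' and 'breachdate' both match."""
    return {str(key).lower(): value for key, value in record.items()}


def triage(domain, breached_aliases, breaches):
    """breached_aliases: breached-domain json_body (alias -> breach names);
    breaches: all-breaches json_body (list of breach objects)."""
    catalogue = {b["name"].lower(): b for b in map(_lower_keys, breaches)}
    rows = []
    for alias, names in breached_aliases.items():
        exposed, latest, unknown = set(), "", []
        for name in names:
            breach = catalogue.get(name.lower())
            if breach is None:
                unknown.append(name)  # resolve with the single-breach action
                continue
            # Policy assumption: spam lists and fabricated breaches never drive a reset.
            if breach.get("isspamlist") or breach.get("isfabricated"):
                continue
            classes = {c.lower() for c in breach.get("dataclasses") or []}
            exposed |= classes & CREDENTIAL_CLASSES
            latest = max(latest, breach.get("breachdate") or "")
        rows.append({
            "account": f"{alias}@{domain}",
            "reset_password": bool(exposed),
            "credential_classes": sorted(exposed),
            "latest_breach": latest or None,
            "needs_lookup": unknown,
        })
    # Resets first, then most recent breach first (ISO dates sort as text).
    rows.sort(key=lambda r: (r["reset_password"], r["latest_breach"] or ""), reverse=True)
    return rows


# Constructed sample data, not real breach records.
SAMPLE_BREACHES = [
    {"name": "ExampleForum", "breachdate": "2023-05-01",
     "dataclasses": ["Email addresses", "Passwords"], "isspamlist": False},
    {"Name": "ExampleList", "BreachDate": "2024-02-10",
     "DataClasses": ["Email addresses"], "IsSpamList": True},
]
SAMPLE_ALIASES = {"alias1": ["ExampleForum"], "alias2": ["ExampleList"],
                  "alias3": ["ExampleForum", "NotInCatalogue"]}

if __name__ == "__main__":
    print(triage("example.com", SAMPLE_ALIASES, SAMPLE_BREACHES))
```

Breach names listed under `needs_lookup` were not in the supplied catalogue and should be resolved before the row is treated as clean.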