{"id":13510780,"url":"https://github.com/Ekultek/WhatBreach","last_synced_at":"2025-03-30T17:31:18.828Z","repository":{"id":44383770,"uuid":"182323091","full_name":"Ekultek/WhatBreach","owner":"Ekultek","description":"OSINT tool to find breached emails, databases, pastes, and relevant information","archived":false,"fork":false,"pushed_at":"2024-10-22T18:52:55.000Z","size":95,"stargazers_count":1252,"open_issues_count":12,"forks_count":177,"subscribers_count":37,"default_branch":"master","last_synced_at":"2025-03-30T07:05:01.497Z","etag":null,"topics":["breach","breaches","domains","emails","osint"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Ekultek.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-04-19T20:40:19.000Z","updated_at":"2025-03-30T05:43:27.000Z","dependencies_parsed_at":"2022-07-14T14:01:02.866Z","dependency_job_id":"68c9aab3-a4e0-4248-9d14-43dcd4b30834","html_url":"https://github.com/Ekultek/WhatBreach","commit_stats":{"total_commits":42,"total_committers":4,"mean_commits":10.5,"dds":0.0714285714285714,"last_synced_commit":"dad6b9f223b053ec522d57c08a698a6026142cd5"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ekultek%2FWhatBreach","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ekultek%2FWhatBreach/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ekultek%2FWhatBreach/releases","manifests_url":"ht
tps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ekultek%2FWhatBreach/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Ekultek","download_url":"https://codeload.github.com/Ekultek/WhatBreach/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246355383,"owners_count":20763990,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["breach","breaches","domains","emails","osint"],"created_at":"2024-08-01T02:01:53.792Z","updated_at":"2025-03-30T17:31:18.805Z","avatar_url":"https://github.com/Ekultek.png","language":"Python","funding_links":[],"categories":["Python","Open Sources Intelligence (OSINT)","Uncategorized","OSINT Tools","osint","EMAIL"],"sub_categories":["Email search and analysis tools","Uncategorized","Web Vulnerability Scanners","Email, phone search and analysis tools"],"readme":"# WhatBreach\n\nWhatBreach is an OSINT tool that simplifies the task of discovering what breaches an email address has been discovered in. WhatBreach provides a simple and effective way to search either multiple, or a single email address and discover all known breaches that this email has been seen in. From there WhatBreach is capable of downloading the database if it is publicly available, downloading the pastes the email was seen in, or searching the domain of the email for further investigation. To perform this task successfully WhatBreach takes advantage of the following websites and/or API's:\n\n - WhatBreach takes advantage of [haveibeenpwned.com](https://haveibeenpwned.com/)'s API. 
HIBP's API is no longer free and costs 3.50 USD per month. To get an API key please see [here](https://haveibeenpwned.com/API/Key)\n - WhatBreach takes advantage of [dehashed.com](https://dehashed.com/) in order to discover if the database has been seen in a breach before. WhatBreach provides a link to a dehashed search for effective downloading\n - WhatBreach takes advantage of [hunter.io](https://hunter.io/)'s API (requires free API token). This allows simple and effective domain searching, provides further information on the domain being searched, and stores the discovered results in a file for later processing\n - WhatBreach takes advantage of pastes from [pastebin.com](https://pastebin.com/) that have been found from HIBP. It will also provide a link to the paste that the breach was seen in and is capable of downloading the raw paste if requested\n - WhatBreach takes advantage of [databases.today](https://databases.today/) to download the databases off the website. This allows a simple and effective way of downloading databases without having to search manually\n - WhatBreach takes advantage of [weleakinfo.com](https://weleakinfo.com/)'s API (requires free API token). This provides an extra search for the email in order to discover even more public breaches\n - WhatBreach takes advantage of [emailrep.io](https://emailrep.io/)'s simple open API to search for possible profiles associated with an email; it also dumps all information discovered into a file for further processing\n\nSome interesting features of WhatBreach include the following:\n \n - Ability to detect whether the email is a ten minute email and prompt whether to process it\n - Check the email for deliverable status using hunter.io\n - Ability to throttle the requests in order to help prevent HIBP from blocking you\n - Download the databases (since they are large) into a directory of your choice\n - Search either a single email or a text file containing one email per line\n\n# 
Examples\n\nHelp page:\n```\nusage: whatbreach.py [-h] [-e EMAIL] [-l PATH] [-nD] [-nP] [-sH] [-wL] [-dP]\n                     [-vH] [-cT] [-d] [-s DIRECTORY-PATH] [--throttle TIME]\n\noptional arguments:\n  -h, --help            show this help message and exit\n\nmandatory opts:\n  -e EMAIL, --email EMAIL\n                        Pass a single email to scan for\n  -l PATH, -f PATH, --list PATH, --file PATH\n                        Pass a file containing emails one per line to scan\n\nsearch opts:\n  -nD, --no-dehashed    Suppres dehashed output\n  -nP, --no-pastebin    Suppress Pastebin output\n  -sH, --search-hunter  Search hunter.io with a provided email address and\n                        query for all information, this will process all\n                        emails found as normal\n  -wL, --search-weleakinfo\n                        Search weleakinfo.com as well as HIBP for results\n\nmisc opts:\n  -dP, --download-pastes\n                        Download pastes associated with the email address\n                        found (if any)\n  -vH, --verify-hunter  Verify the emails found on hunter.io for deliverable\n                        status\n  -cT, --check-ten-minute\n                        Check if the provided email address is a ten minute\n                        email or not\n  -d, --download        Attempt to download the database if there is one\n                        available\n  -s DIRECTORY-PATH, --save-dir DIRECTORY-PATH\n                        Pass a directory to save the downloaded databases into\n                        instead of the `HOME` path\n  --throttle TIME       Throttle the HIBP requests to help prevent yourself\n                        from being blocked\n```\n\nSimple email search:\n```\npython whatbreach.py -e user1337@gmail.com\n\n\t                                                    _____ \n\t   _ _ _ _       _   _____                 _       |___  |\n\t  | | | | |_ ___| |_| __  |___ ___ ___ ___| |_       |  _|\n\t  | | | | 
  | .'|  _| __ -|  _| -_| .'|  _|   |      |_|  \n\t  |_____|_|_|__,|_| |_____|_| |___|__,|___|_|_|[][][]|_|\n\tFind emails and their associated leaked databases.. v0.1.5\n\n\n[ i ] starting search on single email address: user1337@gmail.com\n[ i ] searching breached accounts on HIBP related to: user1337@gmail.com\n[ i ] searching for paste dumps on HIBP related to: user1337@gmail.com\n[ i ] found a total of 9 database breach(es) pertaining to: user1337@gmail.com\n---------------------------------------------------------------------------\nBreach/Paste:\t     | Database/Paste Link:\nDailymotion          | https://www.dehashed.com/search?query=Dailymotion\n500px                | https://www.dehashed.com/search?query=500px\nLinkedIn             | https://www.dehashed.com/search?query=LinkedIn\nMyFitnessPal         | https://www.dehashed.com/search?query=MyFitnessPal\nBolt                 | https://www.dehashed.com/search?query=Bolt\nDropbox              | https://www.dehashed.com/search?query=Dropbox\nLastfm               | https://www.dehashed.com/search?query=Lastfm\nApollo               | https://www.dehashed.com/search?query=Apollo\nOnlinerSpambot       | N/A                           \n---------------------------------------------------------------------------\n```\n\nSearching with weleakinfo and haveibeenpwned:\n```\npython whatbreach.py -e user1337@gmail.com -wL\n\n\t                                                    _____ \n\t   _ _ _ _       _   _____                 _       |___  |\n\t  | | | | |_ ___| |_| __  |___ ___ ___ ___| |_       |  _|\n\t  | | | |   | .'|  _| __ -|  _| -_| .'|  _|   |      |_|  \n\t  |_____|_|_|__,|_| |_____|_| |___|__,|___|_|_|[][][]|_|\n\tFind emails and their associated leaked databases.. 
v0.1.5\n\n\n[ i ] starting search on single email address: user1337@gmail.com\n[ i ] searching breached accounts on HIBP related to: user1337@gmail.com\n[ i ] searching for paste dumps on HIBP related to: user1337@gmail.com\n[ i ] searching weleakinfo.com for breaches related to: user1337@gmail.com\n[ i ] discovered a total of 12 more breaches from weleakinfo.com\n[ i ] found a total of 21 database breach(es) pertaining to: user1337@gmail.com\n[ w ] large amount of database breaches, obtaining links from dehashed (this may take a minute)\n-------------------------------------------------------------------------------\nBreach/Paste:\t     | Database/Paste Link:\nPesfan.com           | https://www.dehashed.com/search?query=Pesfan.com\nDailymotion          | https://www.dehashed.com/search?query=Dailymotion\nApollo               | https://www.dehashed.com/search?query=Apollo\nMyFitnessPal         | https://www.dehashed.com/search?query=MyFitnessPal\n500px                | https://www.dehashed.com/search?query=500px\nCollection 4         | https://www.dehashed.com/search?query=Collection 4\nOnlinerSpambot       | N/A                           \nLinkedIn             | https://www.dehashed.com/search?query=LinkedIn\nDropbox.com          | https://www.dehashed.com/search?query=Dropbox.com\n500px.com            | https://www.dehashed.com/search?query=500px.com\nDailymotion.com      | https://www.dehashed.com/search?query=Dailymotion.com\nLast.fm March 2012   | https://www.dehashed.com/search?query=Last.fm March 2012\nDropbox              | https://www.dehashed.com/search?query=Dropbox\nMyfitnesspal.com     | https://www.dehashed.com/search?query=Myfitnesspal.com\nCollection 1         | https://www.dehashed.com/search?query=Collection 1\nCollection 2         | https://www.dehashed.com/search?query=Collection 2\nBolt.cd              | https://www.dehashed.com/search?query=Bolt.cd\nLastfm               | https://www.dehashed.com/search?query=Lastfm\nBolt                 | 
https://www.dehashed.com/search?query=Bolt\nCollection 3         | https://www.dehashed.com/search?query=Collection 3\nLinkedIn.com         | https://www.dehashed.com/search?query=LinkedIn.com\n-------------------------------------------------------------------------------\n```\n\nDownloading public databases:\n```\npython whatbreach.py -e user1337@gmail.com -d\n\n\t                                                    _____ \n\t   _ _ _ _       _   _____                 _       |___  |\n\t  | | | | |_ ___| |_| __  |___ ___ ___ ___| |_       |  _|\n\t  | | | |   | .'|  _| __ -|  _| -_| .'|  _|   |      |_|  \n\t  |_____|_|_|__,|_| |_____|_| |___|__,|___|_|_|[][][]|_|\n\tFind emails and their associated leaked databases.. v0.1.5\n\n\n[ i ] starting search on single email address: user1337@gmail.com\n[ i ] searching breached accounts on HIBP related to: user1337@gmail.com\n[ i ] searching for paste dumps on HIBP related to: user1337@gmail.com\n[ i ] found a total of 9 database breach(es) pertaining to: user1337@gmail.com\n---------------------------------------------------------------------------\nBreach/Paste:\t     | Database/Paste Link:\nDailymotion          | https://www.dehashed.com/search?query=Dailymotion\n500px                | https://www.dehashed.com/search?query=500px\nLinkedIn             | https://www.dehashed.com/search?query=LinkedIn\nMyFitnessPal         | https://www.dehashed.com/search?query=MyFitnessPal\nBolt                 | https://www.dehashed.com/search?query=Bolt\nDropbox              | https://www.dehashed.com/search?query=Dropbox\nLastfm               | https://www.dehashed.com/search?query=Lastfm\nApollo               | https://www.dehashed.com/search?query=Apollo\nOnlinerSpambot       | N/A                           \n---------------------------------------------------------------------------\n[ i ] searching for downloadable databases using query: dailymotion\n[ w ] no databases appeared to be present and downloadable related to query: 
Dailymotion\n[ i ] searching for downloadable databases using query: 500px\n[ w ] no databases appeared to be present and downloadable related to query: 500px\n[ i ] searching for downloadable databases using query: linkedin\n[ ? ] discovered publicly available database for query LinkedIn, do you want to download [y/N]: n\n[ i ] skipping download as requested\n[ w ] no databases appeared to be present and downloadable related to query: LinkedIn\n[ i ] searching for downloadable databases using query: myfitnesspal\n[ w ] no databases appeared to be present and downloadable related to query: MyFitnessPal\n[ i ] searching for downloadable databases using query: bolt\n[ w ] no databases appeared to be present and downloadable related to query: Bolt\n[ i ] searching for downloadable databases using query: dropbox\n[ ? ] discovered publicly available database for query Dropbox, do you want to download [y/N]: n\n[ i ] skipping download as requested\n[ w ] no databases appeared to be present and downloadable related to query: Dropbox\n[ i ] searching for downloadable databases using query: lastfm\n[ ? 
] discovered publicly available database for query Lastfm, do you want to download [y/N]: n\n[ i ] skipping download as requested\n[ w ] no databases appeared to be present and downloadable related to query: Lastfm\n[ i ] searching for downloadable databases using query: apollo\n[ w ] no databases appeared to be present and downloadable related to query: Apollo\n[ i ] searching for downloadable databases using query: onlinerspambot\n[ w ] no databases appeared to be present and downloadable related to query: OnlinerSpambot\n```\n\nUsing hunter.io for domain hunting and throttling the requests to attempt prevention of HIBP from blocking you:\n```\npython whatbreach.py -e user1337@fbi.com -sH --throttle 35\n\n\t                                                    _____ \n\t   _ _ _ _       _   _____                 _       |___  |\n\t  | | | | |_ ___| |_| __  |___ ___ ___ ___| |_       |  _|\n\t  | | | |   | .'|  _| __ -|  _| -_| .'|  _|   |      |_|  \n\t  |_____|_|_|__,|_| |_____|_| |___|__,|___|_|_|[][][]|_|\n\tFind emails and their associated leaked databases.. 
v0.1.5\n\n\n[ i ] starting search on hunter.io using user1337@fbi.com\n[ i ] discovered a total of 11 email(s)\n[ i ] information discovered associated with fbi.com\n[ i ] discovered possible pattern to emails: {first}.{last}@fbi.com\n[ w ] did not discover any associated phone number(s)\n[ i ] discovered associated email address(es):\n\t-\u003e user1337@fbi.com\n\t-\u003e blackeagle@fbi.com\n\t-\u003e jillian.cartwright@fbi.com\n\t-\u003e management@fbi.com\n\t-\u003e info@fbi.com\n\t-\u003e fmulder@fbi.com\n\t-\u003e markamorgan@fbi.com\n\t-\u003e james.bond@fbi.com\n\t-\u003e robert.mueller@fbi.com\n[ w ] hit maximum length, total of 1 not displayed\n[ i ] discovered associated external URL(s):\n\t-\u003e http://jobsnotification.blogspot.com/2011/03/ifbi-pgdbo-admission-2011-pg-diploma-in.html\n\t-\u003e http://complaintsboard.com/complaints/fbi-robert-s-muelleriii-huber-heights-ohio-c121118.html\n\t-\u003e http://user.xmission.com/~daina/known_scammers.html\n\t-\u003e http://anonymousxwrites.blogspot.com/2012/02\n\t-\u003e http://boingboing.net/2012/02/14\n\t-\u003e http://joewein.net/dbl-update/2014-06/2014-06-22.htm\n\t-\u003e http://anonymousxwrites.blogspot.fr/2012/02/federal-bureau-of-investigation-fbi-yet.html\n\t-\u003e http://anonymousxwrites.blogspot.sg/2012/02\n\t-\u003e http://meg-golpistasvirtuais.blogspot.fr/2013/04/update-emails-addresses-scammers-dia.html\n[ w ] hit maximum length, total of 35 not displayed\n[ i ] dumping all information into json file for further processing\n[ i ] information written to: /Users/admin/.whatbreach_home/downloads/json_dumps/cbNcFiXZsU_fbi.com.json\n[ i ] searching breached accounts on HIBP related to: user1337@fbi.com\n[ i ] searching for paste dumps on HIBP related to: user1337@fbi.com\n[ ! ] email user1337@fbi.com was not found in any breach\n[ i ] searching breached accounts on HIBP related to: blackeagle@fbi.com\n[ i ] searching for paste dumps on HIBP related to: blackeagle@fbi.com\n[ ! 
] email blackeagle@fbi.com was not found in any breach\n[ i ] searching breached accounts on HIBP related to: jillian.cartwright@fbi.com\n[ i ] searching for paste dumps on HIBP related to: jillian.cartwright@fbi.com\n...\n```\n\nChecking for ten minute emails:\n```\npython whatbreach.py -l test.txt -cT \n\n\t                                                    _____ \n\t   _ _ _ _       _   _____                 _       |___  |\n\t  | | | | |_ ___| |_| __  |___ ___ ___ ___| |_       |  _|\n\t  | | | |   | .'|  _| __ -|  _| -_| .'|  _|   |      |_|  \n\t  |_____|_|_|__,|_| |_____|_| |___|__,|___|_|_|[][][]|_|\n\tFind emails and their associated leaked databases.. v0.1.5\n\n\n[ i ] parsing email file: test.txt\n[ i ] starting search on a total of 2 email(s)\n[ i ] searching breached accounts on HIBP related to: user1337@gmail.com\n[ i ] searching for paste dumps on HIBP related to: user1337@gmail.com\n[ i ] found a total of 9 database breach(es) pertaining to: user1337@gmail.com\n---------------------------------------------------------------------------\nBreach/Paste:\t     | Database/Paste Link:\nDailymotion          | https://www.dehashed.com/search?query=Dailymotion\n500px                | https://www.dehashed.com/search?query=500px\nLinkedIn             | https://www.dehashed.com/search?query=LinkedIn\nMyFitnessPal         | https://www.dehashed.com/search?query=MyFitnessPal\nBolt                 | https://www.dehashed.com/search?query=Bolt\nDropbox              | https://www.dehashed.com/search?query=Dropbox\nLastfm               | https://www.dehashed.com/search?query=Lastfm\nApollo               | https://www.dehashed.com/search?query=Apollo\nOnlinerSpambot       | N/A                           \n---------------------------------------------------------------------------\n[ w ] email: userl337@uhren.com appears to be a ten minute email\n[ ? 
] would you like to process the email[y/N]: n\n```\n\nSearching for profiles associated with the email:\n```\npython whatbreach.py -e user@gmail.com -cA\n\n                                                            _____ \n           _ _ _ _       _   _____                 _       |___  |\n          | | | | |_ ___| |_| __  |___ ___ ___ ___| |_       |  _|\n          | | | |   | .'|  _| __ -|  _| -_| .'|  _|   |      |_|  \n          |_____|_|_|__,|_| |_____|_| |___|__,|___|_|_|[][][]|_|\n        Find emails and their associated leaked databases.. v0.1.8\n\n\n[ i ] starting search on single email address: user@gmail.com\n[ i ] searching for possible profiles related to user@gmail.com\n[ i ] all data dumped to file for future processing: /Users/admin/.whatbreach_home/downloads/json_dumps/user_emailrep.json\n[ i ] found a total of 5 possible profiles associated with user@gmail.com on the following domains:\n        -\u003e Twitter\n        -\u003e Instagram\n        -\u003e Pastebin\n        -\u003e Pinterest\n        -\u003e Spotify\n...\n```\n\n# Installation\n\nInstalling is extremely easy, just run `pip install -r requirements.txt`\n\n# Why?\n\nDuring my time in information technology, during researching and doing OSINT, I have noticed a need to find email addresses as well as their password. I have found reliable tools that do this successfully and make the process quick and easy, however I have not found a tool that meets my exact requirements. This tool is basically my own personal take on how I think email searching should work and ties in the database searching and database downloading as well. 
What better way to break into an email than to have the possible password as well as all _known_ breaches it's been seen in?\n\n# Shoutouts\n\n - [NullArray](https://github.com/NullArray) for providing me with the idea for the hash checking and the idea for the databases.today downloads, as well as being an awesome and supportive person at all times.\n - [khast3x](https://github.com/khast3x) (or as you know him the creator of [h8mail](https://github.com/khast3x/h8mail)) for being supportive and an overall enjoyable person. The best way to find the data in the databases downloaded from this tool is to use [h8mail](https://github.com/khast3x/h8mail), it's quick, efficient, and easy. Go check it out.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FEkultek%2FWhatBreach","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FEkultek%2FWhatBreach","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FEkultek%2FWhatBreach/lists"}