Database Leaks API

Retrieve corporate email addresses exposed in third-party database breaches for a given domain. Results are grouped by breach source and include metadata such as breach date, description, and exposed data fields.

Endpoint

POST https://api.whiteintel.io/get_third_party_db_leaks.php

Authentication

All requests require a valid API key passed in the request body.

This endpoint is only available for Enterprise and Threat Intelligence (tifirm) license tiers.

Request

Headers

Header

Value

Required

Content-Type

application/json

Yes

Body Parameters

Parameter

Type

Required

Default

Description

apikey

string

Yes

—

Your WhiteIntel API key

query

string

Yes

—

The domain to search (e.g. tripadvisor.com) Must be a valid domain address.

page

integer

1

Page number for pagination

limit

integer

500

Number of records to return. Min 1, max 5000

start_date

string

—

Filter by breach date start. Format: YYYY-MM-DD. Must be used with end_date

end_date

string

—

Filter by breach date end. Format: YYYY-MM-DD. Must be used with start_date

Query parameter must be an domain address. Email addresses or "*" chars are not allowed.

Example Request

curl -X POST https://api.whiteintel.io/get_third_party_db_leaks.php \
  -H 'Content-Type: application/json' \
  -d '{"apikey":"YOUR_API_KEY","query":"tesla.com","page":1,"limit":1000}'

With date filter:

curl -X POST https://api.whiteintel.io/get_third_party_db_leaks.php \
  -H 'Content-Type: application/json' \
  -d '{"apikey":"YOUR_API_KEY","query":"tesla.com","start_date":"2024-01-01","end_date":"2026-12-31","page":1,"limit":1000}'

Response

Success Response

{
  "success": true,
  "remaining_daily_calls": 47,
  "total_databases": 2,
  "results": [
    {
      "database_name": "Apollo",
      "breach_date": "2018-07-23",
      "breach_description": "In July 2018, the sales engagement startup Apollo left a database exposed...",
      "data_fields": "Email, Name, Phone, Title, Company",
      "total": 1243,
      "page": 1,
      "limit": 1000,
      "accounts": [
        {
          "id": 27256247,
          "email": "[email protected]",
          "password": "plaintext_if_available",
          "hashed_password": null
        }
      ]
    },
    {
      "database_name": "LinkedIn",
      "breach_date": "2021-06-01",
      "breach_description": "In June 2021, data associated with 700 million LinkedIn users was posted...",
      "data_fields": "Email, Name, LinkedIn URL, Job Title",
      "total": 87,
      "page": 1,
      "limit": 1000,
      "accounts": [...]
    }
  ]
}

Empty Result

{
  "success": true,
  "results": []
}

Response Fields

Root

Field

Type

Description

success

boolean

Whether the request was processed successfully

remaining_daily_calls

integer

How many API calls you have left today

total_databases

integer

Number of distinct breach sources returned

results

array

Array of breach group objects

Breach Group Object (results[])

Field

Type

Description

database_name

string

Name of the breached database/source

breach_date

string

Date of the breach in YYYY-MM-DD format

breach_description

string

Human-readable description of the breach

data_fields

string

Comma-separated list of data types exposed in this breach

total

integer

Total number of records for this domain in this breach

page

integer

Current page

limit

integer

Records per page

accounts

array

Paginated list of exposed account objects

Account Object (accounts[])

Field

Type

Description

id

integer

Internal record ID

email

string

Exposed email address

password

string or null

Plaintext password if available, otherwise null

hashed_password

string or null

Hashed password if available, otherwise null

Pagination

The limit applies globally across all breach sources, not per source. For example, with limit=1000 and two databases containing 600 and 800 records respectively:

Page 1 → 600 from DB1 + 400 from DB2 = 1000 total
Page 2 → 400 remaining from DB2 + 400 from DB3 = 800 total

This ensures you never receive duplicate records across pages.

Error Responses

HTTP Status

Error

400

Invalid request method or content type

403

API key missing or invalid

403

Subscription tier not eligible

403

Daily limit reached

429

Rate limited — wait 5 seconds between requests

Error Response Format

{
  "success": false,
  "error": "Database leak API is only available for Enterprise and Threat Intelligence licenses."
}

Rate Limits

Limit Type

Value

Request rate

1 request per 1 second

Daily call limit

Depends on your plan

Records per call

Max 5000

remaining_daily_calls in the response tells you exactly how many calls you have left for the day.

Notes

start_date and end_date must always be provided together. Providing only one will return an error.
The total field in each breach group reflects the true total for that source, even if fewer records are returned due to pagination.
Domains are automatically normalized — passing https://www.nonexistentdomain.com will resolve to nonexistentdomain.com.

PreviousLookalike Domains API NextThreat Feed API

Last updated 5 hours ago

hashtagEndpoint

hashtagAuthentication

hashtagRequest

hashtagHeaders

hashtagBody Parameters

hashtagExample Request

hashtagResponse

hashtagSuccess Response

hashtagEmpty Result

hashtagResponse Fields

hashtagPagination

hashtagError Responses

hashtagError Response Format

hashtagRate Limits

hashtagNotes

Endpoint

Authentication

Request

Headers

Body Parameters

Example Request

Response

Success Response

Empty Result

Response Fields

Pagination

Error Responses

Error Response Format

Rate Limits

Notes