Primary Use Case

Security analysts and threat intelligence professionals use WhatBreach to quickly discover if an email address has been compromised in known data breaches, pastes, or databases. It helps in assessing the risk exposure of email accounts and domains by consolidating breach data from various public and paid APIs.

Key Features

Search single or multiple emails for breach data

Integrates with haveibeenpwned, dehashed, hunter.io, weleakinfo, emailrep.io, pastebin, and databases.today

Download breached databases and raw pastes when publicly available

Detects and warns about temporary (ten minute) email addresses

Checks email deliverability status via hunter.io

Throttles requests to avoid API rate limiting or blocking

Supports domain searches to gather related email information

Stores discovered results in files for later processing

Insights & Recommendations

Users must obtain and configure API keys for several integrated services, some of which require paid subscriptions (e.g., haveibeenpwned). The tool respects API rate limits by allowing throttling of requests. It is recommended to verify email deliverability and avoid scanning temporary emails to improve result relevance. Downloading large breached databases requires sufficient storage and bandwidth.

Clone the repository from GitHub Install required dependencies (not explicitly listed, but likely Python packages) Obtain API keys for haveibeenpwned.com (paid), hunter.io (free), and weleakinfo.com (free) Configure API keys as needed before running the tool

Usage

whatbreach.py -e user@example.com

Scan a single email address for known breaches and related information.

whatbreach.py -l emails.txt

Scan multiple emails listed one per line in a file.

whatbreach.py -e user@example.com -nD

Scan a single email but suppress output from dehashed.com.

whatbreach.py -e user@example.com -nP

Scan a single email but suppress Pastebin output.

whatbreach.py -e user@example.com -sH

Search hunter.io for the email and process all found emails normally.

whatbreach.py -e user@example.com -wL

Search weleakinfo.com in addition to haveibeenpwned for results.

whatbreach.py -e user@example.com -dP

Download pastes associated with the email address if available.

whatbreach.py -e user@example.com -vH

Verify deliverability status of emails found on hunter.io.

whatbreach.py -e user@example.com -cT

Check if the email address is a temporary (ten minute) email.

whatbreach.py -e user@example.com -d -s /path/to/save

Download breached databases into a specified directory.

whatbreach.py --throttle 5 -e user@example.com

Throttle requests with a 5-second delay to avoid API blocking.

Smart Usage Notes

Integrate WhatBreach into automated threat intelligence workflows to enrich email and domain risk profiles.Use the tool to proactively identify compromised credentials during phishing simulation campaigns.Leverage domain search features to map potential exposure across organizational email assets.Combine with SIEM solutions to correlate breach data with internal alerts for faster incident detection.Schedule regular scans of critical email lists to support continuous risk assessment and user awareness.

OpenSec Atlas

WhatBreach

About This Tool

Primary Use Case

Key Features

Insights & Recommendations

Installation

Usage

Smart Usage Notes

Security Capability Profile

Tags

You Might Also Like