DeHashed

DeHashed is a credential intelligence platform aggregating breach data from thousands of compromised databases. It enables security teams to discover exposed credentials, assess password reuse risk, and perform attack surface reconnaissance through web search and programmatic API access.

Overview

DeHashed aggregates and indexes credentials from major data breaches, offering OSINT teams visibility into exposed credentials, usernames, email addresses, and hashed passwords. The platform supports free queries with limited results and premium subscriptions for unlimited access, bulk operations, and API integration.

Subscription Tiers

Tier	Features	Cost
Free	Web search only, 5 results per query	Free
Starter	Unlimited web searches, API access	$19/month or $190/year
Professional	Unlimited searches/API, bulk export, priority support	$99/month or $990/year
Enterprise	Custom limits, SLA, dedicated account manager	Contact sales

API Access

Authentication: API key (bearer token)
Rate Limits: Varies by tier (50-1000 requests/day)
Output Formats: JSON, CSV export
Endpoints: Search, bulk query, statistics

Web Interface

Basic Search

Access the search bar at the main dashboard. By default, searches across all fields (email, username, IP address, etc.).

Query: john@example.com
Results show: breaches, usernames, hashes, associated credentials

Field-Specific Searches

Use field-specific syntax to narrow results:

Field	Syntax	Example
Email	`email:value`	`email:admin@corp.com`
Username	`username:value`	`username:jsmith`
IP Address	`ip_address:value`	`ip_address:192.168.1.1`
Name	`name:value`	`name:"John Smith"`
Address	`address:value`	`address:"123 Main St"`
Phone	`phone:value`	`phone:555-1234`
VIN	`vin:value`	`vin:1HGBH41JXMN109186`
Password	`password:value`	`password:Password123`
Hashed Password	`hashed_password:value`	`hashed_password:5f4dcc3b5aa765d61d8327deb882cf99`
Domain	`domain:value`	`domain:example.com`

Advanced Filtering

Combine field searches with operators to refine queries:

Query: email:*@example.com password:*
Result: All credentials from example.com domain with any password

Query: ip_address:10.0.* username:admin
Result: Admin accounts within 10.0.x.x subnet

API Usage

REST Endpoints

The primary endpoint is /api/search/breach. Authentication requires an API key passed in the request header.

Authentication

# API key stored in header
Authorization: Bearer YOUR_API_KEY_HERE

# Example using curl
curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://api.dehashed.com/search?query=admin@example.com

Basic curl Examples

# Simple email search
curl -s -H "Authorization: Bearer $API_KEY" \
  "https://api.dehashed.com/search?query=admin@example.com" | jq .

# Field-specific search
curl -s -H "Authorization: Bearer $API_KEY" \
  "https://api.dehashed.com/search?query=email:user@corp.com" | jq .

# IP address lookup
curl -s -H "Authorization: Bearer $API_KEY" \
  "https://api.dehashed.com/search?query=ip_address:203.0.113.45" | jq .

# Paginated results
curl -s -H "Authorization: Bearer $API_KEY" \
  "https://api.dehashed.com/search?query=domain:example.com&size=100&page=2" | jq .

Response Format

{
  "success": true,
  "query": "admin@example.com",
  "took": 145,
  "entries": [
    {
      "id": "1234567890",
      "email": "admin@example.com",
      "username": "admin_user",
      "password": "SecurePass123!",
      "hashed_password": "5f4dcc3b5aa765d61d8327deb882cf99",
      "name": "John Admin",
      "address": "123 Main St",
      "phone": "555-0100",
      "ip_address": "203.0.113.50",
      "database_name": "LinkedIn_2021",
      "obtained_from": "Dark Web Source",
      "leaked_at": "2021-06-15"
    }
  ],
  "total": 45,
  "page": 1
}

Search Operators

Exact Match

Use double quotes for exact phrase matching:

# Exact email match
"john.smith@example.com"

# Exact name match
"John Smith"

# Exact password match (careful - may have encoding issues)
"MyExactPassword123!"

Wildcard Searches

Use * as a wildcard for partial matching:

# All emails from domain
*@example.com

# Usernames starting with admin
admin*

# Any password containing "password"
*password*

# IP addresses in subnet
192.168.1.*

Field-Value Syntax

Explicitly search specific fields:

# All results from specific domain
domain:example.com

# Multiple conditions (implicit AND)
email:admin@example.com password:Pa$$word

# Username search with wildcard
username:test*

# Phone number search
phone:+1-555-*

Boolean Operators

Operator	Usage	Example
AND	Both conditions must match	`email:admin@example.com AND domain:internal.local`
OR	Either condition can match	`email:admin@example.com OR username:administrator`
NOT	Exclude results	`email:*@example.com NOT username:test`

# AND operator (implicit - space between terms)
email:admin@example.com domain:example.com

# OR operator
email:admin@example.com OR email:root@example.com

# Negation
domain:example.com NOT username:guest

Python Integration

Using requests Library

import requests
import json

API_KEY = "your_api_key_here"
BASE_URL = "https://api.dehashed.com"
HEADERS = {"Authorization": f"Bearer {API_KEY}"}

def search_dehashed(query):
    """Search DeHashed and return results"""
    params = {"query": query, "size": 100}
    response = requests.get(f"{BASE_URL}/search", headers=HEADERS, params=params)
    
    if response.status_code == 200:
        return response.json()
    else:
        print(f"Error: {response.status_code} - {response.text}")
        return None

# Example usage
results = search_dehashed("admin@example.com")
print(f"Found {results['total']} entries")

for entry in results.get('entries', []):
    print(f"Email: {entry.get('email')}, Password: {entry.get('password')}")

Bulk Query Operations

import requests
import csv
from typing import List, Dict

def bulk_search_dehashed(queries: List[str], api_key: str) -> List[Dict]:
    """Bulk search multiple queries"""
    headers = {"Authorization": f"Bearer {api_key}"}
    all_results = []
    
    for query in queries:
        params = {"query": query, "size": 100}
        response = requests.get(
            "https://api.dehashed.com/search",
            headers=headers,
            params=params
        )
        
        if response.status_code == 200:
            data = response.json()
            all_results.extend(data.get('entries', []))
            print(f"Query '{query}': {len(data.get('entries', []))} results")
    
    return all_results

# Example: Search corporate domain
domain_employees = ["emp1@corp.com", "emp2@corp.com", "emp3@corp.com"]
results = bulk_search_dehashed(domain_employees, "your_api_key")
print(f"Total results: {len(results)}")

Parsing JSON Responses

import json
from collections import defaultdict

def parse_dehashed_results(response_json: dict) -> dict:
    """Parse and organize results by breach source"""
    analysis = defaultdict(list)
    
    for entry in response_json.get('entries', []):
        breach = entry.get('database_name', 'Unknown')
        analysis[breach].append({
            'email': entry.get('email'),
            'username': entry.get('username'),
            'password': entry.get('password'),
            'leaked_date': entry.get('leaked_at')
        })
    
    return dict(analysis)

# Organize by breach source
results = search_dehashed("*@example.com")
organized = parse_dehashed_results(results)

for breach, credentials in organized.items():
    print(f"\n{breach}: {len(credentials)} credentials")
    for cred in credentials[:3]:
        print(f"  - {cred['email']} | {cred['username']}")

Using dehashed-py Wrapper

# Installation: pip install dehashed-py
from dehashed import DehashedAPI

api = DehashedAPI(api_key="your_api_key")

# Simple search
results = api.search("admin@example.com")
print(f"Found {results.total} results")

# Iterate through entries
for entry in results.entries:
    print(f"{entry.email} - {entry.password}")

# Field-specific search
results = api.search("domain:example.com")

# Pagination
results = api.search("*@example.com", page=2, size=100)

Common OSINT Workflows

Domain Reconnaissance

Identify all exposed credentials associated with a corporate domain:

# Web interface: domain:example.com
# Shows all usernames, emails, and passwords from example.com breaches

# API approach
curl -H "Authorization: Bearer $API_KEY" \
  "https://api.dehashed.com/search?query=domain:example.com&size=500"

# Results reveal:
# - Employee email patterns
# - Commonly reused usernames
# - Password complexity assessment
# - Breach sources and timelines

Password Reuse Analysis

Assess how many accounts use the same password across breaches:

def analyze_password_reuse(password, api_key):
    """Find all accounts using a specific password"""
    response = requests.get(
        "https://api.dehashed.com/search",
        headers={"Authorization": f"Bearer {api_key}"},
        params={"query": f"password:{password}"}
    )
    
    data = response.json()
    print(f"Password found in {data['total']} breaches across:")
    
    domains = defaultdict(int)
    for entry in data['entries']:
        domain = entry.get('email', '').split('@')[1] if '@' in entry.get('email', '') else 'unknown'
        domains[domain] += 1
    
    for domain, count in sorted(domains.items(), key=lambda x: x[1], reverse=True):
        print(f"  {domain}: {count} accounts")

analyze_password_reuse("Password123", api_key)

Credential Stuffing Assessment

Check if corporate employee credentials appear in breach databases:

# Search for all employees from company domain
domain:mycompany.com

# Reveals:
# - How many employees appear in breach databases
# - Which breaches exposed company credentials
# - Credential stuffing attack risk level
# - Recommended password reset priority

Executive/VIP Exposure

Monitor critical personnel for exposure:

executives = [
    "ceo@example.com",
    "cto@example.com",
    "cffo@example.com"
]

headers = {"Authorization": f"Bearer {api_key}"}

for email in executives:
    response = requests.get(
        "https://api.dehashed.com/search",
        headers=headers,
        params={"query": email}
    )
    
    data = response.json()
    if data['total'] > 0:
        print(f"ALERT: {email} exposed in {data['total']} breaches")
        for entry in data['entries']:
            print(f"  Breach: {entry['database_name']}, Password: {entry['password']}")

Supply Chain Risk Assessment

Search for credentials of third-party vendors and partners:

# Search vendor domain
domain:vendor-company.com

# Search vendor email patterns
email:*@partner.io

# Results inform:
# - Vendor security posture
# - Shared credential risk
# - Third-party breach impact
# - Supply chain attack surface

Bulk Operations

Batch Query from File

import requests
import csv

def batch_query_from_csv(csv_file, api_key, output_file):
    """Query multiple emails from CSV and export results"""
    headers = {"Authorization": f"Bearer {api_key}"}
    results = []
    
    with open(csv_file, 'r') as f:
        for row in csv.DictReader(f):
            email = row.get('email')
            response = requests.get(
                "https://api.dehashed.com/search",
                headers=headers,
                params={"query": email, "size": 100}
            )
            
            if response.status_code == 200:
                data = response.json()
                for entry in data.get('entries', []):
                    results.append(entry)
    
    # Export to CSV
    if results:
        with open(output_file, 'w', newline='') as f:
            writer = csv.DictWriter(f, fieldnames=results[0].keys())
            writer.writeheader()
            writer.writerows(results)
    
    print(f"Exported {len(results)} results to {output_file}")

batch_query_from_csv("employees.csv", "api_key", "breached_employees.csv")

CSV Export

# Web interface: After search results, click "Export CSV"
# Downloads all results with columns:
# - Email
# - Username
# - Password
# - Hashed Password
# - Name
# - Address
# - Phone
# - IP Address
# - Database Name
# - Obtained From
# - Leaked Date

# Use with analysis tools: Excel, Power BI, SIEM integration

Rate Limiting and Credits

API Credits System

Free tier: 5 searches/day
Starter tier: 50 API calls/day
Professional tier: 1000 API calls/day
Enterprise: Custom limits

Rate Limit Headers

curl -s -H "Authorization: Bearer $API_KEY" \
  "https://api.dehashed.com/search?query=admin@example.com" -i

# Response headers include:
# X-RateLimit-Limit: 1000
# X-RateLimit-Remaining: 997
# X-RateLimit-Reset: 1681234567

Pagination

# Default: 10 results per page
curl -H "Authorization: Bearer $API_KEY" \
  "https://api.dehashed.com/search?query=domain:example.com&size=100&page=1"

# Parameters:
# - size: 1-1000 (results per page)
# - page: 1-N (page number)

# Next page
curl -H "Authorization: Bearer $API_KEY" \
  "https://api.dehashed.com/search?query=domain:example.com&size=100&page=2"

Combining with Other Tools

Integration with Maltego

1. Create new Maltego project
2. Add Manual Input > Email Address
3. Create Local Transform: DeHashed API search
4. Link to Password, Person, Domain entities
5. Visualize credential exposure graph

Cross-Reference with Hunter.io

# Verify credentials against business email directory
import requests

def cross_reference_hunter(email, domain, hunter_api_key):
    """Check if DeHashed credential matches Hunter.io record"""
    
    # Hunter.io verification
    hunter_params = {"domain": domain, "email": email}
    hunter_response = requests.get(
        "https://api.hunter.io/v2/email-verifier",
        params=hunter_params,
        headers={"Authorization": f"Bearer {hunter_api_key}"}
    )
    
    if hunter_response.status_code == 200:
        validity = hunter_response.json().get('data', {}).get('result')
        print(f"{email}: Hunter.io verification = {validity}")
        return validity == "valid"
    
    return False

# High-confidence exposure: DeHashed + Hunter.io verified

Enriching BloodHound Data

# Add exposed credentials to BloodHound for attack path analysis
# Feed DeHashed results into BloodHound graph database

def enrich_bloodhound(dehashed_results):
    """Convert DeHashed credentials to BloodHound objects"""
    for entry in dehashed_results:
        create_bloodhound_user(
            username=entry['username'],
            email=entry['email'],
            exposed=True,
            breach_source=entry['database_name'],
            leaked_date=entry['leaked_at']
        )

# Enables: "Show all exposed users" queries in BloodHound

Troubleshooting

Common Issues

Issue	Cause	Solution
No results	Query too specific or data not indexed	Try wildcard or different field
401 Unauthorized	Invalid or expired API key	Verify API key in account settings
429 Too Many Requests	Rate limit exceeded	Check X-RateLimit-Remaining header, wait for reset
Invalid query syntax	Malformed field syntax	Use `field:value` format without spaces
Special characters fail	URL encoding issues	Properly escape or URL-encode special chars

Debug API Requests

# Verbose curl output
curl -v -H "Authorization: Bearer $API_KEY" \
  "https://api.dehashed.com/search?query=test@example.com"

# Check response status and headers
curl -i -H "Authorization: Bearer $API_KEY" \
  "https://api.dehashed.com/search?query=test@example.com"

# Pretty-print JSON response
curl -s -H "Authorization: Bearer $API_KEY" \
  "https://api.dehashed.com/search?query=test@example.com" | jq '.' | less

Best Practices

Legal Considerations

Authorization: Only search credentials for systems you own or have permission to assess
CFAA Compliance: Unauthorized access to computer systems is illegal in many jurisdictions
Data Privacy: Protect exposed credentials responsibly; don’t publicly disclose without context
Client Engagement: Document written authorization before conducting security assessments
Regulatory Requirements: Follow GDPR, CCPA, and local data protection laws

Responsible Use

## Acceptable Use Cases
- Security audits with explicit client approval
- Incident response and breach notification
- Compliance auditing (PCI-DSS, SOC 2)
- Employee security awareness training
- Vendor risk assessment (with vendor permission)

## Prohibited Use Cases
- Unauthorized access to employee personal data
- Blackmail, extortion, or identity theft
- Competitive intelligence without authorization
- Public disclosure of unpatched vulnerabilities
- Mass surveillance or targeting without consent

Client Authorization Template

Before searching for credentials, ensure written authorization:

[CLIENT LETTERHEAD]

AUTHORIZATION FOR SECURITY ASSESSMENT

We, [Company Name], authorize [Security Team] to conduct credential 
intelligence assessments using DeHashed API against our infrastructure 
and employee base as part of our security testing engagement dated 
[DATE] through [DATE].

This authorization covers:
- Search of corporate domain credentials
- Assessment of exposed employee credentials
- Evaluation of password reuse across breaches
- Supply chain risk assessment

Restrictions:
- Only query systems and credentials we own
- Maintain confidentiality of findings
- Report only to authorized stakeholders
- Destroy raw data upon engagement conclusion

Authorized by: [Name/Title]
Date: [DATE]

Tool	Purpose	Integration
IntelX	Breach search + chat analysis	Alternative OSINT search engine
SpyCloud	Enterprise credential recovery	Combines DeHashed + proprietary sources
Snusbase	Breach data search and API	Similar to DeHashed, larger database
HaveIBeenPwned	Consumer breach checking	Free, single-email focus
Maltego	Graph-based OSINT	Direct DeHashed integration
TheHarvester	Email enumeration	Feed results to DeHashed
Hunter.io	Business email verification	Cross-reference exposed credentials
Shodan	Internet-facing asset discovery	Combine with DeHashed for targeting
Censys	Certificate/SSL intelligence	Identify domains to search

Workflow: Combined OSINT Stack

1. Domain enumeration (Censys, certificate transparency logs)
   ↓
2. Email discovery (Hunter.io, TheHarvester)
   ↓
3. Credential search (DeHashed, IntelX)
   ↓
4. Asset mapping (Shodan, nmap)
   ↓
5. Graph analysis (Maltego, BloodHound)
   ↓
6. Risk reporting and remediation