DeHashed
DeHashed is a credential intelligence platform aggregating breach data from thousands of compromised databases. It enables security teams to discover exposed credentials, assess password reuse risk, and perform attack surface reconnaissance through web search and programmatic API access.
Overview
Seção intitulada “Overview”DeHashed aggregates and indexes credentials from major data breaches, offering OSINT teams visibility into exposed credentials, usernames, email addresses, and hashed passwords. The platform supports free queries with limited results and premium subscriptions for unlimited access, bulk operations, and API integration.
Subscription Tiers
Seção intitulada “Subscription Tiers”| Tier | Features | Cost |
|---|---|---|
| Free | Web search only, 5 results per query | Free |
| Starter | Unlimited web searches, API access | $19/month or $190/year |
| Professional | Unlimited searches/API, bulk export, priority support | $99/month or $990/year |
| Enterprise | Custom limits, SLA, dedicated account manager | Contact sales |
API Access
Seção intitulada “API Access”- Authentication: API key (bearer token)
- Rate Limits: Varies by tier (50-1000 requests/day)
- Output Formats: JSON, CSV export
- Endpoints: Search, bulk query, statistics
Web Interface
Seção intitulada “Web Interface”Basic Search
Seção intitulada “Basic Search”Access the search bar at the main dashboard. By default, searches across all fields (email, username, IP address, etc.).
Query: john@example.com
Results show: breaches, usernames, hashes, associated credentialsField-Specific Searches
Seção intitulada “Field-Specific Searches”Use field-specific syntax to narrow results:
| Field | Syntax | Example |
|---|---|---|
email:value | email:admin@corp.com | |
| Username | username:value | username:jsmith |
| IP Address | ip_address:value | ip_address:192.168.1.1 |
| Name | name:value | name:"John Smith" |
| Address | address:value | address:"123 Main St" |
| Phone | phone:value | phone:555-1234 |
| VIN | vin:value | vin:1HGBH41JXMN109186 |
| Password | password:value | password:Password123 |
| Hashed Password | hashed_password:value | hashed_password:5f4dcc3b5aa765d61d8327deb882cf99 |
| Domain | domain:value | domain:example.com |
Advanced Filtering
Seção intitulada “Advanced Filtering”Combine field searches with operators to refine queries:
Query: email:*@example.com password:*
Result: All credentials from example.com domain with any password
Query: ip_address:10.0.* username:admin
Result: Admin accounts within 10.0.x.x subnetAPI Usage
Seção intitulada “API Usage”REST Endpoints
Seção intitulada “REST Endpoints”The primary endpoint is /api/search/breach. Authentication requires an API key passed in the request header.
Authentication
Seção intitulada “Authentication”# API key stored in header
Authorization: Bearer YOUR_API_KEY_HERE
# Example using curl
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://api.dehashed.com/search?query=admin@example.comBasic curl Examples
Seção intitulada “Basic curl Examples”# Simple email search
curl -s -H "Authorization: Bearer $API_KEY" \
"https://api.dehashed.com/search?query=admin@example.com" | jq .
# Field-specific search
curl -s -H "Authorization: Bearer $API_KEY" \
"https://api.dehashed.com/search?query=email:user@corp.com" | jq .
# IP address lookup
curl -s -H "Authorization: Bearer $API_KEY" \
"https://api.dehashed.com/search?query=ip_address:203.0.113.45" | jq .
# Paginated results
curl -s -H "Authorization: Bearer $API_KEY" \
"https://api.dehashed.com/search?query=domain:example.com&size=100&page=2" | jq .Response Format
Seção intitulada “Response Format”{
"success": true,
"query": "admin@example.com",
"took": 145,
"entries": [
{
"id": "1234567890",
"email": "admin@example.com",
"username": "admin_user",
"password": "SecurePass123!",
"hashed_password": "5f4dcc3b5aa765d61d8327deb882cf99",
"name": "John Admin",
"address": "123 Main St",
"phone": "555-0100",
"ip_address": "203.0.113.50",
"database_name": "LinkedIn_2021",
"obtained_from": "Dark Web Source",
"leaked_at": "2021-06-15"
}
],
"total": 45,
"page": 1
}Search Operators
Seção intitulada “Search Operators”Exact Match
Seção intitulada “Exact Match”Use double quotes for exact phrase matching:
# Exact email match
"john.smith@example.com"
# Exact name match
"John Smith"
# Exact password match (careful - may have encoding issues)
"MyExactPassword123!"Wildcard Searches
Seção intitulada “Wildcard Searches”Use * as a wildcard for partial matching:
# All emails from domain
*@example.com
# Usernames starting with admin
admin*
# Any password containing "password"
*password*
# IP addresses in subnet
192.168.1.*Field-Value Syntax
Seção intitulada “Field-Value Syntax”Explicitly search specific fields:
# All results from specific domain
domain:example.com
# Multiple conditions (implicit AND)
email:admin@example.com password:Pa$$word
# Username search with wildcard
username:test*
# Phone number search
phone:+1-555-*Boolean Operators
Seção intitulada “Boolean Operators”| Operator | Usage | Example |
|---|---|---|
| AND | Both conditions must match | email:admin@example.com AND domain:internal.local |
| OR | Either condition can match | email:admin@example.com OR username:administrator |
| NOT | Exclude results | email:*@example.com NOT username:test |
# AND operator (implicit - space between terms)
email:admin@example.com domain:example.com
# OR operator
email:admin@example.com OR email:root@example.com
# Negation
domain:example.com NOT username:guestPython Integration
Seção intitulada “Python Integration”Using requests Library
Seção intitulada “Using requests Library”import requests
import json
API_KEY = "your_api_key_here"
BASE_URL = "https://api.dehashed.com"
HEADERS = {"Authorization": f"Bearer {API_KEY}"}
def search_dehashed(query):
"""Search DeHashed and return results"""
params = {"query": query, "size": 100}
response = requests.get(f"{BASE_URL}/search", headers=HEADERS, params=params)
if response.status_code == 200:
return response.json()
else:
print(f"Error: {response.status_code} - {response.text}")
return None
# Example usage
results = search_dehashed("admin@example.com")
print(f"Found {results['total']} entries")
for entry in results.get('entries', []):
print(f"Email: {entry.get('email')}, Password: {entry.get('password')}")Bulk Query Operations
Seção intitulada “Bulk Query Operations”import requests
import csv
from typing import List, Dict
def bulk_search_dehashed(queries: List[str], api_key: str) -> List[Dict]:
"""Bulk search multiple queries"""
headers = {"Authorization": f"Bearer {api_key}"}
all_results = []
for query in queries:
params = {"query": query, "size": 100}
response = requests.get(
"https://api.dehashed.com/search",
headers=headers,
params=params
)
if response.status_code == 200:
data = response.json()
all_results.extend(data.get('entries', []))
print(f"Query '{query}': {len(data.get('entries', []))} results")
return all_results
# Example: Search corporate domain
domain_employees = ["emp1@corp.com", "emp2@corp.com", "emp3@corp.com"]
results = bulk_search_dehashed(domain_employees, "your_api_key")
print(f"Total results: {len(results)}")Parsing JSON Responses
Seção intitulada “Parsing JSON Responses”import json
from collections import defaultdict
def parse_dehashed_results(response_json: dict) -> dict:
"""Parse and organize results by breach source"""
analysis = defaultdict(list)
for entry in response_json.get('entries', []):
breach = entry.get('database_name', 'Unknown')
analysis[breach].append({
'email': entry.get('email'),
'username': entry.get('username'),
'password': entry.get('password'),
'leaked_date': entry.get('leaked_at')
})
return dict(analysis)
# Organize by breach source
results = search_dehashed("*@example.com")
organized = parse_dehashed_results(results)
for breach, credentials in organized.items():
print(f"\n{breach}: {len(credentials)} credentials")
for cred in credentials[:3]:
print(f" - {cred['email']} | {cred['username']}")Using dehashed-py Wrapper
Seção intitulada “Using dehashed-py Wrapper”# Installation: pip install dehashed-py
from dehashed import DehashedAPI
api = DehashedAPI(api_key="your_api_key")
# Simple search
results = api.search("admin@example.com")
print(f"Found {results.total} results")
# Iterate through entries
for entry in results.entries:
print(f"{entry.email} - {entry.password}")
# Field-specific search
results = api.search("domain:example.com")
# Pagination
results = api.search("*@example.com", page=2, size=100)Common OSINT Workflows
Seção intitulada “Common OSINT Workflows”Domain Reconnaissance
Seção intitulada “Domain Reconnaissance”Identify all exposed credentials associated with a corporate domain:
# Web interface: domain:example.com
# Shows all usernames, emails, and passwords from example.com breaches
# API approach
curl -H "Authorization: Bearer $API_KEY" \
"https://api.dehashed.com/search?query=domain:example.com&size=500"
# Results reveal:
# - Employee email patterns
# - Commonly reused usernames
# - Password complexity assessment
# - Breach sources and timelinesPassword Reuse Analysis
Seção intitulada “Password Reuse Analysis”Assess how many accounts use the same password across breaches:
def analyze_password_reuse(password, api_key):
"""Find all accounts using a specific password"""
response = requests.get(
"https://api.dehashed.com/search",
headers={"Authorization": f"Bearer {api_key}"},
params={"query": f"password:{password}"}
)
data = response.json()
print(f"Password found in {data['total']} breaches across:")
domains = defaultdict(int)
for entry in data['entries']:
domain = entry.get('email', '').split('@')[1] if '@' in entry.get('email', '') else 'unknown'
domains[domain] += 1
for domain, count in sorted(domains.items(), key=lambda x: x[1], reverse=True):
print(f" {domain}: {count} accounts")
analyze_password_reuse("Password123", api_key)Credential Stuffing Assessment
Seção intitulada “Credential Stuffing Assessment”Check if corporate employee credentials appear in breach databases:
# Search for all employees from company domain
domain:mycompany.com
# Reveals:
# - How many employees appear in breach databases
# - Which breaches exposed company credentials
# - Credential stuffing attack risk level
# - Recommended password reset priorityExecutive/VIP Exposure
Seção intitulada “Executive/VIP Exposure”Monitor critical personnel for exposure:
executives = [
"ceo@example.com",
"cto@example.com",
"cffo@example.com"
]
headers = {"Authorization": f"Bearer {api_key}"}
for email in executives:
response = requests.get(
"https://api.dehashed.com/search",
headers=headers,
params={"query": email}
)
data = response.json()
if data['total'] > 0:
print(f"ALERT: {email} exposed in {data['total']} breaches")
for entry in data['entries']:
print(f" Breach: {entry['database_name']}, Password: {entry['password']}")Supply Chain Risk Assessment
Seção intitulada “Supply Chain Risk Assessment”Search for credentials of third-party vendors and partners:
# Search vendor domain
domain:vendor-company.com
# Search vendor email patterns
email:*@partner.io
# Results inform:
# - Vendor security posture
# - Shared credential risk
# - Third-party breach impact
# - Supply chain attack surfaceBulk Operations
Seção intitulada “Bulk Operations”Batch Query from File
Seção intitulada “Batch Query from File”import requests
import csv
def batch_query_from_csv(csv_file, api_key, output_file):
"""Query multiple emails from CSV and export results"""
headers = {"Authorization": f"Bearer {api_key}"}
results = []
with open(csv_file, 'r') as f:
for row in csv.DictReader(f):
email = row.get('email')
response = requests.get(
"https://api.dehashed.com/search",
headers=headers,
params={"query": email, "size": 100}
)
if response.status_code == 200:
data = response.json()
for entry in data.get('entries', []):
results.append(entry)
# Export to CSV
if results:
with open(output_file, 'w', newline='') as f:
writer = csv.DictWriter(f, fieldnames=results[0].keys())
writer.writeheader()
writer.writerows(results)
print(f"Exported {len(results)} results to {output_file}")
batch_query_from_csv("employees.csv", "api_key", "breached_employees.csv")CSV Export
Seção intitulada “CSV Export”# Web interface: After search results, click "Export CSV"
# Downloads all results with columns:
# - Email
# - Username
# - Password
# - Hashed Password
# - Name
# - Address
# - Phone
# - IP Address
# - Database Name
# - Obtained From
# - Leaked Date
# Use with analysis tools: Excel, Power BI, SIEM integrationRate Limiting and Credits
Seção intitulada “Rate Limiting and Credits”API Credits System
Seção intitulada “API Credits System”- Free tier: 5 searches/day
- Starter tier: 50 API calls/day
- Professional tier: 1000 API calls/day
- Enterprise: Custom limits
Rate Limit Headers
Seção intitulada “Rate Limit Headers”curl -s -H "Authorization: Bearer $API_KEY" \
"https://api.dehashed.com/search?query=admin@example.com" -i
# Response headers include:
# X-RateLimit-Limit: 1000
# X-RateLimit-Remaining: 997
# X-RateLimit-Reset: 1681234567Pagination
Seção intitulada “Pagination”# Default: 10 results per page
curl -H "Authorization: Bearer $API_KEY" \
"https://api.dehashed.com/search?query=domain:example.com&size=100&page=1"
# Parameters:
# - size: 1-1000 (results per page)
# - page: 1-N (page number)
# Next page
curl -H "Authorization: Bearer $API_KEY" \
"https://api.dehashed.com/search?query=domain:example.com&size=100&page=2"Combining with Other Tools
Seção intitulada “Combining with Other Tools”Integration with Maltego
Seção intitulada “Integration with Maltego”1. Create new Maltego project
2. Add Manual Input > Email Address
3. Create Local Transform: DeHashed API search
4. Link to Password, Person, Domain entities
5. Visualize credential exposure graphCross-Reference with Hunter.io
Seção intitulada “Cross-Reference with Hunter.io”# Verify credentials against business email directory
import requests
def cross_reference_hunter(email, domain, hunter_api_key):
"""Check if DeHashed credential matches Hunter.io record"""
# Hunter.io verification
hunter_params = {"domain": domain, "email": email}
hunter_response = requests.get(
"https://api.hunter.io/v2/email-verifier",
params=hunter_params,
headers={"Authorization": f"Bearer {hunter_api_key}"}
)
if hunter_response.status_code == 200:
validity = hunter_response.json().get('data', {}).get('result')
print(f"{email}: Hunter.io verification = {validity}")
return validity == "valid"
return False
# High-confidence exposure: DeHashed + Hunter.io verifiedEnriching BloodHound Data
Seção intitulada “Enriching BloodHound Data”# Add exposed credentials to BloodHound for attack path analysis
# Feed DeHashed results into BloodHound graph database
def enrich_bloodhound(dehashed_results):
"""Convert DeHashed credentials to BloodHound objects"""
for entry in dehashed_results:
create_bloodhound_user(
username=entry['username'],
email=entry['email'],
exposed=True,
breach_source=entry['database_name'],
leaked_date=entry['leaked_at']
)
# Enables: "Show all exposed users" queries in BloodHoundTroubleshooting
Seção intitulada “Troubleshooting”Common Issues
Seção intitulada “Common Issues”| Issue | Cause | Solution |
|---|---|---|
| No results | Query too specific or data not indexed | Try wildcard or different field |
| 401 Unauthorized | Invalid or expired API key | Verify API key in account settings |
| 429 Too Many Requests | Rate limit exceeded | Check X-RateLimit-Remaining header, wait for reset |
| Invalid query syntax | Malformed field syntax | Use field:value format without spaces |
| Special characters fail | URL encoding issues | Properly escape or URL-encode special chars |
Debug API Requests
Seção intitulada “Debug API Requests”# Verbose curl output
curl -v -H "Authorization: Bearer $API_KEY" \
"https://api.dehashed.com/search?query=test@example.com"
# Check response status and headers
curl -i -H "Authorization: Bearer $API_KEY" \
"https://api.dehashed.com/search?query=test@example.com"
# Pretty-print JSON response
curl -s -H "Authorization: Bearer $API_KEY" \
"https://api.dehashed.com/search?query=test@example.com" | jq '.' | lessBest Practices
Seção intitulada “Best Practices”Legal Considerations
Seção intitulada “Legal Considerations”- Authorization: Only search credentials for systems you own or have permission to assess
- CFAA Compliance: Unauthorized access to computer systems is illegal in many jurisdictions
- Data Privacy: Protect exposed credentials responsibly; don’t publicly disclose without context
- Client Engagement: Document written authorization before conducting security assessments
- Regulatory Requirements: Follow GDPR, CCPA, and local data protection laws
Responsible Use
Seção intitulada “Responsible Use”## Acceptable Use Cases
- Security audits with explicit client approval
- Incident response and breach notification
- Compliance auditing (PCI-DSS, SOC 2)
- Employee security awareness training
- Vendor risk assessment (with vendor permission)
## Prohibited Use Cases
- Unauthorized access to employee personal data
- Blackmail, extortion, or identity theft
- Competitive intelligence without authorization
- Public disclosure of unpatched vulnerabilities
- Mass surveillance or targeting without consentClient Authorization Template
Seção intitulada “Client Authorization Template”Before searching for credentials, ensure written authorization:
[CLIENT LETTERHEAD]
AUTHORIZATION FOR SECURITY ASSESSMENT
We, [Company Name], authorize [Security Team] to conduct credential
intelligence assessments using DeHashed API against our infrastructure
and employee base as part of our security testing engagement dated
[DATE] through [DATE].
This authorization covers:
- Search of corporate domain credentials
- Assessment of exposed employee credentials
- Evaluation of password reuse across breaches
- Supply chain risk assessment
Restrictions:
- Only query systems and credentials we own
- Maintain confidentiality of findings
- Report only to authorized stakeholders
- Destroy raw data upon engagement conclusion
Authorized by: [Name/Title]
Date: [DATE]Related Tools
Seção intitulada “Related Tools”| Tool | Purpose | Integration |
|---|---|---|
| IntelX | Breach search + chat analysis | Alternative OSINT search engine |
| SpyCloud | Enterprise credential recovery | Combines DeHashed + proprietary sources |
| Snusbase | Breach data search and API | Similar to DeHashed, larger database |
| HaveIBeenPwned | Consumer breach checking | Free, single-email focus |
| Maltego | Graph-based OSINT | Direct DeHashed integration |
| TheHarvester | Email enumeration | Feed results to DeHashed |
| Hunter.io | Business email verification | Cross-reference exposed credentials |
| Shodan | Internet-facing asset discovery | Combine with DeHashed for targeting |
| Censys | Certificate/SSL intelligence | Identify domains to search |
Workflow: Combined OSINT Stack
Seção intitulada “Workflow: Combined OSINT Stack”1. Domain enumeration (Censys, certificate transparency logs)
↓
2. Email discovery (Hunter.io, TheHarvester)
↓
3. Credential search (DeHashed, IntelX)
↓
4. Asset mapping (Shodan, nmap)
↓
5. Graph analysis (Maltego, BloodHound)
↓
6. Risk reporting and remediation