Skip to content

Breach Databases — Commercial Sources

Coming soon

Integrations with commercial breach providers are in development. Release — Q3-Q4 2026.

What this is

Beyond public HIBP, there's an entire market of commercial breach aggregators. They aggregate the same breach dumps, but additionally contain:

  • Dumps that for legal reasons never made it into HIBP.
  • Decrypted plaintext passwords from cracked hashes.
  • Data from combo-lists and stealer logs (RedLine, Raccoon, Vidar — malware that steals credentials from infected PCs).
  • Privately-traded breach dumps from closed forums.

This means much broader coverage than HIBP, but paid, with a grayer legal posture.

Why this matters

HIBP gives you the fact: email X was in breach Y. Commercial bases give email X + specific password Z — and that changes everything:

  • You see the actual password your CTO used in a 2018 dump.
  • You know whether that password is still in use somewhere (via safe one-way checks).
  • You detect password reuse between employees' personal and corporate accounts.
  • You find your internal credentials in stealer logs — meaning someone in your company has malware on their laptop leaking passwords right now.

Supported providers

The platform integrates 3 main providers:

  • Dehashed — most comprehensive (14B+ records). $5/week or $180/year.
  • LeakCheck — cleaner API, separate channel for stealer logs. From $50/month.
  • BreachDirectory — free fallback, less fresh index.

You can connect several at once — the platform dedupes results automatically.

Stealer logs — a separate value

Stealer logs are raw dumps from infected PCs: browser cookies, saved passwords, history, screenshots. If your employee got hit by RedLine/Raccoon, the log shows from which sites credentials were stolen.

What we check:

  • Whether logs contain records with your corporate domain (auth.yourcompany.com, vpn.yourcompany.com).
  • If yes — Critical, immediate IR: this employee is compromised right now, urgent credential rotation and laptop cleanup are needed.

What we store (and what we don't)

⚠️ The platform doesn't store plaintext passwords long-term. That's a security policy and compliance requirement.

  • Plaintext is accessible at the moment of finding view through a separate endpoint with audit logging (who looked and when).
  • 30 days after resolution it's removed even from audit logs — only the compromise fact remains.
  • For long-term storage we keep only the bcrypt-hash of the password (can verify a match but not recover the password).

Severity

Severity Case
Critical Plaintext password from a breach < 12 months old, active employee email + stealer log with your domain
High Plaintext password from an older breach
Medium Hashed password (not cracked) in a dump
Low Email without password in a fresh dump

How to connect (planned)

  1. Purchase API access from one or more providers (Dehashed / LeakCheck / BreachDirectory).
  2. Settings → Detection Sources → Breach Databases.
  3. Pick the provider from the list.
  4. Paste the API key — stored encrypted on our side.
  5. The first scan starts automatically.

⚠️ Use of breach data is regulated:

  • GDPR (EU) — processing personal data needs a legal basis. Typically — legitimate interest for security purposes.
  • Local law — in some jurisdictions (UAE, China) use is restricted.

The platform does not allow export of plaintext passwords — only viewing for resolution. If your compliance officer wants to review our data handling policy — contact support@bytecode.team.

Roadmap

  • Q3 2026: Dehashed integration (MVP).
  • Q4 2026: LeakCheck + stealer logs.
  • 2027: BreachDirectory as fallback.

FAQ

Isn't HIBP alone enough? For small companies — yes, HIBP covers ~80% of needs. For enterprise with compliance requirements and a real IR process, commercial bases add the critical ~20% — fresh breaches and stealer logs with active malware live there.

Who sees my emails when I query a provider? All these providers log API requests. It's a trust relationship — pick a reputable vendor. Dehashed and LeakCheck publicly claim non-logging for API keys.