Breach Databases — Commercial Sources¶
Coming soon
Integrations with commercial breach providers are in development. Release — Q3-Q4 2026.
What this is¶
Beyond public HIBP, there's an entire market of commercial breach aggregators. They aggregate the same breach dumps, but additionally contain:
- Dumps that for legal reasons never made it into HIBP.
- Decrypted plaintext passwords from cracked hashes.
- Data from combo-lists and stealer logs (RedLine, Raccoon, Vidar — malware that steals credentials from infected PCs).
- Privately-traded breach dumps from closed forums.
This means much broader coverage than HIBP, but paid, with a grayer legal posture.
Why this matters¶
HIBP gives you the fact: email X was in breach Y. Commercial bases give email X + specific password Z — and that changes everything:
- You see the actual password your CTO used in a 2018 dump.
- You know whether that password is still in use somewhere (via safe one-way checks).
- You detect password reuse between employees' personal and corporate accounts.
- You find your internal credentials in stealer logs — meaning someone in your company has malware on their laptop leaking passwords right now.
Supported providers¶
The platform integrates 3 main providers:
- Dehashed — most comprehensive (14B+ records). $5/week or $180/year.
- LeakCheck — cleaner API, separate channel for stealer logs. From $50/month.
- BreachDirectory — free fallback, less fresh index.
You can connect several at once — the platform dedupes results automatically.
Stealer logs — a separate value¶
Stealer logs are raw dumps from infected PCs: browser cookies, saved passwords, history, screenshots. If your employee got hit by RedLine/Raccoon, the log shows from which sites credentials were stolen.
What we check:
- Whether logs contain records with your corporate domain (auth.yourcompany.com, vpn.yourcompany.com).
- If yes — Critical, immediate IR: this employee is compromised right now, urgent credential rotation and laptop cleanup are needed.
What we store (and what we don't)¶
⚠️ The platform doesn't store plaintext passwords long-term. That's a security policy and compliance requirement.
- Plaintext is accessible at the moment of finding view through a separate endpoint with audit logging (who looked and when).
- 30 days after resolution it's removed even from audit logs — only the compromise fact remains.
- For long-term storage we keep only the bcrypt-hash of the password (can verify a match but not recover the password).
Severity¶
| Severity | Case |
|---|---|
| Critical | Plaintext password from a breach < 12 months old, active employee email + stealer log with your domain |
| High | Plaintext password from an older breach |
| Medium | Hashed password (not cracked) in a dump |
| Low | Email without password in a fresh dump |
How to connect (planned)¶
- Purchase API access from one or more providers (Dehashed / LeakCheck / BreachDirectory).
- Settings → Detection Sources → Breach Databases.
- Pick the provider from the list.
- Paste the API key — stored encrypted on our side.
- The first scan starts automatically.
Legal considerations¶
⚠️ Use of breach data is regulated:
- GDPR (EU) — processing personal data needs a legal basis. Typically — legitimate interest for security purposes.
- Local law — in some jurisdictions (UAE, China) use is restricted.
The platform does not allow export of plaintext passwords — only viewing for resolution. If your compliance officer wants to review our data handling policy — contact support@bytecode.team.
Roadmap¶
- Q3 2026: Dehashed integration (MVP).
- Q4 2026: LeakCheck + stealer logs.
- 2027: BreachDirectory as fallback.
FAQ¶
Isn't HIBP alone enough? For small companies — yes, HIBP covers ~80% of needs. For enterprise with compliance requirements and a real IR process, commercial bases add the critical ~20% — fresh breaches and stealer logs with active malware live there.
Who sees my emails when I query a provider? All these providers log API requests. It's a trust relationship — pick a reputable vendor. Dehashed and LeakCheck publicly claim non-logging for API keys.