Posted on September 30th, 2018

During my Advanced OSINT training, I demonstrate the benefits of publicly released breach data within my online investigations. These data sets often translate an email address into a full name, password, IP address, and confirmation of online accounts. Searching unique passwords can often identify alias and burner email addresses, which can lead to new intelligence. If one possessed all of the public breaches, wild card searches could lead to amazing discoveries. However, many people cannot possess the actual data due to internal policies or storage restrictions. This does not eliminate the potential to use this data as part of an investigation, thanks to numerous websites that allow searching of most public breaches. This post reviews each service and identifies the benefits and limitations of each. Let’s start with the basics. Note that I have removed all direct hyperlinks in order to prevent accidental clicking of questionable sites.

Have I Been Pwned (https://haveibeenpwned.com):

This staple has been around the longest, but does not share a ton of details. A search of an old government email address which I no longer use revealed it is present within eight data breaches including Dropbox, MySpace, and some combo lists. This confirms that the email address was a valid account at one time, and that it was used to create accounts within specific online services. As an investigator, I would now look for my target within those services. I find this site is a better email validation option than websites created for that specific purpose.

This site does not allow search via direct URL input, but the API does. The following URL instantly searches the address referenced above and identifies the same eight results as a text-only result.

https://haveibeenpwned.com/api/v2/breachedaccount/bazzell@altonpolice.com?truncateResponse=true

This can be beneficial when you have many addresses to search and you want to automate the process. It also allows me to use this search option on my Email Search Tool and User Name Search Tool. Note that this site does not display results for “sensitive” breaches such as the Ashley Madison hack. For that, you will need to use a service such as https://ashley.cynic.al.
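As an added example (not the author's Email Search Tool), the following Python builds the truncated-response URL shown above for a list of addresses you are responsible for and turns each reply into a list of breach names. It assumes the v2 truncated response is a JSON array of `{"Name": ...}` objects and that a 404 status means the address is not in any known breach; the sample responses are constructed so the code runs offline. Note that the v2 endpoint shown on the page has since been retired in favour of a v3 API that requires an API key.

```python
from __future__ import annotations
import json
from urllib.parse import quote

# Endpoint form shown on the page (HIBP API v2, truncated response).
HIBP_V2 = "https://haveibeenpwned.com/api/v2/breachedaccount/"


def build_hibp_url(email: str) -> str:
    """Build the truncated-response lookup URL for one address."""
    # safe='' percent-encodes '@', '+' and anything else that could
    # otherwise alter the path segment (e.g. "alice@x" -> "alice%40x").
    return f"{HIBP_V2}{quote(email, safe='')}?truncateResponse=true"


def parse_breach_names(status: int, body: str) -> list[str]:
    """Turn an HTTP status/body pair into a sorted list of breach names."""
    # Assumption: v2 answers 404 when the address is in no known breach.
    if status == 404:
        return []
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    # Assumption: truncated body is a JSON array of {"Name": ...} objects.
    return sorted(item["Name"] for item in json.loads(body))


def report_exposed(responses: dict[str, tuple[int, str]]) -> dict[str, list[str]]:
    """Map each monitored address to its breach names, dropping clean ones."""
    exposed: dict[str, list[str]] = {}
    for addr, (status, body) in responses.items():
        names = parse_breach_names(status, body)
        if names:
            exposed[addr] = names
    return exposed


# Constructed sample responses standing in for live API calls (no network).
SAMPLE = {
    "alice@example.org": (200, '[{"Name":"MySpace"},{"Name":"Dropbox"}]'),
    "bob@example.org": (404, ""),
}

if __name__ == "__main__":
    for addr in SAMPLE:
        print(build_hibp_url(addr))
    print(report_exposed(SAMPLE))
```

In practice you would fetch each URL with a rate-limited client and feed the status code and body into `report_exposed`, then prompt password resets for the addresses it returns.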

DeHashed (https://dehashed.com):

Similar to Have I Been Pwned, DeHashed allows a free search of any email address in order to identify known breaches. However, it is important to place the email address within quotation marks, because DeHashed allows a full wild card search by default. When searching bazzell@altonpolice.com without quotes, I received 1,164 potential hits. When searching within quotes, I received six applicable results. These results were also present within Have I Been Pwned, but I can now conduct further searching such as “altonpolice.com”, “mbazzell”, and any other target data I have such as a phone number, IP address, or full name. The results identify only the source of the breach, which will confirm the services used by my target. If I create an account and pay a few bucks, I can see the entire record, including password. The MySpace result for my old email address identifies the user number for the account and a weakly hashed password as seen below.

A quick look at the Exploit.In combo breach easily translates that hash value into my actual password from 1999 as seen below (shame on me):

A search of that email address reveals that I am not the only person to choose weak passwords at one time:

Regardless of using a free or paid account, DeHashed allows direct URL queries in the following format:

https://dehashed.com/search?query=%22bazzell%40altonpolice.com%22

DeHashed adds new breaches every week. The business model is to provide paid search services to investigators and legitimate companies. It is also present on my Email Search Tool.

SpyCloud (https://spycloud.com):

This service focuses on defensive monitoring, but can also offer a bit of OSINT to us. A query of an email address can be submitted through the home page or via direct URL at the following.

https://spycloud.com/breachstats/?email=bazzell%40altonpolice.com#

The result, as seen below, confirms that the email address is valid, it has been seen within seven breaches within SpyCloud’s database, the domain is present within 78 breaches, and it was last seen within a breach one week prior to the search.

In order to see the full report, you must request access, and the result will be sent to the email address searched. Therefore, if you do not own the email of interest, you cannot see any further detail. If you search your own address, you can receive a full report and sign up for free monitoring. This will notify you if any new breaches are discovered containing your account. SpyCloud has a full-time staff adding new breaches every week. The business model is to provide paid monitoring services for large companies.

Gotcha (https://gotcha.pw):

The previous options actively collect entire data breaches and insert them into self-maintained databases. This may be overkill for your needs. Gotcha possesses only one large “Combo” file, which likely consists of the Exploit.In and AntiPublic credential lists floating around publicly. A search can be conducted from the home page or via direct URL as follows.

https://gotcha.pw/search/bazzell@altonpolice.com

The results sanitize the full record, but we can still confirm a partial password as seen below.

Due to the direct URL option, I have added this to the Email Search Tool. Because the results are masked, it is unlikely this resource will be shut down any time soon.

Ghost Project (https://ghostproject.fr/):

This site seems to possess the exact same combo file as Gotcha, but it reveals the entire password of a target. In my example, the following result identifies a full password without the need for any registration.

Wild card searching through this site was hit or miss. A user name appeared to work well, but a password failed. It seems that the wild card searches only apply to the first portion of the first field of the combo list, which is almost always an email address. In other words, “bazzell” had several hits but “altonpolice.com” had none. My gut tells me that this will either turn into a premium site or will disappear completely.

We Leak Info (https://weleakinfo.com/):

My first complaint about this site is that it blocks most VPN IP addresses. Every US-based VPN server I tried that is used by PIA and ProtonVPN was blocked. All Tor addresses were also banned. Fortunately, switching to a Canadian server released the block and I was able to proceed. The search for my example email address provided the expected results as seen below. The drop-down search box allows search of user names, email addresses, passwords, hashed passwords, IP addresses, telephone numbers, and full names.

Viewing the details of each breach, including the passwords, requires a premium account. While the prices are similar to DeHashed, I believe that DeHashed has better data. We Leak Info also advertises on many of the “hacker”-related sites as a “hack tool” and tries to force users to connect with their real IP addresses. Therefore, I only recommend using We Leak Info as a free cursory search behind an international VPN IP address.

Leaked Source (https://leakedsource.ru):

This service looks like a combination of Ghost Project and We Leak Info, and provides varying detail based on level of subscription. Free accounts translate an email address, IP address, user name, real name, or telephone number into a notification of any breaches that contain the target data. Obtaining passwords or any sensitive details requires a paid account. Similar to We Leak Info, I find the collection a bit stale and overpriced. Again, I believe DeHashed is a better choice for paid content. The following was the result of my demo search. It was the least productive of all searches.

NEVER RECOMMENDED:

SnusBase (https://www.snusbase.com): This service requires an account and premium paid subscription before any searches can be conducted. I found the prices to be high and the content to be weaker than the other paid searches. I see no reason to use this service since a paid subscription is required for any searches.

Have I Been Compromised (https://haveibeencompromised.com): This service only displays results to the account owner. It is easy to accidentally search a target email address, which sends an email to the target, notifying him or her of your actions.

Hacked-Emails (https://hacked-emails.com): Similar to the previous option, you will obtain no valuable information here. It will also notify the target of the search.

Summary:

I believe that any thorough OSINT investigator should take advantage of all free resources available during every investigation. I have embedded the best options into my Email Search Tool. For defensively monitoring your own accounts, I believe SpyCloud is the most effective and has the strongest collection of breaches. For offensive investigation, I believe DeHashed is the best paid resource. I am sure I am missing some, and this list may continue to grow as new services emerge. I have also posted a new video for the members of the IntelTechniques Video Training on how to fully utilize these resources during investigations. Obviously, use this data responsibly. Protect your true IP address with a VPN at all times. Attempting to use credentials that do not belong to you is a crime.

Filed under OSINT, Security