search-leaks

OSINT CLI for breach and infostealer exposure statistics

search-leaks is an open-source, OSINT-focused command-line tool maintained by a member of Haltman.io. It queries public threat-intelligence endpoints from Hudson Rock (Cavalier OSINT) to retrieve statistical indicators related to data leaks, credential exposure, and infostealer activity.

The tool is designed for security assessments and due diligence, not for harvesting or storing sensitive breach payloads. It consumes statistical JSON responses only and prints structured, greppable output suitable for reports, internal reviews, and automated pipelines.

Typical use cases include:

  • Vendor and third-party risk assessment

  • Corporate exposure checks (domain-level)

  • Mailbox exposure validation during incident response

  • High-level breach risk reporting without handling raw stolen data


Installation

Requirements

git clone https://github.com/haltman-io/search-leaks.git
cd search-leaks
go mod tidy
go build -o search-leaks ./cmd/search-leaks

Run:

./search-leaks -h

Install into $GOBIN

go install github.com/haltman-io/search-leaks/cmd/search-leaks@latest

Verify:

search-leaks -h

If the binary is not found, ensure $GOBIN (or $(go env GOPATH)/bin) is in your PATH.


Configuration

No configuration is required.

  • No API keys

  • No environment variables

  • No config files

All behavior is controlled via CLI flags and execution mode.


Usage

Basic usage

Single domain:

search-leaks -t example.com

Single email:

search-leaks -t user@example.com


Target input methods

Supported input sources:

  • --target / -t (repeatable, comma-separated)

  • --target-list / -tL (file paths, repeatable)

  • stdin / pipeline

Examples:

search-leaks -t google.com,twitter.com
search-leaks -tL targets1.txt -tL targets2.txt
cat targets.txt | search-leaks


Execution modes

Only one mode can be active per run.

Automatic mode (default)

Automatically detects target type:

  • Email → email endpoint

  • Anything else → domain endpoint

search-leaks -t example.com -t user@example.com

Forced domain mode

All targets are treated as domains. If an email is provided, its domain is extracted.

search-leaks -d -t user@corp.com

Forced email mode

All targets are treated as emails. If a domain is provided, it is expanded into common mailbox aliases:

  • postmaster@

  • abuse@

  • hostmaster@

  • webmaster@

  • admin@

  • administrator@

  • root@

search-leaks -e -t example.com

Statistics-only mode (domain)

For quick reporting, use statistics-only output:

search-leaks --statistics -t tesla.com

This prints only high-signal fields:

  • total

  • employees

  • users

  • third_parties

  • last_employee_compromised

  • last_user_compromised


Output format

Output is structured and line-oriented, designed for easy parsing:

[target] [request_url]
[target] [key: value]
[target] [arrayItem(n)] [key: value]

Example (email query):

[user@example.com] [total_corporate_services: 5]
[user@example.com] [stealer(1)] [operating_system: Windows 10]

Example (domain query):

[example.com] [employees: 0]
[example.com] [users: 0]

ANSI colors are enabled by default and can be disabled with:

search-leaks --no-color
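
A consumer for the line format above, as an added example (not part of the search-leaks code base): it strips ANSI colour codes in case --no-color was not passed, skips the request-URL line, and lists targets whose top-level counter is above zero. The names Record, Parse and Flagged, the sample lines and the placeholder URL are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Record is one field; Item is "" for top-level fields or e.g. "stealer(1)".
type Record struct{ Target, Item, Key, Value string }

var (
	ansi  = regexp.MustCompile(`\x1b\[[0-9;]*m`) // colour codes, present unless --no-color is used
	field = regexp.MustCompile(`^\[([^\]]+)\] (?:\[([^\]]+\(\d+\))\] )?\[([^:\]]+): (.*)\]$`)
)

// Parse keeps every "key: value" line and skips the rest, such as the
// "[target] [request_url]" line.
func Parse(out string) []Record {
	var recs []Record
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(ansi.ReplaceAllString(raw, ""))
		if m := field.FindStringSubmatch(line); m != nil {
			recs = append(recs, Record{m[1], m[2], m[3], m[4]})
		}
	}
	return recs
}

// Flagged lists targets whose top-level field key is an integer above zero.
func Flagged(recs []Record, key string) []string {
	var hits []string
	for _, r := range recs {
		if n, err := strconv.Atoi(r.Value); r.Item == "" && r.Key == key && err == nil && n > 0 {
			hits = append(hits, r.Target)
		}
	}
	return hits
}

// Constructed sample output; the URL is a placeholder, not the real endpoint.
const sample = "[example.com] [https://placeholder.invalid/?domain=example.com]\n" +
	"\x1b[32m[example.com]\x1b[0m [employees: 0]\n[corp.example] [employees: 3]\n" +
	"[user@example.com] [stealer(1)] [operating_system: Windows 10]\n"

func main() {
	fmt.Println(Parse(sample), Flagged(Parse(sample), "employees"))
}
```
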

Possible Problems / Important Notes

Rate limiting

  • Enforced limit: 50 requests per 10 seconds

  • The tool automatically throttles requests

  • Execution aborts after 3 consecutive API errors

A successful request resets the error counter.


Privacy & data handling

  • Only statistical metadata is retrieved

  • No breach payloads, passwords, or raw dumps are stored

  • Output is printed directly to stdout

This makes the tool suitable for environments with strict data-handling policies.


Intended use

This tool is intended for:

  • Authorized security testing

  • Corporate exposure assessment

  • Vendor risk analysis

Do not use it to target individuals or organizations without authorization.

