CheckLeaked.cc — Breach & OSINT Intelligence Suite

The most comprehensive breach-lookup + OSINT enrichment actor on Apify. One API call. Six upstream data sources. Cracked passwords, Gmail profiles, geo-located IPs, and a 0–100 risk score per identifier.

A single osint_report query against a real email returns 12+ breach records, 12 distinct leak sources, full Google profile (maps, reviews, photos, services), and a computed risk score — the kind of dossier that costs enterprise OSINT vendors $500+/month to produce. This actor delivers it for a tiny fraction of that, billed per request.

---

What you actually get per query

Run osint_report on one email, one name, one IP, one hash — the actor fans it out across every compatible CheckLeaked endpoint and emits one enriched record per hit plus one merged dossier:

Identifier input	Records returned
name@gmail.com	12+ breach records · cracked passwords · hashed passwords · usernames · IPs · full Google profile · maps reviews
john.doe@company.com	Breach dumps across Dehashed + Snusbase + LeakCheck · historical passwords · linked usernames · last-seen IPs
Eduardo Airaudo (name)	20+ cross-database person records · emails · phones · addresses · linked breach sources
8.8.8.8 (IP)	Geo (city + street + lat/lon) · ASN · ISP · WHOIS · proxy/hosting flags · threat data
5f4dcc3b… (MD5)	Plaintext recovery via rainbow tables · additional password reuse context
airaudoeduardo (user)	Cross-platform breach entries · email links · social surface area

Every run also emits a combined dossier with:

• breach_count, breach_sources[]
• cracked_password (plaintext, when Snusbase / rainbow tables recover it)
• gmail_profile (names, photos, linked Google services — Maps, Photos, Meet, YouTube — plus public reviews)
• ip_geo (city-level geo + ASN + hosting flag)
• risk_score 0–100 and risk_level (none | low | medium | high | critical)
• summary — one-liner human-readable

This is the raw fuel for account-takeover detection, executive protection, KYC/onboarding risk, fraud investigations, and journalistic OSINT — all in a single dataset row.

---

Why it's worth paying per request

The actor is not a commodity lookup. Each query:

1. Pays upstream. CheckLeaked.cc subscriptions start at ~$19 / month for ~500 lookups — roughly $0.038 of raw wholesale cost per query, and osint_report consumes 3–5 upstream calls to produce one dossier.
2. Fans out across six paid data layers (Dehashed, Snusbase, LeakCheck.io, CheckLeaked rainbow tables, IP2Location + MaxMind + whois, Google GHunt) that would cost $200+/month combined as direct subscriptions.
3. Runs correlation logic — deduping breach sources, detecting types, computing a risk score, flattening Dehashed's nested entry payload, recovering the password most likely to still be in use.
4. Returns hundreds of fields per hit — each of which downstream analysts charge hourly to surface manually.

Most competitors charge $0.25–$2.00 per breach lookup (Dehashed pay-per-use starts at $5/20 queries = $0.25, HaveIBeenPwned Enterprise starts at $0.05 per search but is email-only and has no password/hash data, IntelX starts at $3,000/year). This actor undercuts every one of them while returning more data in fewer calls.

---

Pricing

The actor uses Apify's Pay-Per-Event billing. You only pay for events that actually return value. Failed upstream calls, 401s, and empty responses are free.

Per-event prices

Event	Apify charge	What triggers it
osint_report.dossier	$0.25	One merged report row with breach_count, risk_score, summary.
osint_report.gmail_profile	$0.30	A Gmail identity surface (Maps, reviews, services) was recovered.
dehashed.record	$0.05	One Dehashed breach record (email/password/hash/PII fields).
experimental.record	$0.04	One Snusbase / experimental-index breach record.
leak_check.record	$0.02	One LeakCheck.io breach record (email/username hit).
crack_hash.plaintext	$0.10	A hash was successfully reversed to plaintext.
ip_lookup.record	$0.01	Geo + ASN + whois returned for one IP.
ghunt.profile	$0.35	Standalone GHunt Gmail profile (only when mode=ghunt is called directly).

Events are only counted for successful responses. 401, 429, timeout, empty response → no charge.

Typical dossier cost

Scenario (one osint_report call)	Breaches	Gmail profile?	Billed events	You pay
Email (heavy breach history)	12	✅	1 dossier + 1 gmail + 12 records	$0.94
Email (light breach history)	2	✅	1 dossier + 1 gmail + 2 records	$0.65
Email, non-Gmail	6	—	1 dossier + 6 records	$0.55
IP address	2	—	1 dossier + 2 records + 1 ip_lookup	$0.36
MD5 hash (cracked)	0	—	1 dossier + 1 plaintext	$0.35
Name lookup	20	—	1 dossier + 20 records	$1.25

Clean 404-style query (no breaches, no profile): $0.25 (dossier-only).

Monthly subscription alternatives

If you're running > 100 queries per month, rent the actor flat-rate:

Plan	Monthly rent	Included queries / month	Overage per dossier	Best for
Starter	$29	150 dossiers	$0.22	Single analyst, spot checks
Professional	$99	600 dossiers	$0.18	KYC / fraud teams, weekly VIP monitoring
Business	$299	2 500 dossiers	$0.12	SOC, continuous employee breach monitoring
Scale	$999	12 000 dossiers	$0.08	Data brokers, threat-intel vendors
Enterprise	custom	unlimited + SLA + SAML	—	Government, MSSPs, cyber-insurance

All tiers include:

• Full access to every mode (osint_report, dehashed, experimental, leak_check, crack_hash, ip_lookup, ghunt)
• Cracked passwords, hashed passwords, Gmail profiles unlocked
• Apify Scheduler + webhooks + integrations (Zapier, Make, n8n)
• Dataset export (CSV / JSON / Excel / RSS) + direct API pulls
• Automatic retries, exponential backoff, proxy support

What your payment actually covers

• Upstream data subscriptions — CheckLeaked.cc (Pro tier, required for plaintext passwords + GHunt + loadAll), Snusbase, LeakCheck.io gateway access. These alone cost the operator ~$19–$99/month per key, and this actor uses aggregated keys across multiple tiers.
• Rainbow-table compute — crack_hash hits CheckLeaked's own rainbow-table infrastructure, which is billed by query.
• Apify platform compute — container startup, memory, bandwidth.
• Engineering + maintenance — the actor keeps up with upstream schema changes (Dehashed reshuffles entry fields frequently), new breach imports, and adds new sources as they appear.

Why not self-host?

You can — CheckLeaked.cc publishes a REST API. But you'd need:

1. A $19–$99/month CheckLeaked.cc subscription.
2. A $49/month Snusbase account for experimental.
3. A LeakCheck.io API key ($10–$50/month) plus a static IP whitelisted on LeakCheck's dashboard (they don't support dynamic IPs).
4. Proxy rotation for rate limits.
5. Retry + pagination + auto-detect + risk-score code.
6. Maintenance for every upstream schema change.

This actor bundles all of it, billed only when a query actually returns intelligence.

---

Quick start

{
    "apiKey": "YOUR-CHECKLEAKED-BOT-KEY",
    "mode": "osint_report",
    "queries": [
        { "entry": "john.doe@gmail.com" },
        { "entry": "8.8.8.8" },
        { "entry": "5d41402abc4b2a76b9719d911017c592" }
    ]
}

That single run:

• auto-detects each entry's type (email / IP / hash / phone / username / name),
• calls every compatible CheckLeaked endpoint in parallel with retry + backoff,
• emits one dataset row per sub-service hit plus one merged dossier row per identifier with breach_count, risk_score, and summary.

Typical wall-clock time: 1–3 seconds per identifier.

One-shot (Zapier / Make / webhook style)

{
    "apiKey": "…",
    "mode": "osint_report",
    "singleEntry": "ceo@acme.io"
}

---

Modes

Mode	Upstream endpoint	Purpose
osint_report ★	combined fan-out	Flagship. Runs every compatible endpoint, emits merged dossier
dehashed	POST /api/dehashed	Paginated Dehashed lookups, plaintext + hashed passwords
experimental	POST /api/experimental	Snusbase-backed index. loadAll=true expands truncated rows
leak_check	GET /api/leak_check	Fast LeakCheck.io breach hits (needs leakCheckKey)
crack_hash	POST /api/crack_hash	Reverse MD5 / SHA hashes against rainbow tables
ip_lookup	GET /api/ip	City-level geo + ASN + WHOIS + threat flags
ghunt	GET /api/ghunt	Google / Gmail OSINT — names, photos, Maps, reviews, services

★ = the headline mode. Use it unless you specifically need one endpoint.

Allowed type values per mode

dehashed      : email, username, ip_address, name, address, phone, vin, free
experimental  : email, username, mass, password, name, hash, lastip
leak_check    : auto, email, username, keyword, domain, phone, hash, password,
                origin, phash (+ legacy: mass, login, pass_email,
                domain_email, pass_login)
crack_hash    : (type ignored — entry must be the hash itself)
ip_lookup     : (type ignored — IPv4/IPv6; empty to look up outbound IP)
ghunt         : (type ignored — entry must be a Gmail address)
osint_report  : any of the above, auto-detected if type omitted

Auto-detect rules

Entry shape	Detected type
foo@bar.com	email
1.2.3.4 / 2001:db8::1	ip_address
32 / 40 / 64 hex chars	hash
Digits only, 7–15 chars, optional +	phone
Short alnum token	username
Everything else	keyword

Gmail routing for GHunt checks for the @gmail.com suffix.

---

Input reference

Field	Type	Default	Purpose
apiKey	secret string	—	CheckLeaked.cc bot key. Required except for pure leak_check.
leakCheckKey	secret string	—	LeakCheck.io key. Required for leak_check; optional extra source in osint_report.
mode	enum	osint_report	Which endpoint(s) to call.
queries	[{entry, type?}]	[]	One row per lookup; type auto-detects if omitted.
singleEntry / singleType	string / string	—	Shortcut for one-shot runs.
startPage	int	1	First page for dehashed.
maxPages	int	5	Max pages per query (dehashed). Stops early on empty page.
loadAll	bool	false	Add ?loadAll=true to experimental calls. Pro/Plus only.
maskPasswords	bool	false	Redact password, hashed_password, hash before writing.
includeRawResponse	bool	false	Keep raw field with upstream JSON (doubles dataset size).
maxConcurrency	int	3	Parallel upstream requests.
delayMs	int	0	Sleep after each request per worker.
maxRetries	int	4	Retries on 429 / 5xx / network errors.
requestTimeoutSecs	int	180	Per-request timeout. Dehashed cold cache needs ≥ 120.
proxyConfiguration	Apify proxy	off	Optional outbound proxy.
stopOnError	bool	false	Abort on first hard 4xx. Otherwise errors become dataset rows.

---

Output

Every hit and every run-level summary is pushed to the default dataset. The actor also writes a RUN_STATS object to the key-value store with totals and per-query error breakdown.

Dossier row (osint_report)

{
  "mode": "osint_report",
  "entry": "john.doe@gmail.com",
  "type": "email",
  "breach_count": 12,
  "breach_sources": [
    { "Name": "Trello",     "BreachDate": "2024-01-16T00:00:00.000Z" },
    { "Name": "Canva",      "BreachDate": "2019-05-24T00:00:00.000Z" },
    { "Name": "CutoutPro",  "BreachDate": "2024-02-26T00:00:00.000Z" },
    { "Name": "BreachForums", "BreachDate": "2022-11-29T00:00:00.000Z" }
  ],
  "cracked_password": "hunter2",
  "gmail_profile": {
    "personId": "111786650662019758699",
    "names": { "fullname": "John Doe" },
    "profilePhotos": { "url": "https://lh3.googleusercontent.com/..." },
    "inAppReachability": { "apps": ["Youtube", "Photos", "Maps", "Meet"] },
    "maps": { "reviews": [ { "rating": 5, "comment": "...", "location": { "name": "Blend Bar", "address": "..." } } ] }
  },
  "ip_geo": null,
  "risk_score": 86,
  "risk_level": "critical",
  "summary": "12 breach records; 12 distinct sources; plaintext password recovered; Google profile found",
  "sub_results": {
    "experimental": { "ok": true, "count": 8, "durationMs": 2149 },
    "dehashed":     { "ok": true, "count": 4, "durationMs": 234 },
    "ghunt":        { "ok": true, "count": 1, "durationMs": 205 }
  },
  "errors": [],
  "scrapedAt": "2026-04-24T00:50:50.066Z"
}

Breach-record row (flattened from each sub-service)

{
  "mode": "osint_report",
  "sub": "dehashed",
  "source": "checkleaked.cc/dehashed",
  "entry": "john.doe@gmail.com",
  "database_name": "Canva",
  "email": "john.doe@gmail.com",
  "username": "johnd",
  "password": "hunter2",
  "hashed_password": "$2y$10$...",
  "ip_address": "200.58.154.82",
  "name": "John Doe",
  "scrapedAt": "2026-04-24T00:50:50.066Z"
}

Risk score formula

score  =  min(breach_count, 50) * 2        // up to 100
       +  min(breach_sources, 20) * 2      // up to 40
       +  40  if cracked_password is truthy
       +  5   if gmail_profile present
       clamped to [0, 100]

risk_level: 0=none · 1-24=low · 25-49=medium · 50-74=high · 75-100=critical

Tune it for your org — the formula is transparent JS you can fork.

---

Integrations

• Apify Scheduler — weekly VIP breach monitoring, daily employee audits.
• Webhooks — fire a POST when risk_level in ("high", "critical").
• Zapier / Make / n8n — drop a singleEntry into the actor, receive the dossier row in your automation.
• Slack / Teams / Discord — push the summary field as a message on high risk; the full dossier as an attachment.
• Google Sheets / Airtable — stream the dataset directly via Apify's native connectors.
• BI / SIEM — pull the dataset over HTTPS as JSON / CSV; every row has stable keys so it maps cleanly to Splunk, Sentinel, Datadog, or a data warehouse.

---

Recipes

Weekly VIP email monitor

{
  "mode": "osint_report",
  "queries": [
    { "entry": "ceo@acme.io" },
    { "entry": "cfo@acme.io" },
    { "entry": "security@acme.io" }
  ],
  "maskPasswords": true
}

Wire the dataset to Slack via webhook. Filter risk_level in ("high", "critical").

Bulk MD5 / SHA hash cracking

{
  "mode": "crack_hash",
  "queries": [
    { "entry": "5d41402abc4b2a76b9719d911017c592" },
    { "entry": "098f6bcd4621d373cade4e832627b4f6" }
  ],
  "maxConcurrency": 10
}

IP enrichment (geo + breach + last-seen)

{
  "mode": "osint_report",
  "queries": [
    { "entry": "185.220.101.1" },
    { "entry": "45.33.32.156" }
  ]
}

Each IP gets ip_lookup + experimental (type=lastip) + dehashed (type=ip_address) in one run.

Domain-wide employee breach audit

{
  "mode": "dehashed",
  "queries": [{ "entry": "acme.io", "type": "email" }],
  "maxPages": 50,
  "maskPasswords": true
}

Pulls up to ~5 000 rows per query; pagination stops on the first empty page.

One-shot via Apify HTTP API

curl -X POST "https://api.apify.com/v2/acts/<USER>~checkleaked-cc/runs?token=$APIFY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "apiKey": "'"$CHECKLEAKED_KEY"'",
    "mode": "osint_report",
    "singleEntry": "ceo@acme.io"
  }'

---

Use cases

• Account takeover (ATO) prevention — screen new signups against leaked credentials before onboarding.
• KYC / AML enrichment — cross-check customer identity against breach dumps, public Gmail footprint, and flagged IPs.
• Executive protection — weekly monitoring of C-suite and board-member emails, phones, and home IPs.
• Incident response — when a credential leak alert fires, run osint_report on every exposed user in under a minute.
• Fraud + chargeback — score each transaction IP by ASN, hosting flag, and past abuse history.
• Cyber insurance underwriting — quantify breach exposure for a domain's email pattern at quote time.
• Threat intelligence — enrich Maltego / ShadowDragon graphs with password-reuse context and cracked hashes.
• Journalistic OSINT — source-verification, dark-web-forum identity correlation, public-record cross-checks.

---

Security & ethics

• Authorization required. Running breach lookups on identifiers you don't own requires prior written authorization. CheckLeaked.cc's Terms of Service restrict use to lawful purposes (security research, incident response, your own assets, or data subjects who have consented).
• Mask by default. Turn on maskPasswords: true when the dataset will be shared with anyone who doesn't need plaintext credentials (board dashboards, Slack alerts, compliance exports, third-party analysts).
• Run-level secrets. RUN_STATS records query strings. Treat every run as sensitive — restrict access via Apify team permissions, and purge old datasets on a short retention schedule.
• LeakCheck.io gateway. IP 192.126.161.211 must be whitelisted on your LeakCheck.io dashboard for leak_check mode. CheckLeaked.cc routes those requests through that gateway.
• GDPR / CCPA. The raw output may contain personal data of EU / CA residents. Log lawful basis, minimize retention, and honor deletion requests promptly.

---

Tuning & performance

CheckLeaked.cc tier	maxConcurrency	delayMs	Typical throughput
Free	1	10 000	~6 queries / min
Plus (~$7–19/mo)	10	2 000	~300 queries / min
Pro	25	0	~1 500 queries / min

Going over these ranges just earns 429s, which the actor retries with exponential backoff automatically — you won't lose data, just throughput.

---

Troubleshooting

Symptom	Likely cause	Fix
Your bot api key is required	Empty apiKey	Paste your token from https://checkleaked.cc/botLinks.
Max number of checks reached	Daily lookup quota exhausted	Wait until next UTC day or upgrade tier.
You need pro / plus access for this feature	ghunt / loadAll / plaintext on Free	Upgrade tier on CheckLeaked.cc.
Waiting for a spot in the queue	Upstream browser queue saturated (Dehashed)	Actor retries automatically; drop maxConcurrency to 1.
Repeated 429	Over cooldown	Drop maxConcurrency, raise delayMs, or upgrade tier.
leakCheckKey is required	leak_check with no LeakCheck.io key	Paste your LeakCheck.io key in the actor input.
GHunt requires a Gmail address	Non-Gmail entry in ghunt mode	Only @gmail.com addresses work for ghunt.
Actor times out	Long paginated run	Raise requestTimeoutSecs, split into multiple runs, or lower maxPages.

---

Local development

git clone <this repo>
cd apify-checkleaked-actor
npm install

mkdir -p storage/key_value_stores/default
cat > storage/key_value_stores/default/INPUT.json <<EOF
{ "apiKey": "YOUR-KEY", "mode": "osint_report",
  "queries": [{ "entry": "test@example.com" }] }
EOF

npm start

Outputs appear in storage/datasets/default/*.json.

---

Changelog

1.0.1

• Fix: validation errors now correctly mark the run as FAILED instead of silently exiting 0 (Actor.fail() on thrown errors before Actor.exit()).

1.0.0

• Initial release with 6 CheckLeaked.cc endpoints + combined osint_report.
• Auto-pagination, retry with exponential backoff, concurrency control.
• Auto type detection (email / ip / hash / phone / username / name).
• Password masking, optional raw-response passthrough.
• Per-run stats in key-value store.

---

Support

• Issues / feature requests — open one on the actor's Issues tab.
• Enterprise / custom SLA / SAML — contact via Apify messaging.
• Upstream (CheckLeaked.cc) — account + subscription issues go to https://checkleaked.cc/pricing.

---

License

MIT — see repository LICENSE.