# CheckLeaked.cc — Breach & OSINT Suite (`eduair94/checkleaked-cc`) Actor Full CheckLeaked.cc API as an Apify actor: Dehashed, Experimental (Snusbase), LeakCheck, Crack Hash, IP Lookup, Google Hunt (GHunt), plus a combined OSINT report mode that fans out every identifier across every service in a single run. - **URL**: https://apify.com/eduair94/checkleaked-cc.md - **Developed by:** [Eduardo Airaudo](https://apify.com/eduair94) (community) - **Categories:** Social media, Other, Developer tools - **Stats:** 2 total users, 0 monthly users, 71.4% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing from $250.00 / 1,000 osint dossiers This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## CheckLeaked.cc — Breach & OSINT Intelligence Suite > **The most comprehensive breach-lookup + OSINT enrichment actor on Apify.** > One API call. Six upstream data sources. Cracked passwords, Gmail profiles, > geo-located IPs, and a 0–100 risk score per identifier. A single `osint_report` query against a real email returns **12+ breach records, 12 distinct leak sources, full Google profile (maps, reviews, photos, services), and a computed risk score** — the kind of dossier that costs enterprise OSINT vendors $500+/month to produce. This actor delivers it for a tiny fraction of that, billed per request. --- ### What you actually get per query Run `osint_report` on one email, one name, one IP, one hash — the actor fans it out across every compatible CheckLeaked endpoint and emits one enriched record per hit plus one merged dossier: | Identifier input | Records returned | |-------------------------|--------------------------------------------------------------------------------------------------------------------| | `name@gmail.com` | 12+ breach records · cracked passwords · hashed passwords · usernames · IPs · full Google profile · maps reviews | | `john.doe@company.com` | Breach dumps across Dehashed + Snusbase + LeakCheck · historical passwords · linked usernames · last-seen IPs | | `Eduardo Airaudo` (name)| 20+ cross-database person records · emails · phones · addresses · linked breach sources | | `8.8.8.8` (IP) | Geo (city + street + lat/lon) · ASN · ISP · WHOIS · proxy/hosting flags · threat data | | `5f4dcc3b…` (MD5) | Plaintext recovery via rainbow tables · additional password reuse context | | `airaudoeduardo` (user) | Cross-platform breach entries · email links · social surface area | Every run also emits a **combined dossier** with: * `breach_count`, `breach_sources[]` * `cracked_password` (plaintext, when Snusbase / rainbow tables recover it) * `gmail_profile` (names, photos, linked Google services — Maps, Photos, Meet, YouTube — plus public reviews) * `ip_geo` (city-level geo + ASN + hosting flag) * `risk_score` 0–100 and `risk_level` (`none | low | medium | high | critical`) * `summary` — one-liner human-readable This is the raw fuel for account-takeover detection, executive protection, KYC/onboarding risk, fraud investigations, and journalistic OSINT — all in a single dataset row. --- ### Why it's worth paying per request The actor is not a commodity lookup. Each query: 1. **Pays upstream.** CheckLeaked.cc subscriptions start at ~$19 / month for ~500 lookups — roughly **$0.038 of raw wholesale cost per query**, and `osint_report` consumes 3–5 upstream calls to produce one dossier. 2. **Fans out across six paid data layers** (Dehashed, Snusbase, LeakCheck.io, CheckLeaked rainbow tables, IP2Location + MaxMind + whois, Google GHunt) that would cost $200+/month combined as direct subscriptions. 3. **Runs correlation logic** — deduping breach sources, detecting types, computing a risk score, flattening Dehashed's nested `entry` payload, recovering the password most likely to still be in use. 4. **Returns hundreds of fields per hit** — each of which downstream analysts charge hourly to surface manually. Most competitors charge **$0.25–$2.00 per breach lookup** (Dehashed pay-per-use starts at $5/20 queries = $0.25, HaveIBeenPwned Enterprise starts at $0.05 per search but is email-only and has no password/hash data, IntelX starts at $3,000/year). This actor undercuts every one of them while returning **more data in fewer calls**. --- ### Pricing The actor uses **Apify's Pay-Per-Event billing**. You only pay for events that actually return value. Failed upstream calls, 401s, and empty responses are free. #### Per-event prices | Event | Apify charge | What triggers it | |------------------------------------|--------------|----------------------------------------------------------------------------------| | `osint_report.dossier` | **$0.25** | One merged report row with `breach_count`, `risk_score`, `summary`. | | `osint_report.gmail_profile` | **$0.30** | A Gmail identity surface (Maps, reviews, services) was recovered. | | `dehashed.record` | **$0.05** | One Dehashed breach record (email/password/hash/PII fields). | | `experimental.record` | **$0.04** | One Snusbase / experimental-index breach record. | | `leak_check.record` | **$0.02** | One LeakCheck.io breach record (email/username hit). | | `crack_hash.plaintext` | **$0.10** | A hash was successfully reversed to plaintext. | | `ip_lookup.record` | **$0.01** | Geo + ASN + whois returned for one IP. | | `ghunt.profile` | **$0.35** | Standalone GHunt Gmail profile (only when `mode=ghunt` is called directly). | > Events are only counted for **successful** responses. 401, 429, timeout, > empty response → **no charge**. #### Typical dossier cost | Scenario (one `osint_report` call) | Breaches | Gmail profile? | Billed events | You pay | |--------------------------------------|----------|----------------|-------------------------------------------|-----------| | Email (heavy breach history) | 12 | ✅ | 1 dossier + 1 gmail + 12 records | **$0.94** | | Email (light breach history) | 2 | ✅ | 1 dossier + 1 gmail + 2 records | **$0.65** | | Email, non-Gmail | 6 | — | 1 dossier + 6 records | **$0.55** | | IP address | 2 | — | 1 dossier + 2 records + 1 ip_lookup | **$0.36** | | MD5 hash (cracked) | 0 | — | 1 dossier + 1 plaintext | **$0.35** | | Name lookup | 20 | — | 1 dossier + 20 records | **$1.25** | Clean 404-style query (no breaches, no profile): **$0.25** (dossier-only). #### Monthly subscription alternatives If you're running > 100 queries per month, rent the actor flat-rate: | Plan | Monthly rent | Included queries / month | Overage per dossier | Best for | |-------------------|--------------|--------------------------|---------------------|-------------------------------------------| | **Starter** | **$29** | 150 dossiers | $0.22 | Single analyst, spot checks | | **Professional** | **$99** | 600 dossiers | $0.18 | KYC / fraud teams, weekly VIP monitoring | | **Business** | **$299** | 2 500 dossiers | $0.12 | SOC, continuous employee breach monitoring| | **Scale** | **$999** | 12 000 dossiers | $0.08 | Data brokers, threat-intel vendors | | **Enterprise** | custom | unlimited + SLA + SAML | — | Government, MSSPs, cyber-insurance | All tiers include: * Full access to every mode (`osint_report`, `dehashed`, `experimental`, `leak_check`, `crack_hash`, `ip_lookup`, `ghunt`) * Cracked passwords, hashed passwords, Gmail profiles unlocked * Apify Scheduler + webhooks + integrations (Zapier, Make, n8n) * Dataset export (CSV / JSON / Excel / RSS) + direct API pulls * Automatic retries, exponential backoff, proxy support #### What your payment actually covers * **Upstream data subscriptions** — CheckLeaked.cc (Pro tier, required for plaintext passwords + GHunt + `loadAll`), Snusbase, LeakCheck.io gateway access. These alone cost the operator ~$19–$99/month **per key**, and this actor uses aggregated keys across multiple tiers. * **Rainbow-table compute** — `crack_hash` hits CheckLeaked's own rainbow-table infrastructure, which is billed by query. * **Apify platform compute** — container startup, memory, bandwidth. * **Engineering + maintenance** — the actor keeps up with upstream schema changes (Dehashed reshuffles `entry` fields frequently), new breach imports, and adds new sources as they appear. #### Why not self-host? You *can* — CheckLeaked.cc publishes a REST API. But you'd need: 1. A $19–$99/month CheckLeaked.cc subscription. 2. A $49/month Snusbase account for `experimental`. 3. A LeakCheck.io API key ($10–$50/month) **plus** a static IP whitelisted on LeakCheck's dashboard (they don't support dynamic IPs). 4. Proxy rotation for rate limits. 5. Retry + pagination + auto-detect + risk-score code. 6. Maintenance for every upstream schema change. This actor bundles all of it, billed only when a query actually returns intelligence. --- ### Quick start ```json { "apiKey": "YOUR-CHECKLEAKED-BOT-KEY", "mode": "osint_report", "queries": [ { "entry": "john.doe@gmail.com" }, { "entry": "8.8.8.8" }, { "entry": "5d41402abc4b2a76b9719d911017c592" } ] } ```` That single run: - auto-detects each entry's type (email / IP / hash / phone / username / name), - calls every compatible CheckLeaked endpoint in parallel with retry + backoff, - emits one dataset row per sub-service hit plus one merged dossier row per identifier with `breach_count`, `risk_score`, and `summary`. Typical wall-clock time: **1–3 seconds per identifier**. #### One-shot (Zapier / Make / webhook style) ```json { "apiKey": "…", "mode": "osint_report", "singleEntry": "ceo@acme.io" } ``` *** ### Modes | Mode | Upstream endpoint | Purpose | |-------------------|----------------------------|---------------------------------------------------------| | `osint_report` ★ | combined fan-out | **Flagship.** Runs every compatible endpoint, emits merged dossier | | `dehashed` | `POST /api/dehashed` | Paginated Dehashed lookups, plaintext + hashed passwords | | `experimental` | `POST /api/experimental` | Snusbase-backed index. `loadAll=true` expands truncated rows | | `leak_check` | `GET /api/leak_check` | Fast LeakCheck.io breach hits (needs `leakCheckKey`) | | `crack_hash` | `POST /api/crack_hash` | Reverse MD5 / SHA hashes against rainbow tables | | `ip_lookup` | `GET /api/ip` | City-level geo + ASN + WHOIS + threat flags | | `ghunt` | `GET /api/ghunt` | Google / Gmail OSINT — names, photos, Maps, reviews, services | ★ = the headline mode. Use it unless you specifically need one endpoint. #### Allowed `type` values per mode ``` dehashed : email, username, ip_address, name, address, phone, vin, free experimental : email, username, mass, password, name, hash, lastip leak_check : auto, email, username, keyword, domain, phone, hash, password, origin, phash (+ legacy: mass, login, pass_email, domain_email, pass_login) crack_hash : (type ignored — entry must be the hash itself) ip_lookup : (type ignored — IPv4/IPv6; empty to look up outbound IP) ghunt : (type ignored — entry must be a Gmail address) osint_report : any of the above, auto-detected if type omitted ``` #### Auto-detect rules | Entry shape | Detected type | |----------------------------------------|---------------| | `foo@bar.com` | `email` | | `1.2.3.4` / `2001:db8::1` | `ip_address` | | 32 / 40 / 64 hex chars | `hash` | | Digits only, 7–15 chars, optional `+` | `phone` | | Short alnum token | `username` | | Everything else | `keyword` | Gmail routing for GHunt checks for the `@gmail.com` suffix. *** ### Input reference | Field | Type | Default | Purpose | |-------|------|---------|---------| | `apiKey` | secret string | — | CheckLeaked.cc bot key. Required except for pure `leak_check`. | | `leakCheckKey` | secret string | — | LeakCheck.io key. Required for `leak_check`; optional extra source in `osint_report`. | | `mode` | enum | `osint_report`| Which endpoint(s) to call. | | `queries` | `[{entry, type?}]` | `[]` | One row per lookup; `type` auto-detects if omitted. | | `singleEntry` / `singleType` | string / string | — | Shortcut for one-shot runs. | | `startPage` | int | 1 | First page for `dehashed`. | | `maxPages` | int | 5 | Max pages per query (`dehashed`). Stops early on empty page. | | `loadAll` | bool | false | Add `?loadAll=true` to experimental calls. Pro/Plus only. | | `maskPasswords` | bool | false | Redact `password`, `hashed_password`, `hash` before writing. | | `includeRawResponse` | bool | false | Keep `raw` field with upstream JSON (doubles dataset size). | | `maxConcurrency` | int | 3 | Parallel upstream requests. | | `delayMs` | int | 0 | Sleep after each request per worker. | | `maxRetries` | int | 4 | Retries on 429 / 5xx / network errors. | | `requestTimeoutSecs` | int | 180 | Per-request timeout. Dehashed cold cache needs ≥ 120. | | `proxyConfiguration` | Apify proxy | off | Optional outbound proxy. | | `stopOnError` | bool | false | Abort on first hard 4xx. Otherwise errors become dataset rows. | *** ### Output Every hit and every run-level summary is pushed to the default **dataset**. The actor also writes a `RUN_STATS` object to the **key-value store** with totals and per-query error breakdown. #### Dossier row (`osint_report`) ```json { "mode": "osint_report", "entry": "john.doe@gmail.com", "type": "email", "breach_count": 12, "breach_sources": [ { "Name": "Trello", "BreachDate": "2024-01-16T00:00:00.000Z" }, { "Name": "Canva", "BreachDate": "2019-05-24T00:00:00.000Z" }, { "Name": "CutoutPro", "BreachDate": "2024-02-26T00:00:00.000Z" }, { "Name": "BreachForums", "BreachDate": "2022-11-29T00:00:00.000Z" } ], "cracked_password": "hunter2", "gmail_profile": { "personId": "111786650662019758699", "names": { "fullname": "John Doe" }, "profilePhotos": { "url": "https://lh3.googleusercontent.com/..." }, "inAppReachability": { "apps": ["Youtube", "Photos", "Maps", "Meet"] }, "maps": { "reviews": [ { "rating": 5, "comment": "...", "location": { "name": "Blend Bar", "address": "..." } } ] } }, "ip_geo": null, "risk_score": 86, "risk_level": "critical", "summary": "12 breach records; 12 distinct sources; plaintext password recovered; Google profile found", "sub_results": { "experimental": { "ok": true, "count": 8, "durationMs": 2149 }, "dehashed": { "ok": true, "count": 4, "durationMs": 234 }, "ghunt": { "ok": true, "count": 1, "durationMs": 205 } }, "errors": [], "scrapedAt": "2026-04-24T00:50:50.066Z" } ``` #### Breach-record row (flattened from each sub-service) ```json { "mode": "osint_report", "sub": "dehashed", "source": "checkleaked.cc/dehashed", "entry": "john.doe@gmail.com", "database_name": "Canva", "email": "john.doe@gmail.com", "username": "johnd", "password": "hunter2", "hashed_password": "$2y$10$...", "ip_address": "200.58.154.82", "name": "John Doe", "scrapedAt": "2026-04-24T00:50:50.066Z" } ``` #### Risk score formula ``` score = min(breach_count, 50) * 2 // up to 100 + min(breach_sources, 20) * 2 // up to 40 + 40 if cracked_password is truthy + 5 if gmail_profile present clamped to [0, 100] risk_level: 0=none · 1-24=low · 25-49=medium · 50-74=high · 75-100=critical ``` Tune it for your org — the formula is transparent JS you can fork. *** ### Integrations - **Apify Scheduler** — weekly VIP breach monitoring, daily employee audits. - **Webhooks** — fire a POST when `risk_level in ("high", "critical")`. - **Zapier / Make / n8n** — drop a `singleEntry` into the actor, receive the dossier row in your automation. - **Slack / Teams / Discord** — push the `summary` field as a message on high risk; the full dossier as an attachment. - **Google Sheets / Airtable** — stream the dataset directly via Apify's native connectors. - **BI / SIEM** — pull the dataset over HTTPS as JSON / CSV; every row has stable keys so it maps cleanly to Splunk, Sentinel, Datadog, or a data warehouse. *** ### Recipes #### Weekly VIP email monitor ```json { "mode": "osint_report", "queries": [ { "entry": "ceo@acme.io" }, { "entry": "cfo@acme.io" }, { "entry": "security@acme.io" } ], "maskPasswords": true } ``` Wire the dataset to Slack via webhook. Filter `risk_level in ("high", "critical")`. #### Bulk MD5 / SHA hash cracking ```json { "mode": "crack_hash", "queries": [ { "entry": "5d41402abc4b2a76b9719d911017c592" }, { "entry": "098f6bcd4621d373cade4e832627b4f6" } ], "maxConcurrency": 10 } ``` #### IP enrichment (geo + breach + last-seen) ```json { "mode": "osint_report", "queries": [ { "entry": "185.220.101.1" }, { "entry": "45.33.32.156" } ] } ``` Each IP gets `ip_lookup` + `experimental` (type=`lastip`) + `dehashed` (type=`ip_address`) in one run. #### Domain-wide employee breach audit ```json { "mode": "dehashed", "queries": [{ "entry": "acme.io", "type": "email" }], "maxPages": 50, "maskPasswords": true } ``` Pulls up to ~5 000 rows per query; pagination stops on the first empty page. #### One-shot via Apify HTTP API ```bash curl -X POST "https://api.apify.com/v2/acts/~checkleaked-cc/runs?token=$APIFY_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "apiKey": "'"$CHECKLEAKED_KEY"'", "mode": "osint_report", "singleEntry": "ceo@acme.io" }' ``` *** ### Use cases - **Account takeover (ATO) prevention** — screen new signups against leaked credentials before onboarding. - **KYC / AML enrichment** — cross-check customer identity against breach dumps, public Gmail footprint, and flagged IPs. - **Executive protection** — weekly monitoring of C-suite and board-member emails, phones, and home IPs. - **Incident response** — when a credential leak alert fires, run `osint_report` on every exposed user in under a minute. - **Fraud + chargeback** — score each transaction IP by ASN, hosting flag, and past abuse history. - **Cyber insurance underwriting** — quantify breach exposure for a domain's email pattern at quote time. - **Threat intelligence** — enrich Maltego / ShadowDragon graphs with password-reuse context and cracked hashes. - **Journalistic OSINT** — source-verification, dark-web-forum identity correlation, public-record cross-checks. *** ### Security & ethics - **Authorization required.** Running breach lookups on identifiers you don't own requires prior written authorization. CheckLeaked.cc's Terms of Service restrict use to lawful purposes (security research, incident response, your own assets, or data subjects who have consented). - **Mask by default.** Turn on `maskPasswords: true` when the dataset will be shared with anyone who doesn't need plaintext credentials (board dashboards, Slack alerts, compliance exports, third-party analysts). - **Run-level secrets.** `RUN_STATS` records query strings. Treat every run as sensitive — restrict access via Apify team permissions, and purge old datasets on a short retention schedule. - **LeakCheck.io gateway.** IP `192.126.161.211` must be whitelisted on your LeakCheck.io dashboard for `leak_check` mode. CheckLeaked.cc routes those requests through that gateway. - **GDPR / CCPA.** The raw output may contain personal data of EU / CA residents. Log lawful basis, minimize retention, and honor deletion requests promptly. *** ### Tuning & performance | CheckLeaked.cc tier | `maxConcurrency` | `delayMs` | Typical throughput | |---------------------|------------------|-----------|--------------------| | Free | 1 | 10 000 | ~6 queries / min | | Plus (~$7–19/mo) | 10 | 2 000 | ~300 queries / min | | Pro | 25 | 0 | ~1 500 queries / min | Going over these ranges just earns 429s, which the actor retries with exponential backoff automatically — you won't lose data, just throughput. *** ### Troubleshooting | Symptom | Likely cause | Fix | |--------------------------------------------------|---------------------------------------------|-----| | `Your bot api key is required` | Empty `apiKey` | Paste your token from . | | `Max number of checks reached` | Daily lookup quota exhausted | Wait until next UTC day or upgrade tier. | | `You need pro / plus access for this feature` | `ghunt` / `loadAll` / plaintext on Free | Upgrade tier on CheckLeaked.cc. | | `Waiting for a spot in the queue` | Upstream browser queue saturated (Dehashed) | Actor retries automatically; drop `maxConcurrency` to 1. | | Repeated 429 | Over cooldown | Drop `maxConcurrency`, raise `delayMs`, or upgrade tier. | | `leakCheckKey is required` | `leak_check` with no LeakCheck.io key | Paste your LeakCheck.io key in the actor input. | | `GHunt requires a Gmail address` | Non-Gmail entry in `ghunt` mode | Only `@gmail.com` addresses work for `ghunt`. | | Actor times out | Long paginated run | Raise `requestTimeoutSecs`, split into multiple runs, or lower `maxPages`. | *** ### Local development ```bash git clone cd apify-checkleaked-actor npm install mkdir -p storage/key_value_stores/default cat > storage/key_value_stores/default/INPUT.json <. *** ### License MIT — see repository LICENSE. # Actor input Schema ## `apiKey` (type: `string`): Your bot token from https://checkleaked.cc/botLinks — sent as the `api-key` header on every request. Required for: dehashed, experimental, crack\_hash, ip\_lookup, ghunt and osint\_report modes. ## `leakCheckKey` (type: `string`): Your third-party LeakCheck.io key. Required only for the `leak_check` mode. NOTE: the CheckLeaked.cc upstream also requires you to whitelist IP `192.126.161.211` in your LeakCheck.io dashboard (the actor uses that gateway). ## `mode` (type: `string`): Which CheckLeaked.cc endpoint to call. - **dehashed** — POST /api/dehashed (paginated, Pro/Plus unlocks passwords & hashes) - **experimental** — POST /api/experimental (Snusbase-backed, `loadAll` auto-expands truncated rows) - **leak\_check** — GET /api/leak\_check (fast breach lookup; needs LeakCheck.io key) - **crack\_hash** — POST /api/crack\_hash (rainbow-table style MD5/SHA hash reverse) - **ip\_lookup** — GET /api/ip (geolocation + ASN + threat data) - **ghunt** — GET /api/ghunt (Gmail OSINT, Pro/Plus only) - **osint\_report** — **combined mode**: for every input identifier run every compatible endpoint above and emit one merged record per identifier. Highest-value mode. ## `queries` (type: `array`): One row per lookup. Each row has an `entry` (the value to look up) and a `type` (how to interpret it). In `osint_report` mode the `type` is optional — if omitted, the actor detects it automatically (email / ip / hash / phone / username). Allowed `type` values per mode: - dehashed: email, username, ip\_address, name, address, phone, vin, free - experimental: email, username, mass, password, name, hash, lastip - leak\_check: auto, email, username, keyword, domain, phone, hash, password, origin, phash (plus legacy: mass, login, pass\_email, domain\_email, pass\_login) - crack\_hash: (type ignored — `entry` must be the hash itself) - ip\_lookup: (type ignored — `entry` must be an IPv4/IPv6 address; leave entry empty to look up the actor's own IP) - ghunt: (type ignored — `entry` must be a Gmail address) - osint\_report: any of the above; auto-detected if type omitted ## `singleEntry` (type: `string`): Convenience field — if `queries` is empty, the actor treats this as a single query with the `singleType` below. Ideal for one-shot API calls / Zapier / Make integrations. ## `singleType` (type: `string`): Type for `singleEntry`. Leave empty for auto-detect (only valid in `osint_report` / `leak_check`). ## `startPage` (type: `integer`): First page to fetch in `dehashed` mode. Ignored by every other mode. ## `maxPages` (type: `integer`): Hard cap on pages fetched per query in `dehashed` mode. The actor stops earlier if a page returns zero entries. Set to 1 to disable auto-pagination. ## `loadAll` (type: `boolean`): When true and mode is `experimental` or `osint_report`, the actor appends `?loadAll=true` so CheckLeaked.cc auto-expands every truncated row into its full breach record. Requires a Pro/Plus subscription on CheckLeaked.cc. ## `includeRawResponse` (type: `boolean`): If true, every dataset item keeps a `raw` field with the untouched upstream JSON. Handy for debugging / schema discovery; doubles dataset size. ## `maskPasswords` (type: `boolean`): Redact `password`, `hashed_password` and `hash` fields before writing to the dataset. Use this when the Apify run output will be shared with non-privileged viewers. ## `maxConcurrency` (type: `integer`): How many upstream requests run in parallel. CheckLeaked.cc enforces per-plan cooldowns; keep this ≤ 3 for Free, ≤ 10 for Plus, ≤ 25 for Pro. See pricing section of the README. ## `delayMs` (type: `integer`): Sleep added after each completed request per worker. Use to stay under the per-plan cooldown (Free = 10s, Plus = 2s, Pro = 0s). ## `maxRetries` (type: `integer`): On 429 / 5xx / network errors the actor retries with exponential backoff. ## `requestTimeoutSecs` (type: `integer`): Per-request HTTP timeout. Dehashed can be slow on cold cache — keep ≥ 120. ## `proxyConfiguration` (type: `object`): Optional Apify proxy. CheckLeaked.cc does not require one (auth is by API key), but a proxy can help if your plan has IP-based cooldowns or you want to rotate outbound IPs. ## `stopOnError` (type: `boolean`): If true, the actor aborts the run on any 4xx that isn't 404/429. If false, errors are written to the dataset as records of type `error` and the run continues. ## Actor input object example ```json { "mode": "osint_report", "queries": [ { "entry": "test@example.com", "type": "email" } ], "startPage": 1, "maxPages": 5, "loadAll": false, "includeRawResponse": false, "maskPasswords": false, "maxConcurrency": 3, "delayMs": 0, "maxRetries": 4, "requestTimeoutSecs": 180, "proxyConfiguration": { "useApifyProxy": false }, "stopOnError": false } ``` # Actor output Schema ## `results` (type: `string`): Every row pushed to the default dataset during this run — merged OSINT dossiers, flattened breach records from Dehashed / Snusbase / LeakCheck, IP intelligence rows, cracked-hash results, Gmail profiles, per-page summaries and error rows. Mode and sub fields disambiguate row types. ## `dossiers` (type: `string`): Only the merged osint\_report rows — one per identifier with breach\_count, breach\_sources, cracked\_password, ip\_geo, gmail\_profile, risk\_score (0-100), risk\_level, summary and the per-sub-service outcome map. Ideal feed for SOC dashboards and webhook alerting. ## `breaches` (type: `string`): Flattened breach entries from Dehashed, Snusbase (experimental) and LeakCheck.io. One row per hit with email, username, plaintext password (when plan unlocks it), hashed password, name, phone, address, last-seen IP, database name and sources metadata. ## `ips` (type: `string`): ip\_lookup rows with city-level geolocation, ASN, ISP, WHOIS, proxy / hosting / mobile flags and reverse-geo street address for every queried IPv4 / IPv6. ## `errors` (type: `string`): Every dataset row where the upstream returned an error or the run-level handler captured a thrown exception. Includes the upstream HTTP status, raw error body and the original query that produced it. ## `runStats` (type: `string`): Aggregated RUN\_STATS record written to the default key-value store when the run finishes. Contains mode, totalQueries, completed, failed, totalHits, errors\[], startedAt, finishedAt, durationSec. ## `liveView` (type: `string`): Auto-refreshing HTML status page served by the actor container on $APIFY\_CONTAINER\_PORT (default 4321). Shows mode, query count, completed / failed counters and total hits in real time while the run is still in progress. See .actor/webserver\_openapi.json for the full JSON API (/stats, /input, /health). # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "queries": [ { "entry": "test@example.com", "type": "email" } ] }; // Run the Actor and wait for it to finish const run = await client.actor("eduair94/checkleaked-cc").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "queries": [{ "entry": "test@example.com", "type": "email", }] } # Run the Actor and wait for it to finish run = client.actor("eduair94/checkleaked-cc").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "queries": [ { "entry": "test@example.com", "type": "email" } ] }' | apify call eduair94/checkleaked-cc --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=eduair94/checkleaked-cc", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "CheckLeaked.cc — Breach & OSINT Suite", "description": "Full CheckLeaked.cc API as an Apify actor: Dehashed, Experimental (Snusbase), LeakCheck, Crack Hash, IP Lookup, Google Hunt (GHunt), plus a combined OSINT report mode that fans out every identifier across every service in a single run.", "version": "1.0", "x-build-id": "REwgYQ9KyVFbETnur" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/eduair94~checkleaked-cc/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-eduair94-checkleaked-cc", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/eduair94~checkleaked-cc/runs": { "post": { "operationId": "runs-sync-eduair94-checkleaked-cc", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/eduair94~checkleaked-cc/run-sync": { "post": { "operationId": "run-sync-eduair94-checkleaked-cc", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "mode" ], "properties": { "apiKey": { "title": "CheckLeaked.cc bot API key", "type": "string", "description": "Your bot token from https://checkleaked.cc/botLinks — sent as the `api-key` header on every request. Required for: dehashed, experimental, crack_hash, ip_lookup, ghunt and osint_report modes." }, "leakCheckKey": { "title": "LeakCheck.io API key (only for `leak_check` mode)", "type": "string", "description": "Your third-party LeakCheck.io key. Required only for the `leak_check` mode. NOTE: the CheckLeaked.cc upstream also requires you to whitelist IP `192.126.161.211` in your LeakCheck.io dashboard (the actor uses that gateway)." }, "mode": { "title": "Search mode", "enum": [ "dehashed", "experimental", "leak_check", "crack_hash", "ip_lookup", "ghunt", "osint_report" ], "type": "string", "description": "Which CheckLeaked.cc endpoint to call.\n\n- **dehashed** — POST /api/dehashed (paginated, Pro/Plus unlocks passwords & hashes)\n- **experimental** — POST /api/experimental (Snusbase-backed, `loadAll` auto-expands truncated rows)\n- **leak_check** — GET /api/leak_check (fast breach lookup; needs LeakCheck.io key)\n- **crack_hash** — POST /api/crack_hash (rainbow-table style MD5/SHA hash reverse)\n- **ip_lookup** — GET /api/ip (geolocation + ASN + threat data)\n- **ghunt** — GET /api/ghunt (Gmail OSINT, Pro/Plus only)\n- **osint_report** — **combined mode**: for every input identifier run every compatible endpoint above and emit one merged record per identifier. Highest-value mode.", "default": "osint_report" }, "queries": { "title": "Queries to run", "type": "array", "description": "One row per lookup. Each row has an `entry` (the value to look up) and a `type` (how to interpret it). In `osint_report` mode the `type` is optional — if omitted, the actor detects it automatically (email / ip / hash / phone / username).\n\nAllowed `type` values per mode:\n- dehashed: email, username, ip_address, name, address, phone, vin, free\n- experimental: email, username, mass, password, name, hash, lastip\n- leak_check: auto, email, username, keyword, domain, phone, hash, password, origin, phash (plus legacy: mass, login, pass_email, domain_email, pass_login)\n- crack_hash: (type ignored — `entry` must be the hash itself)\n- ip_lookup: (type ignored — `entry` must be an IPv4/IPv6 address; leave entry empty to look up the actor's own IP)\n- ghunt: (type ignored — `entry` must be a Gmail address)\n- osint_report: any of the above; auto-detected if type omitted", "default": [] }, "singleEntry": { "title": "Single entry (shortcut)", "type": "string", "description": "Convenience field — if `queries` is empty, the actor treats this as a single query with the `singleType` below. Ideal for one-shot API calls / Zapier / Make integrations." }, "singleType": { "title": "Single entry type (shortcut)", "type": "string", "description": "Type for `singleEntry`. Leave empty for auto-detect (only valid in `osint_report` / `leak_check`)." }, "startPage": { "title": "Start page (dehashed)", "minimum": 1, "maximum": 10000, "type": "integer", "description": "First page to fetch in `dehashed` mode. Ignored by every other mode.", "default": 1 }, "maxPages": { "title": "Max pages per query (dehashed)", "minimum": 1, "maximum": 10000, "type": "integer", "description": "Hard cap on pages fetched per query in `dehashed` mode. The actor stops earlier if a page returns zero entries. Set to 1 to disable auto-pagination.", "default": 5 }, "loadAll": { "title": "Load all (experimental)", "type": "boolean", "description": "When true and mode is `experimental` or `osint_report`, the actor appends `?loadAll=true` so CheckLeaked.cc auto-expands every truncated row into its full breach record. Requires a Pro/Plus subscription on CheckLeaked.cc.", "default": false }, "includeRawResponse": { "title": "Include raw upstream response", "type": "boolean", "description": "If true, every dataset item keeps a `raw` field with the untouched upstream JSON. Handy for debugging / schema discovery; doubles dataset size.", "default": false }, "maskPasswords": { "title": "Mask passwords & hashes in output", "type": "boolean", "description": "Redact `password`, `hashed_password` and `hash` fields before writing to the dataset. Use this when the Apify run output will be shared with non-privileged viewers.", "default": false }, "maxConcurrency": { "title": "Max concurrent requests", "minimum": 1, "maximum": 50, "type": "integer", "description": "How many upstream requests run in parallel. CheckLeaked.cc enforces per-plan cooldowns; keep this ≤ 3 for Free, ≤ 10 for Plus, ≤ 25 for Pro. See pricing section of the README.", "default": 3 }, "delayMs": { "title": "Delay between requests (ms)", "minimum": 0, "maximum": 600000, "type": "integer", "description": "Sleep added after each completed request per worker. Use to stay under the per-plan cooldown (Free = 10s, Plus = 2s, Pro = 0s).", "default": 0 }, "maxRetries": { "title": "Max retries per request", "minimum": 0, "maximum": 10, "type": "integer", "description": "On 429 / 5xx / network errors the actor retries with exponential backoff.", "default": 4 }, "requestTimeoutSecs": { "title": "Request timeout (seconds)", "minimum": 10, "maximum": 1800, "type": "integer", "description": "Per-request HTTP timeout. Dehashed can be slow on cold cache — keep ≥ 120.", "default": 180 }, "proxyConfiguration": { "title": "Proxy", "type": "object", "description": "Optional Apify proxy. CheckLeaked.cc does not require one (auth is by API key), but a proxy can help if your plan has IP-based cooldowns or you want to rotate outbound IPs.", "default": { "useApifyProxy": false } }, "stopOnError": { "title": "Stop on first hard error", "type": "boolean", "description": "If true, the actor aborts the run on any 4xx that isn't 404/429. If false, errors are written to the dataset as records of type `error` and the run continues.", "default": false } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```