// how it works

Our methodology

How DataLeakz checks for breaches, what data we store, where our data comes from, and why you can trust the results while still understanding the limits.

01 How a breach check works

When you enter an email address into DataLeakz, this is what happens:

Step 1

Your email stays protected

Your email is processed in your browser and on our server. It is not sent to any third party in plain text.

Step 2

Local database query

We first check our own indexed breach database that is built from publicly disclosed leak data.

Step 3

Privacy based API lookup

For broader coverage, we may query the HaveIBeenPwned API using only the first 5 characters of an SHA 1 hash of your email. The full email does not leave our server.

Step 4

Results are returned

We combine and remove duplicate results, then show which breaches matched, what data was exposed, and what to do next.

For public searches by visitors who are not signed in, we do not store the email address entered. For monitored emails inside your account, we store the email so we can alert you when new breaches are found.

02 The k anonymity model

k anonymity is a privacy technique that lets us check your email against a remote database without revealing your actual email to that database. This is how it works:

# 1. Hash the email with SHA 1
email = "you@example.com"
hash  = sha1(email)  → "a7fcf79b..." (40 hex chars)

# 2. Send only the first 5 characters
prefix = hash[:5]   → "a7fcf"
response = GET https://api.hibp.com/range/a7fcf

# 3. The response contains many matching hashes
# We compare locally to see if the full hash is present
# The API never learns your actual email
    

This means even if the API were ever compromised, it would only show that someone checked a hash prefix, not the real email address. The same privacy idea is used by major browsers for password checking.

03 Our data sources

Our breach database is built from multiple sources:

Primary

Public breach disclosures

Breaches that were publicly confirmed and disclosed by affected organizations or security researchers.

Aggregated

Paste site monitoring

We monitor public paste sites for credential dumps. We only index data that appears to come from real breach activity.

Extended

HaveIBeenPwned API

For broader coverage, we use the HIBP API through a privacy based lookup method. This gives access to Troy Hunt's large breach database.

Researcher

Submitted breaches

Security researchers can submit breaches for review. We verify them before indexing.

04 How we score breach severity

Each breach gets a risk score from 1 to 99 based on:

Data types exposed such as passwords, financial data, usernames, or email addresses
Recency because newer breaches often create more immediate risk
Verification status because confirmed breaches should not be treated the same as unverified dumps

This score helps organize your dashboard so you can focus on what matters most instead of treating every breach the same way.

05 Limits and transparency

No breach checker is complete. Here is what ours can and cannot do:

We can tell you if your email appeared in a known indexed breach
We cannot tell you if your data was taken in a breach that has never been publicly disclosed
We cannot tell you exactly what an attacker currently has
We cannot guarantee that our database contains every public breach

A clean result means your email was not found in the breaches we currently know about. It does not mean your data is fully safe. That is why ongoing monitoring is better than checking only once.

06 Responsible use of breach data

We index breach data to help people protect themselves. We do not:

Sell breach data to third parties
Allow bulk downloads of our breach database
Provide data in a way that could support harm
Index data from breaches that have not been publicly disclosed

If you have concerns about how we handle breach data, or if you believe data should be removed from our database, please contact us at privacy@dataleakz.com.