search-leaks
OSINT CLI tool to query data breach/leak statistics by domain or email using public threat-intel APIs. Supports stdin and target lists, automatic type detection, forced modes, and structured output.
search-leaks is an open-source, OSINT-focused command-line tool maintained by a member of Haltman.io. It queries public threat-intelligence endpoints from Hudson Rock (Cavalier OSINT) to retrieve statistical indicators related to data leaks, credential exposure, and infostealer activity.
The tool consumes statistical JSON responses only and prints structured, greppable output suitable for reports, internal reviews, and automated pipelines.
Typical use cases:
-
Vendor and third-party risk assessment
-
Corporate exposure checks (domain-level)
-
Mailbox exposure validation during incident response
-
High-level breach risk reporting without handling raw stolen data
Installation
Requirements
- Go 1.22+
- Network access to cavalier.hudsonrock.com
git clone https://github.com/haltman-io/search-leaks.git
cd search-leaks
go mod tidy
go build -o search-leaks ./cmd/search-leaks
./search-leaks -h
go install github.com/haltman-io/search-leaks/cmd/search-leaks@latest
search-leaks -h
If the binary is not found, ensure $GOBIN (or $(go env GOPATH)/bin) is in your PATH.
Configuration
No configuration is required.
- No API keys
- No environment variables
- No config files
All behavior is controlled via CLI flags and execution mode.
Usage
Basic usage
Single domain:
search-leaks -t example.com
Single email:
search-leaks -t user@example.com
Target input methods
Supported input sources:
--target / -t(repeatable, comma-separated)--target-list / -tL(file paths, repeatable)stdin/ pipeline
search-leaks -t google.com,twitter.com
search-leaks -tL targets1.txt -tL targets2.txt
cat targets.txt | search-leaks
Execution modes
Only one mode can be active per run.
Automatically detects target type — email → email endpoint, anything else → domain endpoint.
search-leaks -t example.com -t user@example.com
All targets are treated as domains. If an email is provided, its domain is extracted.
search-leaks -d -t user@corp.com
All targets are treated as emails. If a domain is provided, it is expanded into common mailbox aliases (postmaster@, abuse@, admin@, etc.).
search-leaks -e -t example.com
Statistics-only mode (domain)
For quick reporting, use statistics-only output:
search-leaks --statistics -t tesla.com
Prints only high-signal fields: total, employees, users, third_parties, last_employee_compromised, last_user_compromised.
Output format
Output is structured and line-oriented, designed for easy parsing:
[target] [request_url]
[target] [key: value]
[target] [arrayItem(n)] [key: value]
Example (email query):
[user@example.com] [total_corporate_services: 5]
[user@example.com] [stealer(1)] [operating_system: Windows 10]
Disable ANSI colors:
search-leaks --no-color
Possible Problems / Important Notes
Rate limiting
- Enforced limit: 50 requests per 10 seconds
- The tool automatically throttles requests
- Execution aborts after 3 consecutive API errors
Privacy & data handling
- Only statistical metadata is retrieved
- No breach payloads, passwords, or raw dumps are stored
- Output is printed directly to stdout
Intended use
This tool is intended for authorized security testing, corporate exposure assessment, and vendor risk analysis. Do not use it to target individuals or organizations without authorization.
External References
Last updated Feb 12, 2026
Built with Documentation.AI