Home
A passive leak enumeration tool for discovering credential exposures
Leaker is a credential leak discovery tool that aggregates results from multiple breach databases and leak sources. Using passive online queries, it searches for exposed credentials by email, username, domain, keyword, or phone number.
It only does passive queries - no direct interaction with targets. All requests go through source APIs, respecting their terms and rate limits. Useful for penetration testers and red teamers during OSINT phases.
Created by Maksim Radaev.
- 12 passive sources - aggregates results from multiple breach databases for broad coverage
- 5 search types - email, username, domain, keyword, and phone number
- Credential verification - optional HIBP password breach check and hash type identification (`-V`)
- Automatic deduplication - removes duplicate results across sources
- Multiple output formats - plain text and JSONL for pipeline integration
- Built-in rate limiting - per-source rate limits to respect API quotas
- Proxy support - route all traffic through an HTTP proxy
- Multi-key load balancing - distribute requests across multiple API keys per source
- STDIN/STDOUT support - pipe targets in and results out for workflow integration
- Lightweight - single Go binary, no runtime dependencies
```bash
# Install
go install -v github.com/vflame6/leaker@latest
# Search by email
leaker email user@example.com
# Search by domain with specific sources
leaker domain example.com -s leakcheck,dehashed
# JSONL output with verification
leaker email user@example.com -j -V -o results.jsonl
```

Leaker takes a target (email, username, domain, keyword, or phone) and queries all configured sources in parallel. Each source runs as a goroutine, returning results through channels. Results are then:
- Filtered - only results containing the target string are kept (disable with `--no-filter`)
- Deduplicated - identical results from different sources are merged (disable with `--no-deduplication`)
- Verified (optional) - passwords are checked against HIBP, hashes are identified by format
- Output - results are written to stdout and/or a file in plain text or JSONL format
Each result can contain any combination of the following fields:
| Field | Description |
|---|---|
| `email` | Email address found in the leak |
| `username` | Username or login |
| `password` | Plaintext password |
| `hash` | Password hash (with optional type identification) |
| `ip` | IP address associated with the leak |
| `phone` | Phone number |
| `name` | Full name or display name |
| `database` | Name of the breached database |
| `url` | URL associated with the leaked credential |
When verification is enabled (-V), additional fields appear:
| Field | Description |
|---|---|
| `hibp_count` | Number of times the password appears in HIBP breach corpus |
| `hash_type` | Identified hash algorithm (md5, sha1, sha256, bcrypt, etc.) |
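The filter, deduplicate and identify-by-format steps described above can be reproduced downstream when triaging exported JSONL for your own domain. This is an added example, not Leaker's own code: it assumes the JSONL keys match the field names in the tables, uses constructed sample records, and the `Result`, `IdentifyHash` and `Process` names and the length/prefix heuristic are illustrative.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Result holds a subset of the documented fields; JSON key names are assumed.
type Result struct {
	Email    string `json:"email,omitempty"`
	Hash     string `json:"hash,omitempty"`
	HashType string `json:"hash_type,omitempty"`
}
var hexRe = regexp.MustCompile(`^[0-9a-fA-F]+$`)
var bcryptRe = regexp.MustCompile(`^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$`)
var hexLens = map[int]string{32: "md5", 40: "sha1", 64: "sha256"}

// IdentifyHash guesses from format only: 32 hex chars could also be NTLM.
func IdentifyHash(h string) string {
	if bcryptRe.MatchString(h) {
		return "bcrypt"
	}
	return hexLens[len(hexRe.FindString(h))]
}

// Process keeps on-target emails, drops duplicates and malformed lines.
func Process(jsonl, target string) []Result {
	seen, out := map[Result]bool{}, []Result{}
	for _, line := range strings.Split(strings.TrimSpace(jsonl), "\n") {
		var r Result
		err := json.Unmarshal([]byte(line), &r)
		r.Email = strings.ToLower(r.Email)
		if err != nil || !strings.Contains(r.Email, strings.ToLower(target)) || seen[r] {
			continue
		}
		seen[r] = true
		r.HashType = IdentifyHash(r.Hash) // label after the dedup key is recorded
		out = append(out, r)
	}
	return out
}

// Constructed sample records, not real leak data.
const sample = `{"email":"Alice@example.com","hash":"0123456789abcdef0123456789abcdef"}
{"email":"alice@example.com","hash":"0123456789abcdef0123456789abcdef"}
{"email":"bob@example.com","hash":"0123456789abcdef0123456789abcdef01234567"}
{"email":"carol@other.test","hash":"0123456789abcdef0123456789abcdef"}`
func main() { fmt.Println(Process(sample, "example.com")) }
```

Format-based identification is ambiguous by nature, so treat the label as a triage hint rather than a confirmed algorithm.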
Questions, issues, or feature requests? Open an issue on GitHub.
Follow development updates on Telegram.
- GitHub: github.com/vflame6/leaker
- Releases: github.com/vflame6/leaker/releases
- Issues: github.com/vflame6/leaker/issues
- Author: Maksim Radaev