HEROIC offers a powerful suite of enterprise-grade APIs designed to detect and investigate exposed data across billions of breach records. With tens of billions of compromised records indexed, the HEROIC API allows you to search and retrieve breach data across multiple identity types and sources.
To use the HEROIC API, you must have an active HEROIC Enterprise Account. Click here to sign up.
The Base URL for our APIs is https://api.heroic.com/v7
To obtain a key:
All requests must include an API key in the header: x-api-key: YOUR_API_KEY
Code | Error category | Description | Resolution |
---|---|---|---|
403 | Authentication Failed | Invalid API credentials. | Ensure a valid API key is specified. |
404 | Path not found | The API path does not exist. | Check the API route. |
405 | Invalid input | Invalid input provided. | Check your input. |
422 | Validation Error | Validation failed. | Read the error message and correct your data. |
500 | Internal server error | Server error. | Contact HEROIC support. |
Contact support@heroic.com for assistance.
HEROIC is committed to protecting sensitive personal information (PII) in all API responses. To ensure privacy and compliance, all PII fields such as credit card numbers, SSNs, and passwords are masked or redacted in the data returned by our APIs.
Examples of masked values:
- Credit card number: 543210XXXXXX1234
- SSN: 123-456-78**
- Password: admin@12**
This masking ensures that sensitive data cannot be reconstructed or misused, while still allowing for effective breach investigation and analysis. If you require access to unmasked data for legitimate security or compliance reasons, please contact HEROIC support for more information on our data access policies.
The breach catalog includes general information about what was exposed, when the breach occurred, and what type of data was involved. It's useful for displaying or investigating breach events at a high level.
[
  {
    "uuid": "f5d77b03-44b4-11eb-9442-1d5c76d5a106",
    "site_name": "Ledger",
    "site_domain": "ledger.com",
    "date_leaked": "25-Jun-2020",
    "site_categories": "Crypto",
    "site_country": "United States",
    "site_language": "English",
    "password_types": "None",
    "leaked_data_types": "Email Address, Phone",
    "heroic_article_url": null,
    "description": "The hacker responsible for Ledger's security breach in July dumped a large amount of data exposing the personal information of over 270,000 customers, including phone numbers and physical addresses.",
    "pwned_count": 1075382
  }
]
Provides information associated with a breach. Requires UUID as a parameter.
uuid required | string <uuid> UUID of the data breach. |
{
  "uuid": "f5d77b03-44b4-11eb-9442-1d5c76d5a106",
  "site_name": "Ledger",
  "site_domain": "ledger.com",
  "date_leaked": "25-Jun-2020",
  "site_categories": "Crypto",
  "site_country": "United States",
  "site_language": "English",
  "password_types": "None",
  "leaked_data_types": "Email Address, Phone",
  "heroic_article_url": null,
  "description": "The hacker responsible for Ledger's security breach in July dumped a large amount of data exposing the personal information of over 270,000 customers, including phone numbers and physical addresses.",
  "pwned_count": 1075382
}
Search for breach details by email, IP address, phone number, etc.
In addition to the required type and account parameters, you can use any of the supported breach type values as additional filter parameters. These filters accept "yes" or "no" values to refine your search results.
To search for an email address that also has a password exposed:
GET /breach-search?type=email&account=mohammad@gmail.com&password=yes
This will return all breach records for mohammad@gmail.com where a password was also exposed.
You can use any of these values as filter parameters:
- email: Filter for records with email addresses
- email_domain: Filter for records with email domains
- phone_number: Filter for records with phone numbers
- username: Filter for records with usernames
- ip_address: Filter for records with IP addresses
- social_security_number: Filter for records with SSNs
- password: Filter for records with passwords
- password_hash: Filter for records with password hashes
- bitcoin_address: Filter for records with bitcoin addresses
Each filter accepts one of two values:
- yes: Include only records that have this data type
- no: Exclude records that have this data type
type required | string Enum: "email" "email_domain" "phone_number" "username" "ip_address" "social_security_number" "password" "password_hash" "bitcoin_address" Account type filter. |
account required | string Value for the selected account type. |
paging_token | string Token for pagination (from previous response). |
number_of_records | integer Limit the number of records returned. |
[breach_type] | string Enum: "yes" "no" Additional filter parameters. You can use any of the supported breach type values (email, email_domain, phone_number, username, ip_address, social_security_number, password, password_hash, bitcoin_address) as parameter names with "yes" or "no" values to filter results. Example: |
x-api-key required | string API key for authentication. |
{
  "records_found": 12,
  "pagination_token": "0053001032e271c0ddeb11ed8a50195359d257484062633566646662383939636438356362623630343361663638656663353038393939333131346166633061393937306331626132643632623633623065383132f07ffffff5f07ffffff110",
  "data": [
    {
      "breached_data": {
        "user_name": "kmatch7",
        "first_name": null,
        "last_name": null,
        "email": "kmatch7@yahoo.com",
        "email_domain": "yahoo.com",
        "phone_number": null,
        "ip_address": null,
        "bitcoin_address": null,
        "password": null,
        "password_hash": "71bb2e8e85702bc6dc8fe49bc2ca2664",
        "other_attributes": "{\"DATE_REG\": \"2012-01-31 03:50:51\"}"
      },
      "breach_details": {
        "uuid": "f5d77b03-44b4-11eb-9442-1d5c76d5a106",
        "site_name": "Ledger",
        "site_domain": "ledger.com",
        "date_leaked": "25-Jun-2020",
        "site_categories": "Crypto",
        "site_country": "United States",
        "site_language": "English",
        "password_types": "None",
        "leaked_data_types": "Email Address, Phone",
        "heroic_article_url": null,
        "description": "The hacker responsible for Ledger's security breach in July dumped a large amount of data exposing the personal information of over 270,000 customers, including phone numbers and physical addresses.",
        "pwned_count": 1075382
      }
    }
  ]
}
HEROIC's Credit Card Search API provides access to both legacy (free) and active (paid) stolen credit card data found across darknet markets and hacker forums. Free cards typically originate from older leaks and are useful for identifying previously compromised information, while paid cards are current, often functional, and marketed on underground platforms. HEROIC collects associated metadata such as BINs, expiration dates, issuing countries, prices, and seller reputations. Users can perform single BIN lookups, submit bulk queries, configure automated monitoring, and download results in formats including CSV, Excel, or JSON.
Search Capabilities and Limitations
The API enables structured searches, including masked or SHA-256-hashed card numbers, owner names, CVV codes, and expiration dates. Users can apply advanced filters and syntax to refine results and maintain privacy. Monitoring options are available for ongoing updates. While powerful, the system is affected by common challenges, such as disappearing data, duplicate listings, low-quality or fake records, and the migration of card sales to newer platforms like Telegram and Discord. HEROIC continues to improve its scraping and detection capabilities, with regular updates and expanding coverage to adapt to the evolving threat landscape.
What types of credit cards are indexed by HEROIC?
HEROIC tracks two primary categories of compromised credit card data uncovered across the deep and dark web:
This endpoint enables you to search for exposed credit card records discovered in data breaches and leaks. You can use query parameters to filter results by cardholder, issuing bank, or other criteria. The response includes masked card numbers, CVVs, expiration dates, issuing bank details, and breach-related metadata.
Advanced Search Syntax
Available Fields:
Field | Details |
---|---|
createdAt | Creation date & time. |
number | Credit card number (default field), masked with X in the middle except first 6 and last 4 digits. |
Hash | SHA-256 of a credit card number |
expireDate | Expiration date |
cvv | Card verification value |
owner | Owner name |
bank | Issuer bank name |
leakId | Leak ID |
Operators: AND, OR, NOT
Examples:
411111*
400012XXXXXX7890
400012*7890
owner:"Alice Smith" AND bank:"Chase Bank"
number:411111* AND owner:"Bob Lee"
cvv:555 AND expireDate:[2023-01-01 TO *]
The credit card search API supports both pagination and advanced search capabilities. Sensitive information, such as full card numbers, is never exposed—only masked versions are included in the response.
page | integer Example: page=0 Page number (zero-based). |
size | integer Example: size=10 Number of records per page. |
sort | string Example: sort=createdAt,desc Sort order (e.g., createdAt,desc). |
query | string Example: query=owner:Johnson AND bank:Citibank Search query (e.g., owner, bank, etc). Supports logical operators (AND, OR). |
x-api-key required | string API key for authentication. |
{
  "number": 0,
  "size": 10,
  "totalElements": 352,
  "totalPages": 36,
  "numberOfElements": 10,
  "first": true,
  "last": false,
  "hasContent": true,
  "content": [
    {
      "id": "70852ff0-fab3-3c49-87c7-9545fefcb02c",
      "createdAt": "2025-03-13 05:42:36",
      "bank": "FARMERS STATE BANK",
      "number": "424744XXXXXX0328",
      "owner": "Chad Wells",
      "cvv": "045",
      "expireDate": "2025-02-01",
      "cvssScore": 10,
      "leakId": "0f53e4b1-8c6a-3e38-96ac-c90909faf678",
      "leakName": "stealer log 11.02.2025",
      "leakPublishDate": "2025-02-11",
      "leakDiscoverDate": "2025-02-19",
      "leakSize": 59634800800,
      "leakTags": "password,log,credit-card,ip,email,hash,url,account,username"
    }
  ]
}
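For an issuer or merchant checking its own cards, the `query` string can be built from the masked form or the SHA-256 hash so the full number never leaves the caller. The following is an added example, not HEROIC's code: the helper names are hypothetical, the card number is constructed, and it assumes the `Hash` field expects the lowercase hex digest of the digits only and that values containing quotes or backslashes should be rejected, since the page documents no escaping rule.

```python
import hashlib
import re

# Field names from the "Available Fields" table on this page.
FIELDS = {"createdAt", "number", "Hash", "expireDate", "cvv", "owner", "bank", "leakId"}

def _digits(pan):
    """Strip spaces and dashes and check the result looks like a card number."""
    digits = re.sub(r"[\s-]", "", pan)
    if not re.fullmatch(r"[0-9]{13,19}", digits):
        raise ValueError("not a card number")
    return digits

def mask_pan(pan):
    """First 6 and last 4 digits kept, the middle replaced with X."""
    d = _digits(pan)
    return d[:6] + "X" * (len(d) - 10) + d[-4:]

def pan_hash(pan):
    # Assumption: SHA-256 over the ASCII digits only, lowercase hex output.
    return hashlib.sha256(_digits(pan).encode("ascii")).hexdigest()

def term(field, value):
    """One field:value term; refuses values that could break out of the quotes."""
    if field not in FIELDS:
        raise ValueError(f"unknown field: {field!r}")
    if re.search(r'["\\]', value):
        raise ValueError("quote or backslash in value")
    return f'{field}:"{value}"' if " " in value else f"{field}:{value}"

def card_query(pan, use_hash=False, **extra):
    """Build a query for one card, optionally narrowed by owner, bank, etc."""
    first = term("Hash", pan_hash(pan)) if use_hash else term("number", mask_pan(pan))
    return " AND ".join([first] + [term(f, v) for f, v in extra.items()])
```

The returned string goes in the `query` parameter and still needs URL-encoding when the request is built.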