// tool reference · Vulnerability & Assessment
Account & Exposure Check Free + Pro
Check breached passwords/emails and domain spoofability.
Open Account & Exposure Check →
What it does
Checks whether an email address or password appears in known breach corpora. The password path is built so that your password never leaves the browser in a usable form.
When to use it
- Onboarding, to check a reused password before it becomes your problem.
- After a third-party breach, to see whether your domain appears.
Inputs
Field names are the actual form parameters, verified against source.
| Field | Type | Required | Notes |
|---|---|---|---|
| optional | Address to check. | ||
| password | password | optional | Checked via k-anonymity — see method. |
| domain | text | optional | Domain-wide exposure. |
| authorized | checkbox | required | You confirm the address/domain is yours. |
| action | hidden | optional | Which check to run. |
What you get back
Breach appearances with dates and what was exposed, plus what to do.
How it works
k-anonymity for passwords: the password is SHA-1 hashed locally and only the FIRST FIVE characters of that hash are sent. The range of matching hashes comes back and the comparison happens on our side of the wire — the remote service never sees enough to identify your password. Outbound requests go to fixed, hardcoded hosts.
Limits
Read live from the platform configuration.
| Free | — check |
| Pro | — checks |
| Timeout | —s |
Privacy
Passwords are never stored, never logged, and never transmitted whole.
Standards
NIST SP 800-63B (breached-password screening)