Quick N' Dirty Loop to Check Breaches Against Have I Been Pwned API

Using Have I Been Pwned to see if your email address has been breached? Most of us have more than one email address which can make plunking each address into the site painful. But, fear not, there’s an API here There’s a million ways to use it and a crappy little bash script works just fine. Here’s mine:

File with email addresses

Create a text file with one email address per line. I called mine emailaddys. Something like:

email1@domain.com email2@domain.com email3@domain.com

The script

Write a one-liner like this. I called mine check_haveibeepwned.sh:

curl -A "Some identifying user agent" https://haveibeenpwned.com/api/v2/breachedaccount/$1?truncateResponse=true

Loop it all together

for addy in `cat emailaddys`;do ./check_haveibeepwned.sh $addy; sleep 2;done

Note: The rate limiting is not specified in the API docs, but I found that sleep 2 was necessary to avoid tripping it. A User Agent is also required. Did it work? Breaches look like this (this is 13 separate breaches of my own email address):


Clean addys return nothing at all. Enjoy.