Quick n' dirty loop to check breaches against Have I Been Pwned API

Using Have I Been Pwned to see if your email address has been breached? Most of us have more than one email address which can make plunking each address into the site painful. But, fear not, there’s an API here

There’s a million ways to use it and a crappy little bash script works just fine.

Here’s mine:

Main points

File with email addresses
The script
Loop it all together
Did it work?

File with email addresses

Create a text file with one email address per line. I called mine emailaddys. Something like:

email1@domain.com
email2@domain.com
email3@domain.com

email1@domain.com

email2@domain.com

email3@domain.com

The script

Write a one-liner like this. I called mine check_haveibeepwned.sh:

curl -A "Some identifying user agent" https://haveibeenpwned.com/api/v2/breachedaccount/$1?truncateResponse=true

1	curl -A "Some identifying user agent" https://haveibeenpwned.com/api/v2/breachedaccount/$1?truncateResponse=true

Loop it all together

for addy in `cat emailaddys`;do ./check_haveibeepwned.sh $addy; sleep 2;done

1	for addy in `cat emailaddys`;do ./check_haveibeepwned.sh $addy; sleep 2;done

Note: The rate limiting is not specified in the API docs, but I found that sleep 2 was necessary to avoid tripping it. A User Agent is also required.

Did it work?

Breaches look like this (that’s 4 separate breaches):

[{"Name":"Gawker"},{"Name":"LinkedIn"},{"Name":"MySpace"},{"Name":"Tumblr"}]

1	[{"Name":"Gawker"},{"Name":"LinkedIn"},{"Name":"MySpace"},{"Name":"Tumblr"}]

Clean addys return nothing at all.

Enjoy.