Block breached passwords.
Cut account takeovers before they start.
LeakJar helps you screen compromised passwords during signup and reset—using privacy-preserving checks and actionable policy outcomes.
Integrates with your existing auth stack
Why this matters
Weak passwords aren't the only problem—reused breached passwords are.
Billions of credentials have been exposed in data breaches. Attackers use these lists to compromise accounts at scale. LeakJar gives you the tools to detect and respond.
Privacy-Preserving Checks
Query our breach corpus without sending full password hashes. k-Anonymity range queries keep credentials safe in transit.
Actionable Policy Outcomes
Block, step-up, force reset, or notify — choose how your application responds when a compromised password is detected.
Operational Visibility
Track how many passwords are flagged, which policies trigger most, and measure your security posture over time.
How it works
How LeakJar Password Protect works
Four steps. No plaintext exposure. Full control over policy enforcement.
Hash on your side
Compute a SHA-1 hash of the password locally. Only a short prefix leaves your infrastructure.
Query a privacy-preserving range endpoint
Send the hash prefix to the LeakJar API. We return all matching suffixes — without ever learning the full hash.
Apply policy
Compare locally. If matched, enforce your chosen policy: block the password, require MFA, force a reset, or log for review.
Track impact in the console
Monitor check volumes, match rates, and policy outcomes in real time from the LeakJar console.
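The four steps above as an added Python example (not LeakJar's own code or SDK). Assumptions: a 5-character prefix, a "hash" field that carries only the suffix, an in-memory stand-in for the range endpoint, and a hypothetical policy mapping with a constructed threshold.

```python
import hashlib
import json

PREFIX_LEN = 5  # assumption: the page only says "a short prefix"

def split_hash(password: str) -> tuple[str, str]:
    """Step 1: SHA-1 locally; return (prefix to send, suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

# Constructed stand-in for the breach corpus: full SHA-1 -> times seen.
_CORPUS = {
    hashlib.sha1(b"password").hexdigest().upper(): 3861493,
    hashlib.sha1(b"Tr0ub4dor&3").hexdigest().upper(): 12,
}

def fake_range_endpoint(prefix: str) -> str:
    """Step 2, server side: sees only the prefix, returns every matching suffix."""
    hits = [{"hash": h[PREFIX_LEN:], "count": c}
            for h, c in _CORPUS.items() if h.startswith(prefix)]
    return json.dumps({"suffixes": hits})

def breach_count(password: str, query=fake_range_endpoint) -> int:
    """Step 3: compare suffixes locally; 0 means the password was not found."""
    prefix, suffix = split_hash(password)
    body = json.loads(query(prefix))
    for entry in body.get("suffixes", []):
        # Normalise case so a lowercase response still matches.
        if entry["hash"].upper() == suffix:
            return int(entry["count"])
    return 0

def policy_outcome(count: int, flow: str) -> str:
    """Hypothetical mapping onto the outcomes the page names."""
    if count == 0:
        return "allow"
    if flow in ("signup", "change", "reset"):
        return "block"  # a new password that is already breached is refused
    # Assumed case: an existing credential is found to be compromised.
    return "force_reset" if count >= 100 else "step_up"

if __name__ == "__main__":
    for pw, flow in [("password", "signup"), ("Tr0ub4dor&3", "existing"),
                     ("v7#Lq-constructed-sample", "reset")]:
        n = breach_count(pw)
        print(f"{flow:9} count={n:<8} -> {policy_outcome(n, flow)}")
```

In production the `query` argument would be an HTTPS call to the real range endpoint, and the caller has to decide whether a failed lookup allows or blocks the password.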
Developer-first
Add breached password screening in minutes
A single API call is all it takes. Hash locally, query the range endpoint, and enforce policy.
HTTP/1.1 200 OK

{
  "suffixes": [
    { "hash": "1E4C9...8FD8", "count": 3861493 },
    { "hash": "A2B09...CA5C", "count": 12 },
    ...
  ]
}

Products
Two products, one workflow
Prevent compromised passwords at the gate and monitor for new exposures after the fact.
Password Protect API
Screen passwords at signup, change, and reset against billions of known-compromised credentials. Privacy-preserving by design.
Exposure Monitoring
Get domain-scoped alerts when credentials tied to your organization appear in new breach data. Context for triage, not voyeurism.
What security teams say
Trusted by teams who take credential security seriously
“LeakJar cut our credential stuffing incidents by 73% in the first quarter. The privacy-preserving approach made it easy to get buy-in from our legal and security teams.”
Sarah Chen
Head of Security Engineering, Series B Fintech
“We integrated the Password Protect API in under an hour. The range-prefix model means we never send sensitive data, which was a hard requirement for our compliance team.”
Marcus Rivera
Staff Engineer, E-commerce Platform
“The exposure monitoring alerts gave us context we never had before. When a breach hits, we know which accounts need resets within minutes, not weeks.”
Anja Kowalski
Director of InfoSec, Enterprise SaaS
FAQ