Investigate the data-breach exposure of email addresses directly on a Maltego graph, powered by the free, keyless XposedOrNot API (760+ breaches).
No API key. No registration. An optional commercial key raises rate limits.
| Transform | Input | Output | What it does |
|---|---|---|---|
| Email to Breaches | maltego.EmailAddress |
xon.Breach |
One entity per breach, fully styled (see legend) with records, dates, exposed data classes, password-storage risk |
| Email to Exposure Summary | maltego.EmailAddress |
xon.ExposureSummary |
Overall risk score, totals, first/latest exposure, password-strength breakdown and a year-by-year timeline in the notes |
| Breach to Exposed Data | xon.Breach |
xon.DataClass |
Pivot a breach into the data classes it leaked — zero API calls (reads the entity's properties) |
- Link color = password-storage risk: 🔴 plaintext · 🟠 easy-to-crack · 🟢 strong hash · ⚪ unknown
- Link thickness = breach scale (≥1M records thicker, ≥100M thickest); link label = breach year
- Entity weight = log-scaled records exposed, so mega-breaches rank first in list views
- Bookmark color mirrors the risk; a "plaintext passwords" text overlay flags the worst offenders
- Detail view (double-click) carries the full dossier table; notes carry the breach description
- Breach entities use the breached site's logo as icon where available
Runs on your machine; API calls originate from your IP, so the free keyless limits (2 req/s, 25/hour) are yours alone.
git clone https://github.com/XposedOrNot/XposedOrNot-Maltego.git
cd XposedOrNot-Maltego
python3 -m pip install -r requirements.txtThen in Maltego: Import | Export → Import Config, and import — in this order:
dist/xon-entities.mtz— the XposedOrNot entity types and iconsdist/xon-local-transforms.mtz— the three transforms (they invokepython3 project.pyin this folder; re-generate withpython3 tools/build_mtz.pyif you cloned to a non-default path and the transform working directory needs fixing)
Right-click any Email Address entity → Run Transform → Email to Breaches [XposedOrNot].
Optional API key in local mode: export XON_API_KEY=... in the environment Maltego
is launched from.
docker compose up -d # serves the TRX API on :8080Point your Maltego iTDS at https://<your-host>/run/<transform-name> for the three
transform names (python3 project.py list prints them), or import via your TDS
management console using the generated transforms.csv / settings.csv. The optional
API key is exposed as a transform setting (api_key) for TDS deployments, or the
XON_API_KEY environment variable server-side.
Note: on a shared server, all users egress from one IP — configure a server-side API key rather than relying on keyless per-IP limits.
Keyless community API: 2 requests/second, 25/hour, 100/day per IP — comfortable for
casework, tight for bulk runs. On a 429 the transform retries once when the API's
Retry-After fits Maltego's time budget, otherwise it returns a clear slow-down
message. A commercial key from console.xposedornot.com
raises the limits.
The queried email address is sent over TLS to xposedornot.com — nothing else. Email
addresses are never written to logs (masked forms only, e.g. t***@example.com).
Breach exposure tied to an email address is personal information: use it only within
lawful, authorised investigations. Privacy policy: https://xposedornot.com/privacy.
python3 -m pytest tests/ # unit + XML-injection fuzz tests
python3 project.py local xonemailtobreaches test@example.com # live run
python3 project.py runserver # dev TRX server
python3 tools/build_mtz.py # rebuild dist/*.mtz- "No exposed-data information on this entity" — run Email to Breaches first; it attaches the data classes each
xon.Breachentity carries. - Rate-limit message — wait a minute (keyless: 25/hour/IP) or configure the key.
- Transforms missing after import — import
xon-entities.mtzbeforexon-local-transforms.mtz, and check the transform's working directory points at your clone.