A summary of completed actions, breach closures, xonPlus kickoff, and new initiatives launched.
1. A Quick Look Back
We are grateful to everyone who has used XposedOrNot and helped shape its journey from a simple breach lookup into a full-fledged breach alerting and intelligence platform used by everyone from end users to cyber threat intelligence providers.
XposedOrNot began in 2017 as an exposed password checking tool. The idea was straightforward: test a hypothesis and see whether such a service could genuinely help others.
What started as a single check gradually evolved into breach alerts, domain monitoring, privacy shield, a structured breach repository, visualizations, personalized dashboards, and more.
Each addition was driven by direct feedback and real operational needs from the community.
The entire platform, including both the web interface and the backend APIs, remains 100 percent open source and is publicly hosted on GitHub. Alongside the community edition, we also introduced a commercial offering for teams that need higher throughput, advanced search capabilities, domain monitoring, MSSP whitelabel, and deeper integrations.
This evolution led to the creation of xonPlus.
Looking back, 2025 marked a clear inflection point. This was the year XposedOrNot shifted from answering “was this exposed” to enabling continuous visibility and response.
The focus moved toward speed and scale, actionable alerts instead of static data, integrations over isolated dashboards, and a continued commitment to transparency and community trust.
Some of the key additions shipped in 2025 include:
- SDKs for npm and PyPI
- Phishing and typosquat detection
- MCP support for AI tool integrations
- VIP monitoring for high-risk accounts
- Launch of xonPlus as the commercial edition
- New breach datasets added throughout the year
- Real-time alert management and acknowledgement
- Transparency and quarterly reporting improvements
- A rebuilt API designed for significantly higher throughput
2. Our Evolution: From Checks to Continuous Monitoring
This evolution showed up most clearly in a set of platform improvements that were particularly well-received by users and customers during the year.
These changes were guided by a single goal: move from simply notifying users about breaches to helping them respond quickly and consistently when exposure occurs.
2.1 Real-Time Breach Alerting and Acknowledgement Workflows
Real-time alert management and acknowledgement moves XposedOrNot beyond simple breach notifications into a practical response workflow.
Instead of relying on scattered email alerts, all breach notifications are now visible inside the dashboard, where they can be reviewed, acknowledged, and tracked in one place.
This helps teams ensure that every alert is seen and acted upon, without important notifications getting lost in busy inboxes.
Each alert includes a clear status and an acknowledgement record, creating accountability and a reliable history of actions taken.
Once alerts are addressed, the dashboard reflects this clearly, giving teams confidence that no exposure has been overlooked.
This makes breach response more structured and consistent, whether an organization manages a single domain or multiple brands.
2.2 CXO and Leadership-Friendly Dashboards
CXO and leadership-friendly dashboards were built to translate breach data into clear, decision-ready insights.
Instead of overwhelming leaders with raw lists and technical details, the dashboards present exposure status, trends, and risk areas in a simple, visual format that is easy to understand at a glance.
Reports can be exported and sliced or analyzed further to support leadership reviews, compliance monitoring, audits, and deeper internal investigations, without pulling data from multiple tools.
2.3 VIP and High-Risk Account Prioritization
VIP Monitoring was built out of a very real frustration I have seen repeatedly during breach response.
When a breach hits, not all exposed accounts carry the same risk, yet security teams are often forced to treat them equally. This feature was designed to surface executive and other high-risk exposures immediately, so teams can answer the most important question first: are any of our leadership accounts affected?
By automatically identifying and prioritizing executives across verified domains, VIP Monitoring removes hours of manual searching and guesswork.
It gives teams the speed and clarity they need to act early, contain threats, and prevent minor credential exposures from turning into major incidents.
While these platform improvements focused on how teams see and respond to breaches, they depend heavily on the quality of the data underneath.
In 2025, a significant amount of work also went into strengthening the breach intelligence itself, improving how data is ingested, structured, and presented.
3. Breach Intelligence: Data Added and Improved
We ingested 59 new breaches into XposedOrNot in 2025 with improved deduplication, attribution, and timeline accuracy.
The current count of individual emails has risen to 10.6 billion. As the breach intelligence layer matured, the next logical step was making it easier for developers and security teams to use this data in their own systems.
That focus led directly to our work on SDKs and developer enablement, allowing breach intelligence to move beyond dashboards and into real workflows.
4. SDKs and Developer Enablement
As breach intelligence became more central to real workflows, we focused on making it easier for developers to consume and integrate that data. To that end, we released official XposedOrNot SDKs for JavaScript and Python.
Instead of dealing with raw APIs, retries, and error handling, you can now install a package, call a method, and get clear results in seconds.
The SDKs handle rate limits, retries, and common errors for you, and also provide access to detailed breach analytics and the full breach catalog.
They are open source, developer-friendly, and designed to drop straight into real applications without extra setup or boilerplate.
Publishing the SDKs on npm and PyPI was an important step for us.
It means developers can use XposedOrNot in the same way they use their other trusted libraries, with standard install commands, versioning, and documentation.
This lowers the barrier to adoption and makes it easier to integrate breach intelligence into everyday workflows, whether that’s a security dashboard, a sign-up flow, or an internal audit script.
5. Expanding Integrations and Alert Delivery
In the Community Edition of XposedOrNot, email remains the primary method by which users receive breach alerts. That works well for individuals and smaller teams, but as organizations grow, email alone is not enough.
With xonPlus, we focused on meeting teams where they already work.
Alerts can now be delivered and managed through multiple native integrations, including in-app real-time alerting with acknowledgement, Slack channel alerts, Microsoft Teams notifications, and Splunk SIEM integration.
This allows customers to receive breach information directly in the tools they already use every day, rather than relying on yet another inbox.
Once alerts land in the right place, teams can act immediately.
Many customers use these signals to trigger password resets, enforce access restrictions, enable or tighten MFA, or kick off incident response workflows.
Behind the scenes, everything is powered by a fast, API-first backend running on Google infrastructure, with average response times under 100 milliseconds.
Most commercial customers now consume breach data primarily through the API and treat it as a live threat intelligence feed, integrating it directly into their security workflows and applications.
We also designed xonPlus with MSSPs and partners in mind.
The API-first approach makes it easy to embed breach intelligence into managed services and downstream platforms.
We are currently in the final stages of integrating Azure Sentinel, which will enable even more teams to consume and act on breach signals directly from their SIEM.
6. Open Source, Scale, and Continuous Improvements
From the very beginning in 2018, the focus has been simple and consistent: keep XposedOrNot fully open source.
The entire project is publicly hosted on GitHub to encourage transparency, collaboration, and trust.
Keeping the architecture open also allows more eyes on the code, which naturally strengthens security when combined with a defense-in-depth approach.
6.1 Open Source First, Always
Both the web application and backend APIs remain 100 percent open source.
This makes it easier for the community to understand how the platform works, review changes, and contribute improvements.
While the project has grown significantly, the open model has helped keep the platform secure, auditable, and aligned with real-world needs rather than closed assumptions.
Over the past year, development activity increased noticeably across both the API and website.
Commits were intentionally kept small and focused to improve visibility, simplify reviews, and make debugging easier.
This approach helped maintain stability even as the pace of change picked up.
In total, we shipped 1355 commits in the API and the website during 2025.
6.2 Backend Modernization and Performance Gains
One of the most significant technical improvements in 2025 was the migration of the backend from Flask to FastAPI.
As usage grew, especially from API-driven workloads, the earlier architecture began to show its limits under higher concurrency. The move to FastAPI enabled better parallel request handling and more efficient use of infrastructure.
As a result, response times dropped, infrastructure load reduced, and performance became far more predictable during traffic spikes. This upgrade directly benefited both community users and commercial customers who depend on consistent, low-latency access.
6.3 MCP and Developer-Centric Security Workflows
Another major addition this year was MCP support, driven by strong demand from developers, the AI-assisted coding community, and indie builders.
MCP was built to bring breach intelligence directly into the tools developers already use, removing the need to context-switch between dashboards, APIs, and documentation.
By connecting XposedOrNot to AI coding assistants, teams can check breached credentials, pull analytics, and assess risk in real time without leaving their editor.
This allows compromised accounts to be identified earlier, stronger authentication to be applied selectively, and security decisions to happen naturally during development rather than after deployment.
6.4 Phishing Domain Detection
Phishing attacks often start long before the first malicious email is sent, with attackers registering lookalike or deceptive domains that imitate legitimate brands.
To address this blind spot, we introduced typosquatting and phishing domain detection to help organizations identify these threats early, before they are used for credential harvesting or impersonation.
By continuously monitoring for suspicious domain registrations and deceptive variations, XposedOrNot provides actionable intelligence that teams can use to block, take down, or respond proactively.
This closes a gap that traditional, email-focused phishing defenses often miss.
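One way to triage a feed of newly registered domains against a protected brand, shown as an added example (not XposedOrNot's code or detection rules). The brand `example.com`, the feed, the lookalike table and all function names are constructed for illustration.

```python
# Added example: constructed rules and data, not XposedOrNot's detection logic.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",        # digit lookalikes
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
})

def skeleton(label):
    """Fold common lookalike characters and sequences to a canonical form."""
    folded = label.lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def sld(domain):
    """Second-level label; assumes a single-label TLD (no public-suffix list)."""
    parts = domain.rsplit(".", 2)
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(candidate, brand):
    """Return why `candidate` resembles `brand`, or None if it does not."""
    cand, own = candidate.lower().rstrip("."), brand.lower().rstrip(".")
    if cand == own or cand.endswith("." + own):
        return None                                # the brand's own namespace
    label, target = sld(cand), sld(own)
    folded, want = skeleton(label), skeleton(target)
    if label == target:
        return "tld-swap"
    if folded == want:
        return "homoglyph"
    if osa_distance(folded, want) == 1:
        return "typo"                              # noisy for very short brands
    return "combo" if target in folded.split("-") else None

def triage(new_registrations, brand):
    """Map each suspicious newly registered domain to the rule that fired."""
    scored = ((d, classify(d, brand)) for d in new_registrations)
    return {d: reason for d, reason in scored if reason}

# Constructed feed of newly observed domains; example.com is the protected brand.
FEED = ["examp1e.com", "exmaple.net", "ex\u0430mple.com", "exarnple.org",
        "example-login.com", "example.net", "unrelated.org", "example.com"]
```

Calling `triage(FEED, "example.com")` returns the six lookalikes with the rule that matched each, which is the shape of record a blocklist or takedown queue would consume.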
Alongside these additions, we also ingested 59 new breach datasets during the year, significantly expanding overall coverage.
Both community and commercial users are automatically notified through their configured alerting channels when new data is added, keeping visibility current without manual effort.
7. Performance, Scale, and Reliability
With the core architecture modernized, the focus in 2025 shifted to operational reliability at scale.
The improvements made earlier in the year allowed XposedOrNot to handle growing traffic and API usage with far more consistency, even during spikes caused by large breach disclosures or bulk queries.
We introduced smarter caching through middleware, along with more deliberate rate limiting, to reduce unnecessary load and keep response times predictable under high-frequency access patterns.
These changes improved both platform responsiveness and overall stability, especially for customers who depend on the API as part of their daily security workflows.
The impact of this work was felt quickly. Users reported faster responses, fewer timeouts, and a more reliable experience across both the dashboard and API. This reinforced an important lesson for us: investing in performance and reliability is not separate from product development.
It is what makes continued growth and new capabilities possible without compromising trust.
8. What Comes Next
The next phase is less about adding surface-level features and more about deepening how different teams use breach intelligence in practice.
Looking ahead, the focus remains on direction rather than promises.
We also plan to strengthen automation and response hooks while maintaining a strong commitment to transparency and data quality. There are no fixed timelines to announce, just a clear intent to keep building what genuinely helps users respond faster and more effectively.
None of this would be possible without the community.
Thank you to the users, early customers, partners, and contributors who continue to share feedback, suggest integrations, and challenge assumptions.
Your input directly shapes how the platform evolves, and that collaboration remains central to where we go next.
As always, we’ll keep listening, building, and sharing progress openly.