Last Updated on April 9, 2025 by devaxposedornotcom
How It All Started
I have been fascinated by forensics since I started using computers way back in 1998. Systems fascinated me. I read extensively to understand how they worked, and online articles were invaluable resources.
With that interest, in 2004 I was introduced to the world of CTF (Capture The Flag), where players compete with each other to solve technical problems. The sheer thrill of solving a challenge was immense, and I got addicted to it.
Slowly with time, our team got placed higher and higher in ranks and finally we reached #1 rank in India which was a major achievement. Within our team, we had very good friends who had various specialisations. One could talk in binary, another specialized in reverse engineering, and another was a wizard with web technologies.
I stood apart by focusing exclusively on forensics. I liked solving them.
This journey of CTF showed me my interest and desire towards solving forensic challenges.
While analyzing breaches that were exposed publicly, I noticed a big problem. Most people had no easy way of knowing if their own personal information—like emails, passwords, or even domain-related data—had leaked online.
Even worse, many weren’t aware their data had been compromised until it was too late. Some tools existed, but none gave a complete picture. The other side of it was the commercial tools, which were not affordable to the general public.
For example, take a user whose email address has been exposed in data breaches. Existing tools could tell you that your email appeared in a breach, but that is no longer sufficient today.
What about your exposure? What is your risk score? What should you do after a breach?
Can I visualise it for common users? Can we do the same for company domains?
That’s when the idea struck me: What if there was a simple, free tool that anyone could use to check their data breach exposure easily? And with that seed idea, XposedOrNot was born.
At first, it was straightforward—check if any password was in a breach. Then I added email address checks, domain-level checks, risk scores, impact assessment, and much more. It grew way beyond my initial plans, quickly becoming a trusted platform for thousands of users globally.
The entire codebase and backend API are open source and hosted on GitHub. The first version of the site, from 2018, is preserved on the Web Archive.
The entire project is community driven and is provided free of charge to general users. And it will remain so with no conditions till the end. This has been helping thousands of users check for their breach exposure.
At the same time, companies can verify their domain in three simple steps, using DNS or HTML verification methods, and get the breach exposure of their employees.
But recently, we faced a big challenge—our website couldn’t keep up with the growing user demand. Our backend, initially built with Python Flask, started showing limitations.
I knew something had to change. So I decided to migrate everything to something better and faster.
Growing Pains and Scaling Issues
Adding to that, there were commercial users like MSSPs, Threat Intel Providers who consume this data through APIs directly. Their demands are high. Requests come in large numbers.
Now with more community users and commercial users making use of the API, the problem started growing larger and larger.
What used to be a once-in-a-blue-moon event, an API request exceeding 1 second, became an everyday occurrence, and we started seeing requests exceeding 3 seconds and even 5 seconds, which are far from desirable times for an API request.
Flask was fantastic at the beginning. It’s straightforward, easy to understand, and works great when your traffic isn’t very high. But as more people began using XposedOrNot daily, things got complicated quickly.
Flask handles requests synchronously. In simpler terms, it deals with each user’s request one after another, like people lining up to buy tickets at a single counter. This means when traffic spikes, everyone experiences delays. Users would sometimes wait a few extra seconds or, in worst cases, face request timeouts, which is bad.
Ever checked if your email or domain users were part of a big data breach, only to have the site load super slowly? Yeah, that’s pretty frustrating — and honestly, a bit embarrassing for us. As more people started using the site, stuff like that started happening more often.
I tried everything: code optimizations, all the usual best practices, caching, and upgrading infrastructure. But the core issue was Flask itself. It wasn't designed for the kind of traffic and concurrency we were experiencing.
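The ticket-counter analogy above is the whole reason the migration paid off. The following is an added example, not code from XposedOrNot: a toy breach lookup (the breach index, delay and email samples are constructed) served first by a blocking handler that processes one request after another, then by an `async` handler that lets one worker overlap many waits on the event loop. Both handlers return the same response envelope for success and error cases, which is the "consistent responses" point made later in the post.

```python
import asyncio
import re
import time

# Constructed sample index: which (fake) breaches an email appears in.
BREACH_INDEX = {
    "alice@example.com": ["Breach-A", "Breach-B"],
    "bob@example.com": [],
}
LOOKUP_DELAY = 0.02  # simulated database / network wait per lookup, seconds
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def envelope(status, **fields):
    """One response shape for success and error alike."""
    return {"status": status, **fields}


def check_email_sync(email):
    """Flask-style handler: blocks the worker for the whole lookup."""
    if not EMAIL_RE.match(email):
        return envelope("error", code=400, message="invalid email")
    time.sleep(LOOKUP_DELAY)
    return envelope("ok", email=email, breaches=BREACH_INDEX.get(email, []))


async def check_email_async(email):
    """FastAPI-style handler: yields to the event loop while waiting."""
    if not EMAIL_RE.match(email):
        return envelope("error", code=400, message="invalid email")
    await asyncio.sleep(LOOKUP_DELAY)
    return envelope("ok", email=email, breaches=BREACH_INDEX.get(email, []))


def serve_sequential(emails):
    """Single counter: every request waits for the previous one to finish."""
    start = time.perf_counter()
    results = [check_email_sync(e) for e in emails]
    return results, time.perf_counter() - start


def serve_concurrent(emails):
    """One worker, all lookups in flight at once; wall time is about one delay."""
    async def run():
        return await asyncio.gather(*(check_email_async(e) for e in emails))
    start = time.perf_counter()
    results = asyncio.run(run())
    return results, time.perf_counter() - start


if __name__ == "__main__":
    batch = ["alice@example.com", "bob@example.com", "not-an-email"] * 4
    _, t_seq = serve_sequential(batch)
    _, t_conc = serve_concurrent(batch)
    print(f"sequential {t_seq:.3f}s vs concurrent {t_conc:.3f}s")
```

Note that the gain only appears when the handler actually awaits its I/O; a CPU-bound handler, or a blocking database driver called from an `async def`, stalls the event loop just like the single counter.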
Something needed to change.
Key Features of XposedOrNot and How They Benefit You
For Individuals:
- Email Breach Checks: Instantly find out if your email address has appeared in data breaches.
- Risk Scores: Quickly gauge your personal risk level and take proactive security steps.
- Breach Exposure Impact Assessment: Receive an immediate assessment of the impact of your exposed emails.
- Privacy Shield: Keep your information private by opting out of public data breach searches.
For Domain Owners:
- Domain-Level Checks: Confirm your domain ownership and access comprehensive breach analytics.
- Real-time Alerts: Get instant notifications whenever your domain shows up in new data breaches.
- CXO Dashboard: Effortlessly manage and monitor breach statuses across multiple domains from one intuitive dashboard.
For Organizations:
- Industry Insights: Understand industry-specific breach trends to better protect your organization.
- API Integration: Seamlessly incorporate XposedOrNot data into your internal security tools and workflows using our robust API.
For Developers & Researchers:
- Full API Access: Freely utilize our comprehensive API to create custom solutions or integrate breach data into your existing projects (see the tools built using our API).
- Open Source Collaboration: Dive into our open-source GitHub repository, inspect the codebase, and contribute to enhancing security and functionality for everyone.
Why FastAPI Became Our Choice
While exploring alternatives, FastAPI quickly grabbed my attention. It was becoming popular due to its impressive performance and simplicity.
FastAPI also comes with excellent built-in documentation thanks to automatic OpenAPI schema generation: the docs are generated from the code itself and stay in sync with it. This helps the developers who are going to consume the API in their applications.
From their website: “FastAPI framework, high performance, easy to learn, fast to code, ready for production”
The more I read about it, the clearer the choice became. FastAPI was exactly what XposedOrNot needed—a powerful, scalable, and efficient backend solution.
Making the Switch: The Migration Process
Migrating an established project like XposedOrNot from Flask to FastAPI wasn’t straightforward. There were many considerations, like ensuring no downtime, maintaining data integrity, and preserving all user functionalities.
I started by carefully mapping out each Flask API endpoint and rewriting it as FastAPI endpoints. The migration wasn’t an easy task. It involved multiple tests, a bit of learning, and careful planning.
Thankfully, the clarity of FastAPI’s structure made this process smoother than expected.
One interesting learning point during this migration was that the entire code base could be made modular, compared to the monolithic structure I was used to. That makes it very easy to update individual components.
Another improvement was consistency. From success to error responses, everything could now be made uniform and structured, which helps avoid many of the inconsistencies common in projects of this nature.
This is also the time I started experimenting with Cursor, an AI-powered IDE. The most useful aspect of Cursor was helping refactor the large monolithic Flask app into manageable FastAPI chunks.
Adding to that, the code completions in Agent mode and the interactive queries in Ask mode were used extensively.
Migration Process
With the help of Cursor, I was able to bring in more best practices to the project.
It was a time full of learning and experimentation — from aligning with Python coding guidelines to improving readability and adding extended features.
I created a separate GitHub repository for this migration and started testing in my development environment. Though my core background is in security, not development, I have always liked the idea of creating something useful and beneficial to the general public.
Hence, I wanted to keep this as a separate project and later merge it into the production branch.
Once everything was rewritten, the next step was rigorous testing to ensure nothing broke.
After several rounds of testing, we finally went live, initially in phases. Only 50% of the traffic was forwarded to the new revision, and the rest went to the last revision.
I wanted to keep this fallback, just in case something failed miserably.
The results were immediately noticeable. And it was positive!
🔥Fun fact is that the first version of the API and front end web was completely created using VIM.
Immediate Benefits of Switching to FastAPI
Right after migrating to FastAPI, the site’s performance improved dramatically. API requests that previously took several seconds are now completed almost instantly.
Users noticed smoother, faster, and more reliable experiences right away.
Commercial users were the first to see the response times decrease. I was constantly in touch with many customers who cared greatly about how fast our API responded.
Any breakage or increased delay in the response is greatly frowned upon. Delays here could ripple into their systems, causing downstream supply chain issues.
Things were looking good. Response times started dropping considerably.
If you compare this chart with the previous data, the scale itself has changed. Previously, the X-axis was in seconds, and now it has moved to microseconds.
Average response for queries was less than 100-200 microseconds. A significant improvement, in my humble opinion.
From an operational perspective, FastAPI helped us improve the performance.
With clear code and better error handling, managing XposedOrNot became less time-consuming.
All I need to do is check the overall dashboard in Google CloudRun to look at the metrics of the last 24 hours. Quick glance and we are good.
Starting the day by reviewing FastAPI metrics on Cloud Run is a joy.
This efficiency means I can now spend more time improving the site, adding new features, and improving user experience. In fact, the last 15 days or so – the number of commits I made on my GitHub was greater than the last 3 months combined.
All thanks to this migration. I am inspired and humbled by the nature of this exercise.
Additional Useful Features
Apart from the core functionalities, XposedOrNot provides additional helpful features:
- Xposed Repository: Access visually engaging summaries of data breaches, simplifying complex information for easy understanding.
- Detailed Breach Repository: Get straightforward, easy-to-follow lists of specific breaches and impacted data.
- Data Breaches Visualization: Detailed visualizations of breaches grouped by year.
- Automatic Alerts: Set instant alerts to proactively stay informed about breaches involving your emails or domains.
- Industry Classification: Quickly identify which industries and sectors are most frequently targeted, enabling informed security strategies.
These extra features ensure even non-technical users find it easy to understand and protect their data.
Why Open Source Matters
I’ve always believed that transparency is essential, especially in cybersecurity.
I have been a Linux user since 1998. I started with Red Hat and currently use Ubuntu as the operating system on my work and development laptop. To me, open source is an ideology which I embrace fully.
The benefits to me over the last 25+ years have been numerous, and hence I would like to keep my work in the same direction.
That’s why I decided early on to make XposedOrNot entirely open source. Anyone can view our source code on GitHub, inspect it, and understand how the platform works.
Being open source invites collaboration from cybersecurity experts, developers, and enthusiasts globally.
The more people who look over our code and offer feedback, the better and more secure the platform gets.
We’re all about working together: when everyone jumps in to share ideas and help out, we can keep making things better as a community.
Contributions from individuals and organisations alike help continuously enhance XposedOrNot, making it a more reliable and user-friendly data breach alerting system for more users and corporates.
💡 If you’re into this project and want to show some love, hit that “Like” on GitHub! It really helps us spread the word and get this tool in front of more people.
The Future: Where We’re Heading
Switching to FastAPI was a significant step forward, but it’s just the beginning. Our goal remains the same: make data breach awareness accessible to everyone, everywhere, for free.
Looking ahead, I have exciting plans to add more sophisticated analytics, deeper insights into breaches, and even easier ways for users to safeguard their personal and domain-level information.
But ultimately, this platform belongs to you—the users and contributors. Your feedback and suggestions shape the direction we take.
I’m super excited for XposedOrNot.
👉 If you would like to contribute please check our GitHub or drop me a note.