Last updated: June 2026

Acceptable Use Policy

LeakJar provides tools exclusively for defensive security purposes. This policy defines how our services may and may not be used.

This policy is actively enforced

We enforce this Acceptable Use Policy proportionately to the nature and severity of the violation. Depending on the circumstances, violations may result in suspension or termination of your account, and, where warranted, legal action or reporting to relevant authorities.

Permitted Uses

LeakJar services are designed for and may only be used for the following legitimate, defensive security purposes:

Defensive Security Screening

Checking passwords submitted by your own users (at signup, login, or password reset) against known breached datasets to prevent the use of compromised credentials within your application.

Password Policy Enforcement

Integrating breach detection into your password policies to comply with NIST SP 800-63B, SOC 2, ISO 27001, or other security frameworks that recommend screening against known breached passwords.

Compliance & Audit

Using LeakJar's reporting and monitoring capabilities to demonstrate compliance with regulatory requirements and security standards related to credential hygiene.

Exposure Monitoring

Monitoring your organization's domains for credential exposure in data breaches to proactively protect your users and employees.

In all cases, your use of LeakJar must be lawful and must comply with all applicable laws and regulations, including applicable data-protection and privacy laws (such as the GDPR and CCPA/CPRA). You are responsible for having a valid legal basis for processing any personal data you submit to or obtain through the Services.

Prohibited Uses

The following uses of LeakJar services are prohibited. Attempting to use our services for any of these purposes may result in enforcement action proportionate to the violation.

Credential Stuffing

Using LeakJar data or APIs to attempt unauthorized access to accounts on any service by testing breached credential pairs.

Unauthorized Access

Using our services to gain unauthorized access to any system, network, or account that you do not own or have explicit permission to test.

Offensive Security & Red Teaming

Using LeakJar services as part of offensive security operations, penetration testing against third-party systems without authorization, or any form of attack simulation without explicit written consent from the target organization.

Reselling or Redistributing Data

Reselling, sublicensing, or redistributing any data, results, or outputs obtained through LeakJar services to any third party, except where an authorized data partner is expressly permitted under a written agreement with LeakJar to provide approved data or results to its customers for defensive account-security purposes.

Building Competing Services

Using LeakJar services to build, train, or improve a competing breached credential detection product or service, except for authorized data partners using approved LeakJar data or results under a written agreement to support their customers' account-security workflows.

Harassment or Doxxing

Using breach data to harass, threaten, blackmail, or expose individuals. This includes correlating breach data to identify or target specific individuals.

Bulk Data Extraction

Systematically querying our APIs to reconstruct, enumerate, or extract our underlying breached credential datasets.

Circumventing Security Controls

Bypassing, disabling, or circumventing our security controls, rate limits, access restrictions, or k-anonymity and other privacy protections, or otherwise attempting to defeat the safeguards that keep sensitive data confidential.

Enforcement

LeakJar takes violations of this policy seriously. We actively monitor for abuse and investigate reports of policy violations.

Investigation

Upon becoming aware of a potential violation, LeakJar will investigate the matter. During investigation, we may suspend access to the Services as a precautionary measure.

Consequences

Depending on the severity and nature of the violation, consequences may include:

  • Written warning and required corrective action.
  • Temporary suspension of API access and account privileges.
  • Permanent termination of your account without refund.
  • Reporting to law enforcement or other relevant authorities.
  • Legal action to recover damages or enforce compliance.

Security Research & Responsible Disclosure

SEW INC welcomes good-faith security research that helps us keep LeakJar and our users safe. If you discover a vulnerability and act in good faith and within the scope and conditions described below, we will not pursue or support legal action against you under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), or these terms, and we will treat your research as authorized.

Safe Harbor Conditions

To qualify for this safe harbor, you must:

  • Report the issue promptly to security@leakjar.com.
  • Give us a reasonable time to investigate and remediate before publicly disclosing the issue.
  • Only access, modify, or exfiltrate the minimum amount of data necessary to demonstrate the vulnerability, and never more.
  • Avoid violating the privacy of others, destroying data, or interrupting or degrading our Services (including any denial-of-service testing).
  • Comply with all applicable laws and refrain from any activity outside the scope of good-faith research.

This authorization applies only to systems we own or operate and does not extend to third-party systems, services, or data. If you are unsure whether your research is in scope, contact us at security@leakjar.com before proceeding.

Reporting Violations

If you become aware of any violation of this Acceptable Use Policy, we encourage you to report it immediately. Reports can be submitted to:

Please include as much detail as possible, including the nature of the violation, any supporting evidence, and the account or API key involved. All reports are treated confidentially.