Ethical Hacking How to Find Personal Information about anyone via OSINT

How to Find Personal Information about anyone via OSINT

Today we’ll disucss on how to discover an individual’s digital footprint and gather personal data of anyone over the web through the use of open-source intelligence (OSINT). So, in its easiest way, OSINT is described as a process by which we collect information from publicly available sources. These sources aren’t limited to online searches or Google, however from newspapers, tv, blogs, tweets, social media, images, podcasts, or videos as long as it’s public, free, and authorized.

The scope of OSINT is just not limited to the cybersecurity field. But corporate, navy intelligence, sales, advertising, and product administration are all utilizing OSINT techniques to be more productive whereas delivering their services to the public.

The scope of OSINT

The Steps to perform OSINT

Now you’re wondering how an individual can use this method to get the advantages of the data that may be accessed publicly. Well it isn’t a rocket science to learn how you may perform OSINT, just a few important points you want to remember before initiating a search:

  • At first, you want to start with what information , i.e., email, username, etc.
  • Then you’ll define your requirements, i.e., what you need to get
  • Now start gathering the data through the use of OSINT Tools (which we’ll discuss later)
  • After collecting data start analyzing it
  • Pivot as needed utilizing new gathered data
  • Validate your assumptions
  • At last, generate the report

Based upon these steps, let’s discuss what information we will collect related to the known components (i.e., username, email addresses, cellphone numbers etc.) and what are the available resources on the web to serve the aim.

Username Search – OSINT

Let suppose I’ve a target’s username on which I’ve to collect as a lot information as doable from the publicly available sources. The below flowchart shows that from a single username, how will you access data related to that username.

Username Search - OSINT

From a username of the target, you may attain to its email address because many instances usernames derived from the e-mail addresses. If that isn’t the case, then you may assume an address and search it on Have I been pwned, a web site allows you to search throughout multiple data breaches to see in case your email address has been compromised. If you assumed it right, it certainly resides on Have I been pwned database because there’s a possibility your target’s email account compromised shortly.

Simply typing username on search engines also gathers hundreds of thousands of information, and you’ll attain to its social media account.

There are also some username search tools from where you may easily attain to its social media account. Social media platforms also let personal information like real name, Home address, age, gender, hobbies, check-ins, etc. That means reaching to the social media account is the final flag, that reveals plenty of personal information.

You can even strive manual attempts on social media platforms to get the e-mail address of the username and other personally identifiable information. Apart from online services, you should utilize a Github project WhatsMyName, a repository that has the unified data required to perform user enumeration on varied web sites. One thing you will have to take into account that whereas doing searching on multiple sites, you would possibly get false positives as another person can use the identical username, be ready for that. 

How to Perform OSINT on Email Address

Let say I’ve an email address of my target; the below flowchart shows how I can use that single information to reveal the non-public data related to it.

How to Perform OSINT on Email Address

The very first thing to do is to verify the e-mail address you will have. For this purpose, there are some online tools available that are described below:

  1. Hunter

enables you to find email addresses in seconds. You just have to type a domain name to launch the search. The Domain Search will list all of the people working in an organization with their names and email addresses found on the web.

  1. Proofy

Proofy is a strong email validation tool that permits bulk email validation having an accuracy of over 96%. By utilizing this tool, you may verify emails in volume, with email deduplication, syntax checker, MX Records verifier, and other validations.

  1. Email permutator

This tool will generate tons of valid email addresses whenever you enter the name and domain of an individual you search.

  1. OSINT browser extension

Browser extensions are having plenty of helpful links, including ones for email search and verification. They are appropriate with Firefox and Chrome.

After verifying the e-mail address, now you may remove its domain to get the username and attain its social media account. You can even search that email address directly on social media platform let’s imagine Facebook that may list the employer, perhaps an actual name or other related information.

By searching that address on search engines might allow you to attain to the web sites of blogs from where you may get their username or social media account.

The most fun thing from this flow chart we will see is how you may assume a private email address of an individual by their username, verify that address and reset password its social media account password. This could seem impossible by studying it, however a lot of the time, social media accounts are hacked by this method.

OSINT Investigation utilizing Phone Numbers

OSINT Investigation using Phone NumbersThere is a common mistake by users of social media accounts, for instance, Facebook, to link a cellphone number to their Facebook profile. Even on the Facebook search, you would find personal numbers if the privacy is moderate.

Other than that, user-supplied databases of cellphone numbers like or that collects hundreds of thousands of data by selling their services can be utilized to get the outcomes.

There is a really famous tool PhoneInfoga to scan cellphone numbers utilizing only public resources. At first, the primary focus is on gathering necessary information like nation, area, service, and line type on any international cellphone numbers with glorious accuracy. After that, it tries to find the VoIP provider or search for footprints on search engines to strive to identify the owner. It provides comfort by checking several numbers directly and perform OSINT reconnaissance utilizing external APIs, Google Hacking, cellphone books, & search engines.

Domain name OSINT

Domain name OSINT

If a web site of an individual owns that you’re investigating, then it can quickly reveal important information related to it, such because the operating system getting used, software version, personal contact info, and more. Many utilities can perform this job for you:


It provides information about all of the registered users or assignees of an Internet resource i.e., domain name, an IP address, or an autonomous system. It contains a widely used Internet record listing that recognizes who owns a domain and how to get involved with them.

Reverse whois

It is a helpful tool that may allow you to search for domains by the name, address, cellphone number, email address, or physical address of the registrant listed in current or outdated Whois records. When you perform a Reverse Whois, you’ll merely enter any of the registrant’s personal information, and all domains with a Whois record containing that piece of data might be returned.

The Top 3 OSINT Tools

Many automated tools are dedicated to this purpose and can ease the duty to solve more complex issues. If your query is just to find related information in your data, then you should utilize the above options. Still, these manual searches will be time-consuming should you are performing a digital investigation or gather information for penetration testing. For complex OSINT investigation, the next tools are convenient to get the on-demand results.


Maltego is an Open Source Intelligence and forensics software developed by Paterva. This tool is used to solve more complex questions by taking it a single piece of information, then discovering links to more items of data relating to it. Finally, it provides an entire large picture when it comes to graphs to visualize the output.

It has multiple features which are said to be Transforms, which pull the related information via API pulls after which comparing the gathered data that tends to give significant information.


A easy and useful tool will fetch the proper information of the target. It is beneficial for scanning domains and gathering information like emails, subdomains, hosts, employee names, open ports, and banners from different public sources like search engines, PGP key servers, and SHODAN computer database. It also uses some common platforms like Yahoo, LinkedIn, Facebook, etc.


Recon-ng is a command-line reconnaissance tool with an interface similar to Metasploit. Initiating Recon-ng will allow you to enter a shell-like environment where you may configure options, perform recon, and output results to different report types. This tool is preloaded with a great deal of modules that use online search engines, plugins, and API that may assist in gathering the information of the target.

This article mainly focuses on how an individual can collect information through the use of open source intelligence. Even a non-technical one which has zero knowledge about cybersecurity, he can use online sources and, with few clicks to collect a number of data that’s publicly posted on the surface web. You can even realize how easy it’s to get anybody’s personal information, which is floating on this digital world. These techniques will also be used for a malicious purpose and would possibly cause damage, so one ought to use them rigorously.


Please enter your comment!
Please enter your name here