People, identity and social media OSINT

Email discovery, username enumeration, LinkedIn and social media intelligence, reverse image search and phone number lookup.

Why people are the target

Infrastructure OSINT finds doors. People OSINT finds the keys. Employees are simultaneously an organisation's most valuable asset and its most exploitable attack surface. An attacker who knows the CFO's full name, their assistant's mobile number, the format of company email addresses and which employees recently left is well-equipped for spear phishing, pretexting or credential stuffing, without having touched a single company system.

Email discovery and harvesting

The standard way to reach a target's employees is via corporate email. Once you know the email format (typically firstname.lastname@company.com or f.lastname@company.com), you can synthesise addresses for anyone whose name you find.

Hunter.io (hunter.io): enter a domain and Hunter returns all email addresses it has found for that organisation, the confidence score for each, and, critically, the email format pattern. If it finds j.smith@acme.com and a.jones@acme.com, it infers the format and shows you what it predicts for any name you provide.
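Hunter's format pattern is essentially a majority vote over the addresses it has already seen. The script below is an added example (not Hunter's code and not part of the original page) that makes that inference explicit: it matches each (name, address) pair against a small set of candidate templates, picks the template most pairs agree on, and reports what share agreed. A security team can run it over the addresses its own organisation already publishes (press contacts, staff directories) to see how predictable its format is. The template names, the `acme.example` domain and the sample pairs are all constructed for the demo.

```python
import re
from collections import Counter
from typing import Optional

# Candidate address templates (names are our own labels, not Hunter's). Each maps a
# normalised (first, last) pair to the local part that template would produce.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}

def normalise(name: str) -> str:
    """Lower-case and drop anything that is not a-z (accents, hyphens, apostrophes)."""
    return re.sub(r"[^a-z]", "", name.lower())

def match_format(full_name: str, email: str) -> Optional[str]:
    """Return the template name that reproduces `email` from `full_name`, or None."""
    parts = full_name.split()
    if len(parts) < 2 or "@" not in email:
        return None
    first, last = normalise(parts[0]), normalise(parts[-1])
    local = email.split("@", 1)[0].lower()
    for fmt, build in FORMATS.items():
        if build(first, last) == local:
            return fmt
    return None

def infer_format(samples):
    """Infer the dominant template from (name, email) pairs.

    Returns (template, confidence), where confidence is the share of all samples
    that matched the winning template; (None, 0.0) when nothing matched.
    """
    votes = Counter(m for m in (match_format(n, e) for n, e in samples) if m)
    if not votes:
        return None, 0.0
    fmt, count = votes.most_common(1)[0]
    return fmt, count / len(samples)

def predict(full_name: str, domain: str, fmt: str) -> str:
    """Address a given name would have under template `fmt` at `domain`."""
    if fmt not in FORMATS:
        raise ValueError(f"unknown template: {fmt!r}")
    parts = full_name.split()
    first, last = normalise(parts[0]), normalise(parts[-1])
    return f"{FORMATS[fmt](first, last)}@{domain}"

# Constructed sample: addresses an organisation has itself published, the kind of
# input a format-inference service works from. One address does not follow the pattern.
SAMPLES = [
    ("Jane Smith", "j.smith@acme.example"),
    ("Alan Jones", "a.jones@acme.example"),
    ("María O'Neill", "m.oneill@acme.example"),
    ("Pat Lee", "pat.lee@acme.example"),
]

if __name__ == "__main__":
    fmt, conf = infer_format(SAMPLES)
    print(f"dominant template: {fmt} ({conf:.0%} of samples agree)")
    print("prediction for Chris Wong:", predict("Chris Wong", "acme.example", fmt))
```

The confidence figure is the useful part for a defender: three out of four published addresses following one template already makes the format guessable, which is the point the section is making about why people OSINT works.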

theHarvester: a command-line tool that queries multiple sources (search engines, LinkedIn, PGP keyservers, Shodan) for emails, names and hosts linked to a target domain:

theHarvester -d example.com -b google,linkedin,shodan,hunter

Phonebook.cz (phonebook.cz) and Skymem (skymem.info): additional email search databases with different breach and indexing coverage.

Email validation

Finding an address is step one; confirming it exists is step two. Email validation tools perform an MX lookup and SMTP handshake without sending a message. Tools like verify-email.org handle single-address checks; smtp-user-enum (CLI) runs SMTP enumeration using VRFY, EXPN or RCPT TO probes against a mail server. Be aware: most large providers (Google Workspace, Microsoft 365) don't confirm or deny existence at the SMTP level, so validation is unreliable there.
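On the receiving side, RCPT TO probing shows up in the mail server's own logs as a burst of "User unknown" rejections for many distinct recipients from one client. The script below is an added example (not from the page or from any tool it names) that parses Postfix-style reject lines, which is an assumption about the log format, and flags clients that hit many non-existent recipients inside a short window. The log lines, hostnames and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Postfix's reject line for an unknown local recipient (format assumed, e.g.
# "... NOQUEUE: reject: RCPT from host[ip]: 550 5.1.1 <addr>: ... User unknown ...").
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 55\d [\d.]+ <(?P<rcpt>[^>]+)>: "
    r".*User unknown"
)

def parse_rejects(lines, year=2024):
    """Yield (timestamp, client_ip, recipient) for every user-unknown rejection."""
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["rcpt"].lower()

def find_enumerators(lines, threshold=5, window_seconds=300):
    """Map client IP -> highest number of distinct unknown recipients it was rejected
    for inside any window_seconds span, for clients at or above threshold."""
    per_ip = defaultdict(list)
    for ts, ip, rcpt in parse_rejects(lines):
        per_ip[ip].append((ts, rcpt))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({r for _, r in events[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged

def _reject_line(ts, host, ip, rcpt):
    """Build a constructed log line in the Postfix reject format assumed above."""
    return (f"{ts} mx1 postfix/smtpd[4711]: NOQUEUE: reject: RCPT from {host}[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<x@probe.test> to=<{rcpt}> proto=ESMTP helo=<probe>")

# Constructed sample: one client walks a list of first names within seconds, a
# partner mail host makes a single typo, and one unrelated line is mixed in.
SAMPLE_LOG = [
    _reject_line(f"Mar 13 10:15:{i:02d}", "unknown", "203.0.113.7", f"{n}@example.com")
    for i, n in enumerate(["aaron", "abbey", "abel", "abigail", "adam"])
] + [
    _reject_line("Mar 13 10:20:00", "mail.partner.test", "198.51.100.9", "old.hire@example.com"),
    "Mar 13 10:16:00 mx1 postfix/smtpd[4713]: connect from mail.partner.test[198.51.100.9]",
]

if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct unknown recipients within 5 minutes")
```

On Postfix itself, `disable_vrfy_command = yes` turns VRFY off (EXPN is not implemented at all), but RCPT TO validation is part of normal delivery and cannot be disabled, which is why the detection keys on the pattern of rejections rather than on the command used.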

Holehe

Holehe is a Python tool that checks whether an email address is registered on over 120 platforms (Twitter, Instagram, Facebook, Snapchat, Spotify, GitHub, Airbnb and many more) using each site's "forgot password" or account-lookup flow. Because these flows typically say "email found" or "email not found" rather than "wrong password", they reveal account existence without needing credentials:

holehe target@example.com

The output maps one email to potentially dozens of accounts, instantly revealing the subject's online presence and username patterns. It also helps identify the platforms worth investigating further.
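Holehe's signal exists only because the application's response differs depending on whether the address has an account. The pair of handlers below is an added example (not Holehe's code and not part of the original page) showing the leaky "forgot password" response beside one that looks identical to the client whether or not the address is registered, plus a check a team can run against its own handler. The user store and addresses are constructed.

```python
from dataclasses import dataclass

# Constructed user store for the demo; a real service would query its database.
REGISTERED = {"alice@example.com", "bob@example.com"}

@dataclass
class Response:
    status: int          # HTTP status the client sees
    body: str            # message the client sees
    queued_mail: bool    # server-side side effect, never returned to the client

def forgot_password_leaky(email: str) -> Response:
    """The pattern account-lookup tools rely on: status and wording differ by account existence."""
    if email.lower() in REGISTERED:
        return Response(200, "Reset link sent to your email.", True)
    return Response(404, "No account found for that email.", False)

def forgot_password_safe(email: str) -> Response:
    """Identical client-visible response either way; only the queued side effect differs.

    The reset mail is queued rather than sent inline, so response time does not
    depend on whether the address exists (a timing difference would reopen the oracle).
    """
    exists = email.lower() in REGISTERED
    return Response(202, "If that address is registered, a reset link has been sent.", exists)

def client_view(resp: Response):
    """Only the parts of a response a remote caller can observe."""
    return (resp.status, resp.body)

def is_existence_oracle(handler, known: str, unknown: str) -> bool:
    """True if a client can tell a registered address from an unregistered one."""
    return client_view(handler(known)) != client_view(handler(unknown))

if __name__ == "__main__":
    for handler in (forgot_password_leaky, forgot_password_safe):
        leaks = is_existence_oracle(handler, "alice@example.com", "nobody@example.com")
        print(f"{handler.__name__}: leaks account existence = {leaks}")
```

The same check applies to sign-up ("this email is already taken") and login error messages; any path where the response depends on existence feeds the same enumeration, so the test is worth running against each of them.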

Username enumeration

A username found on one platform is likely reused across others. These tools check presence simultaneously:

  • Sherlock (github.com/sherlock-project/sherlock): checks a username across 300+ sites. Fast, open-source, command-line: sherlock username
  • WhatsMyName.app (whatsmyname.app): web interface backed by a large maintained open-source platform list, the easiest starting point
  • Maigret (github.com/soxoj/maigret): similar to Sherlock but also extracts profile data (full name, location, linked accounts) from found profiles and builds a relationship graph

Note username variations: a target who uses j0hn_d03 on Reddit may use johndoe_93 on Instagram. Profile photos, bios and linked accounts cross-reference and confirm identity.

LinkedIn OSINT

LinkedIn is the richest corporate OSINT database in existence. A company's employee list, org chart, technology stack (from job postings), recent hires and departures, and internal project names all live there.

  • Company page → People: shows all employees with public profiles, filterable by department, location and seniority
  • Job postings: technical requirements in active postings reveal current and planned technology stacks. "Experience with CrowdStrike Falcon preferred" names the EDR platform.
  • Alumni: former employees (filter by "Past" employment) are often less guarded about discussing past projects, and their profiles may mention internal system names
  • Email format inference: find two or three employee email addresses from other sources and you can confirm the format for the whole organisation

LinkedIn aggressively rate-limits unauthenticated searches. Use a sock puppet account for sustained research, or tools like CrossLinked that enumerate employee names via Google dorking (site:linkedin.com "at Acme Corp") without logging in.

Twitter OSINT

Twitter's search operators allow precise filtering even without an account:

from:username                              # tweets by a specific account
to:username                                # replies to a user
"company name" -filter:retweets            # original mentions only
geocode:51.5,-0.1,10km                     # tweets within 10 km of a location
since:2024-01-01 until:2024-06-01          # date-bounded results
"internal" OR "staging" from:targetuser    # keyword search scoped to one account

Historical tweet data (before deletion or account going private) is often preserved in web archives. The Wayback Machine and third-party archives occasionally hold cached tweet copies.

Other social platforms

  • Facebook: public profile information, group membership and check-ins. Geotagged posts reveal routines and locations. The Graph API is now restricted, but many profiles remain publicly browsable.
  • Instagram: profile bio, tagged photos and geotag data expose location patterns. Linked accounts in the bio often lead to other platforms.
  • GitHub: both a social network and a code host; developer identities link to commits, and commits often contain real names and email addresses.
  • Reddit: username-based search. Users are often much more candid on Reddit than on professional profiles; look for the target username here after finding it elsewhere.

People search engines

Aggregators that combine public records, voter registration, court records and social profiles:

  • Pipl (pipl.com): professional deep-web people search, primarily US-focused, used by investigators. Returns identity clusters (email, phone, address, social profiles) tied to a name.
  • Spokeo (spokeo.com): aggregates US public records, social profiles and contact details
  • BeenVerified and Intelius: US people search with phone numbers and address history

For UK subjects, more reliable public record sources exist:

  • Companies House (find-and-update.company-information.service.gov.uk): free lookup of UK company directors, with registered addresses and filing history, far more reliable than US-style aggregators for UK targets
  • Electoral Register: full copies available to approved organisations; used by credit reference agencies for identity verification
  • HMCTS court records: judgment debt records and some court proceedings are publicly accessible

Reverse image search

Given a photo, reverse image search finds where else it appears online, useful for verifying identity, finding a subject's other online presence, or exposing when someone has stolen another person's photo for a fake persona.

  • Google Images (images.google.com): click the camera icon and upload or paste a URL. Best for widely circulated images, landmarks and celebrities.
  • TinEye (tineye.com): specialises in exact and near-exact image matching across an independent index. Better than Google at finding the first appearance of an image and tracking where it was copied.
  • Yandex Images (yandex.com/images): consistently outperforms Google for face-matching due to superior facial recognition in its search algorithm. When Google fails to identify a face, try Yandex first.
  • PimEyes (pimeyes.com): dedicated facial recognition search engine that finds photos of the same person across the web. Powerful but raises significant privacy concerns; use only within authorised investigations.

Phone number OSINT

  • TrueCaller (truecaller.com): crowdsourced caller-ID database. Many numbers are registered with names from users who granted contacts access. A reliable first check.
  • NumLookup (numlookup.com): free phone lookup with carrier, location and owner data
  • Sync.me: social media-linked phone number lookup

Phone OSINT is significantly less reliable than email or username enumeration. Many numbers simply won't appear in any database, and GDPR gives subjects rights to remove personal data from these services.

Quick recall

  • Email discovery: Hunter.io for format patterns and address lists, theHarvester for multi-source harvesting. Holehe maps one email to 120+ platform accounts via forgot-password flows; no credentials needed.
  • Username enumeration: Sherlock (CLI, 300+ sites), WhatsMyName.app (web). Maigret also extracts profile data. Watch for cross-platform reuse.
  • LinkedIn: company People page, job postings (reveal tech stack and EDR), alumni. Use CrossLinked for unauthenticated Google-based enumeration.
  • Reverse image: TinEye for exact match and provenance, Yandex for faces, PimEyes for face search at scale.
  • UK people search: Companies House (directors, free, reliable) beats US-style aggregators for UK targets. Pipl/Spokeo for US.