Email OSINT techniques

Introduction

I think it’s safe to say that we all have at least one email address, but what most people don’t realize is the sheer extent of how much information a bad actor might find about you with just your email address.

In this article, I’m going to cover possible ways of discovering someone’s email, what information it might reveal about the owner, and the best ways to limit how much information is revealed to the public.

Validating emails

To find someone’s email, first you need to be able to determine whether an email exists or not. Here are the most effective ways to do that.

Email validation websites

There are a lot of websites that can check if an email exists or not accurately, but if you want to check over 50 emails, this method would get pretty cumbersome.

Here are sites, that I’ve used:

• https://tools.emailhippo.com/
• https://verifalia.com/validate-email
• https://email-checker.net/

Validating via password resets

If you know the person uses a certain platform, you can submit a password reset request and see if the site tells you an account under that email doesn’t exist.

Note: Some websites do not disclose information on whether the account exists or not, and password reset emails will definitely alert the target of your presence.

Also while it’s against many platform’s TOS, you can try automating this process using something like Python’s request package.

Send emails

Gmail allows you to send 100 emails per day (last time I checked). You can use the Python SMTP library to make an email validator that tries to send an email to all the emails you want to validate and displays the addresses where the email was delivered successfully to.

This is a very fast way to check emails, but it does ruin your OPSEC.

Sending Emails in Python with Gmail [2024 Tutorial]

Just google

Maybe the email is mentioned somewhere on the webs; just Google the email and you might get lucky.

Finding someone’s email

Guessing emails

If you know the person’s full name and possible date of birth, you can manually check the following mutations:

firstname.lastname@domain.tld
lastname.firstname@domain.tld
FirstnameLastname@domain.tld
LastnameFirstname@domain.tld

^ above ones but with their birth year (96, 92, 02) added at the end like this:
firstname.lastname<birt year>@domain.tld

For usernames:

coolusername@domain.tld

leet version: c00lus3rn4m3@domain.tld

^ the above one but with their birth year (96, 92, 02) added at the end

Work/school email

Work and school emails are usually following one of these formats:

firstname.lastname@domain.tld <-- most popular

lastname.firstname@domain.tld

firstname<lastname first letter>@domain.tld

To find the domain of the school or work place, search the name of it, navigate to the info/contact page, and see if they have an email linked there.

Personal account

Gmail is the most popular personal email provider in the world. When you register an email that already exists, Gmail will recommend you emails with two numbers added at the end of them.

If the target doesn’t have that unique of a username and you think he might want to use the same username as his email address, you should try to find out if he has accepted any of the Gmail recommended emails. For ways to validate these without manually going through each one, read the “Send emails” section in “validating emails”.

Information gathering

Now for the fun part. Actually finding information about the email.

Gmail

a Google account ID is a unique identifier for a Google account. It consists of 21 numbers, and it can be used to get the following information about the Google account in question:

• Creation date
• Last modified
• Name
• Google reviews page
• Google Plus page
• Profile picture

The goal of this section is to explore how and where Google exposes the account ID and how to get information from it.

When you go to compose an email and type in someone’s email address or view someone on Google Hangout’s contact page, the HTTP requests that Gmail/Hangouts makes exposes the target user’s Google account ID. These methods require that you have a Google account.

Here’s a full tutorial on how to do it manually: https://medium.com/hacking-info-sec/how-to-gmail-osint-like-a-boss-1ca4f55f55e2

Knowing how to get the Google account ID manually is important, but using a website like epieos.com is way easier and less time consuming. Also, you won’t need a Google account for Epieos.

Epieos, the ultimate OSINT tool

Epieos basically automates the process of finding the Google account ID and doing OSINT on it. Epieos not only gets the Google account information, but also fetches data from other platforms like Skype, Chess.com, Trello and Gravatar to name a few.

Example Epieos result

The only problem with this site is that much of the info is hidden behind a paywall.

Social media/Accounts

Finding out what sites an email address is signed up for might help you figure out if the email actually belongs to your target. For example, if we know the target lives in the United States, it would be very unlikely that he would sign up for an European food delivery service.

Sites:

• https://seon.io/fraud-detection-services/email-lookup-service-api/
• https://epieos.com

Tools:

• https://github.com/megadose/holehe (BEST)
• https://github.com/iojw/socialscan

Holehe output

Data brokers

Especially if the target lives in the USA, different data broker websites might have the target’s info available for free. Just like that.

Free:

• https://thatsthem.com
• https://nuwber.com/search

Paid:

• https://beenverified.com
• https://spokeo.com

Data leaks

Another good source of information is data leaks. Usually, if the target’s email has been used actively for more than 3 years, the email has been part of at least one data leak.

If you can find the raw database dump or get the raw data from some website, it can greatly aid in your investigation. Not only do most leaks contain usernames that help correlate aliases and emails, but they sometimes also contain phone numbers and addresses, which opens up new leads.

Intelligence X

Good:

• Gives raw data if you have made and account and enabled the free trial.
• Good data sources.

Bad:

• Not completely free.
• Doesn’t like VPNs.

https://breachdirectory.org

Good:

• Completely free.
• Gives SHA-1 hashes of passwords which you can then crack yourself and also the first few letters of the password.

Bad:

• Bad data sources and rarely finds any results.

Have I Been Pwned: Check if your email has been compromised in a data breach

Good:

• Completely free.
• Very good results.

Bad:

• Does not provide any data.

Password resets

Especially if the target has 2FA set up via SMS, a lot of platforms will show the last or first few numbers of the target’s phone number.

That info coupled with, for example, a data breach that contains phone numbers or a already narrowed down list of possible phone numbers, might be a big breakthrough.

Here’s a list of what info the biggest platforms leak in password resets:

X/Twitter: Email, Phone number end, Username

Google: Phone number end, Device model (like Oneplus 8 pro)

Microsoft: Phone number end

Instagram: Phone number end

Protecting yourself

General tip: Don’t use your personal details for anything online unless you ABSOLUTELY have to, sign up for the bare minimum number of websites; and delete accounts on sites you don’t use.

• Use one-time passwords as 2FA instead of a phone number and disable “tap on device to login” from Google account settings.
• Don’t make Google reviews, and if you do, don’t make them public for god sake.
• Don’t use Google and Gmail at all; if possible, use Protonmail/Startmail/Mailfence instead.