Open Source Intelligence (OSINT) — is information gathering from publicly available sources and its analysis to produce an actionable intelligence. Email addresses are an important part of Email OSINT, providing a wealth of information about a subject. The information available about an e-mail address depends on a number of different factors, like how old is the e-mail address, how widely the owner has published it on the internet, and whether the provider is a common e-mail provided like Gmail or others, or whether the e-mail address is tied to its own company domain name.

Email OSINT Tools:

The Harvester:

Its a simple and effective tool. It can gather email addresses, subdomains, banners, and other similar information using multiple public data sources.
Example: theHarvester -d -b google


Its an email OSINT tool to find passwords through different breach and reconnaissance services, and torrent.
Example: h8mail -t emails.txt -c h8mail_config.ini

Email OSINT Sites:

Google dorks
Here we use Google Search and other Google applications to find security holes in the configuration and computer code that websites are using. We can customise our queries to hunt for email addresses from target website or other sources like data dumps.
Use filters like : intitle, inurl, filetype, intext, site
filetype:xls inurl: “email.xls”


HIBP is a good resource for checking if an e-mail has been involved in a data breach, but it can also be of use for email OSINT purposes. When you find an e-mail that’s been in a breach, HIBP will also show which data breaches it’s been in. This will give some idea as to how old an e-mail address is, which sites and services the target has (or had) accounts for and even their username.
EmailRep uses hundreds of data points from social media profiles, professional networking sites, dark web credential leaks, data breaches, phishing kits, phishing emails, spam lists, open mail relays, domain age and reputation, deliverability, and more to predict the risk of an email address.
Use it from its website or with cli/python to verify and see where that address has been used.

Get-EmailRep -EmailAddress

Its used for finding emails for a domain and verifying them. It doesn’t work with common e-mail providers like Gmail, but where an e-mail address is linked to an organisation’s own domain then Hunter is extremely useful.

  • Platforms like Facebook, LinkedIn can also be useful to give us personal email accounts of the target.
  • On LinkedIn, people put their email addresses in their bio and/or comments.
  • In the case of Facebook, some have their accounts set to public where people can see all their posts, bio, comments.
  • Also, next step after the surface web OSINT is “dark web OSINT“, which is a topic for another day.


We can see that most of the emails are leaked due to human errors like misconfigured account settings or data leaks or from 3rd party sites which collect user PII.
To better protect your data, you can change account privacy settings and don’t post your personal email address on public posts.


Vishal Thakur

Network Security Analyst Intern

Table of Contents

Social Media