This post explains how to find a company’s employees by using publicly available OSINT tools.
A previous post explained how to find employees’ work email addresses for any company. That process simply required that you search for the company’s website domain in the tools Phonebooks.cz, Snov.io, and Hunter.io to look for email addresses that have the same domain as the company’s website. This process gave a list of work email addresses used by employees.
This current post will address how to identify the users of those email addresses in addition to other company employees as well.
Who Owns the Email?
Using the list of work email addresses that we gained from the aforementioned tools, we can identify the person that uses the email address. We start with the email username which will be a partial identification of the person’s name. Usually there will be an established pattern where “John Smith” working at “Fake Company” will be something like “jsmith@Fake_Company.com”.
From here we go to the website aihitdata.com.
AIHIT identifies company employees from corporate registrations, domain registrations, social media, company websites, and other sources. It logs each name and title and even continues to monitor its sources in case a new name appears on a registration and replaces an old one. For any company in a country with public corporate registries (like the United States) you can assume it will appear in this database.
We search for our company by name in the search bar and then in the results page we click on “people” and we receive a list of employee names, titles, and sometimes their work email addresses.
From here we can take an educated guess about who owns which email address. For example, you can see on the right that an employee named Alexander has the username “al” for their email address. From here we can search for the personal contact information for each employee using professional recruitment websites like Apollo.io, Contactout.com, and Rocketreach.co.
Professional Recruitment Websites
These websites have databases full of the names, titles, and contact information for employees of various companies large and small. The sources of their data are not clear. Rocketreach.co vaguely states that their information comes from “publicly sourced data,” and their leads are “generated by tying together 100s of pieces of data using learning algorithms”. What IS for certain, is that there are a lot of complaints by people on sites like Reddit and Trustpilot (see here and here) claiming that these sites are publishing personal contact information that was not intended to be public.
Professional recruitment websites have databases that are specifically built so that you cannot find someone by their name. Instead, you have to search using someone’s employer and title. Now that we have linked a number of work email addresses to a name, title, and employer, we can search for them in these websites. Note that these websites will require that you sign up for a free account if you want to see the person’s contact information.
Here we see the same employee on Apollo.io and the site offers to give you their work email and personal phone number if you get a free account.
And here on ContactOut.com we see the employee’s Gmail address is available
You can find more information about the employee by searching for their email address in Breach Data websites, which were explained in a previous post.
That’s it, you’re done!