“People-Search Websites” (list of tools to search names, addresses, phones)


The following is a list of websites that can search for US-based people if you know the individual’s name, phone number, or address:

Search name, phone, or address

truepeoplesearch.com – name, address, phone (NAP)

searchpeoplefree.com – email, (NAP)

cyberbackgroundchecks.com – email, (NAP)

thatsthem.com – email, (NAP)

advancedbackgroundchecks.com – email, (NAP)

fastpeoplesearch.com – (NAP)

nuwber.com – (NAP)

familytreenow.com – (NAP) – focuses on genealogy

radaris.com – (NAP)

whitepages.com – (NAP)

clustrmaps.com – name, address

truthfinder.com – only for searching phones

Johndoe.com – better results for associates

xlek.com – name

howmanyofme.com – name

spytox.com – https://www.spytox.com/firstname-lastname

spokeo.com – https://www.spokeo.com/Firstname-Lastname?loaded=1

zabasearch.com – only use the name-based search

classmates.com – name

social-searcher.com – focuses on usernames and mentions in social media

yasni.com

homemetry.com – address

Property and other public records

Publicaccountability.org – name, address

Publicrecords.directory – name

https://publicrecords.netronline.com/ – this is a database listing the websites for county governments public records – especially the county appraiser or assessor, which have property records

Phone CallerID Lookup

https://calleridtest.com/

calleridservice.com

https://apeiron.io/cnam

https://www.spydialer.com/

telnyx.com

serviceobjects.com

Crowd-Sourced Phone Search

https://www.truecaller.com/

https://sync.me/

Remove Your Personal Information from the Internet

There are several companies and websites that make use of your personal information but they are required to allow you to opt out. Here is a list of the places and relevant links for you to find where your information is collected and opt out so that it cannot be used by these companies.

Data Brokers

The following links will let you opt out of the major marketing data brokers selling your information

  1. Acxiom
  2. Experian
  3. Oracle
  4. Lexis Nexis and 
  5. Epsilon.

Credit Data

Stop credit reporting agencies from selling your data (the source of junk mail offering “Pre-approved credit offers”) using Opt Out Prescreen:

optoutprescreen.com

Financial Data

Banks also share data about their customers. Choose the bank from the list below to opt out of having your data shared

  1. JP Morgan Chase
  2. Citi
  3. Wells Fargo, and 
  4. Bank of America.

Credit Card

Do a Google search of “[insert credit card company name here] opt out of sharing my information”

You will likely be brought to a page that tells you that you need to actually call them and request to “opt out of sharing my information”. This is inconvenient but most companies make the process relatively convenient. As two examples, see the info below for Capital One and Discover

Capital One – 1-888-817-2970 – click here

Discover Card – 1-800-225-5202 – webpage is here

You can take your name out of Caller ID databases. You should have an account on your carrier’s website. When you log in you will see there is a name listed next to your phone number. If you have more than one phone on the same account there will be a different name listed next to each number. If you change this name it will eventually be reflected in caller ID databases. You can test by calling a phone that does not have your number in its contacts.

Mailing Lists

You can opt out of some of these offers if you:

  • Visit DMAchoice.org to create an account with the Direct Marketing Association (DMA) and decide which mail you want to receive from DMA members. There’s a $2 processing fee, which will cover you for 10 years.
  • Request to be taken off non-DMA mailing and marketing lists, such as those run by RetailMeNot and Valpak.

No Call Lists

You can register for the National Do Not Call Registry – donotcall.gov – which is limited in its effect but still useful

As a backup to the Do Not Call Registry, you can also go to No Mo Robo – nomorobo.com

Do Not Contact for Caretaker’s Registration – https://ims-dm.com/cgi/dncc.php

Remove your personal data (name, address, phone, birthday) from people-searching websites:

According to Inteltechniques.com: “The ‘MOST BANG FOR YOUR BUCK’ removals: Spokeo, Mylife, Radaris, Whitepages, Intelius, BeenVerified, Acxiom, Infotracer, Lexis Nexis, TruePeopleSearch”

Inteltechniques.com provides an exhaustive list of such websites and the urls for opting out of each of them – https://inteltechniques.com/workbook.html

You may choose to simply google your name and see which websites show up in your results with your personal information and focus on those.

Remove Google Street Views of Your Home

1 – Go to Google Streetview and look at your home. (Note that the address has been blocked out with red for privacy.)

2 – Click on the three dots (circled here in yellow) and then in the drop down choose “Report a Problem”

This brings you to a new page where you can adjust the photo to center the red and black square over your home

You choose from a list of options what you want to blur (in this case we chose “my home”)

And then you have to input a justification, such as “I am concerned for my privacy”

Don’t forget two more issues. The first is that even after you have blurred the one image, you can move down the street one space and turn and see the same house, so you have to blur the house from a few different locations and angles.

Second, don’t forget about Google Maps’ time machine feature.

See the little clock on the bottom left

When you click on it, you will see the same location from different times in the past. You will also have to blur them individually.

There are similar options for removing photos from Bing Maps, Mapillary.com, and https://kartaview.org/.

And that is it for now!

What you can do with a “right-click”

You can often find good data from a website if you use a right-click.

Here is a quick example. Below is a screenshot of a people-searching website. The results from a name search show that the website knows the person’s Facebook account, but you may have to pay for this info.

Instead, you can just right-click on the “Facebook” button and choose “inspect”

Now we see the publicly accessible code behind the website’s front-facing page. A window pops up below showing the site’s code, and if we hover our cursor over a part of the code, the corresponding part of the website is highlighted so that we know what we are looking at. You cannot see my cursor, but it is hovering over the highlighted part of the code that includes the word “Facebook”, and you can see that this is the part of the code that tells the website to show the word “Facebook” on the screen.

What is more important is that 4 lines up from the highlighted line of code, you see a line of code that starts with:

<a class="detail" href=

The term “href” signals that a link will follow it. (In case you are curious, “href” stands for Hypertext REFerence.)

As you see in the screenshot below, if we highlight the “href” line we see that it corresponds to the “Facebook” button on the webpage. So when the code says “href=”, it means that the link in the button on the webpage will take you to the url that follows “href=”.

If you want to be overly literal about it, the code is communicating that the href is the location the button takes you to, so the code is saying that the href “=” (or “is”) the following url. Though I have obscured the full link, you see below that the link is for a specific Facebook account, and therefore you now know the location of the Facebook account without actually having to click on the button itself.

This is just one example. You may notice that some company websites will have a page with photos of all of its staff members but you need to hover your cursor over a photo for the name and info of the staff member to appear. This is an increasingly common trend in corporate websites. If you encounter such a page, you can right-click and hit inspect. Doing so will bring you to the coding behind the website, which will include all of the info for each staff member, thereby allowing you to avoid the cumbersome process of hovering your cursor over each photo one at a time. This is especially useful if you are looking for a specific name.
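The same point seen from the site owner's side, as an added example that is not from the original post: anything placed in a page's HTML reaches every visitor, whether or not the interface shows it. The sketch below audits a constructed sample page for link targets and hover-only attributes that ship in the markup; the sample HTML, its class names and the example.com URLs are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample markup (not taken from any real site): a "locked" result
# button whose link is already in the HTML, and a staff card whose details
# appear only on hover in the rendered page.
SAMPLE_HTML = """
<div class="result locked">
  <a class="detail" href="https://social.example.com/profile/12345">
    <span>Facebook</span>
  </a>
  <button class="unlock">Pay to view</button>
</div>
<div class="staff-card">
  <img src="/img/staff/01.jpg" alt="" title="Jane Example, Finance Director"
       data-email="jane@corp.example.com">
</div>
"""

# Attributes that carry text the rendered page may hide until hover or click.
HOVER_ATTRS = ("title", "alt", "aria-label")


class MarkupAudit(HTMLParser):
    """Collect data that is present in the HTML regardless of what the UI shows."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []        # dicts with keys: class, href, text
        self.attributes = []   # tuples: (tag, attribute name, value)
        self._open_link = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open_link = {"class": attrs.get("class", ""),
                               "href": attrs["href"], "text": ""}
        for name, value in attrs.items():
            # Empty values (such as alt="") carry nothing and are skipped.
            if value and (name in HOVER_ATTRS or name.startswith("data-")):
                self.attributes.append((tag, name, value))

    def handle_data(self, data):
        # Text inside an open <a> is the label the visitor sees on the button.
        if self._open_link is not None:
            self._open_link["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._open_link is not None:
            self.links.append(self._open_link)
            self._open_link = None


def audit(html):
    """Return (links, attributes) found in the markup of one page."""
    parser = MarkupAudit()
    parser.feed(html)
    parser.close()
    return parser.links, parser.attributes


if __name__ == "__main__":
    links, attributes = audit(SAMPLE_HTML)
    for link in links:
        print(f"link  [{link['text']}] class={link['class']!r} -> {link['href']}")
    for tag, name, value in attributes:
        print(f"attr  <{tag}> {name} = {value}")
```

If the audit lists a value that is meant to require payment or a login, the fix is on the server: leave that value out of the response until the request is authorized.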

If you find yourself needing to access, download, and manipulate (on your own computer) the data from a website (such as info on staff members), you can consider using the tool Parsehub. There is a great explanation of how you can use this tool even if you are a complete novice. See the guide “Saving time and rearranging websites” written by Samantha Sunne on ToolsForReporters.com (one of my favorite websites).

Find Information About Email Addresses in Data Breach Websites

When researching an email account, you can use Data Breach Websites to find a variety of information such as, but not limited to, websites where the email registered an account, alternate emails / phone numbers, coworkers, and social media accounts.

This post explains what Data Breach Websites are and discusses several sites that are available as of May 2021 (these sites regularly disappear and then are replaced by new ones).

What is a data breach website?

Data breaches occur in almost any website and the leaked information is often posted on dark web forums or discovered elsewhere before ultimately being taken down.

Before that information is taken down, breach data websites will obtain the information, verify it, and identify which breach it came from. Data breach websites will let you search for your own email address and find out which breaches had your email address in them, as well as other information listed along with it. You can then request that the breach data website remove your data from their holdings.

If you are researching an email address that is not your own, it can be helpful to research it in one of these websites to find out more information about it. For example, if the email was listed in a data breach of account information for LinkedIn accounts, you will know that the email address is registered to a LinkedIn account.

It is important to note that data breach websites maintain deep web databases so you can only obtain their information by going to the site itself.

List of Websites

The following is a list of Data Breach Websites and the information you can search as an input:

Data Breach Websites

leak-lookup.com – email

intelx.io – email

haveibeenpwned.com – email, phone

dehashed.com – email, username, phone, password, domain, IP

Phonebook.cz – email domain

leakpeek.com – email, username, password, keyword, email domain

The following are okay, but not great:

breachchecker.com – email

leakcheck.net – email, username

cybernews.com/personal-data-leak-check – email

Email Reputation / Survey of Breach Websites

EmailRep.io – email

Breach-Specific Websites

publicemailrecords.com – email

haveibeenzucked.com – email

checkashleymadison.com/ – email

Hash Decryption

hashes.com

dehash.me

github.com/HashPals/Search-That-Hash

Pastebin

Open a browser tab and copy and paste:

https://psbdmp.ws/api/search/

…followed by the email you are searching (for example, to search for the email “moreinfo@search-ish.com”, you would type the following – https://psbdmp.ws/api/search/moreinfo@search-ish.com)

You can follow up on any unique id / username discovered in your results by copying and pasting:

https://pastebin.com/

…followed by the username. So for example, when searching for a username (such as “myusername”) you would use the url – https://pastebin.com/myusername

And here are some other US-focused email search websites (not data breach sites) while you are at it:

https://thatsthem.com/reverse-email-lookup

https://www.searchpeoplefree.com/email

https://www.manycontacts.com/en/mail-check

Back to data breach info…

Explanation for Standard Data Breach Websites

Standard breach databases (haveibeenpwned.com, and breachchecker.com) will let you search for an email address and the website will tell you which data breaches had the email in them. The screenshot below is a classic example of search results. The email that was searched was found in two different breaches and the breach website gives an explanation of each breach.

Email Reputation

EmailRep.io gives an overview of data on an email address, including whether it has been seen in breaches and the timeframe. This is a great place to start so you have an idea of what sort of information is out there.

See a standard set of results below

reputation – means likelihood that it is a legit, not spam email address

references – refers to the number of places the website has spotted the email, see below for more info on where the website gets its data.

blacklisted – self explanatory

credentials_leaked – presumably referring to a breach data leak

data_breach – gets right to the point and tells you if the email is in any breaches and the dates below are the earliest and latest dates of the breaches

valid_mx – refers to an mx lookup, which is basically a test to see if the domain of the email (or website associated with the domain) is currently capable of hosting email addresses.

profiles – this is where it will list if the email is registered to a Linkedin or Twitter account.

EmailRep claims that it does not rely solely on data breaches but also uses “hundreds of data points from social media profiles, professional networking sites, dark web credential leaks, data breaches, phishing kits, phishing emails, spam lists…” etc.

The website also has a free api available.

Search More Than Emails

Some Breach Websites will let you search for other things in breach data. For example, leak-lookup.com will give you a limited number of lookups for free when you register, and it also lets you search for phone numbers, IP addresses, passwords, and usernames. But in this case the results will only identify the data breaches. So if you search for an email domain, it will not show you the email addresses with the domain.

Raw Data

Intelx.io and Leakpeek.com will often give you limited access to the raw data from a breach. This is a great way to find new email accounts owned by the same user. This is especially helpful for finding the true identity of internet trolls who will often set up a “burner” email account for troll-like activities but there is often a link to their true email which could link to their true identity.

Decryption

Companies will often store users’ data internally “hashed” or encrypted in case it is breached. When you see a random string of about 25 characters in a data breach, that usually means that it is hashed data. Depending on the kind of hash, it might be possible to decrypt it with Hashes.com. Just paste the string and hit the “Submit & Search” button.
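Why some hashed values in a breach can be reversed and others cannot, as an added example that is not from the original post: recovery works by matching the leaked value against hashes of already-known passwords, which succeeds for fast unsalted digests and fails for salted, slow ones. The wordlist, passwords and salt are constructed, and the format rules are a simplification.

```python
import hashlib
import re

# Format rules for a few common encodings. A length only tells you the digest
# size, so "md5" here really means "32 hex characters, most often MD5".
FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("md5", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("sha1", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("sha256", re.compile(r"^[0-9a-fA-F]{64}$")),
]
FAST_UNSALTED = ("md5", "sha1", "sha256")


def classify(value):
    """Guess the encoding of a leaked value from its shape alone."""
    value = value.strip()
    for name, pattern in FORMATS:
        if pattern.match(value):
            return name
    return "unknown"


def build_lookup(wordlist, algorithm):
    """Precompute hash -> password for every word, as a lookup service would."""
    return {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in wordlist}


def recover(value, wordlist):
    """Return (guessed format, recovered password or None)."""
    kind = classify(value)
    if kind not in FAST_UNSALTED:
        # bcrypt embeds a per-user salt and a work factor; a precomputed
        # table of plain digests cannot match it.
        return kind, None
    table = build_lookup(wordlist, kind)
    return kind, table.get(value.strip().lower())


def salted_slow_hash(password, salt, iterations=200_000):
    """What a careful site stores: PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Constructed data for the demonstration.
WORDLIST = ["123456", "password", "letmein", "summer2021"]
LEAKED_UNSALTED = hashlib.md5(b"summer2021").hexdigest()
LEAKED_SALTED = salted_slow_hash("summer2021", b"constructed-salt")

if __name__ == "__main__":
    # Same password, two storage schemes: only the unsalted one is recovered.
    print(recover(LEAKED_UNSALTED, WORDLIST))
    # The salted value looks like SHA-256 by length, but no table entry matches.
    print(recover(LEAKED_SALTED, WORDLIST))
```

If a value from a breach containing your account comes back recovered like the first case, that password is effectively public and should be changed wherever it was reused.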

Email Domains

Searching for email domains (at sites like phonebook.cz) will let you search a website domain for email addresses with the same domain. So in the example below, I wanted to research the website Snov.io so I searched for email addresses with the same name. This listed several work email addresses. If you click on one, it automatically opens a search for the email in intelx.io

Another site that can be used for this purpose is leakpeek.com. This website is notable because it will also let you search for email addresses by domain (though it will not identify the full email addresses) and because it will often give partial information from the breach itself.

Breach-Specific

Several websites provide information for only one data breach. They are usually only worth checking if you have other reason to believe that the email is located in that database.

publicemailrecords.com – River City Media Breach

haveibeenzucked.com – Facebook breach

checkashleymadison.com/ – Ashley Madison breach

Note that the breach for publicemailrecords.com, River City Media Breach, is unlike the other two breach-specific sites because this breach may appear in the results of a standard data breach website’s search. See the example search results above for a regular breach site, which indicates that you should look for the same email at publicemailrecords.com.

That’s it!

Identify a Company’s Employees, Use Recruiter Websites

This post explains how to find a company’s employees by using publicly available OSINT tools.

A previous post explained how to find employees’ work email addresses for any company. That process simply required that you search for the company’s website domain in the tools Phonebook.cz, Snov.io, and Hunter.io to look for email addresses that have the same domain as the company’s website. This process gave a list of work email addresses used by employees.

This current post will address how to identify the users of those email addresses in addition to other company employees as well.

Who Owns the Email?

Using the list of work email addresses that we gained from the aforementioned tools, we can identify the person that uses the email address. We start with the email username which will be a partial identification of the person’s name. Usually there will be an established pattern where “John Smith” working at “Fake Company” will be something like “jsmith@Fake_Company.com”.

From here we go to the website aihitdata.com.

AIHIT identifies company employees from corporate registrations, domain registrations, social media, company websites, and other sources. It logs each name and title and even continues to monitor its sources in case a new name appears on a registration and replaces an old one. For any company in a country with public corporate registries (like the United States) you can assume it will appear in this database.

We search for our company by name in the search bar and then in the results page we click on “people” and we receive a list of employee names, titles, and sometimes their work email addresses.

From here we can take an educated guess about who owns which email address. For example, you can see on the right that an employee named Alexander has the username “al” for their email address. From here we can search for the personal contact information for each employee using professional recruitment websites like Apollo.io, Contactout.com, and Rocketreach.co.

Professional Recruitment Websites

These websites have databases full of the names, titles, and contact information for employees of various companies large and small. The sources of their data are not clear. Rocketreach.co vaguely states that their information comes from “publicly sourced data,” and their leads are “generated by tying together 100s of pieces of data using learning algorithms”. What IS for certain is that there are a lot of complaints by people on sites like Reddit and Trustpilot (see here and here) claiming that these sites are publishing personal contact information that was not intended to be public.

Professional recruitment websites have databases that are specifically built so that you cannot find someone by their name. Instead, you have to search using someone’s employer and title. Now that we have linked a number of work email addresses to a name, title, and employer, we can search for them in these websites. Note that these websites will require that you sign up for a free account if you want to see the person’s contact information.

Here we see the same employee on Apollo.io and the site offers to give you their work email and personal phone number if you get a free account.

And here on ContactOut.com we see the employee’s Gmail address is available

You can find more information about the employee by searching for their email address in Breach Data websites, which were explained in a previous post.

Some more tools below for searching random employees:

Aleph.occrp.org – and – littlesis.org – are good for random searches of an email, name, or phone number as they use a variety of unusual data sources.

Bearsofficialstore.com – scrapes LinkedIn and other sources, lets you search by name or employer

Openpayrolls.com – search government employees

That’s it, you’re done!

Protect Your Privacy

There are several companies and websites that make use of your personal information but they are required to allow you to opt out. Here is a list of the places and relevant links for you to find where your information is collected and opt out so that it cannot be used by these companies.

Data Brokers

The following links will let you opt out of the major marketing data brokers selling your information

  1. Acxiom
  2. Experian
  3. Oracle
  4. Lexis Nexis and 
  5. Epsilon.

Credit Data

Stop credit reporting agencies from selling your data (the source of junk mail offering “Pre-approved credit offers”) using Opt Out Prescreen:

optoutprescreen.com

Financial Data

Banks also share data about their customers. Choose the bank from the list below to opt out of having your data shared

  1. JP Morgan Chase
  2. Citi
  3. Wells Fargo, and 
  4. Bank of America.

Credit Card

Do a Google search of “[insert credit card company name here] opt out of sharing my information”

You will likely be brought to a page that tells you that you need to actually call them and request to “opt out of sharing my information”. This is inconvenient but most companies make the process relatively convenient. As two examples, see the info below for Capital One and Discover

Capital One – 1-888-817-2970 – click here

Discover Card – 1-800-225-5202 – webpage is here

You can take your name out of Caller ID databases. You should have an account on your carrier’s website. When you log in you will see there is a name listed next to your phone number. If you have more than one phone on the same account there will be a different name listed next to each number. If you change this name it will eventually be reflected in caller ID databases. You can test by calling a phone that does not have your number in its contacts.

Mailing Lists

You can opt out of some of these offers if you:

  • Visit DMAchoice.org to create an account with the Direct Marketing Association (DMA) and decide which mail you want to receive from DMA members. There’s a $2 processing fee, which will cover you for 10 years.
  • Request to be taken off non-DMA mailing and marketing lists, such as those run by RetailMeNot and Valpak.

No Call Lists

You can register for the National Do Not Call Registry – donotcall.gov – which is limited in its effect but still useful

As a backup to the Do Not Call Registry, you can also go to No Mo Robo – nomorobo.com

Do Not Contact for Caretaker’s Registration – https://ims-dm.com/cgi/dncc.php

Remove your personal data (name, address, phone, birthday) from people-searching websites:

According to Inteltechniques.com: “The ‘MOST BANG FOR YOUR BUCK’ removals: Spokeo, Mylife, Radaris, Whitepages, Intelius, BeenVerified, Acxiom, Infotracer, Lexis Nexis, TruePeopleSearch”

Inteltechniques.com provides an exhaustive list of such websites and the urls for opting out of each of them – https://inteltechniques.com/workbook.html

You may choose to simply google your name and see which websites show up in your results with your personal information and focus on those.

Remove Google Street Views of Your Home

1 – Go to Google Streetview and look at your home. (Note that the address has been blocked out with red for privacy.)

2 – Click on the three dots (circled here in yellow) and then in the drop down choose “Report a Problem”

This brings you to a new page where you can adjust the photo to center the red and black square over your home

You choose from a list of options what you want to blur (in this case we chose “my home”)

And then you have to input a justification, such as “I am concerned for my privacy”

Don’t forget two more issues. The first is that even after you have blurred the one image, you can move down the street one space and turn and see the same house, so you have to blur the house from a few different locations and angles.

Second, don’t forget about Google Maps’ time machine feature.

See the little clock on the bottom left

When you click on it, you will see the same location from different times in the past. You will also have to blur them individually.

Removing images from Bing Maps

Bing Maps is similar. As seen below, you go to a location and click “Report a privacy concern with this image” on the bottom left side.

You will be brought to this screen, where you fill out some information about yourself and the image you want blurred. You will see a panoramic view of the location; click on the part you want blurred and a red dot will appear.

Karta View

Karta View – https://kartaview.org/ – is a lesser known service that uses crowd-sourced dash cam videos to provide street level imagery. As seen in the screenshot below, it similarly offers users the option to blur segments.

Realtor Photos

Another issue worth addressing if you own a home is the plethora of real estate photos showing your home from inside and out. A later post will address how to remove those photos as well. Generally, you will need to contact the real estate agent that sold the house and ask them to remove the photos from a database that is only accessible to real estate agents. Anecdotal evidence suggests that this is usually an easy process and most real estate agents are very cooperative on this front.

Social Media Profile

You may also choose to create a fake profile photo for your various accounts in social media and other mediums. To do so, try using ImageMagick.

According to journaliststoolbox.org,

You can use ImageMagick to “Create, edit, compose, or convert digital images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, WebP, HEIC, SVG, PDF, DPX, EXR and TIFF. ImageMagick can resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves”

And that is it for now!

How to Search Pastebin (new tools for 2022)

URL-based Search For Data Breaches

1. Open a browser tab and copy and paste:

https://psbdmp.ws/api/search/

…followed by the email you are searching (for example, to search for the email “moreinfo@search-ish.com”, you would type the following – https://psbdmp.ws/api/search/moreinfo@search-ish.com)

2. You can follow up on any unique id / username discovered in your results by copying and pasting:

https://pastebin.com/

…followed by the username. So for example, when searching for a username (such as “myusername”) you would use the url – https://pastebin.com/myusername

Search Multiple Sites at Once

Go to – https://Pastebin.ga

This is a new tool that searches a list of Pastebin sites at once and was updated as of May 2021.

See list of sites searched below:

That’s it!

Genealogy – Find Heritage Quest (and other resources) At Your Local Library

This is a very simple post that seeks to raise awareness about genealogy resources at your local library and explains in 3 easy steps how to find access to them. Due to the popularity of genealogy, your local public library will almost certainly have some sort of online resource, like a subscription to a genealogy service.

My local library allows patrons to use Heritage Quest for free via the steps that should apply to your local library as well.

Heritage Quest is a genealogy site that normally requires a paid account but is often available at local libraries.

3 Step Process

The process for finding library resources on genealogy is usually the same at different libraries and works as follows:

1) (assuming you have a library card) Go to the library website and log in.

In this case we are going to – https://www.montgomerycountymd.gov/library/

2) Look for options and the library’s online resources.

In this case click on the 3 lines symbol to see a drop down menu and then choose “Online Resources”

3) There will be a section on genealogy that will have Heritage Quest and possibly other resources too.

That’s it!

Find Local News From Far Away

(tools for company-specific news, googling from elsewhere in other languages, and searching most common search terms)

When researching a company, local news stories are a great source of obscure information that likely will not be at the top of your search results when you google the company’s name.

Company-Specific News

IBM’s Watson News Explorer is a great source for finding any news affiliated with a company, even smaller companies.

To find these stories, first look up the company’s Annual Statement, which will list its subsidiaries and where they are located. A separate post explains how to find and read a company’s Annual Statement.

“I Search From…”

Use isearchfrom.com to make your Google searches appear to come from other locations, including foreign countries and specific cities, and to search for results in specific languages.

Foreign Language News – MarketScreener.com

You can also use marketscreener.com to find foreign language news about the company. Just search for the company’s name and when you go to the website’s page that is specifically for the company, scroll down and there is a section titled “News in Other Languages”. This is a good time to get the Google Translate browser extension so it can translate the page for you.

While you are using Market Screener, it is also a great tool for getting an initial impression about a company because the website will give you a general summary about the company, list news stories, and list analyst recommendations regarding how well the company is doing.

Search for the most common search terms

Finally, you can get a feel for how the public views the company and if there are any rumors (which might turn out to be well-founded) by looking up the most common searches regarding the company in Google or Twitter. The website keywordtool.io will list the most common searches or autofill phrases associated with any term, such as a company name. The website offers this service for different search engines and social media, but anecdotal evidence suggests that it is enough to just search Google and Twitter.

How to Research a U.S. Phone Number

This post (that is intended for educational purposes only) is about ways of investigating U.S. phone numbers by using different sources of information that are reliable but generally invisible to Google searches.

Why Are U.S. Phone Numbers Special?

U.S. phone numbers are unique, compared to other countries, because of the kinds of publicly available information affiliated with their registered owners.

Marketing databases, US public records, and the existence of people trying to profit off of that information have made US numbers uniquely useful from a research perspective (or, depending on your view, a stalker’s perspective).

The process for researching a US number involves using one piece of information to find a second bit of information that leads to a third and then again.

So the researcher looks up the number to find the owner’s name/address, other people that lived with them (roommates, current and former spouse), and their email address. Along the way, the researcher will also pick up a few more bits of information too.

This research will involve finding other phone numbers and their owners, which could be confused with the original phone number’s owner. For sake of clarity, the owner of the original phone will be referred to as “Lex” from here on out.

Where To Begin

The first and easiest step is to search the number in a people-searching website, such as:

These sites were also addressed in a previous post (Find Email Addresses Linked to U.S. Phone Numbers).

These sites have access to large databases that link a phone number to its owner and their address. So if the number is listed at these sites the results will usually include, for starters, Lex’s name, home address, and possibly email address.

These results will often also include Lex’s past addresses, the phones and names of others registered at those addresses, and a rough approximation of when all of those people had those phones and addresses. Sometimes these results are a jumble of names, numbers, and addresses with only tenuous links. However, if a researcher spends a bit of time looking over this data it can often be possible to determine where and when Lex grew up, his siblings and parents, where he moved, who he lived with, and his current and former romantic partners.

What If There Were No Results?

If these sites gave you no results or conflicting results then there are a few alternative options that will at least find or confirm Lex’s name (which you still don’t know yet because you only have his phone number). These methods originate from episode 160 (click here to see it) of Michael Bazzell’s podcast, The Privacy, Security, and OSINT Show.

A.) You can look up the phone number in a caller ID database on websites such as opencnam.com and calleridservice.com. The sites do require that you sign up for a free account. These websites will only give you the name of the person that owns the phone. However, anecdotal experience has shown that these sites ALWAYS had results.

Caller ID databases are a great way to confirm the owner’s name when you have conflicting information. Sometimes the people-searching sites mentioned above will provide conflicting results. This is often because one site identifies the phone’s current owner (Lex) while another site only identifies the previous owner of the same number. The owner identified in a caller ID website is usually the right one.

B.) Truecaller.com is another easy alternative but you do have to sign up for free. This is an interesting resource. The popular Truecaller app logs all of its users’ contacts. Once again, anecdotal experience suggests that there is a high likelihood that you will get results with this.

The website lets you search a phone number, like Lex’s, and if you get a result that means that Lex has the app or someone with Lex in their contacts list has the app. What is even more interesting is that when the website gives you the name of the phone’s owner, it is actually giving you the name that Lex’s associate had typed in their contacts list for Lex.

Maybe a coworker lists Lex as “Lex – IT guy,” or maybe Lex has a nickname and his friends call him “Lex Luther,” finally maybe a friend of his wife

C.) oldphonebook.com has a database of phone books from before 2015.

The Name

Now that you have the person’s name, you can use it to try to find their email. There are several websites that can identify someone’s email address based on the information you have obtained by this point. Specifically, their U.S.-based name, address, and phone number. Try using the following:

search function for publicemailrecords.com

Now you will hopefully have an email address which should round out your research on this phone number.

Phone-Email Divide

One issue that can arise when you are researching an individual living in the U.S. is the Phone-Email Divide. If you have a phone number, at least in the U.S., you can use various people-searching websites to find additional information like the name and address. Similarly, an email address can be used to find affiliated social media accounts. But it is difficult to connect a phone number to an email, or vice versa. This post is about how to cross that gap between phones and emails.

The answer is to first use the email address to find a social media account that reveals the owner’s name. Once you have a name you can search it in a people-searching website that will find the phone affiliated with that name. This process also works in reverse.

People-Searching Websites

There are five people-searching websites in particular that can be used for this process. Each website has its own inputs (data you can search on) and outputs (results).

It is important to note that if you do not want your personal information listed on these sites, they each have an “opt out” option available.

True People Search (truepeoplesearch.com) is by far the most reliable site for researching a phone number. The site uses name, address, and phone number as search inputs or outputs. The site will sometimes give the person’s email as an output.

That’s Them (thatsthem.com) and Search People Free (searchpeoplefree.com) are not always consistent with their results but they use name, address, phone, and email as inputs and outputs. These people-searching websites have the obvious potential to solve the whole problem by linking a phone directly with an email, thus negating the need for the rest of this process. Therefore, it makes sense to start with these sites.

Xlek.com and Radaris.com will only let you search by name to find the phone, but not let you search in reverse. Public Email Records (publicemailrecords.com) uses email, name, and address as both inputs and outputs.
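The opt-out note above can be planned rather than guessed at. The following is an added example (not part of the original post): it models the sites exactly as this section describes their inputs and outputs, then computes which identifiers stay reachable from one known identifier and the smallest set of opt-outs that breaks the phone-to-email link. It assumes that one known input is enough to run a search, that an opt-out removes the listing entirely, and that True People Search's occasional email output is always present.

```python
from itertools import combinations

ALL = frozenset({"name", "address", "phone", "email"})
NAP = frozenset({"name", "address", "phone"})
NAE = frozenset({"name", "address", "email"})

# site -> (identifiers it accepts as a search input, identifiers it returns).
# Transcribed from the descriptions in this section; a model, not site documentation.
SITES = {
    "truepeoplesearch.com": (NAP, ALL),  # email is "sometimes" returned: assume always
    "thatsthem.com": (ALL, ALL),
    "searchpeoplefree.com": (ALL, ALL),
    "xlek.com": (frozenset({"name"}), frozenset({"phone"})),
    "radaris.com": (frozenset({"name"}), frozenset({"phone"})),
    "publicemailrecords.com": (NAE, NAE),
}


def exposed(start, opted_out=()):
    """Identifiers reachable from `start` by chaining lookups on sites not opted out of."""
    known = {start}
    grew = True
    while grew:
        grew = False
        for site, (inputs, outputs) in SITES.items():
            if site in opted_out:
                continue
            # Assumption: one known input is enough to run a search on that site.
            if known & inputs and not outputs <= known:
                known |= outputs
                grew = True
    return known


def minimal_opt_outs(start, protect):
    """Smallest sets of opt-outs after which `protect` is unreachable from `start`."""
    names = sorted(SITES)
    for size in range(len(names) + 1):
        hits = [set(combo) for combo in combinations(names, size)
                if protect not in exposed(start, combo)]
        if hits:
            return hits
    return []


if __name__ == "__main__":
    print(sorted(exposed("phone")))
    print(sorted(exposed("phone", {"thatsthem.com", "searchpeoplefree.com"})))
    for combo in minimal_opt_outs("phone", "email"):
        print("phone -> email cut by opting out of:", sorted(combo))
    for combo in minimal_opt_outs("email", "phone"):
        print("email -> phone cut by opting out of:", sorted(combo))
```

Under this model, opting out of only the two sites that link phone and email directly is not enough, because True People Search still returns the email from the phone number.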

The Email

There are a few things we can learn about an email aside from social media accounts. The website hunter.io can tell us if it is a real, functional email or not. The website emailrep.io will guess how long the email has been active.

If It Is a Work Email Address

If the email is a work email address, we can look up the domain to see where the user works. We can also do a “domain lookup” at the website Snov.io and it will look up (usually successfully) email addresses with the same domain. These emails essentially identify the user’s coworkers.

If the domain is in Snov.io’s pre-existing list of known domains, it will identify the company and provide information from LinkedIn on individual employees. You can also do a domain search at Hunter.io and Normshield to find employees. If you are interested, this subject is addressed in greater detail here.

Identify Social Media Accounts Registered to the Email

We can identify social media and other online accounts registered to a specific email address in a very straightforward process of 6 steps.

CREDIT WHERE IT IS DUE: This process does not require a knowledge of Python but the explanation must address the computer language a bit. The Github user account Megadose hosts an amazing Python script named Holehe and deserves a lot of credit for this creation.

The script will find the different social media networks where the email is registered to an account. However, because many people do not know anything about Python, I’ve come up with a process intended for people that do not know anything about Python and do not want to learn about it. It is a rote process that requires no knowledge of Python, no downloads, and no thinking at all.

Instructions for First Time Using Holehe

Step 1 (the hardest) – Click here and sign up for an account on Github. Sorry, that is more than one step but the process is simple and it gets easy afterward.

Step 2 – Login to Gitpod. You do not need to sign up for Gitpod if you already have a Github account. Go here (https://gitpod.io/login/) and you will see an option on the left to sign in with your Github account even though you don’t have a Gitpod account. See below:

Once you have logged in your page will probably look like this:

Step 3 – Copy and paste this url into your browser and hit Enter:

gitpod.io/#https://github.com/megadose/holehe

Why? – Basically, you are making a url that consists of the gitpod website url, a hashtag, and the url of the github page for the script.

Here is the explanation. We want to run a Python script but to do so we need a development environment. Normally you would download it but in this case, Gitpod provides a development environment online where you can run Python scripts. When you identify a script posted on Github you create a url of the Gitpod website’s url, a hashtag, and the url for the page hosting the Python script. So with our script hosted at https://github.com/megadose/holehe, we create a url like this:

gitpod.io + /# + https://github.com/megadose/holehe

Gitpod will create a workspace, a virtual computer, specifically for running the script. The script and its affiliated files will be downloaded though you will likely still have to run the setup.py file, or its equivalent. If you go to the script’s page on Github there should be instructions for downloading and running the script.

Wait for Gitpod to do some processing and then your computer should look like this:

Step 4 – At the bottom of the screen find where it says “/workspace/holehe $”.

Click to the right of these words and type “python3 setup.py install” and then hit enter.

Step 5 – Wait for the install to complete and then right click on the folder on the top left that is named “holehe” (not the one titled “holehe.egg-info”). When you right click on the folder a drop down menu appears; choose “open in terminal”.

A new tab has appeared in the terminal. Notice the new tab that reads “gitpod /workspace/holehe/holehe”; the cursor is located next to a similarly named prompt.

Step 6 – Finally, choose your email that you want to research, in our case we will use the fake example email “fake@example.com”

Now the last thing to do is type in the final sequence with your email in place of our fake example. So find the prompt “gitpod /workspace/holehe/holehe $” and next to it you will type the following and hit enter:

“holehe fake@example.com”

Results: Separately, I ran a real email address for an example to show how the results should look. The output is a list of 50 or so social media networks and other websites. If the name of the site/network is purple, there was no account on it, green means there is an account registered with the email address and red means the script could not check the site. Hopefully you got something like this:

Now that you’ve done this once, the process will be much easier in the future.

Next time

Login to Gitpod and there will be a workspace named for the script. It should look like the image below. Just click “Open” on the workspace.

From here, you repeat steps 4, 5, and 6. You install setup.py, open a new terminal tab, and run the command.

In the future, log in to your account, click on “Workspaces”, find the workspace for that script (the only one), and click on “Start” (it may be a different word). Then repeat the last 3 steps from the initial guide (install setup.py, open the specified folder, type in the command).

UPDATE: Epieos has created a new tool (click here) that runs the holehe script for you.

What Next? Use Breach Data Websites

Breach data websites will let you search if an email address (or other personal information) was listed in a specific data breach. For our purposes here, many data breaches are not useful. However, there was, for example, a LinkedIn data breach in the past, so if you search for an email address and find it was listed in that data breach, that means the email was registered to an unidentified LinkedIn account. Now you know to look for an account on LinkedIn for that email.

search function in haveibeenpwned listing some known data breaches that it searches

These websites may find additional accounts that were not discovered by Holehe. There is a lot of overlap between these sites so I would only search one or two.

How to Find Specific Accounts

Now that you hopefully have a list of social media sites where the email is/was registered, you can use a few tricks to find the specific accounts.

Please note, I did not create any of these methods. I am merely listing them together to make it easier to use them all. I will identify specifically who deserves the proper credit and I encourage you to follow them online.

Find Linkedin Account

Side Note: Remember that a LinkedIn user can see who looked at their account.

If the email address is registered to a Linkedin account we can find the specific address and avoid having to search around for it. One of the default settings of Linkedin is to allow others to find you based on your email. Linkedin does this to encourage people to use its paid services. But it is possible to take advantage of this opening without needing to pay.

Many sites inaccurately report that a Linkedin account can be identified using the url “linkedin.com/sales/gmail/profile/viewByEmail/[example email address here]”. This no longer works. The process below that currently works might similarly stop if LinkedIn decides to block it.

A new, working method was discovered by Steve Adams of IntelligenceBySteve.com, click here to see his article (you are highly encouraged to follow his website). Below is a shortened version of what he wrote but is largely verbatim.

  1. Create a Microsoft account at https://account.microsoft.com/account?lang=en-us
  2. Sign in to the web-based version of Outlook with the url – https://outlook.live.com/owa – and using your Microsoft account.
  3. Within Outlook, go to your contacts section at – https://outlook.live.com/people
  4. Create a new contact by selecting “Add a contact” and add the email address to its details. [sidenote from search-ish: In the contact details type a random unrelated letter, like “x”, as the name. This avoids confusion later, because if the site can’t find the Linkedin account it will show a list of guesses based on the name.]
  5. Click on the profile photo or letters, next to your new contact and within the new sub-window select “LinkedIn”.
  6. Click “Continue to LinkedIn” on the pop-up and then sign in to your LinkedIn account, then finally click “Accept”. [end of info from Steve Adams]

Find More Info with LinkedIn Account URL

Once you have identified the LinkedIn account, you can copy and paste the account page’s url into the search function at Rocketreach.co. As seen below, its search function uses a LinkedIn url, among various other criteria.

This search on Rocketreach can potentially find phone numbers, email addresses, and social media accounts that are not publicly connected to the Linkedin account holder.

UPDATE: Epieos has created a new tool (click here) that will supposedly find if an email is linked to a LinkedIn account. The method and reliability are not currently known.

Find Their Facebook Account

CREDIT WHERE IT IS DUE: This process was explained by Technisette on the OsintCurio.us webcast from December 19th 2019, titled “20191223 The OSINT Curious Special Facebook Webcast”, available on Youtube (click here) where Kirby (website, Twitter: @kirbstr) and Technisette (website, Twitter: @technisette) explain updated methods for investigating on Facebook. You are highly encouraged to follow Kirby, Technisette, and OsintCurious.

The first step is to log into Facebook and click the 3 horizontal lines that mean the “more” option, then click “pages” and then “+ create a new page”. After you’ve created a page, take these steps:

  1. click on “pages” once again and then click on your page, which should appear.
  2. click on the page you created
  3. click “settings”
  4. “page roles” and you will get to this page below:

  5. “assign a new page role”
  6. type in the email address below that
  7. if a facebook account appears in the drop down menu, click on it. (if no facebook account appears, sorry but that means you have hit a dead end with this process, it is time to try something else)
  8. click “network” tab
  9. in the search bar that is slightly down and to the left of the “network” tab, type in the word “account” or “ANYONE_EXCEPT_VERIFIED_ACCOUNT”
  10. That should filter the results to the ones with “ANYONE_EXCEPT_VERIFIED_ACCOUNT”. click on the bottom one in the list and a “preview” tab should appear.
  11. look under the “preview” tab and the account’s name and ID number should be in there (if that information is not in the preview tab, try clicking the other results in the list, it should be in one of those results).
  12. Verify that you have found the account info by pasting the ID number at the end of the url “facebook.com/” and this should bring up the account that you saw in the drop down menu from step 7.

If the facebook account is completely private, there is a nice guide at osintcurio.us for researching private accounts, click here.

Google Account

CREDIT WHERE IT IS DUE: I learned of the following by listening to the OsintCurio.us podcast/webcast #45 that you can access here. I give more specific credit for individual developments where it is due in the paragraphs below.

Epieos (https://epieos.com/) created a Google account finder (click here). If someone has a Google account this will find it. The results generally include their real name, a general location down to the city level, and any reviews they posted on Google Maps. This last one is a bit weird but I promise you that it is surprisingly common that people leave random reviews of places and businesses that they have used and are often revealing about the person or their location.

If you are researching an email address that is gmail, you can assume they have a google account. Other email addresses also often have associated google accounts.

ADDITIONAL RESOURCES AND CREDIT: You can also use the Python code GHUNT that is located here, on the Github account for MXRCH. In order to understand the role of Google IDs in OSINT and how to obtain and use them more manually, see these articles here and here by Sector035 (website, Twitter: @Sector035).

Okay that is it, Good Luck!