How to Find Email Addresses Using OSINT?

OSINT Email Address Investigation

In OSINT investigation, any information can be helpful. Especially if it’s an email as you can find much valuable data from it, including:

  • Social media profiles
  • Person’s name and address
  • Phone number
  • Some legal records

The amount and accuracy of information depend on your skills and the steps the person has taken to protect themselves. The tools of OSINT investigation you use are also crucial as they have different algorithms and goals.

So, in this article, we will tell you how to find the complete information knowing only the email, and vice versa, and how to find out the email of a person if it is hidden.

How to find an email address

Let’s start with how to find an email address if you don’t know it. In this case, you should use some guesswork and tools to search more accurately.


If you know a person’s username in some social network, forum, or even online game, try using it by adding the domain name of popular email services such as or Yahoo! Email Validator will help you check your guess.

Social media

While social media can provide information on its own, email can be much more helpful. Use the available tools to find a person’s email if you have access to their social network.

For example, use Linkedin: find a person’s page in the contact list, click on “show more,” and the email will appear on the screen.

If a person is not in the contact list, but you can find their colleagues’ email, try to guess the email by domain. For example, if other employees have an email address of [email protected], then perhaps John Snow’s email address is [email protected]. Or use Email Permutator, which will pick up a few of the most likely options for you.

Facebook can also be used to search for email. You need:

  • Find a person’s profile on Facebook and copy the username from the URL.
  • Click “forgot profile” or “forgot password” in the login window.
  • Enter the copied name without the domain (without the part after @) and press enter.
  • If the first part of the email is correct, Facebook will want to send you a confirmation and show you the domain part, like c*******

You can also use online tools like Swordish that find emails and other information if you have a link to a person’s social media profile.


A simple Google search won’t turn up any results most of the time, but you can try. Although it’s better to use Google Dorks, which will make the search more accurate. Here are some of them:

  • “” finds all available email names on the site.
  • HR “email” filetype:csv | filetype:xls | filetype:xlsx finds contact lists of HR employees in a specific site.
  • filetype:xls searches for email IDs for a domain from Google.
  • intext:resume “john smith” finds resumes that can contain an email address.

Online tools

Many online tools can find email addresses, but I will only tell you about some of them. is a very cool site to find corporate emails of company employees. It will not see emails from popular services like @gmail, but it works with all companies with their own domain. The most exciting thing is that it also shows the pages where the found email has been published.

WhoIs is a search engine that works on the same principle as but shows much more information, including email addresses, contacts, and even IPs.

ThatsThem is a reverse search tool. It can search for email by person’s name, address, phone number, IP, and even vehicle identification number. It’s handy if you need to find who scratched your car.

There are many more similar sites, and they differ in cost and access to databases of different countries. So please pay attention to these aspects before using one of them.

How to use an email address in OSINT investigation

Now you have an email address, and it’s time to use it. We will show you how with specific tools as an example.

This service gives a ton of useful information related to an email account and checks its age. For example, it can:

  • Check if the email is related to phishing or malware activities
  • Check the reputation of the email address
  • Find social networks connected to this email (but it does not provide a link)
  • Find out if the email credentials have been leaked
  • Check registered domains for this email
  • You can go deeper in your search knowing this data. For example, if the data has been leaked, you should search for it on the dark web.


This service also shows whether the data was leaked from the sites connected to the email. The difference from the previous one is that the service names these sites. So, you can use them to find profiles. For example, you can find that a person used some kind of dating site and learn something new about their private life.


This site is a convenient American reverse search service. It can find much email-related data, including addresses and phone numbers. However, the subscription to the service is paid and has access to US databases only. So, if you are searching in Europe, this tool will not work due to privacy laws. In this case, you can look for leaked bases on the dark web, but this is a topic for a separate article.

In this way, these three sites or their analogs will give you almost all the necessary data related to email if the owners have not blocked them precautiously.

To sum up

As you can see, an email address can help find information about a person: where they work and live, what social networks they use, and even where they shop or meet other people. An email address is often easy enough to find if a person is not worried about their privacy.

Unfortunately, there is little you can do if they have taken action, such as creating separate work and private email accounts and blocking them from appearing on most sites. Still, it’s always worth a try.