Identity and accounts
Defensive OSINT: what you're leaking without knowing it
Methodical OSINT audit on yourself. Leak sites, leak databases, OSINT mapping. Systematic cleanup. The right-to-erasure myth.
This version was translated with AI assistance and reviewed by a human.
A client tells me “there’s nothing about me online.” Three hours later I have their extended family, their last five home addresses, the name of their private banker, and the make of their car. Every single source is public. They didn’t know what they didn’t know.
The common trap
Most people confuse two very different things: “nothing comes up when I Google myself” and “nothing findable by someone who knows what to look for.”
Googling your own name gives you a filtered, SEO-shaped view that reflects what you’ve intentionally published. That’s not what a competent attacker sees. A competent attacker uses specialized tools, cross-references breach databases, reconstructs relationship graphs, and knows that the real information often lives in metadata and secondary traces you never realized you were leaving.
Defensive OSINT means doing what an adversary would do — before they do — to know what they would know, and acting on it before they get the chance.
Why run OSINT on yourself
Three practical reasons:
Know your attack surface. An attacker preparing a SIM swap, a spear-phishing campaign, or a social engineering attempt starts by collecting information about you. If you know what they can find, you know which attack scenarios are realistic against you specifically — and you can design your defenses accordingly rather than generically.
Identify leaks to mitigate. Some information about you is online without your knowledge — from forgotten registrations, forums from a decade ago, documents you shared professionally. An OSINT audit surfaces these. A portion can be cleaned up or minimized.
Prepare for social engineering attempts. If you know an attacker can easily find your children’s names, your previous employer, and your neighborhood, you anticipate the plausible pretexts they might use and you’re less likely to be taken in. “I’m calling from the office of your former colleague at [company]…” is more convincing when the attacker knows that company name.
Involuntary leak vectors
LinkedIn — the perfect OSINT profile
LinkedIn is designed to maximize professional visibility. For OSINT, it’s a goldmine.
A typical LinkedIn profile yields: full name, photo, current title, full employment history, education, visible connections, post dates that let you infer approximate birth year and career transitions, project names mentioned in descriptions, languages spoken, professional groups joined.
By cross-referencing your LinkedIn connections with those connections’ profiles, an investigator can reconstruct your organization’s reporting chain, identify your direct manager and reports, and find people who know you well enough to serve as a plausible pretext in a social engineering call: “Hi, [mutual contact] told me to reach you directly about…”
What you can do: restrict profile visibility to connections, hide your connection list, avoid operational details in job descriptions, review which sections are visible to “Anyone” in LinkedIn’s privacy settings.
Photos with EXIF data — the hidden geolocation
Smartphone photos embed EXIF metadata by default: precise GPS coordinates of where the photo was taken, exact timestamp, camera model, sometimes altitude. These metadata survive upload on many platforms.
A series of published photos allows an investigator to map your movements, identify your home address (if you photograph from home), your regular workplace, your frequented restaurants, your patterns. This isn’t theoretical: investigative journalists have located people under witness protection by exploiting EXIF data in photos published on social media.
Quick check: on Mac, open a photo in Preview → Tools → Show Inspector → GPS tab. On Windows, right-click a photo → Properties → Details → GPS. Test your last ten published photos. If coordinates are there, they were visible to anyone who downloaded that image.
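To run the same check over a folder of photos without opening each one, the GPS tags can be read straight from the file. The script below is an added example, not part of the original article: a standard-library reader for the Exif GPS block of a JPEG, with function names and a constructed sample file (`sample_jpeg`) chosen for illustration.

```python
import struct

def ifd(tiff, off, e):
    """Parse one TIFF IFD into {tag: raw 4-byte value-or-offset field}."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    return {struct.unpack_from(e + "H", tiff, off + 2 + 12 * k)[0]:
            tiff[off + 10 + 12 * k:off + 14 + 12 * k] for k in range(n)}

def exif_tiff(jpeg):
    """Walk JPEG header segments; return the TIFF payload of APP1/Exif, or None."""
    i = 2
    while jpeg[:2] == b"\xff\xd8" and i + 4 <= len(jpeg) and jpeg[i] == 0xFF:
        marker, size = jpeg[i + 1], struct.unpack_from(">H", jpeg, i + 2)[0]
        if marker == 0xDA:  # start of scan: no metadata segments after this
            break
        if marker == 0xE1 and jpeg[i + 4:i + 10] == b"Exif\x00\x00":
            return jpeg[i + 10:i + 2 + size]
        i += 2 + size
    return None

def gps_coords(jpeg):
    """Return (lat, lon) in decimal degrees, or None when no usable GPS tags exist."""
    tiff = exif_tiff(jpeg)
    if not tiff or tiff[:2] not in (b"II", b"MM"):
        return None
    e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
    def degrees(gps, ref, val, negative):
        r = struct.unpack_from(e + "6I", tiff, struct.unpack(e + "I", gps[val])[0])
        d, m, s = (r[k] / r[k + 1] if r[k + 1] else 0.0 for k in (0, 2, 4))
        return round((-1 if gps[ref][:1] == negative else 1) * (d + m / 60 + s / 3600), 6)
    try:
        ifd0 = ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
        gps = ifd(tiff, struct.unpack(e + "I", ifd0[0x8825])[0], e)  # GPSInfo pointer
        return degrees(gps, 1, 2, b"S"), degrees(gps, 3, 4, b"W")  # refs 1/3, values 2/4
    except (KeyError, struct.error):  # no GPS IFD, missing tag, or truncated data
        return None

def sample_jpeg():
    """Constructed sample: minimal JPEG whose Exif block holds 10 deg 30' N, 20 deg 15' W."""
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", 1, 2, 2, b"N") + struct.pack("<HHII", 2, 5, 3, 80)
    gps += struct.pack("<HHI4s", 3, 2, 2, b"W") + struct.pack("<HHII", 4, 5, 3, 104)
    gps += struct.pack("<I6I6I", 0, 10, 1, 30, 1, 0, 1, 20, 1, 15, 1, 0, 1)
    tiff = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<HHHIII", 1, 0x8825, 4, 1, 26, 0) + gps
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

if __name__ == "__main__":
    print(gps_coords(sample_jpeg()))  # coordinates recovered from the constructed file
```

A `None` result for a copy downloaded back from the platform means the GPS block did not survive that platform's upload processing.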
Old profiles and forums — digital ghosts
The version of you from ten years ago may have asked questions on medical forums, discussed a personal situation on Reddit, listed items for sale on Craigslist with your phone number and city. Those traces still exist. Google often still indexes them.
The particular danger of old traces: they reveal information you wouldn’t share today — a previous address, a vehicle you owned, a family situation, health issues. An attacker can use these to validate an identity claim (“you used to live at…”) or build a credible pretext.
PDF and Word documents published online — forgotten metadata
A Word or PDF document created with Microsoft Office or LibreOffice contains by default: author’s full name (from the OS user account), organization name, creation date, modification date, and sometimes tracked changes (all deleted text from revisions is potentially recoverable).
Contractors have published quotes, reports, and presentations on client websites or in response to public procurement processes without realizing those files contained identifying metadata or intermediate draft versions with confidential information visible in the tracked changes.
Check: exiftool filename.pdf on Linux/Mac (exiftool available via Homebrew or apt) shows all metadata. On Windows, right-click → Properties → Details. Run this on any document you’ve ever published externally.
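For Word files specifically, the fields described above can be read without Office, because a .docx is a ZIP archive of XML parts. The following is an added example, not part of the original article: it covers only the .docx case, and the function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"  # .docx XML namespaces
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

def audit_docx(data):
    """Return identifying metadata and tracked-change residue found in .docx bytes."""
    out = {"author": None, "last_modified_by": None, "company": None,
           "revision_authors": set(), "deleted_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = set(z.namelist())
        if "docProps/core.xml" in parts:  # author comes from the OS/Office user name
            core = ET.fromstring(z.read("docProps/core.xml"))
            out["author"] = core.findtext(f"{{{DC}}}creator")
            out["last_modified_by"] = core.findtext(f"{{{CP}}}lastModifiedBy")
        if "docProps/app.xml" in parts:  # organization name
            out["company"] = ET.fromstring(z.read("docProps/app.xml")).findtext(f"{{{EP}}}Company")
        if "word/document.xml" in parts:
            for el in ET.fromstring(z.read("word/document.xml")).iter():
                if el.tag in (f"{{{W}}}ins", f"{{{W}}}del"):  # tracked insertion/deletion
                    out["revision_authors"].add(el.get(f"{{{W}}}author"))
                if el.tag == f"{{{W}}}del":  # "deleted" text is still stored in the file
                    out["deleted_text"].append(
                        "".join(t.text or "" for t in el.iter(f"{{{W}}}delText")))
    return out

def sample_docx():
    """Constructed sample: a minimal .docx with metadata and one tracked deletion."""
    files = {
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
                             '<dc:creator>Jane Example</dc:creator>'
                             '<cp:lastModifiedBy>jexample</cp:lastModifiedBy></cp:coreProperties>',
        "docProps/app.xml": f'<Properties xmlns="{EP}"><Company>Example Consulting</Company></Properties>',
        "word/document.xml": f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:t>Total: 9,000</w:t></w:r>'
                             '<w:del w:id="1" w:author="Jane Example"><w:r><w:delText>Internal floor price: 6,500'
                             '</w:delText></w:r></w:del></w:p></w:body></w:document>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in files.items():
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_docx(sample_docx()))
```

Any non-empty `deleted_text` means the file still carries draft content; accept or reject all changes and clear the document properties before publishing.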
Domain registrations — WHOIS history
If you ever registered a domain without privacy protection, your name, address, email, and phone number were publicly recorded in the WHOIS database. Even if you’ve since enabled privacy, WHOIS history services (DomainTools, ViewDNS.info) maintain archives.
Marketplace listings — the identifier with phone number
A Craigslist, eBay, or Facebook Marketplace listing with your first name, phone number, and city, cross-referenced with a LinkedIn search on the name and location, often yields a complete identity profile. Listings don’t always disappear from Google’s cache after deletion — sometimes they persist for months.
OSINT graph methodology
OSINT isn’t a checklist of searches. It’s a graph method. You start with a seed data point and follow the connections.
Typical starting point: professional email. From a single email address, you can find:
- Which services are registered with that email (Holehe)
- Which domains are registered to that email (WHOIS lookup)
- Which forums or sites display that email publicly (Google dork: "email@domain.com")
- Which data breaches contain that email (Have I Been Pwned, Dehashed)
Extending the graph: from discovered services, you find usernames/handles. From handles, you search other platforms (Sherlock). From platforms, you find photos, comments, networks. From photos with EXIF, you get coordinates. From coordinates, you identify an address. From the address, you search property records, voter rolls, and people-finder sites.
In three hours with standard tools, a competent investigator can often connect email → usernames → photo → home address → phone number → family members → employer.
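The graph view is also how you prioritise cleanup once your own audit is done. The sketch below is an added example, not part of the original article: it records self-audit findings as edges, finds the shortest chain from a seed to a sensitive item, and lists the smallest sets of findings that must be removed to break every chain. All identifiers and findings in it are constructed.

```python
from collections import deque
from itertools import combinations

# Constructed self-audit findings: (item already known, item it reveals, where the link was found).
FINDINGS = [
    ("email:j.example@corp.example", "user:jex_82", "forum profile"),
    ("email:j.example@corp.example", "user:jex_82", "breach record"),
    ("user:jex_82", "photo:holiday.jpg", "photo-sharing account"),
    ("photo:holiday.jpg", "address:home", "EXIF GPS"),
    ("email:j.example@corp.example", "domain:jex.example", "WHOIS registrant email"),
    ("domain:jex.example", "address:home", "WHOIS history"),
    ("address:home", "phone:mobile", "people-finder site"),
]

def chain(findings, seed, target):
    """Shortest chain of findings linking seed to target (breadth-first), or None."""
    prev, queue = {seed: None}, deque([seed])
    while queue:
        node = queue.popleft()
        if node == target:
            steps = []
            while prev[node] is not None:
                steps.append(prev[node])
                node = prev[node][0]
            return steps[::-1]
        for finding in findings:
            if finding[0] == node and finding[1] not in prev:
                prev[finding[1]] = finding
                queue.append(finding[1])
    return None

def cleanup_sets(findings, seed, target, max_size=2):
    """Smallest sets of findings whose removal leaves no chain from seed to target."""
    for size in range(1, max_size + 1):
        hits = [cut for cut in combinations(findings, size)
                if chain([f for f in findings if f not in cut], seed, target) is None]
        if hits:
            return hits
    return []

if __name__ == "__main__":
    seed = "email:j.example@corp.example"
    for step in chain(FINDINGS, seed, "address:home"):
        print(" -> ".join(step[:2]), "via", step[2])
    print(cleanup_sets(FINDINGS, seed, "address:home"))
```

In this sample no single fix hides the home address: one finding on the photo route and one on the WHOIS route both have to go, which is why a per-leak checklist underestimates exposure.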
Practical tools for defensive auditing
Holehe (Python, open source): sends “forgot password” requests to hundreds of online services with your email and returns which ones recognize the address as registered. Reveals every service your email is enrolled in, including services you’ve forgotten about.
pip install holehe
holehe your@email.com
Sherlock (Python, open source): searches a username across hundreds of platforms simultaneously. Run it on all your active and former usernames.
sherlock your_username
theHarvester (Python, open source): aggregates emails, names, subdomains, IPs, and URLs for an organization or domain name from search engines, LinkedIn, and other sources. Useful if you have a domain or associated organization.
SpiderFoot (Python, open source): automates OSINT aggregation from a seed data point (email, name, domain, IP). Web interface available. Cross-references dozens of sources simultaneously. Good for a consolidated overview of your exposure.
Maltego CE (free tier): visualizes relationships between OSINT entities as a graph. Slower to use but highly effective for understanding connections between data points. The paid version adds more data transforms.
Have I Been Pwned (web, free): checks whether your email appears in publicly known breach databases. For each breach, identifies exactly which data types were exposed. If your email appears with passwords, assume those passwords are actively being tested in credential stuffing attacks right now.
IntelTechniques (Michael Bazzell): search tools covering major social networks, image search, and public records. Bazzell is a former FBI agent; his tools and podcast are a reference for the OSINT community. His book “Open Source Intelligence Techniques” is the most comprehensive written guide available.
What you cannot erase
The right to erasure (GDPR Article 17 in Europe, and its equivalent under California’s CCPA) exists in theory. In practice, enforcement is laborious and incomplete, and many data operators are either outside European jurisdiction or simply non-compliant.
What persists regardless:
- Wayback Machine archives (archive.org has indexed web pages since 1996 and doesn’t accept arbitrary deletion requests)
- Google and Bing caches (update delays measured in weeks to months)
- Breach databases (once exfiltrated and redistributed, data circulates independently of any legal process — the breach data from 2017 is still being used in credential stuffing today)
- Third-party WHOIS archives
- Screenshots and reposts made by other users
The right to erasure can reduce indexation. It doesn’t delete the data.
What you can minimize
Disable EXIF before publishing photos. On iOS: Settings → Privacy → Location Services → Camera → Never. On Android, the option is in Camera app settings and varies by manufacturer. Alternatively, strip metadata before uploading with ExifTool or the Scrambled Exif app (Android).
Close old accounts. Every online service you no longer use is a future breach waiting to happen, plus historical data already in their systems. Delete them methodically. Justdeleteme.com rates how easy it is to delete accounts on major services.
WHOIS privacy on your domains. Free or a few dollars per year at most registrars. It masks your information in future WHOIS queries. It doesn’t remove historical records.
Remove your phone number from public profiles. LinkedIn, forums, email signatures — every place your number appears is a cross-reference point.
LinkedIn data export restrictions. Settings → Privacy → How LinkedIn uses your data → limit what third parties can retrieve via API scraping. Also check which third-party apps have access to your LinkedIn data.
Mistakes we see all the time
Only searching your real name. Usernames, secondary email addresses, company names, registered domains — all of these are OSINT seeds that lead back to your full profile.
Forgetting published PDF documents. Dozens of professional documents published on client sites contain identifying metadata. Systematically overlooked.
Photos with geolocation still enabled. The vast majority of people have never checked whether their published photos contain GPS coordinates.
Not checking Have I Been Pwned. If your email appears in breach data with passwords, those credentials are being actively tested in credential stuffing campaigns. If any password is reused anywhere, that account is at risk right now.
Underestimating gaming platform traces. Steam, Twitch, Discord accounts with old usernames, sometimes linked to personal emails, rarely checked during a surface audit.
- N1 Run OSINT searches on your full name and primary usernames via Google
- N1 Check your email addresses on Have I Been Pwned
- N1 Check EXIF data on your last 10 published photos
- N2 Disable location services for the camera app on your smartphone
- N2 Run Holehe on your primary and secondary email addresses
- N2 Run Sherlock on your active and former usernames
- N2 Audit and close inactive accounts identified by Holehe
- N2 Remove your phone number from public profiles (LinkedIn, forums)
- N2 Check metadata on PDF/Word documents you've published externally
- N3 Enable WHOIS privacy on your registered domains
- N3 Set up a Google Alert on your name and usernames
- N3 Run SpiderFoot against your email and name for an aggregated exposure view
Sources and further reading
- OSINT Framework [official]
- Bellingcat — Online Investigation Toolkit [official]
- IntelTechniques (Michael Bazzell) [official]