How to Identify Company’s Hacked Email Addresses Using Maltego & HaveIbeenPawned

This article is part of the Maltego OSINT tutorial, where you will learn to identify the already hacked account, and it’s password using the open-source tools.

While doing the hacking, the very first phase of attacking any target is to perform reconnaissance, which means gathering information about the target until a particular vulnerability or loophole makes itself apparent.

There are several ways to gather information, but the most famous one, favorable by hackers is to use Open Source Intelligence or OSINT.

What is Open Source Intelligence?

OSINT lets the user scraping information from public channels. OSINT includes any information that is acquired from free and open sources about an individual or organization.

The technique helps to look for human errors, individuals that may not seem to follow their security policy and let their organization’s resources to be in danger.

There are many OSINT tools available for information gathering, but to be able to solve more complex questions like who will be the person that is more likely to be involved in a data breach, then Maltego is the best choice!

Maltego for Open Source Intelligence

Maltego is an Open Source Intelligence and forensics software developed by Paterva. It comes pre-build with Kali Linux, but you can install it on any operating system.

This tool is used to solve more complex questions by taking it a single piece of information, then discovering links to more parts of data relating to it. Finally, it gives a complete big picture in terms of graphs to visualize the output.

It has multiple features that are said to be Transforms, which pull the related information via API pulls and then comparing the gathered data that tends to give meaningful information.

Having said that, in our case, we want to identify if any employees have violated their security policy and entered their work email address into a third-party website. Also, we want to know if there is a breach of credentials what are the actual passwords that a target has lost.

Have I Been Pwned Transform

Maltego came with a variety of transforms that will track screen names, email addresses, aliases, and other pieces of information links to an organization; some are paid while others are available as free.

We will be using a free transform ‘Have I Been Pwned’ that is relatively simpler and easier. This transform takes an email address and query from a database that contains all the data related to compromised accounts, email addresses, passwords, locations, and other personal information. This database is maintained by security professionals to let users get acknowledged if a particular email address has been compromised without the knowledge of a user.


In a web version of Have I Been Pwned, we can only check a single email at a time, but in Maltego as a transformer, several emails can be checked in one click!

Identify Vulnerable Email Addresses using Maltego

You can use Maltego on any operating system; we are using this tool on Kali Linux. It comes pre-installed on Kali, so no need to get in the installation steps; just open it from the Kali terminal.

Identify Vulnerable Email Addresses using Maltego

It will ask which version you want to use. We will use a Community version as it is free, but still, we need to make an account on Paterva.

Once you make an account and log in, you will get the main page of the transform hub. Here you can see there are various transforms available in which some are free while others are paid.

Luckily the Have I Been Pwned transform comes free in Maltego, so you just have to install it.

Transform Hub

Now, after installing the transform, you need to conduct your investigation by creating a new graph. You can create it by clicking the document icon on the top left corner.

clicking the document icon on the top left corner

After creating the document, you will find ‘Entity Palette’ on the left corner, from where you can add different entities (domains, devices, Groups, companies, etc.) in your canvas. Just drag and drop the item you want to investigate.

We will be starting from adding a single point i.e., Domain.

DomainYou must specify the Domain you want to target. In our case, the target domain is microsoft.com.




Getting Email Addresses

Right-click on the domain and type email, you will see several options which are paid and free. We will use a free one, i.e., ‘Email addresses in PGP key servers.’

Getting Email Addresses

And we got a bunch of email addresses.

And we got a bunch of email addresses.


We can get more email addresses from pastebin that is a popular web application for storing and sharing text.

Select all the email addresses and right-click on it, type paste where you will see an option ‘Get all pastes featuring the email address,’ Select this option.

Select this option.You will see a bunch of entities in your graph names as ‘Pastebin.’ Click one of those Pastebin to get a URL.


On browsing the URL, you will be redirected to a Pastebin page where you can find the email addresses of the desirable Domain, just search for it.

We got located one email address of microsoft.com, copy it from here, and paste it on the Maltego graph.

microsoft.com, copy it from hereYou can also use The Harvester, a tool for gathering email accounts, subdomain names, virtual hosts, open ports/ banners, and employee names from different public sources (search engines, PGP key servers).

In this way, you can collect as many email addresses as possible and get the desired data set to target.

Searching for The Breached Accounts

After getting the data set now, you will be able to search for the breached email addresses. Select all the addresses from the entity list and right-click on it, type ‘breach’ where you will get an option ‘Get all breaches of an email address,’ select that option.

Searching for The Breached Accounts

It will take some time to run the transform. We will see as this transform finishes running, different results show up.

transform finishes running

[email protected] has been breached in a Dailymotion database breach as well as sharethis.com, myfitnesspal.com database breaches.

Right-click one the breach you want to examine, i.e., dailymotion.com.

Type ‘breach’ and select an option ‘Enrich breached domain’.

database breach


It shows the user has signed up with his company account on Dailymotion and hence losses up his email address, passwords, and usernames, as shown below.

Additionally, it includes a short description of what was happened with the database breach.

database breach

Furthermore, we can see the email addresses that haven’t breached.

email addresses that haven’t breachedDiscovering Actual Passwords

This transform shows that what data have been lost by individuals. Extracting actual credentials can be rare, but it could be possible that we can find breached passwords if they are present in the Pastebin dumps as plain text.

Once you have targeted the email, it is much easier to find Pastebin dumps related to that email with the help of Maltego.

Moreover, you can even crack the hashed passwords with brute-forcing, and if you crack that password into a plaintext successfully, you can even use it on other platforms if the person used the same password.

Also, you can make a guess from an old password that how the account owner has constructed their new passwords.


All this information extracted from a single reconnaissance tool, you get one piece of information, i.e., a data set of the employee’s email addresses, public to everyone, and with that information, you can investigate when and what exactly the data had breached from these official email addresses.

Irfan Shakeel
Irfan Shakeel, the founder of ehacking project, he also hosts cyber security training classes at EH Academy. He has discovered many vulnerabilities in the famous platforms (like Google, Dailymotion, Harvard University & etc.). He specializes in Network hacking, VoIP pentesting & digital forensics. He is the author of the book title “Hacking from Scratch”.

Most Popular

What Makes ICS/OT Infrastructure Vulnerable?

Infrastructure security for operational technologies (OT) and industrial control systems (ICS) varies from IT security in several ways, with the inverse confidentiality, integrity, and...

Everything You Must Know About IT/OT Convergence

What is an Operational Technology (OT)? Operational technology (OT) is a technology that primarily monitors and controls physical operations. It can automate and control machines,...

Understand the OT Security and Its Importance

This article discusses OT security and why it is essential for protecting industrial systems from cyberattacks. We will also discuss common control objectives that can...

What is Deepfake, and how does it Affect Cybersecurity?

Producing deepfake is easy. It is hard to detect. They operate with a description of reality rather than reality itself (e.g., a video). Any...