How to find the password of hacked email addresses using OSINT

Open-source intelligence or OSINT is a potent technique, and it can give a lot of valuable information, if implemented correctly with the right strategy and correct tools. In this article, I will show you how a hacker can get passwords of thousands of email addresses without attacking the webserver or without using any other hacking technique; but, just using the power of OSINT.

You can implement all the techniques discussed in this article manually; however, to enhance the operation and to maximize the result, we will utilize Maltego along with a web service called Have I been Pwned?

Access the Hacked Passwords Systematically

Blackhat hackers usually post and publish data after hacking a webserver; for example, they dumped Linkedin hacked accounts and others. Let’s just fetch all this valuable information smartly. Tools used in this article:

  • theHarvester
  • Maltego
  • Have I been Pawned

I have discussed the configuration of Maltego with Have I been Pawned before; so, let’s just skip this part.

Step 1: Getting email addresses using the email harvesting tool, theHarvester

As a starting point, let’s search the google for email address using theHarvester tool.

# theHarvester -d hotmail.com -b google

Getting email addresses using the email harvesting tool, theHarvester

You can use any organization’s domain or any other specific target, if you have. A basic search gave us lots of information (54 email addresses) to begin. Let’s copy a few of them into the CSV file and import them into Maltego for further analysis. The reason for copying a few is the ease of maintaining the operation because, in the Maltego, you will see a massive connection of just a few email addresses.

Step 2: Importing the Data into Maltego for further analysis

Importing the Data into Maltego for further analysis

I am selecting the manual option, so no previous connection.

I am selecting the manual option, so no previous connection. Step 3: Find the breaches where the target email addresses appeared

Select all the email addresses, since I have only imported 11 of them, and run the Have I been Pawned transform to check whether the target email addresses been hacked before or not. If it is not the part of any breach, then just drop it; it’s of no use.

Find the breaches where the target email addresses appeared

There we can see so many email addresses appeared in many breaches. I have dropped some, two email addresses out of 11 because they did not appear in any breach.  Remember that we are just gathering information, not hacking or directly attacking any server; so, if an email was not got hacked before, it won’t be beneficial for us.

email was not got hacked beforeStep 4: Find the Plain Text Passwords of the Hacked Email addresses

The most common practice in the industry is to paste or dump the hacked email addresses details into Pastebin; it is a website where you can store text for some specific time. This time, let’s execute the  second  transform:

Find the Plain Text Passwords of the Hacked Email addressesEach email addresses appearing in many Pastebin text.

Each email addresses appearing in many Pastebin text.Open any Pastebin URL and analyze the data.

Open any Pastebin URL and analyze the dataWahoo, very recent data with the plain text password, email account, and the expiry date of a particular subscription, the blackhat guys use this information to ask a ransom. A common man does not know that someone published his confidential information online.

Step 5: Try to report it to the authority

Being a responsible cybersecurity professional, you should inform the authority or at least make sure that the hacked website or service should notify about changing the password to all its members.


As you can see, the power of open-source intelligence gathering (OSINT), and we have started with just a random email acquired from the Google search. Imagine a malicious person with evil intent can do OSINT investigation against any specific target, let say an organization to check the employee details and possible passwords. And once the evil person got the password, he can further dig into the organization confidential information, or he can send his malware and backdoor to hack the entire organization. We have covered a similar story; you should this out.

Irfan Shakeel
Irfan Shakeel, the founder of ehacking project, he also hosts cyber security training classes at EH Academy. He has discovered many vulnerabilities in the famous platforms (like Google, Dailymotion, Harvard University & etc.). He specializes in Network hacking, VoIP pentesting & digital forensics. He is the author of the book title “Hacking from Scratch”.

Most Popular

Android Tips and Tricks for Getting the Most from Your Phone

Gone are the days when phones were only used to make phone calls and send text messages; nowadays, smartphones are more akin to a...

What Proxies Are For

When you cannot access certain sites or hide your identity, you need a tool for that. For example, the USA proxies are in demand...

Mobile Device Safety: Keeping your phone safe from intrusion

You might have heard that the iPhone is almost completely impossible to hack or that Samsung devices have some of the best firewalls in...

How to Detect Phishing Mails and Websites

Not long ago, phishing websites and mails looked quite unprofessional, they were peppered with spelling mistakes and had a distrustful design. Nowadays the digital...