How to find the password of hacked email addresses using OSINT

Open-source intelligence or OSINT is a potent technique, and it can give a lot of valuable information, if implemented correctly with the right strategy and correct tools. In this article, I will show you how a hacker can get passwords of thousands of email addresses without attacking the webserver or without using any other hacking technique; but, just using the power of OSINT.

You can implement all the techniques discussed in this article manually; however, to enhance the operation and to maximize the result, we will utilize Maltego along with a web service called Have I been Pwned?

Access the Hacked Passwords Systematically

Blackhat hackers usually post and publish data after hacking a webserver; for example, they dumped Linkedin hacked accounts and others. Let’s just fetch all this valuable information smartly. Tools used in this article:

  • theHarvester
  • Maltego
  • Have I been Pawned

I have discussed the configuration of Maltego with Have I been Pawned before; so, let’s just skip this part.

Step 1: Getting email addresses using the email harvesting tool, theHarvester

As a starting point, let’s search the google for email address using theHarvester tool.

# theHarvester -d hotmail.com -b google

Getting email addresses using the email harvesting tool, theHarvester

You can use any organization’s domain or any other specific target, if you have. A basic search gave us lots of information (54 email addresses) to begin. Let’s copy a few of them into the CSV file and import them into Maltego for further analysis. The reason for copying a few is the ease of maintaining the operation because, in the Maltego, you will see a massive connection of just a few email addresses.

Step 2: Importing the Data into Maltego for further analysis

Importing the Data into Maltego for further analysis

I am selecting the manual option, so no previous connection.

I am selecting the manual option, so no previous connection. Step 3: Find the breaches where the target email addresses appeared

Select all the email addresses, since I have only imported 11 of them, and run the Have I been Pawned transform to check whether the target email addresses been hacked before or not. If it is not the part of any breach, then just drop it; it’s of no use.

Find the breaches where the target email addresses appeared

There we can see so many email addresses appeared in many breaches. I have dropped some, two email addresses out of 11 because they did not appear in any breach.  Remember that we are just gathering information, not hacking or directly attacking any server; so, if an email was not got hacked before, it won’t be beneficial for us.

email was not got hacked beforeStep 4: Find the Plain Text Passwords of the Hacked Email addresses

The most common practice in the industry is to paste or dump the hacked email addresses details into Pastebin; it is a website where you can store text for some specific time. This time, let’s execute the  second  transform:

Find the Plain Text Passwords of the Hacked Email addressesEach email addresses appearing in many Pastebin text.

Each email addresses appearing in many Pastebin text.Open any Pastebin URL and analyze the data.

Open any Pastebin URL and analyze the dataWahoo, very recent data with the plain text password, email account, and the expiry date of a particular subscription, the blackhat guys use this information to ask a ransom. A common man does not know that someone published his confidential information online.

Step 5: Try to report it to the authority

Being a responsible cybersecurity professional, you should inform the authority or at least make sure that the hacked website or service should notify about changing the password to all its members.


As you can see, the power of open-source intelligence gathering (OSINT), and we have started with just a random email acquired from the Google search. Imagine a malicious person with evil intent can do OSINT investigation against any specific target, let say an organization to check the employee details and possible passwords. And once the evil person got the password, he can further dig into the organization confidential information, or he can send his malware and backdoor to hack the entire organization. We have covered a similar story; you should this out.

Irfan Shakeel
Irfan Shakeel, the founder of ehacking project, he also hosts cyber security training classes at EH Academy. He has discovered many vulnerabilities in the famous platforms (like Google, Dailymotion, Harvard University & etc.). He specializes in Network hacking, VoIP pentesting & digital forensics. He is the author of the book title “Hacking from Scratch”.

Most Popular

What Makes ICS/OT Infrastructure Vulnerable?

Infrastructure security for operational technologies (OT) and industrial control systems (ICS) varies from IT security in several ways, with the inverse confidentiality, integrity, and...

Everything You Must Know About IT/OT Convergence

What is an Operational Technology (OT)? Operational technology (OT) is a technology that primarily monitors and controls physical operations. It can automate and control machines,...

Understand the OT Security and Its Importance

This article discusses OT security and why it is essential for protecting industrial systems from cyberattacks. We will also discuss common control objectives that can...

What is Deepfake, and how does it Affect Cybersecurity?

Producing deepfake is easy. It is hard to detect. They operate with a description of reality rather than reality itself (e.g., a video). Any...