Email Address OSINT
Published 2026-06-28 21:50:34, Author: secjuice.com

An email is the most productive pivot in OSINT, but the old toolkit is half broken. The 2026 method, the decay, and why a single source is never a fact.


Give me a username and I have a string. Give me an email address and I have a key. That is the difference, and it is the whole reason an email is the single most productive thing you can start an investigation with. A username is a name somebody chose, often once, often years ago, and it tells the services nothing they are obliged to answer for. An email address is the thing those same services use to find their own users, to reset their own passwords, to recover their own accounts. It is a globally unique identifier that the platforms themselves will leak back to you if you know how to ask. You do not really search an email. You interrogate the services it touches and you watch what falls out.

And here is the part nobody selling you a course wants to admit. The classic toolkit for doing this is half broken. The famous tools that everyone still installs are abusing the exact endpoints the platforms spent the last three years hardening, so a tool that found everything in 2020 quietly finds nothing in 2026 and tells you "no account" with a straight face. The skill is no longer running the tool. The skill is the method, and the corroboration, and the discipline to treat every single result as a question rather than an answer. So let us do this properly.

What You Are Actually Asking The Internet

When you have an email and nothing else, you are not looking for one big answer. You are collecting fragments and triangulating. A masked phone tail from one service. A first name from another. A reused username pulled out of a breach. A face hanging off an avatar hash. None of those is an identity on its own. Stacked and cross checked, they become one.

So the work splits into a handful of distinct moves. You ask which services the address is registered on. You knock on account recovery doors to harvest the masked hints they hand out. You hunt for the real corporate address behind a person. You mine the breach corpora for reuse and pivots. You resolve avatar hashes into a face. And then, the part that matters more than any of it, you confirm every fragment against a second independent source before you write a word of it down. Run those moves in that spirit and a free pile of tools beats an expensive black box every time.

The Tool That Tells You Where Somebody Lives Online

The first move is registration enumeration, and the canonical tool for it is Holehe. You feed it an address and it fans out across roughly a hundred and twenty services, Twitter, Instagram, Spotify, Adobe, Amazon and the rest, by quietly poking each one's password reset or registration endpoint and reading whether an account exists. It does this without notifying the target, which is exactly why it is so useful and exactly why platforms have spent years killing the trick.

So here is the honest 2026 status. Holehe is still the tool everyone installs and it is still where most people start, but it has gone a long stretch without serious maintenance and a great many of its modules are simply broken. The community write up titled RIP Holehe puts it perfectly when it calls an unmaintained checker "a false negative machine", because the platforms it relies on, X and Instagram chief among them, have hardened or changed the endpoints out from under it. The maintained successor it points to is user-scanner, which merges Holehe style email enumeration with Sherlock style username scanning and gets patched whenever a platform moves the goalposts. Use it, but confirm the exact repository before you install, because several forks share the name.

Whichever you run, read the output the right way. A green hit is a lead. "Account exists at Spotify" tells you the person uses Spotify, hints at their region and locale, and hands you another platform to mine. An empty result tells you almost nothing, because the module may have simply died. Trust presence. Distrust absence. And spot check the platforms that matter by hand, in a sock puppet, before you report anything.

TL;DR A green hit is real. "Nothing found" usually means the tool broke, not that the account does not exist.

Knocking On Doors

This is the oldest trick in email OSINT and still one of the best, and Secjuice wrote the canonical guide to it years ago in Account Knocking For Fun and OSINT. The idea is brutally simple. Open a platform's account recovery page, type in the email you have, and read the masked hints the recovery flow throws back at you before it sends anything. Done from a clean sock puppet, on the right platforms, it hands you a phone tail, a masked email, a first name and a profile photo from a single address.

But you have to know each platform's masking quirk or you will mis-correlate and burn yourself. Facebook is the holy grail, returning a profile photo, a name, the last two digits of the phone and a redacted email, but the number of asterisks in that email does not match the real length, so do not count them. Twitter, now X, is the opposite, and more dangerous to misread in the other direction, because its redacted email contains the same number of characters as the real one and leaks the first character of the domain, which narrows the provider hard. Yahoo is chattier still, giving you the first and last digits of the email, the full domain and even part of the area code, though again its asterisk count lies about length. Gmail's login page coughs up the account's first name. Apple's recovery page gives you the last two digits of a phone that the target may never have linked anywhere social. Cross reference that phone tail against any number you found elsewhere and you have tied two fragments to one human.

Now the hard rule. You stop at the masked hint page. You do not complete the reset. The instant you finish a recovery you fire a code or an email at the target, they realise something is wrong, and they may abandon the very account you were working. Rehearse any new platform on a sock puppet first, every time. And remember the floor is moving under you. On the sixth of June 2026 a logic bug in Instagram's password reset flow returned fully unredacted emails and phone numbers instead of masked ones, to the point that half the internet was passing Mark Zuckerberg's phone number around, and Meta patched it within hours. Recovery flow leakage opens and closes without warning. Write the date you tested into your notes, because a technique without a "verified on" is a stale technique.
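The masking quirks above turn into a filter: a masked hint does not give you the address, but it rules candidates out, provided you apply the right trust rule per platform. The script below is an added example, not code from the Secjuice article. It encodes two rules the article states, that an X mask keeps the real length while Facebook and Yahoo masks do not, and matches candidate addresses and phone numbers against constructed hints. The mask strings, the fictional target and the `verified_on` dates are all made up for the demonstration; the real mask formats move, so rehearse them on a sock puppet before trusting the rules.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List


@dataclass(frozen=True)
class MaskedHint:
    """One masked value read off a recovery page, plus the trust rule for it."""
    platform: str
    mask: str              # what the recovery page showed, '*' for hidden characters
    length_is_exact: bool  # True only where the mask keeps the real length (the X rule)
    verified_on: date      # the day this platform's mask format was last rehearsed


def mask_matches(mask: str, candidate: str, length_is_exact: bool) -> bool:
    """Is `candidate` consistent with `mask`?

    length_is_exact=True:  every '*' hides exactly one character.
    length_is_exact=False: the asterisk count lies (Facebook, Yahoo), so a run of
    '*' may hide any number of characters; only the revealed characters bind.
    """
    if length_is_exact:
        return len(mask) == len(candidate) and all(
            m == "*" or m == c for m, c in zip(mask, candidate)
        )
    collapsed = re.sub(r"\*+", "*", mask)
    pattern = "".join(".*" if ch == "*" else re.escape(ch) for ch in collapsed)
    return re.fullmatch(pattern, candidate) is not None


def filter_candidates(hints: Iterable[MaskedHint], candidates: Iterable[str]) -> List[str]:
    """Keep only candidates consistent with every hint (case-insensitive)."""
    hints = list(hints)
    return [
        c for c in candidates
        if all(mask_matches(h.mask.lower(), c.lower(), h.length_is_exact) for h in hints)
    ]


def phone_tail_matches(tail: str, number: str) -> bool:
    """Compare a masked phone tail ('**34' or '34') against a full number,
    ignoring spaces, plus signs and other separators."""
    digits = re.sub(r"\D", "", number)
    tail_digits = re.sub(r"\D", "", tail)
    return bool(tail_digits) and digits.endswith(tail_digits)


# Constructed hints for a fictional target; the formats are illustrative only.
X_HINT = MaskedHint("X", "jo*****@g****.***", True, date(2026, 6, 1))
FACEBOOK_HINT = MaskedHint("Facebook", "j*****@g****.com", False, date(2026, 6, 1))
CANDIDATES = ["josmith@gmail.com", "jo.smith@gmail.com", "jsmith@yahoo.com"]

if __name__ == "__main__":
    print(filter_candidates([FACEBOOK_HINT], CANDIDATES))  # length lies: two survive
    print(filter_candidates([X_HINT], CANDIDATES))         # exact length: one survives
    print(phone_tail_matches("**34", "+44 7700 900134"))
```

The point of the two code paths is that the same address list shrinks differently depending on whose mask you are holding: count characters only where the article says the count is honest, and let a lying mask bind only on the letters it actually reveals.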

Finding The Address In The First Place

Sometimes you do not have the email, you have a name and a company, and you need to construct the address. This is its own little craft. Pull the organisation's known pattern from Hunter.io domain search or from email-format.com, permute the target's name against the domain, then validate. The clean way to validate without sending mail is an SMTP handshake check, where a verifier runs HELO, MAIL FROM and RCPT TO and reads whether the mailbox is accepted, all without ever delivering a message.

Two traps will bite you here. The first is the catch all domain, which answers "valid" for every address you throw at it including obvious garbage, so always probe a random nonsense mailbox first, and if that comes back valid too then mailbox level verification is impossible there and you fall back to the pattern plus a second signal. The second is that the big providers, Google, Microsoft, Yahoo, deliberately defeat RCPT TO probing, so an SMTP "valid" against Gmail proves nothing. Never report a permutation as confirmed on the handshake alone. Confirm the winning address with a separate signal, a breach hit, a Gravatar, a social bio, before you call it real. For harvesting addresses at the domain level rather than the person level, theHarvester remains the canonical Kali tool, pulling emails, names, subdomains and hosts from dozens of public sources to give you the addresses you then pivot on.
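The permute-then-validate flow, with both traps handled, as an added example that is not code from the article or from any of the tools it names. The pattern labels are my own, not Hunter.io's vocabulary; `smtp_probe` performs the HELO, MAIL FROM, RCPT TO handshake with the standard library and expects you to have resolved the domain's MX host yourself; the `helo` and `mail_from` values are placeholders. `verify_candidates` takes the probe as a parameter so the canary logic can be exercised offline with fakes, which is what the demonstration at the bottom does.

```python
import random
import smtplib
import string
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical pattern labels. Placeholders: {first} {last} full names, {f} {l} initials.
PATTERNS: Dict[str, str] = {
    "first.last": "{first}.{last}",
    "firstlast": "{first}{last}",
    "flast": "{f}{last}",
    "first_last": "{first}_{last}",
    "first": "{first}",
    "lastf": "{last}{f}",
}

# RCPT TO answers from these providers prove nothing; they deliberately defeat probing.
BIG_WEBMAIL = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
               "live.com", "yahoo.com", "ymail.com"}

ProbeResult = Optional[bool]   # True accepted, False rejected, None = server would not say
Probe = Callable[[str], ProbeResult]


def permute(first: str, last: str, domain: str, pattern: Optional[str] = None) -> List[str]:
    """Build candidate addresses: one pattern if you know it, all of them otherwise."""
    first, last = first.strip().lower(), last.strip().lower()
    names = [pattern] if pattern else list(PATTERNS)
    seen, out = set(), []
    for n in names:
        addr = PATTERNS[n].format(first=first, last=last, f=first[0], l=last[0]) + "@" + domain.lower()
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def smtp_probe(address: str, mx_host: str, helo: str = "probe.example.org",
               mail_from: str = "probe@example.org", timeout: float = 10) -> ProbeResult:
    """HELO / MAIL FROM / RCPT TO, read the reply, never send DATA.

    Resolve the MX host first (e.g. `dig +short MX example.com`) and pass it in.
    """
    try:
        with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
            smtp.helo(helo)
            smtp.mail(mail_from)
            code, _ = smtp.rcpt(address)
    except (smtplib.SMTPException, OSError):
        return None
    if code == 250:
        return True
    if code in (550, 551, 553):      # mailbox unknown / not local / not allowed
        return False
    return None                      # 4xx greylisting or anything else: inconclusive


def random_mailbox(domain: str) -> str:
    """A local part that cannot exist, used as the catch-all canary."""
    junk = "".join(random.choices(string.ascii_lowercase + string.digits, k=24))
    return f"{junk}@{domain}"


def verify_candidates(candidates: List[str], domain: str, probe: Probe) -> Tuple[str, List[str]]:
    """Return (status, accepted).

    'webmail'   big provider, handshake verification is meaningless
    'catch-all' the canary was accepted, mailbox-level verification is impossible
    'unknown'   the server would not answer the canary
    'probed'    accepted holds the candidates the server took; still only a lead
    """
    if domain.lower() in BIG_WEBMAIL:
        return "webmail", []
    canary = probe(random_mailbox(domain))
    if canary is True:
        return "catch-all", []
    if canary is None:
        return "unknown", []
    return "probed", [c for c in candidates if probe(c) is True]


if __name__ == "__main__":
    cands = permute("Ada", "Lovelace", "example.com")
    print(cands)
    # Live use: verify_candidates(cands, "example.com", lambda a: smtp_probe(a, "mx.example.com"))
    # Offline demo with a fake probe that only knows one mailbox:
    print(verify_candidates(cands, "example.com", lambda a: a == "ada.lovelace@example.com"))
```

Whatever `verify_candidates` returns, a `'probed'` hit is the start of the confirmation, not the end of it: pair the winning address with a breach hit, a Gravatar or a social bio before reporting it.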

The Breach Corpora

An email checked against the breach world is an email that starts talking. The authoritative first stop is Have I Been Pwned, which tells you which known breaches and stealer logs an address appears in. It returns metadata only, never a password, and the web search is free. Each breach is itself a pivot. A LinkedIn breach confirms employment era data. A gaming breach hints at hobbies and region. The breach list is a biography in fragments.

To go deeper you reach for DeHashed, a search engine sitting over more than twenty four billion records that will return the usernames, names, IP addresses, phone numbers and exposed passwords tied to an address. It is paid, from a couple of cents a query, and it is the one that turns an email into a web of other identifiers. Every recovered username becomes a fresh pivot into username OSINT. Every recovered phone becomes a phone OSINT pivot. Aggregators like Mosint and SocialPwned wrap several of these steps into one command, though SocialPwned leans on the breach back ends and on GHunt and will break when they do.

And here is the line you do not cross, ever. Finding a cracked password in DeHashed is OSINT. Typing it into a live login form is unauthorised access and a crime under the Computer Misuse Act and its equivalents. Treat a leaked password as a correlation hint, a way to tie one account to another by reuse, and nothing more. The moment you authenticate you have stopped doing intelligence and started committing an offence.

The Face Hanging Off The Hash

Most people never learn this one and it is gorgeous. Gravatar is a service that maps an email to an avatar and a public profile, deterministically, through a hash. Lowercase the address, trim the whitespace, hash it, and ask Gravatar for the result. The current Gravatar developer docs document SHA-256, and in practice the legacy MD5 identifier still resolves for older profiles, so keep both in your kit. Request the avatar with a 404 fallback and an image means a profile exists while a 404 means it does not. Request the JSON profile and you may get a username, a display name, a location and a list of linked accounts, all from an address and a hash. Then reverse image search the avatar to chase that same face onto other platforms. The tool hashtray automates the whole dance in both directions, email to Gravatar and username or hash back to a candidate email.
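The hash-to-face dance in code, as an added example rather than the article's or hashtray's own code. The normalisation and the SHA-256 and MD5 identifiers follow what the article describes; the `d=404` avatar parameter and the `<hash>.json` profile endpoint are the shapes I know from Gravatar's documentation, and the field names in `extract_pivots` follow the legacy `entry[]` profile format as I recall it, so treat both as assumptions to re-check against the current developer docs. The profile document at the bottom is constructed so the parser can be exercised offline; `fetch_profile` is the only function that touches the network.

```python
import hashlib
import json
import urllib.error
import urllib.request
from typing import Dict, Optional

GRAVATAR = "https://www.gravatar.com"   # endpoint shapes assumed; verify against current docs


def gravatar_hash(email: str, algo: str = "sha256") -> str:
    """Gravatar's identifier: trim, lowercase, hash. 'sha256' is current, 'md5' is legacy."""
    normalized = email.strip().lower()
    return hashlib.new(algo, normalized.encode("utf-8")).hexdigest()


def avatar_url(email: str, algo: str = "sha256", size: int = 200) -> str:
    """d=404 makes Gravatar answer 404 instead of a default image when no profile exists."""
    return f"{GRAVATAR}/avatar/{gravatar_hash(email, algo)}?s={size}&d=404"


def profile_url(email: str, algo: str = "sha256") -> str:
    return f"{GRAVATAR}/{gravatar_hash(email, algo)}.json"


def urls_for(email: str) -> Dict[str, str]:
    """Both hashes, because older profiles may only resolve under MD5."""
    return {
        f"{algo}_{kind}": fn(email, algo)
        for algo in ("sha256", "md5")
        for kind, fn in (("avatar", avatar_url), ("profile", profile_url))
    }


def extract_pivots(profile_json: str) -> Dict[str, object]:
    """Pull username, display name, location and linked accounts out of a profile.

    Field names assume the legacy entry[] shape; re-check them against the docs.
    """
    doc = json.loads(profile_json)
    entry = (doc.get("entry") or [{}])[0]
    return {
        "username": entry.get("preferredUsername"),
        "display_name": entry.get("displayName"),
        "location": entry.get("currentLocation"),
        "linked_accounts": [
            (a.get("domain") or a.get("shortname"), a.get("username") or a.get("url"))
            for a in entry.get("accounts", [])
        ],
    }


def fetch_profile(email: str, algo: str = "sha256", timeout: float = 10) -> Optional[Dict[str, object]]:
    """Network call, not exercised offline. None on 404 means no profile under that hash."""
    req = urllib.request.Request(profile_url(email, algo), headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return extract_pivots(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


# Constructed profile document in the legacy shape, for the offline demo only.
SAMPLE_PROFILE = json.dumps({"entry": [{
    "preferredUsername": "jsmith", "displayName": "Jo Smith", "currentLocation": "Leeds, UK",
    "accounts": [
        {"domain": "twitter.com", "username": "jsmith_dev", "url": "https://twitter.com/jsmith_dev"},
        {"domain": "github.com", "username": "jsmith", "url": "https://github.com/jsmith"},
    ],
}]})

if __name__ == "__main__":
    for name, url in urls_for("  MyEmailAddress@example.com ").items():
        print(name, url)
    print(extract_pivots(SAMPLE_PROFILE))
```

Every linked account that falls out of `extract_pivots` is a fresh username pivot, and the avatar image itself goes into a reverse image search; neither is an identification until a second source agrees.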

The Google Pivot, And A Reality Check

If the address is a Google one there is a dedicated weapon, GHunt, which from an email resolves the Gaia ID and pulls the public Google profile, the photo, the public Drive files, the Maps reviews. Those Maps reviews are a quietly devastating source, a scattered map of the places in a person's life. Authenticate it once through the GHunt Companion extension to mint the token and run it.

The reality check is the same one that haunts this whole field. GHunt is actively developed but Google throttles it hard, 403 and "Sorry" pages are routine, and reliable display name retrieval has been broken since around April 2024. So when it hands you a name, do not trust that field on its own, and when it returns nothing, read that as "Google blocked me", not "no account exists". Corroborate the name and photo against social profiles before you believe either. Bellingcat's own toolkit carries GHunt and DeHashed entries for exactly this kind of work, which tells you these are serious instruments, not toys, and serious instruments demand serious verification.

One Shot Aggregators

When you want a fast first sweep, the aggregators earn their keep. Epieos runs an address across well over a hundred services, mapping registered accounts and pulling Google and Gravatar data and breach exposure without alerting the target, with a free tier covering the basics and an Osinter tier around thirty euros a month unlocking LinkedIn, GitHub, HIBP and a couple of dozen more modules. OSINT Industries is the commercial cousin, returning a timeline of linked accounts across many platforms, and its own primer OSINT Basics: Reverse Email Lookup is a fair map of the terrain. Run one, run the other as a second opinion, list every platform either one claims, and then go and manually verify the high value claims, the LinkedIn, the GitHub, the masked recovery phone, against the source itself. A paid aggregator's false positive becomes your false positive the moment you copy it without checking.

A Match Is Not An Identity

Now the part that outranks everything above it. Every technique in this article produces leads, not facts. A green hit from Holehe is a lead. A name from GHunt is a lead. A linked account from an aggregator is a lead. Not one of them is an identification until a second, independent source confirms it, and the gap between those two states is somebody's reputation, or their safety.

Bellingcat made this the law of the field. When they identified the FSB unit that tailed and poisoned Alexei Navalny they did not run one tool and publish. They triangulated leaked vehicle registrations, phone records, passenger manifests and travel data, and they were explicit about why it held up, writing in their methodology that "for every source of data we find, we are sure to verify and corroborate it with other data sources", because "a person's name, date of birth, license plate, passport number, and other data points can be cross-referenced with other sources to be sure that a single data source is not tainted". They traced one operative by matching his flights to Navalny's, tied him to another by phone records, confirmed the second man's FSB employment through his registered work address, and grew the net outward, every link load bearing only because three other links agreed with it. That is the standard. Their smaller piece on Skype email forensics, pulling addresses out of a Skype database and pivoting each one through an aggregator, is the same discipline in miniature, email as pivot, every pivot corroborated.

We have said it on Secjuice before and it bears saying again. OSINT is not evidence until you have corroborated it into evidence. A single source result is a hypothesis to disprove, never a finding to report.
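A way to make the corroboration rule mechanical, as an added example that is not from the article. It keeps a ledger of leads with a source and a "verified on" date, counts only independent sources (the article says SocialPwned leans on GHunt, so that single dependency is encoded; extend the map for your own kit), treats "nothing found" as unknown rather than absent, and flags observations older than a cut-off as stale. The leads in the demonstration are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Lead:
    claim: str          # what is asserted, e.g. "first_name=Jo" or "account:spotify"
    source: str         # tool or platform that produced it
    observed: bool      # True = the source returned it; False = the source said "nothing"
    verified_on: date   # when you ran it; techniques rot, so this is part of the record


# Wrappers that re-surface another tool's data are not independent of it.
# Only the dependency the article states is listed; add your own.
DEPENDS_ON: Dict[str, Set[str]] = {"socialpwned": {"ghunt"}}


def independent_sources(sources: Iterable[str]) -> Set[str]:
    """Drop a wrapper when one of the back ends it depends on is already in the set."""
    names = {s.lower() for s in sources}
    return {s for s in names if not (DEPENDS_ON.get(s, set()) & names)}


def assess(leads: Iterable[Lead], today: date, max_age_days: int = 90) -> Dict[str, dict]:
    """Per claim: 'corroborated' (two or more fresh, independent sources saw it),
    'lead' (someone saw it, not yet corroborated) or 'unknown' (only "not found" results,
    which is never evidence of absence)."""
    by_claim = defaultdict(list)
    for lead in leads:
        by_claim[lead.claim].append(lead)
    report = {}
    for claim, ls in by_claim.items():
        present = [l for l in ls if l.observed]
        fresh = [l for l in present if (today - l.verified_on).days <= max_age_days]
        srcs = independent_sources(l.source for l in fresh)
        if len(srcs) >= 2:
            status = "corroborated"
        elif present:
            status = "lead"
        else:
            status = "unknown"
        report[claim] = {
            "status": status,
            "independent_sources": sorted(srcs),
            "stale": sorted(l.source for l in present if l not in fresh),
        }
    return report


# Constructed ledger for a fictional target.
TODAY = date(2026, 6, 28)
LEDGER = [
    Lead("first_name=Jo", "ghunt", True, date(2026, 6, 20)),
    Lead("first_name=Jo", "socialpwned", True, date(2026, 6, 20)),   # re-surfaces GHunt
    Lead("account:spotify", "holehe", False, date(2026, 6, 20)),     # module may be dead
    Lead("phone_tail=34", "apple-knock", True, date(2026, 6, 20)),
    Lead("phone_tail=34", "facebook-knock", True, date(2025, 1, 1)), # too old to lean on
]

if __name__ == "__main__":
    for claim, row in assess(LEDGER, TODAY).items():
        print(claim, row)
```

With the ledger as constructed, the GHunt name stays a lead because SocialPwned is not a second opinion on it, the Spotify result is unknown rather than negative, and the phone tail is a lead with one stale source flagged for re-knocking; adding a fresh Facebook knock that shows the same first name is what tips that claim to corroborated.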

Two last things the tool tutorials skip. The first is that when you knock on a recovery door or upload an address to an aggregator, you query from a clean, compartmentalised setup, sock puppet accounts and a managed browser, never your real identity. Aggregators log queries. Epieos advertises that it does not log or notify, which is admirable, but you assume the rest do and you behave accordingly.

The second is the law. Passive collection of public and leaked data is broadly lawful, but GDPR, stalking and harassment statutes and pretexting laws all still apply, and breach data carries its own constraints on top. Have written authorisation and a defined scope before you begin, and stay inside it. An infosec audience least of all gets to plead that ignorance is a defence.

So burn the idea that there is a magic email lookup, because there never was one and the closest thing to it is rotting in real time. Email OSINT in 2026 is a method, not a button. You enumerate where the address lives, you knock for the masked hints and stop before the reset fires, you permute and validate the corporate address against a second signal, you mine the breaches for reuse and never once log in, you resolve the hash into a face, and when a tool hands you a name with a tick beside it you remember the tick is a question. The investigators who find people are not the ones with the priciest aggregator. They are the ones who corroborate every fragment before they believe it, and who know that absence of evidence is just a broken module having a quiet day.

Now go and find something, and prove it twice.


Source: https://secjuice.com/email-address-osint/