OSINT social media search: Find any hidden profile

headshot of Nico Dekens – aka “Dutch OSINT Guy”Nico Dekens – aka “Dutch OSINT Guy”
8 Jul 2026
OSINT social media search using public engagement data to discover and correlate online accounts

An OSINT social media search is the process investigators use to identify alternative public social media profiles that belong to a subject based on only one seed identifier like name, email, phone or photo. There are approximately 5.24 billion social media users as of 2025 (DataReportal) and over 70 percent of businesses use open source intelligence in their risk and investigation workflows today (ShadowDragon®).

Hidden profiles can often be found. Deleted profiles can often be restored. This process can be facilitated by using tools to accelerate the process.

Our professional method happens across five steps. It uses both free and proprietary tools. It balances methodology and specific platforms at every stage and results in a verified social graph, not one lucky find.

Parts of the process are free. Parts are accessible only through an enterprise platform like the SocialNet® API. We’ll explain which is which as we walk through the process.

In approaching a social media investigation, we want to definitively identify which accounts belong to the target, which accounts do not belong to them, and which accounts were once associated with them but have been deleted.

An important note on legal and ethical use: All methodologies outlined in this guide are designed to only collect publicly available information. Do not attempt to login to a personal account to obtain information. Do not retrieve information hidden behind a login screen. Do not attempt credential stuffing or session hijacking. There is a clear distinction between ethical OSINT techniques and illegal hacking.

Step 1: Seed pivots, turning a single identifier into leads

How do I locate social media accounts from an email, phone, photo, or name?

Every social media OSINT investigation starts with a seed. A seed is the one piece of information the investigator knows. It can be an email address, phone number, legal name, photo or likely username. Step 1 is tasked with turning that seed into the searchable signals the downstream tools can process.

“OSINT is a reconnaissance skill. It is all about that preparation work that needs to be done before you do anything in cyber, whether it is attacking or defending.” Micah Hoffman, Senior SANS Instructor and author of SANS SEC487: Open-Source Intelligence Gathering and Analysis.

Hoffman’ simple framing is why Step 1 is more important than most investigators realize. The quality of the seed work will dictate what every downstream step has to build from.

Begin with an email address. Email reverse lookup services expose accounts created with that email address. Epieos reveals connected Google accounts, Skype IDs, public Gravatar profiles, and any breach data leaked from the email address. Holehe scans the email by initiating the password-reset flow for over 120 sites without sending the actual reset email, then analyzing the response. Both services are free. Neither are invasive if used properly.

The same goes for a phone number. Check the number with reverse-phone lookup services that search against WhatsApp, Telegram, Signal or carrier listings. Provided your case parameters allow, the number is also extremely valuable when used with paid people-search aggregators.

Submit a photo for reverse image search. ShadowDragon® Horizon® indexes faces and also surfaces web pages from around the open web that faces can be found on. Yandex Images will often return better matches from East European and Russian websites than Google. Google Lens works quickly and at no cost.

Given a legal name, investigators will explore likely usernames and combine the first initial with their last name, full first names and just the last initial, add commonly used number sequences to their name, and include any known nicknames. Believe it or not, a large percentage of subjects use the same handle everywhere, and that handle is usually either a slight modification of their name, or an old online nickname from a hobbyist community.

Quick reference for seed to tool mapping:

With the completion of this step, you should have at least one possible username and a short list of platforms you already know they are active on. That username will be your input for Step 2.

Step 2: Username enumeration across platforms

Username enumeration takes that candidate username from Step 1 and compares it against every social network that has a publicly documented profile URL structure. Now the search starts to feel worthwhile. You can expand the digital profile and easily get dozens of hits from just one run spanning social networks you weren’t even considering.

There are multiple mature tools available for free download and use. WhatsMyName is the actively maintained master list of platform username patterns. It powers dozens of other tools that leverage its lookup engine. Sherlock is the original open-source Python project that started it all. It works great running directly from the command line. Maigret is a fork of Sherlock that parses profile data, detects the country, and has an even richer list of sites to search. Forensic OSINT is a paid tool with over 500 site checks and packaged results for export. For investigators who need username enumeration folded into a broader workflow, the ShadowDragon® Horizon® Platform bundles this type of search with the verification and monitoring features that free tools don’t provide on their own.

Keep in mind that every username tool will yield false positives. Two completely unrelated people may share a handle. A username that resolves on Reddit, GitHub and Steam may belong to one developer, but the Instagram account with the same handle could be someone entirely different who also happens to use that username. Dig deeper than the hit list.

Step 3: Cross-platform correlation and verification

How do I verify that a social media account belongs to a specific person?

This is a confidence-scoring process using five independent signals. A profile picture overlap, as confirmed with reverse-image search, is by far the strongest single signal. Bio information overlap which includes city, employer, school or hobby is the next strongest signal.

Connections, writing style overlap and consistency of account age make up the final three. Three or more signals confirms high confidence. One or two signals is medium confidence and requires additional supporting evidence. If there are zero signals that match you may discard that profile as fake, even if the username is exactly the same. The same handle does not automatically mean it’s the same person. This is the step where it is easy for OSINT investigations to go awry.

Pull the avatar from each account and perform a reverse-image search on each. If you find three accounts across three separate networks who use the exact photo OR easily recognizable variations of the same photoshoot, you can assume they are connected.

Bio detail overlap comes in second. If both accounts mention the same city, employer or school in their bios, it’s much more likely that they are the same person.

Mutual connections take longer to confirm, but they’re extremely compelling. Multiple people who are followed by or connected to multiple social media accounts is difficult to fabricate.

Writing-style overlap is significant when considering long-form posts. Vocabulary choice, catchphrases, patterns of opinion and formatting habits bleed through platforms whether a writer intends it or not. Software tools called stylometrics can measure this in high-impact cases.

Timestamp consistency is the easiest check that is often overlooked. If an account purports to be the subject of scrutiny, but the posting history doesn’t align, the account was likely cloned, impersonated, or belongs to an unrelated individual using the same handle.

Score each account prospect with this checklist:

  • Does the profile photo resemble any verified accounts?
  • Does the bio information resemble any verified accounts? (city, employer, school, hobby)
  • Are there mutual connections in common with any verified accounts?
  • Do they write in the same style or use the same recurring phrases?
  • Does the account age/posting frequency match what you know of the subject’s timeline?

Step 4: Metadata and public data extraction

After verification, the next stage is gathering the public data that will actually fuel the investigation. Posting cadence can often indicate work hours and time zones. Geo-tagged posts show travel patterns. Connection graphs show who the subject interacts with. Comment networks show community and belief systems. Image metadata (when available) reveals camera information, and sometimes location.

snscrape and assorted Twint clones grab public timelines from X without using the X API. Instaloader pulls public Instagram posts, stories, and comments at scale. Reddit’s own API, along with tools like PullPush, can recover comment history. For Facebook, public visibility is limited and most professional data recovery is performed through paid services.

Image metadata is its own discipline. EXIF embedded in a downloaded photo can contain the camera, lens, date/time stamp and sometimes the GPS location the photo was taken. Most major websites strip EXIF upon upload. Some don’t. Always process downloaded images through ExifTool before believing metadata is lost.

Step 5: Historical recovery, finding what has been deleted

Step 5 is the professional investigator’s step that can be a differentiator when subjects delete information, social accounts get made private or posts are deleted after going viral.

Visit the Wayback Machine from the Internet Archive first. Paste the profile URL into the search box and look for archive snapshots. The Wayback Machine often archives bios and post listings from several years prior to before the subject wiped their profile. The second stop is archive.today. It’s another archive operated with a different web crawler, so it may have snapshots the Wayback doesn’t.

Eliot Higgins, founder of Bellingcat, summarized the broader principle in Time magazine:

“Scattered across the globe, we are an online collective, investigating war crimes and picking apart disinformation, basing our findings on clues that are openly available on the Internet, in social media postings, in leaked databases, in free satellite maps. We have no agenda but we do have a credo: evidence exists and falsehoods exist, and people still care about the difference.”

Higgins and his team have employed archive retrieval, as described in this section, to expose Russian military intelligence officers, authenticate war crime videos and map disinformation campaigns. It’s the same process a corporate investigator leverages to rebuild a threat actor’s deleted activities.

Since Google retired their cache feature back in 2024, use site specific search operators against the live wayback index as well as open telegram and Discord archives which often re-publish viral content.

For fully privatized accounts, the recourse is to search data collected by third parties. Subreddits, Discord servers, and Telegram channels often preserve accounts, serving as a public record. Journalists and researchers also rely on these archived copies for evidence when a subject deletes evidence.

When investigations are active for weeks or months, deletions are an ongoing concern, so investigators use a real time monitoring service. Instead of manually checking accounts, monitoring tools allow for notifications to alert on posts, edits, or deletions. For one-off investigations, the free archive utilities are typically sufficient. ShadowDragon®’s Horizon Monitor®  offers this support for enterprise teams.

Is OSINT social media search legal?

Searching and recording information that is publicly available on social media is legal for investigators, journalists and consumers in most jurisdictions. An investigator crosses the line if they view a private account without the consent of the account holder, obtain information behind a login wall using credential stuffing or session hijacking, or impersonate another person to view protected information. Legitimate OSINT professionals stick to public information, document every step of their collection process for chain of custody purposes, and cease activities the moment they learn a particular technique would violate the target platform’s terms of service.

“We are professionalising, we are giving more training, we are talking more about ethics, we are talking more about what you can do but more importantly what you should not do when it comes to this profession.” – Nico Dekens (Dutch OSINT Guy), Senior SANS Instructor and ShadowDragon® contributor, on Black Dot Solutions’ OSINT podcast, 2025.

When to move from free tools to a professional OSINT platform

The free stack will take you far as a diligent investigator. But at some point, it will no longer be sufficient.

Case volume is the first sign. Processing Sherlock hits, manually scoring them and writing them up is hours of work per target. Once your queue grows beyond 2-3 cases a week you run into the limitations of a manual workflow.

Auditing and chain of custody are the second sign. Free tools don’t log what was collected, when, who collected it, and under what authorization. That may be fine for casual use, but if you’re in law enforcement, finance or any other regulated industry where data may end up in a court of law, it is unlikely to suffice. Check out how ShadowDragon® supports law enforcement workflows for an idea of what audit-proof collection should look like, or review our comparison of the best social media monitoring tools for law enforcement.

When analysts on the same team happen to investigate the same person without realizing it, they may inadvertently alert them and jeopardize the investigation. Free tools typically do not provide teams with an unattributed or shared workspace. Many enterprise platforms do.

The fourth sign is when you need data collection that’s ToS-safe at scale. Free automated data extraction tools often violate the terms of service of platforms. That may be okay for internal research that is almost never prosecuted. But if you need evidence that can be defensible in court, your collection method matters. ShadowDragon®’s SocialNet® API only gathers publicly available data from social networks and follows ethical OSINT collection practices.

If you’re still trying to decide which is best for you, our best OSINT tools comparison puts the major platforms head to head and may indicate you’ve outgrown the free stack.

Putting the workflow together

Done right, an OSINT social media search begins with one seed and results in a confirmed social graph.

The investigative workflow differs little between a journalist hunting down a disinformation network, a fraud team authenticating a synthetic identity and a corporate security team rooting out an insider threat. The starting point varies. Platforms skew differently. Legal considerations change. But the five steps remain constant.

The most common error people make when conducting social media OSINT research is often breadth and depth and making assumptions too quickly. A username match is only a hypothesis that you’ve found the target’s account. Three signals matching in-step is the minimum requirement. Look for three or more signals matching before declaring a positive.

If you’ve outgrown the free stack because of case volume, audit requirements, or deconfliction needs, the Horizon® Platform is the enterprise-grade solution that scales this workflow with chain of custody built in. If you’re earlier on in your OSINT journey, ShadowDragon® Free Tools, the OSINT techniques overview and the 75+ Best OSINT Training Courses list are quite helpful.

Frequently asked questions

How can I find someone’s hidden social media for free?

Begin with your seed pivots. Search any email address you have in Epieos and Holehe. Search any username in WhatsMyName and Sherlock. Search any photo in Google Lens. These tools will help you discover most public profiles for free.

How can I find out if my partner has secret social media accounts?

The same methods work for personal use. Just remember two things. First, the methods are noisy. They will generate false positives that can hurt relationships if you take action based on partial results. Be sure to run correlation checks prior to making any judgment. Second, there is no legal controversy surrounding searching public accounts, but it is illegal to access another person’s private account without their permission. Search only what you can see publicly.

Can OSINT be used to find people?

Yes, OSINT can locate people. Law enforcement uses open source intelligence to find missing people, corporate security teams use it to investigate insider threats, fraud teams use it to validate customer identity, and journalists use it to identify their sources or subjects of investigation. This guide details the methodology employed in those cases. Learn about the broader discipline in our guide to OSINT techniques.

Is it possible to look up social media by email or phone number for free?

Yes, for email. Epieos and Holehe both look up an email across dozens of platforms and will return matches that have public profiles. Neither service will alert the owner of the email address you searched. For numbers, there aren’t as many free options, but you can do reverse lookups with Truecaller or look up a phone number directly on WhatsApp, Telegram and Signal to see if it’s registered.