OSINT for Personal Security: What Attackers Know About You and What to Do About It


Open source intelligence isn’t just a red team capability. The same techniques used to research targets before a social engineering engagement are techniques that anyone can run against their own digital footprint — and the results are frequently alarming. Understanding what publicly available information about you exists is the prerequisite to reducing it.

This article covers the personal OSINT reconnaissance workflow and what to do with what you find.

Why This Matters

The information aggregated about most people through public records, data broker databases, social media, and breach data is extensive enough to support convincing social engineering attacks, identity theft, and in extreme cases, physical security threats (stalking, swatting).

The practical threat model for most people: data brokers who aggregate and sell personal information, making it available to anyone who pays (or knows which free sources to check), and data breach databases that expose email-password combinations used for credential stuffing.

Understanding your own footprint lets you: reduce what’s publicly available, identify credentials that need rotation, harden the identity information that attackers most commonly use, and take specific actions that reduce risk.

The Personal OSINT Workflow

Step 1: Email reconnaissance.

Your email address is the anchor of most digital identity. Start with:

  • Have I Been Pwned (haveibeenpwned.com): Enter your email address to see which breach datasets it appears in. Every breach database your email appears in is a potential credential exposure — if you reuse passwords, each breach is a risk against every account using that password.
  • Google your email address in quotes: "yourname@gmail.com" — this surfaces anywhere your email has been posted publicly (forum registrations, comment sections, directory listings).

Step 2: Name and phone reconnaissance.

  • Google "First Last" site:linkedin.com — what does your LinkedIn profile expose? Location, employer, employment history, education, connections.
  • Google "First Last" "city" — what public records, news mentions, or forum posts surface?
  • Reverse phone lookup: Spokeo, WhitePages, and similar services show what’s attached to your phone number. Run your number and see what comes back.

Step 3: Data broker audit.

Data brokers — Spokeo, BeenVerified, Whitepages, Intelius, Radaris, MyLife, TruthFinder, and dozens of others — aggregate public records, social media, and purchase data into profiles that include home address, family members, estimated income, property records, and more.

The opt-out process for each broker is individual and tedious. Services that automate this: DeleteMe ($129/year), Privacy Bee, and Kanary send opt-out requests on your behalf and monitor for re-population. For high-threat-model individuals, this is worth the cost. For others, the manual opt-out process covering the major brokers is free.

High-priority brokers to opt out of manually:

  • Whitepages (whitepages.com/suppression_requests)
  • Spokeo (spokeo.com/optout)
  • BeenVerified (beenverified.com/opt-out)
  • Intelius (intelius.com/optout)
  • Radaris (radaris.com/page/public/privacy)

Step 4: Social media exposure audit.

Review your social media profiles as a stranger would see them. On each platform:

  • What does your public profile expose? (Location, employer, hometown, phone number, relationship status, family member names)
  • What do your public posts expose? (Regular locations, daily schedule, travel plans, home exterior, vehicle)
  • Who can see your friend/follower list? (Family member names)
  • What does your oldest content expose? (Prior addresses, prior workplaces, prior relationships)

The specific risks in social media exposure for physical security: photos with metadata (EXIF data can include GPS coordinates), regular check-ins that establish routines, home exterior photos that reveal address, and family member names that enable targeted social engineering. Note that the large social platforms strip EXIF from uploaded images, but the original file you attach to an email, send over a messaging app, or post to a host that does not strip it keeps the GPS tags; check the file itself before sharing it anywhere you do not control.
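As an added example, not part of the original article: the following Python shows where GPS coordinates actually sit inside a photo (JPEG APP1 segment, Exif TIFF structure, IFD0 pointing at a GPS IFD) by building a minimal constructed JPEG that carries a GPS IFD, extracting the coordinates in decimal degrees, and stripping the Exif segment. The coordinates are a constructed sample, not a real person's location; the builder is only here so the parser has something to run on offline, so a practitioner would point `extract_gps` and `strip_exif` at their own files.

```python
import struct

LONG, ASCII, RATIONAL = 4, 2, 5  # TIFF field types used below
GPS_INFO, GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x8825, 0x1, 0x2, 0x3, 0x4


def _entry(tag, typ, count, value4):
    """One 12-byte little-endian IFD entry; value4 is the inline value or an offset."""
    return struct.pack("<HHI", tag, typ, count) + value4


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: SOI + APP1 Exif (TIFF, IFD0 -> GPS IFD) + EOI, no image data."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 1 * 12 + 4   # 26: one IFD0 entry (GPSInfo pointer)
    lat_off = gps_off + 2 + 4 * 12 + 4    # 80: three RATIONALs (deg, min, sec)
    lon_off = lat_off + 3 * 8             # 104
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 1) + _entry(GPS_INFO, LONG, 1, struct.pack("<I", gps_off))
    tiff += struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += _entry(GPS_LAT_REF, ASCII, 2, lat_ref.encode() + b"\x00\x00\x00")
    tiff += _entry(GPS_LAT, RATIONAL, 3, struct.pack("<I", lat_off))
    tiff += _entry(GPS_LON_REF, ASCII, 2, lon_ref.encode() + b"\x00\x00\x00")
    tiff += _entry(GPS_LON, RATIONAL, 3, struct.pack("<I", lon_off))
    tiff += struct.pack("<I", 0)
    assert len(tiff) == lat_off
    for num, den in (*lat_dms, *lon_dms):
        tiff += struct.pack("<II", num, den)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def iter_segments(jpeg):
    """Yield (marker, start, end) for each marker segment before scan data / EOI."""
    pos = 2  # skip SOI
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA) or pos + 4 > len(jpeg):  # EOI, SOS, or truncated
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(jpeg, start):
    return jpeg[start + 1] == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"


def _read_ifd(tiff, off, endian):
    """Map tag -> (type, count, raw 4-byte value field)."""
    n = struct.unpack(endian + "H", tiff[off:off + 2])[0]
    out = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        out[tag] = (typ, count, tiff[e + 8:e + 12])
    return out


def _rationals(tiff, off, count, endian):
    vals = []
    for i in range(count):
        num, den = struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den if den else 0.0)
    return vals


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, start, end in iter_segments(jpeg):
        if not _is_exif(jpeg, start):
            continue
        tiff = jpeg[start + 10:end]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_INFO not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_INFO][2])[0], endian)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        coords = []
        for ref_tag, val_tag, negative in ((GPS_LAT_REF, GPS_LAT, "S"), (GPS_LON_REF, GPS_LON, "W")):
            ref = gps[ref_tag][2][:1].decode("ascii")
            d, m, s = _rationals(tiff, struct.unpack(endian + "I", gps[val_tag][2])[0], 3, endian)
            deg = d + m / 60 + s / 3600
            coords.append(-deg if ref == negative else deg)
        return tuple(coords)
    return None


def strip_exif(jpeg):
    """Return a copy with every APP1 Exif segment removed; image data is untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in iter_segments(jpeg):
        out += jpeg[pos:start]
        if not _is_exif(jpeg, start):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]
    return bytes(out)


# Constructed coordinates (deg, min, sec as rationals): 40°26'46"N 79°58'56"W
SAMPLE_JPEG = build_sample_jpeg(((40, 1), (26, 1), (46, 1)), "N",
                                ((79, 1), (58, 1), (56, 1)), "W")

if __name__ == "__main__":
    print(extract_gps(SAMPLE_JPEG))              # ≈ (40.4461, -79.9822)
    print(extract_gps(strip_exif(SAMPLE_JPEG)))  # None
```

The parser deliberately stops at the SOS marker, so it never walks entropy-coded image data, and `strip_exif` drops only the APP1 Exif segment, leaving ICC profiles and other metadata alone. Real files also carry IFD0 tags such as camera model and timestamp (not parsed here), which are their own fingerprinting concern.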

Step 5: Property records.

In most US jurisdictions, property ownership records are public and searchable. If you own property, your name and address are linkable in the county assessor’s database. In some states (like Wyoming and South Dakota), LLCs can own property without revealing beneficial owner names — a more sophisticated protection for high-threat-model individuals.

Step 6: Court records.

Public court records (PACER for federal, state court systems for state-level) may reveal civil litigation, divorce proceedings, and criminal records that include addresses, associates, and biographical detail.

What to Do With What You Find

Rotate exposed passwords immediately. Any email-password combination in a breach database should be treated as compromised. Use Have I Been Pwned to identify breaches, then rotate passwords for any account using those credentials. Use a password manager (Bitwarden, 1Password) to generate and store unique passwords per account — credential stuffing only works against password reuse.
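An added example, not from the original article: besides the email lookup described above, Have I Been Pwned's Pwned Passwords range API lets you check whether a password itself appears in breach data without ever sending the password or its full hash. The client hashes the password with SHA-1, sends only the first five hex characters to `https://api.pwnedpasswords.com/range/<prefix>`, and compares the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines (k-anonymity). The code below implements that client-side logic against a constructed stand-in for the API response so it runs offline; the line counts are illustrative, not live figures, and `fetch_range` is the only part that touches the network.

```python
import hashlib


def sha1_prefix_suffix(password: str):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    to the range endpoint and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.
    Entries with count 0 are padding (returned when the Add-Padding: true header is
    sent, so response size does not leak the prefix) and are dropped so they are
    never mistaken for a hit."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            n = int(count)
        except ValueError:
            continue
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Times the password appears in the breach corpus (0 = not found in this range)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


# Constructed stand-in for the body of GET /range/5BAA6. The real response has
# hundreds of lines; the suffixes other than the third and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2B5D6A3A5A1F0CB0A7B62E97B4C07DD4F:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B0D3F2C6A4E9A1B5C7D8E9F0A1B2C3D4:2
"""


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Only the 5-character prefix is transmitted."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "personal-osint-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    pw = "password"  # deliberately weak sample; SHA-1 prefix 5BAA6
    prefix, _ = sha1_prefix_suffix(pw)
    print(prefix, breach_count(pw, SAMPLE_RANGE_5BAA6))
    # For a live check: breach_count(pw, fetch_range(prefix))
```

Any non-zero count means the password is in circulation in credential-stuffing lists and should be rotated everywhere it is used; the prefix alone (one of 1,048,576 buckets) tells the service nothing usable about which password you checked.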

Enable MFA everywhere. Even if your password is compromised, TOTP-based MFA (not SMS, since SIM swapping is a real attack) stops credential stuffing, because the attacker has only the password. Authenticator apps (Google Authenticator, Authy, Aegis) are the minimum; hardware security keys (YubiKey) using FIDO2/WebAuthn are stronger because the credential is bound to the site's origin, so a phishing page cannot replay it the way it can replay a typed TOTP code.

Submit data broker opt-out requests. Start with the major brokers listed above. Expect repopulation within months — these services pull from public records continuously. Either use a service to manage opt-outs ongoing or plan to repeat the process periodically.

Lock your credit. A credit freeze with all three bureaus (Equifax, Experian, TransUnion) plus ChexSystems is free and prevents new accounts from being opened in your name. It does not affect your existing credit. Temporarily lift (thaw) the freeze when you need to apply for new credit, then let it re-engage. This is one of the highest-value low-cost steps available for identity theft prevention.

Reduce social media exposure. Set profiles to private where possible, review location permissions on mobile apps, remove phone numbers and email addresses from public profiles, and audit what’s visible to non-friends/followers.

Separate your identity layers. The email address you use for public accounts and the one you use for financial accounts should be different and ideally not guessable from your name. Services like SimpleLogin or AnonAddy (now addy.io) provide email aliasing: a unique address per service that forwards to your real inbox, which lets you identify the source of spam, isolate a breach to one alias, and disable that alias without touching your real address.

The OSINT Mindset for Ongoing Privacy

Personal OSINT is not a one-time cleanup. Information regenerates from public records, new breaches occur, and social media exposure accumulates. Building a periodic review habit — running your own name and email through the major search surfaces every 6–12 months — keeps you aware of what’s out there and what’s changed.

The goal is not invisibility; that’s impractical for most people with jobs, property, and normal social lives. The goal is a reduced, managed footprint that raises the effort required to aggregate a useful profile — enough friction to deter opportunistic threats and reduce the impact of targeted ones.

Digital Privacy Reference: Extreme Privacy by Michael Bazzell on Amazon — the most comprehensive and regularly updated guide to reducing your digital footprint, covering data broker opt-outs, identity separation, and OSINT self-defense at every threat level from baseline privacy to high-risk profiles.

The information about you that’s publicly available isn’t your fault — it’s the product of a data economy that monetizes aggregation without your consent. But it is your problem to manage, and the tools to manage it are available, mostly free, and effective. Running your own OSINT is where that management starts.
