03
13 min read · 5 briefings

OSINT and Your Digital Shadow

Attackers don't hack their homework — you published it for them.

01 Everything Leaks

OSINT — open-source intelligence — is the craft of building a detailed picture of a target using only publicly available information. No hacking, no breaking in. Just collection and correlation: social media posts, LinkedIn profiles, public records, news mentions, forum accounts, company websites, and the data spilled by old breaches.

The uncomfortable math: each fragment you publish is harmless alone, but fragments compose. Your LinkedIn says where you work and who your boss is. Your Instagram shows when you're on vacation. A breach dump from a defunct forum contains a password you might still be using somewhere. A gym check-in fixes your morning routine. An attacker with an afternoon and a search engine assembles these into a profile more detailed than your close friends could produce.

Note the legal texture here: collecting public information is generally legal — journalists, recruiters, and researchers do OSINT daily. What's illegal is what attackers do next: fraud, impersonation, harassment, unauthorized access. You should learn OSINT for two defensive reasons: to understand how attackers achieve that eerie "how did they know that?" credibility, and to audit yourself before someone hostile does.

Signal boost: Spear phishing quality is a direct function of OSINT quality. The difference between a laughable phish and one that fools you is not attacker genius — it's how much of your life is lying around in public.

02 The Attacker's Dossier

Watch how a professional builds a target package for an attack on a company — call it recon in four moves.

Move one: map the org. LinkedIn is an org chart that builds itself. Search the company, filter by department, and you have the finance team, the new hires, the executives, and who reports to whom. New employees are prized targets: eager to please, unfamiliar with internal norms, and they often announce their first day publicly.

Move two: harvest the humans. Personal socials fill in hobbies, family names, pets, travel plans, gripes about internal software (which reveals the tech stack). Email address formats are trivially inferred from one or two public examples — first.last at company dot com.

Move three: mine the breaches. Years of corporate breaches mean billions of email-password pairs circulate in criminal markets. If a target's old password appears in a dump, attackers try variations of it everywhere — and reference it in extortion emails to sound omniscient.

Move four: write the pretext. Now the phish writes itself: an email to the new finance hire, appearing to come from the real CFO's name, referencing a real vendor from a press release, timed while LinkedIn shows the CFO is at a conference and hard to double-check with.

Nothing in those four moves required breaking a single law or touching a single system. That's what makes OSINT-driven attacks so hard to detect upstream — there is no upstream.

03 Metadata Betrays You

Files carry hidden freight. Photos from phones and cameras embed EXIF metadata: device model, timestamp, and — if location services were on — GPS coordinates precise enough to identify a house. Office documents and PDFs leak author usernames, organization names, edit histories, and internal file paths. Most people have no idea this layer exists, which is exactly why it's valuable.

Major social platforms strip EXIF on upload these days — but files shared directly, posted to personal websites, attached to emails, or listed on marketplaces often keep everything. And metadata is only half the story. The content of images betrays plenty on its own: employee badge selfies (badge designs get cloned for physical intrusions), whiteboards in the background of team photos, street signs and storefronts that geolocate a "location hidden" account, reflections in windows and sunglasses. Practitioners of image-based geolocation routinely pinpoint photos to within meters using nothing but visible clues — hobbyist communities do it for sport.

Field tip: Before sharing a photo or document outside your circle: check what's in the background, and strip metadata. On most phones you can share a photo with location removed; on desktop, screenshots carry no EXIF from the original. For documents, use your office suite's built-in inspector to remove personal information before publishing.

04 Dorking and the Breach Economy

Search engines index far more than webpages — they index mistakes. Google dorking (or Google hacking) is the use of advanced search operators to surface content that was never meant to be public: spreadsheets on forgotten file servers, configuration files, login portals, camera dashboards, resumes with full contact details. Operators like site:, filetype:, and exact-phrase quoting let a researcher ask surgical questions of the entire indexed web. The technique has been documented since the early 2000s, and there are public databases cataloguing thousands of such queries.

The defensive takeaway isn't the operator syntax — it's the mindset: if it's reachable and indexed, it's public, no matter what the owner intended. "Nobody would ever find this URL" is not an access control.

The other great public data source is the breach economy. When companies get breached, stolen databases — emails, passwords, phone numbers, addresses — end up traded and eventually dumped. The free service Have I Been Pwned, built by security researcher Troy Hunt in 2013, aggregates billions of breached records and lets you check which breaches include your email address. It's the fastest way to see one slice of your shadow: every row is data about you that attackers can also see, and every reused password in those dumps is a live key until you rotate it.

05 Shrink Your Shadow

You can't delete your shadow, but you can starve it. Run this audit annually — it takes an evening.

  1. Search yourself like an attacker. Your name plus your city, employer, phone number, and usernames. Try image search on your profile photos. Whatever you find, an attacker finds faster.
  2. Check your breach exposure. Enter your email addresses into Have I Been Pwned. For every hit, make sure that password — and anything resembling it — is dead everywhere.
  3. Ration the profile fields. Birthday, hometown, family members, employer: these are answers to security questions and raw material for pretexts. Set socials to friends-only where you can, and remember that anything visible to friends-of-friends is effectively public.
  4. Kill zombie accounts. Every abandoned account is breach exposure with no upside. Delete them or at least detach your real details.
  5. Delay and blur. Post the vacation photos after you're home. Skip real-time location tags. Keep kids' names, schools, and routines offline — you're building their shadow before they can consent to it.
Threat advisory: Turning OSINT techniques on other people without consent — compiling dossiers, publishing someone's private details — crosses into doxxing and harassment, which can be criminal. Audit yourself, your household, and systems you're authorized to assess. Nothing else.

Field Glossary

OSINT
Open-source intelligence: building a picture of a target from publicly available data — social media, public records, breach dumps, metadata — without any unauthorized access.
Digital footprint
The total trail of data a person leaves online, both deliberately posted and passively leaked. The raw material for targeting and pretexting.
EXIF metadata
Hidden data embedded in image files — camera model, timestamp, and often GPS coordinates — that can reveal exactly where and when a photo was taken.
Google dorking
Using advanced search operators to surface accidentally public material: exposed documents, login portals, and misconfigured servers indexed by search engines.
Breach dump
A stolen database of user records — emails, passwords, personal details — circulated after a breach. Fuel for credential stuffing and convincing extortion.
Doxxing
Compiling and publishing someone's private information to intimidate or enable harassment. The malicious mirror image of OSINT, and frequently illegal.

Knowledge Check

Field Assessment

0 / 3

01 Why are OSINT-driven attacks so difficult to detect before they happen?

02 A photo shared directly from a phone can reveal the photographer's precise location because of what?

03 What is the correct defensive conclusion from the existence of Google dorking?

ESC
↑↓ navigate jack in