> [!info]
> Input: [[Login|login]] (typically [[Email Address|email]] or [[Phone Number|phone]])
> Output: [[Social Media Account|personal accounts]]
>
> Types: [[Technical Weakness|technical]], [[Behavioural Weakness|behavioural]]
> Weakness: [[SOWEL-6. Reusing Personal Data]]
> Functionality: [[SOFL-22. Accounts]]

### Explanation

A **login** is the credential a platform uses to identify and authenticate an account at sign-in: most often an **email address** or **phone number**, sometimes a chosen string. Logins are not the same as public-facing nicknames: a Twitter handle can be `@cool_guy`, while the email behind it can be an unrelated address that carries the owner's real name. People reuse the same email or phone across many services, for password-reset convenience, to keep notifications in one inbox, or simply out of habit, and this reuse becomes a powerful pivot for an investigator: a single known email can reveal accounts on dozens of unrelated platforms.

How **email/phone enumeration** works in practice:

1. The investigator feeds a login candidate (collected from a leak, a Whois record, a public profile, or an avatar's Gravatar URL) into a tool such as [holehe](https://github.com/megadose/holehe). ([mailcat](https://github.com/sharsil/mailcat) sits one step earlier in the chain: it takes a nickname and finds which provider domains host a mailbox for it, producing login candidates for this step.)
2. The tool walks through each supported service and calls its registration or password-reset endpoint with the email or phone as input.
3. The service's response, in the phrasing of the error, the HTTP status, the presence of a captcha, or a partially-masked recovery hint, reveals whether an account with that login exists. Well-written checkers do this **without sending any notification to the user**: they pick the endpoint that only validates the address (an "is this email taken?" check or the first step of a reset flow) and never complete the step that would deliver a reset email. This guarantee is per-checker, not inherent: if a platform changes its flow, a stale checker could start triggering real notifications.
4. The output is a list of services where the login is registered, ready for manual follow-up: loading the corresponding profile, checking activity, cross-referencing with already known accounts.
When the technique works best:

- Targets who reuse one personal Gmail / iCloud / Outlook for everything (most non-OPSEC-aware users).
- Long-tail services with sloppy registration flows that leak "this email is already taken" verbatim.
- Phone numbers: the same logic applies to services that use SMS sign-in (Telegram, WhatsApp, Signal, Tinder).

Limitations:

- Privacy-aware users keep a different address per service (Apple's "Hide My Email", Firefox Relay, SimpleLogin, ProtonMail aliases).
- Many large platforms now return uniform messages ("If an account exists, we sent a reset link") specifically to defeat enumeration.
- Each per-service checker rots over time: when the platform tweaks its response, the check silently returns false negatives until someone updates the source. A checker that reports "no match" on an unrecognised reply is more honest than one that reports "absent".
- A captcha, rate limit or IP block encountered mid-run yields no answer for that service; treat it as untested, not as a negative.
- A positive hit confirms registration, not identity ownership: an email might belong to a previous owner of the inbox or be a shared/role address.

Don't forget the complementary direction, pivoting from a **nickname** instead of a login, covered in [[SOTL-6.2. Check Nicknames Reuse to Find Another Account]]. In practice, investigators often run both: namecheckers on the username, email-enumerators on the email, and intersect the results.
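The following is an added example, not code from holehe or any other tool named on this page. It models offline the per-service check from the numbered steps above and the failure modes from the limitations list: a signature per service describes what an "exists", "absent", "uniform" or "blocked" reply looks like, and an unrecognised reply is reported as unknown rather than read as absent. The service names (`leakyforum.example` and so on), their responses, the `REGISTERED` table and `fake_post` are all constructed stand-ins for real HTTP traffic; no real platform is being described.

```python
# Added example, not holehe's code. All services, endpoints and responses
# below are constructed for illustration and model behaviours named in the
# text, not any real platform.
import re
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    EXISTS = "exists"      # login is registered on the service
    ABSENT = "absent"      # service says no such account
    UNIFORM = "uniform"    # same reply either way: enumeration defeated
    BLOCKED = "blocked"    # captcha or rate limit: no information this run
    UNKNOWN = "unknown"    # no signature matched: the checker may have rotted


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Signature:
    """What one service's availability/reset endpoint looks like per state.
    Patterns are regexes matched case-insensitively against the body."""
    service: str
    exists: list = field(default_factory=list)
    absent: list = field(default_factory=list)
    uniform: list = field(default_factory=list)
    blocked: list = field(default_factory=list)


def classify(sig: Signature, resp: Response) -> Verdict:
    """Turn one reply into a verdict. Order matters: a 429 or captcha carries
    no account signal and must not be read as 'absent'; a uniform message
    beats any weaker match; an unmatched reply is surfaced, never hidden."""
    if resp.status == 429:
        return Verdict.BLOCKED

    def hit(patterns):
        return any(re.search(p, resp.body, re.I) for p in patterns)

    if hit(sig.blocked):
        return Verdict.BLOCKED
    if hit(sig.uniform):
        return Verdict.UNIFORM
    if hit(sig.exists):
        return Verdict.EXISTS
    if hit(sig.absent):
        return Verdict.ABSENT
    return Verdict.UNKNOWN


# Constructed per-service signatures (in a real tool, one module per site).
CATALOG = [
    Signature("leakyforum.example", exists=[r"already taken"],
              absent=[r'"available":\s*true'], blocked=[r"captcha"]),
    Signature("resetme.example", exists=[r"sent a link to \S*\*\S*"],
              absent=[r"no account found"]),
    Signature("hardened.example", exists=[r"sent a link to \S*\*"],
              uniform=[r"if an account exists"]),
    Signature("grumpy.example", exists=[r"already taken"], absent=[r"available"]),
    Signature("changed.example", exists=[r"already taken"], absent=[r'"available"']),
]

# Constructed ground truth used only by the fake transport below.
REGISTERED = {
    "leakyforum.example": {"target@example.com"},
    "resetme.example": {"target@example.com"},
    "hardened.example": {"target@example.com"},
}


def fake_post(service: str, login: str) -> Response:
    """Stand-in for the HTTP call a real tool makes to the registration
    availability check or the first step of the reset flow (the steps that
    validate the address without sending mail)."""
    known = login in REGISTERED.get(service, set())
    if service == "leakyforum.example":     # verbatim 'already taken' leak
        return Response(400, '{"error":"This email is already taken"}') if known \
            else Response(200, '{"available": true}')
    if service == "resetme.example":        # masked recovery hint leaks existence
        return Response(200, "We sent a link to t*****@e******.com") if known \
            else Response(404, "No account found for that address")
    if service == "hardened.example":       # uniform reply defeats enumeration
        return Response(200, "If an account exists, we sent a reset link.")
    if service == "grumpy.example":         # rate limit: no signal this run
        return Response(429, "Too many requests")
    if service == "changed.example":        # site rewrote its error text; checker rotted
        return Response(400, "Signup failed (code 17)")
    raise KeyError(service)


def enumerate_login(login: str, catalog=CATALOG, post=fake_post) -> dict:
    """Run every checker and keep a verdict per service, including the
    non-answers, so the analyst sees which services were not really tested."""
    return {sig.service: classify(sig, post(sig.service, login)) for sig in catalog}


def confirmed_hits(results: dict) -> list:
    return sorted(s for s, v in results.items() if v is Verdict.EXISTS)


def cross_reference(login_hits, nickname_hits) -> dict:
    """Intersect login-based hits with namechecker hits: services where both
    match are the strongest same-person candidates; login-only hits still
    need manual follow-up (registration is not ownership)."""
    a, b = set(login_hits), set(nickname_hits)
    return {"both": sorted(a & b), "login_only": sorted(a - b)}


if __name__ == "__main__":
    for service, verdict in enumerate_login("target@example.com").items():
        print(f"{service:22} {verdict.value}")
```

Reporting `BLOCKED` and `UNKNOWN` separately from `ABSENT` is the design point: a run that quietly collapses all three into "not found" is how a rotted checker or a captcha wall turns into a confident-looking false negative.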
### Examples

- [Holehe OSINT — Email to Registered Accounts](https://th3m4rk5man.medium.com/holehe-osint-email-to-registered-accounts-b21bbd34d029) — walk-through of enumerating 120+ services from a single email
- [Holehe: The Email Investigation Tool You Need for OSINT](https://hacklido.com/blog/341-holehe-the-email-investigation-tool-you-need-for-osint) — practical guide with sample output and pivots
- [Reverse Email OSINT: The Complete Guide to Tracing Digital Identity](https://usersearch.com/resources/intel-hub/blog/reverse-email-osint-guide/) — broader methodology of pivoting from one email to a full identity

### Tools

- [holehe](https://github.com/megadose/holehe) — CLI tool that checks an email against 120+ services via password-reset endpoints; non-intrusive (target receives no notification)
- [mailcat](https://github.com/sharsil/mailcat) — finds existing email addresses by nickname across 155+ provider domains via API and SMTP checks
- [mosint](https://github.com/alpkeskin/mosint) — automated email-OSINT pipeline combining holehe-style checks with breach lookups and social-profile pivots

### See also

- [[SOTL-6.2. Check Nicknames Reuse to Find Another Account]]
- [[SOTL-6.3. Check Password Reuse to Find Another Account]]