Do you know how many times your email address has been leaked?
According to Have I Been Pwned, over 17.5 billion account records have been registered in breach databases as of early 2026. That means most people who use the internet have had their information exposed in some form.
This article uses OSINT (Open Source Intelligence) techniques to help you discover how much of your personal information is publicly available online. By auditing yourself with the same methods attackers use, you can find and fix vulnerabilities before they're exploited.
What Is OSINT (Explained in 30 Seconds)
OSINT (Open Source Intelligence) is the practice of collecting and analyzing publicly available information. It originated in intelligence agencies but is now widely used in cybersecurity auditing, journalism, and corporate threat analysis.
Everyday examples:
- Googling your own name → that's OSINT
- Checking if your email was in a data breach → that's OSINT
- Reviewing what your social media profiles reveal → that's OSINT
It's not about hacking. It's about systematically gathering information that's already out there.
Google Dark Web Report Is Gone — Now What?
Google discontinued its Dark Web Report on February 16, 2026. It was a free tool that let Gmail users check if their email appeared in known breaches. It's no longer available.
Here are the alternatives:
| Service | Price | Key Feature |
|---|---|---|
| Have I Been Pwned | Free | Largest breach database. Just enter your email |
| Mozilla Monitor | Free (paid plan for removal assistance) | Breach notifications via email |
| NordPass Data Breach Scanner | Included with Premium | 24/7 monitoring for emails, passwords, and credit cards |
| Apple Passwords | Free (Apple devices) | iCloud Keychain breach detection |
Let's use these tools in the steps that follow.
Step 1: Check If Your Email Has Been Leaked
The most fundamental check. Find out if your email addresses appear in known data breaches.
Have I Been Pwned (Free)
- Go to https://haveibeenpwned.com/
- Enter your email address and click "pwned?"
- Review the results
If you see "Oh no — pwned!" on a red background, your email was found in past breaches. The site also shows which services leaked your data (LinkedIn, Adobe, Dropbox, etc.).
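```bash
# Check via API (for developers)
# The account is part of the URL path, so "@" is percent-encoded as %40.
# HIBP rejects requests that lack a user-agent header.
curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/your%40email.com" \
  -H "hibp-api-key: YOUR_API_KEY" \
  -H "user-agent: self-audit-check" | jq '.[].Name'
```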
Check all your addresses
Check every email you've ever used — work, personal, old accounts. Older addresses are more likely to have been breached.
If breaches are found, change your passwords immediately. For continuous monitoring, NordPass Data Breach Scanner provides real-time alerts for new breaches. It also monitors credit card numbers — a feature few breach scanners offer.
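To check every address in one pass, the sketch below wraps the same API call in a loop. It is an added example, not code from the original article or from Have I Been Pwned; the function names, the `HIBP_API_KEY` environment variable, the user-agent string, and the 6-second fallback wait are assumptions.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

API = "https://haveibeenpwned.com/api/v3/breachedaccount/"

def breach_url(email):
    # The account is a URL path segment, so "@" and "+" must be percent-encoded.
    return API + urllib.parse.quote(email.strip(), safe="")

def http_get(url, api_key):
    """Return (status, lower-cased headers, body) for one API call."""
    req = urllib.request.Request(url, headers={
        "hibp-api-key": api_key,
        "user-agent": "self-audit-example",  # assumed name; HIBP requires one
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, hdrs, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, ""

def check_addresses(emails, api_key, get=http_get, sleep=time.sleep):
    """Map each address to its breach names; an empty list means none found."""
    results = {}
    for email in emails:
        for _ in range(5):  # retry a few times when rate limited
            status, headers, body = get(breach_url(email), api_key)
            if status != 429:
                break
            sleep(int(headers.get("retry-after", "6")))
        if status == 200:
            results[email] = [b["Name"] for b in json.loads(body)]
        elif status == 404:  # the API's answer for "not in any known breach"
            results[email] = []
        else:
            raise RuntimeError(f"HIBP returned HTTP {status} for {email}")
    return results

if __name__ == "__main__":
    import os, sys
    found = check_addresses(sys.argv[1:], os.environ["HIBP_API_KEY"])
    for addr, names in found.items():
        print(addr, ", ".join(names) or "no known breaches")
```

Pass your addresses as command-line arguments; a 404 from the API is the normal "not found" result, so only other status codes are treated as errors.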
Step 2: Search Your Own Name Online
Next, Google yourself. See what an attacker would find when researching your name.
Basic searches
```
"John Smith" site:linkedin.com
"John Smith" site:facebook.com
"John Smith" filetype:pdf
```
Quotes force an exact match. site: limits results to a specific domain. filetype:pdf searches within PDF documents.
Google Dorking (for self-assessment)
Google Dorking uses advanced search operators to uncover information. It's perfectly legal when checking your own data.
```
"your@email.com" -site:yourwebsite.com
"your phone number"
"your address" filetype:pdf
```
You might find your information in unexpected places — event attendee lists, old forum posts, PDF metadata.
Set up Google Alerts for continuous monitoring
- Go to https://www.google.com/alerts
- Add your name and email address
- Get notified whenever new mentions appear
Setup takes one minute. It's free. There's no reason not to do this.
Step 3: Find Username Reuse Across Services
If you use the same username across multiple services, a breach on one platform can lead attackers to your accounts on others.
Sherlock (open source)
Sherlock searches 400+ sites to find where a specific username is registered.
```bash
# Install
pip install sherlock-project
# Search
sherlock your_username
```
Review the results. If you find accounts on services you no longer use, consider deleting them.
Namechk (browser-based)
If you prefer a GUI, go to https://namechk.com/ and type your username. It checks 100+ sites instantly.
Step 4: Check If Your Photos Leak Location Data
Photos taken with smartphones contain EXIF (Exchangeable Image File Format) metadata — GPS coordinates, timestamps, camera model, and more.
Check with ExifTool
```bash
# Install (Ubuntu/Debian)
sudo apt install libimage-exiftool-perl
# macOS
brew install exiftool
# View metadata
exiftool photo.jpg
```
Example output:
```
GPS Latitude : 35 deg 41' 22.20" N
GPS Longitude : 139 deg 41' 30.12" E
Create Date : 2026:01:15 14:30:22
Camera Model : iPhone 16 Pro
```
If GPS coordinates are present, uploading that photo to certain platforms could reveal your home or workplace location.
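To see how precise that leak is, the added example below (not part of the original article) parses ExifTool's text output, picks out the identifying tags, and converts the degree/minute/second strings to the decimal coordinates a map service accepts. The function names are assumptions, and the sample input is the example output shown above.

```python
import re

# Tags from the article's example output that reveal where, when and on what
# device a photo was taken.
SENSITIVE = ("GPS Latitude", "GPS Longitude", "Create Date", "Camera Model")
DMS = re.compile(r"""(\d+) deg (\d+)' ([\d.]+)" ([NSEW])""")

def dms_to_decimal(text):
    """Convert '35 deg 41' 22.20" N' to decimal degrees (S and W negative)."""
    m = DMS.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognized coordinate: {text!r}")
    deg, minutes, seconds, ref = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if ref in "SW" else value

def audit_exif(report):
    """Parse `exiftool photo.jpg` text output and return what it discloses."""
    tags = {}
    for line in report.splitlines():
        # Split on the first colon only: date values contain colons too.
        name, sep, value = line.partition(":")
        if sep and name.strip() in SENSITIVE:
            tags[name.strip()] = value.strip()
    finding = {"tags": tags, "location": None}
    if "GPS Latitude" in tags and "GPS Longitude" in tags:
        finding["location"] = (
            round(dms_to_decimal(tags["GPS Latitude"]), 6),
            round(dms_to_decimal(tags["GPS Longitude"]), 6),
        )
    return finding

# Sample input: the example output from the article.
SAMPLE = """\
GPS Latitude                    : 35 deg 41' 22.20" N
GPS Longitude                   : 139 deg 41' 30.12" E
Create Date                     : 2026:01:15 14:30:22
Camera Model                    : iPhone 16 Pro
"""

if __name__ == "__main__":
    print(audit_exif(SAMPLE))
```

For the sample, the location comes out as roughly (35.6895, 139.6917), a point specific enough to identify a single city block.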
How to fix it
- Social platforms: X (Twitter), Instagram, and Facebook strip EXIF data on upload. However, LINE album sharing and email attachments may preserve it.
- At capture time: Disable "Include location in photos" in your phone settings
- After the fact: Run `exiftool -all= photo.jpg` to strip all metadata
Step 5: See What Your IP Address Reveals
Check how your home IP address or website domain appears from the outside.
Shodan (IoT search engine)
Shodan indexes internet-connected devices. Search your own IP to see which ports are visible externally.
- Go to https://www.shodan.io/ (free account required)
- Search your IP address
If you see open ports that shouldn't be exposed, review your firewall configuration immediately.
Check your domain information
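```bash
# WHOIS lookup
whois yourdomain.com
# DNS records (many servers no longer answer ANY queries, so ask per record type)
for t in A AAAA MX NS TXT; do dig +noall +answer yourdomain.com "$t"; done
```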
If your WHOIS record exposes personal information (address, phone number), enable your registrar's privacy protection service.
Three Things to Do Immediately If You Find a Leak
If your self-audit revealed breaches or exposed information, prioritize these three actions.
1. Change all your passwords
Change passwords on every breached service — and every service where you reused the same password.
Doing this manually across dozens of services isn't realistic. Use a password manager to generate and store unique, strong passwords for each account. NordPass handles password generation and breach monitoring in one place.
2. Enable multi-factor authentication (MFA)
Even if your password was leaked, MFA prevents unauthorized login. Prioritize these accounts:
- Email accounts (the reset point for everything else)
- Banking and financial services
- Social media (prevent impersonation)
- Cloud storage
3. Reduce your digital footprint
- Delete unused accounts
- Remove unnecessary personal information from social media profiles
- Check and strip EXIF data from photos
- Request data removal from data brokers (legally enforceable under GDPR)
- Use a VPN to prevent IP address tracking
OSINT and the Law — Where Legal Ends and Illegal Begins
OSINT techniques involve collecting publicly available information, which is generally legal. However, what you collect, whose data it is, and how you use it determines the legal risk.
Legal
| Action | Basis |
|---|---|
| Checking your own email for breaches | Your own data, public service |
| Googling your own name | Viewing public information |
| Google Dorking your own website | Your own domain |
| Searching your IP on Shodan | Your own infrastructure |
Potentially illegal
| Action | Risk |
|---|---|
| Logging into someone else's account | Computer Fraud and Abuse Act (US), Unauthorized Access Law (Japan) |
| Downloading others' passwords from breach databases | Unauthorized acquisition of credentials |
| Publishing someone's personal information without consent | Privacy violation, potential defamation |
| Scanning a company's systems without authorization | Unauthorized access laws |
Key legal frameworks
Japan: The Unauthorized Computer Access Law prohibits accessing systems protected by access controls without permission. Viewing publicly available information is not covered, but accessing login-protected systems without authorization is a criminal offense (up to 3 years imprisonment).
EU (GDPR): Data subjects can request disclosure, correction, deletion, and portability of their personal data. Requesting removal from data brokers is fully legal, with a one-month response deadline.
US (CCPA): California residents can request disclosure, deletion, and opt-out of sale of their personal information collected by businesses.
Wrapping Up
OSINT is a powerful way to see yourself through an attacker's eyes. You don't need special skills — the five steps in this article let you audit your digital footprint using the same techniques professionals use.
With Google's Dark Web Report now discontinued, protecting your information is in your own hands. Start by checking your email on Have I Been Pwned. If breaches are found, change your passwords and enable MFA as your top priority.