Unlocking Secrets: What One Email Can Reveal Through OSINT
One Email. One Tool. Endless OSINT Secrets.
In today’s digital world, an email address can unlock a treasure trove of hidden information — if you know where to look. Enter Zehef, a powerful OSINT tool that helps you uncover surprising details lurking behind any email. This post takes you on an exciting dive into how Zehef reveals what’s often just beneath the surface, all while respecting privacy and ethics. Curious to see how much an email can really expose? Let’s jump in.
Zehef is an open-source OSINT (Open-Source Intelligence) tool focused on email footprinting and reconnaissance. It helps researchers, ethical hackers, and cybersecurity professionals gather information associated with a given email address.
It checks whether an email appears in data breaches, pastes, or leaked credential dumps. It also detects account presence on various platforms like Adobe, Spotify, X, Gravatar, and Instagram by analyzing login behaviors. Some versions include pastebin and dark web leak detection. Zehef outputs color-coded results in the terminal and is easily scriptable and customizable for automation in larger OSINT workflows. Well, i think that's enough for an intro, lets jump straight into the action.
Chapter 1: Playing with Zehef
Lets start by downloading Zehef on our system. For that, we will use the below command.
git clone https://github.com/N0rz3/Zehef
Once downloaded, install the required dependencies. Please note that zehef works on Python version above 3.10. So you can check yours first using python3 --version. If it is lower than that then install the latest one online and retry the given pip command according to that only. For example - pip3.12 install.
cd Zehef
pip3 install -r requirements.txt
Alright so all the dependencies has been successfully installed in our system. Let's check if our tool is working or not by accessing its help. Again, i have the latest python 3.12 installed here that's why using the below command, if your default python is above 3.10 then you can just use python3 and it will work just fine.
python3.12 zehef.py -h
So now that our tool is starting fine. Lets start with information gathering process on a target email. I will use a test email for that, lets see what we find out.
python3.12 zehef.py test@gmail.com
Alright, so we gotta lot of data over here from the Leak search. So this tool checks on Hudson Rock if a email has been exposed in a data breach or not. Hudson Rock is an Israeli-based cyber‑crime intelligence firm. They specialize in tracking infostealer malware and provide threat intelligence info. As per it, the email has been compromised and we can see redacted passwords too. If we are on a pentest engagement at this point, then we will next check this email in Data Breach services like Dehashed for potential password and that could be our initial foothold in a target organization.
Next we have the Account Search Functionality. So as per this the target email is associated with different platforms and services like - Adobe, Chess.com, Deezer, Duolingo, Github, Picsart, Pornhub, Starva and X. As i have said in the previous result, we can now check these services with a leaked password and see if we can log into in any of them.
Next, this tool also generate a list of potential email addresses in various services that the target might have. It uses permutation and combination to do that, which is a nice feature to have in certain scenarios.
Chapter 2: The CEO Unmasked
So, we have already tested our tool and its capabilities with a test email. Lets now take a take a step further and target a legit individual. So, i came across this post by Deepinder Goyal who is the CEO of Zomato, one of India’s largest food‑tech & delivery platforms. In the post, Deepinder is looking for Business and produc leaders that are already using AI in their lives. Along with that, there is an email that Deepinder has posted for reaching him out and that for us is a great place to start our recon.
We will provide the target email to Zehef and what it founds out about Deepinder.
python3.12 zehef.py d@zomato.com
Okay, so no Leak search has been found in this case.
The only account that we found here is Adobe, so nothing serious.
And a bunch of potential email address. So, in a nutshell we didn't find anything on Deepinder Goyal as per the tool result but anyway it is a great place to start with to check and Email address for Leak Search, Account Search and potential email address that the tool is providing. On that note, lets move forward!
Chapter 3: Behind the Filters
Alright, this was really random. While a scan was running on Deepinder, I opened Instagram, and a random reel of this beautiful lady popped up at the top of my feed. Out of curiosity, I clicked on her profile—and to my surprise, there was an email listed. I thought to myself, 'Hmm… should we give this a try?'
So, I fired Zehef on her email to check if i can found out anything or not.
python3.12 zehef.py poornadwivedi511@gmail.com
So, nothing in the Leak Search. That's fine!
The Account Search showed me 3 green flags - Adobe, Spotify and X. That's great! And at last some potential email address.
The first platform, Adobe, didn’t have anything interesting to pursue, so I tried X instead. I went to the login page, entered the email address, and it prompted me for a password—confirming that she has an account there.
Next, I tried to see if I could find her Spotify profile. But Spotify doesn’t use names or usernames in their profile URLs—instead, they use a random string of letters and numbers. So in this case too, the only option was to try logging in to check if an account exists. And the result was positive here as well.
Now, the only platform we can proceed with is X. But before diving deeper into the rabbit hole of OSINT on her, I want to make one thing clear: I won’t be listing any step-by-step techniques that could compromise her privacy or potentially dox her. While this information may be publicly accessible and technically legal under the scope of OSINT, in the hands of a stalker or someone with ill intent, it could be seriously harmful to her—or to anyone, for that matter. This is a morally grey area, and I’m engaging in it purely for research purposes.
With that being said, I looked for the associated X profile with her name — and one in particular caught my eye. While the full name isn’t listed, the profile picture does seem to resemble her. What really stood out was the username: it’s the same as the one we saw on her Instagram. This kind of username consistency is common among individuals trying to build a personal brand online. The account was created in July 2021, and the bio mentions '17' —presumably her age at the time. If we cross-reference that with her Instagram bio, which says '20', it further supports the idea that this X account belongs to her. I also checked the posts and found a few related to IMUN, which indicates she was active in Model United Nations during her school years.
Those of you who don't know, what IMUN is, Well, IMUN stands for International Model United Nations.It is an educational simulation of the United Nations, where students and young professionals take on the roles of delegates representing different countries and debate real-world global issues.
Further research on her, found out that she's an aspiring model and actress. She also had Auditioned for a webseries and is currently located in Delhi NCR.
But as I dug further, I discovered that she’s into fashion design and studied at one of the most reputed colleges in India. In fact, she was even crowned Ms. Fresher there. For privacy reasons, I’ve blurred the faces of the other people in the picture below. While I cannot disclose the exact location where she lived or studied, it is in Sector 23 of a major modern town in India.
Further recon revealed that she lived in a hostel during her first year of undergraduate studies, and the hostel document also listed her father's name.
Upon further digging, i found out her Primary WhatsApp phone number, which is scary. Again i have redacted all the sensitive information.
I checked the phone number for the cell carrier in use using some Carrier Lookup service and as per the result - She is using a Reliance Jio Sim. Also the location of the SIM is Delhi which further confirms her current location.
The final nail in the coffin came from her Google Reviews. I found only one review, posted two months ago for Rizq, which appears to be an exotic bar and dining spot. The review criticized the place for imposing strict dress code standards.
But the location of Rizq confirms her current location in Delhi.
So, that was a brief recon on her. It took me less than an hour to gather all this information—from the moment I saw that random reel at the top of my feed to uncovering her current and real locations, where she studied, and even her personal phone number. Yes, OSINT is a valuable skill set, but I won’t be sharing step-by-step techniques here, as doing so could harm her—and I have no intention of causing any harm or invasion of privacy. Well considering that in mind, let’s move ahead.
Chapter 4: Supercharging Zehef
Okay, so we’ve seen what the Zehef tool can do. While it’s not as comprehensive as some other email OSINT tools, it provides useful results and is a great place to start. However, it does have a limitation—it only supports searching one email at a time. But what if you want to search multiple emails simultaneously?
For example, during a pentesting engagement on a company, you might have collected multiple employee email addresses using tools like theHarvester or similar. Now, you want to identify which accounts are low-hanging fruit or potential targets. How would you do that? Because this tool doesn’t support batch searches natively, I doubt anyone would want to type in each email manually and wait for results one by one.
So, I came up with an idea: to create a script that takes a CSV file containing a list of emails as input, runs the Zehef tool on each email, and then saves the results to another CSV file. This way, we can easily filter and identify potential targets more efficiently
However, before writing the script, I had to solve a small issue with Zehef’s output. In the 'Account Search' section, Zehef displays valid and found accounts in green, while unavailable or invalid accounts are shown in red. This color-coded output was causing problems for my script during the filtering stage, as it wasn’t parsing the text-based output cleanly
To fix this, I modified the account search functionality within the original Zehef tool. Zehef uses dedicated Python files inside its `modules` directory to perform different checks, and the main script dynamically calls these modules during execution. By tweaking the relevant module, I was able to standardize the output in a more script-friendly format.
I peeked into the `adobe.py` file and noticed that for a valid result, it was printing the '>’ symbol in green. To make it easier for my script to parse, I modified the valid result output by appending `:[FOUND]` to the print statement. Now, my script can reliably identify found accounts in the Zehef output by simply searching for the keyword “FOUND” in the results. This has to be done for all the account modules out there.
Here's the complete code:
import re
import csv
import subprocess
from concurrent.futures import ThreadPoolExecutor, as_completed
from tqdm import tqdm
# === CONFIG ===
ZHEF_SCRIPT_PATH = "/home/wh1terose/Desktop/Zehef/Zehef/zehef.py" # Change this with your script path
PYTHON_EXECUTABLE = "python3.12" #Change this with your python version
INPUT_CSV = "input_emails.csv"
OUTPUT_CSV = "osint_results.csv"
MAX_THREADS = 5 # You can increase this
ANSI_ESCAPE = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])')
def strip_ansi(text):
return ANSI_ESCAPE.sub('', text)
def run_osint_tool(email):
try:
result = subprocess.run(
[PYTHON_EXECUTABLE, ZHEF_SCRIPT_PATH, email],
capture_output=True,
text=True,
check=True
)
output = result.stdout
lines = output.splitlines()
leak_result = "No"
leak_data = "N/A"
platforms = []
in_leak_section = False
in_account_section = False
for line in lines:
line = strip_ansi(line.strip())
if "📁 Leak search" in line:
in_leak_section = True
continue
if in_leak_section:
if "No paste found" in line or "Email Safe" in line:
leak_result = "No"
leak_data = "N/A"
elif line.startswith(">") or line != "":
leak_result = "Yes"
leak_data = line.replace(">", "").strip()
in_leak_section = False
if "🎭 Account search" in line:
in_account_section = True
continue
if in_account_section:
if "[FOUND]" in line:
platform = line.split(":")[0].replace(">", "").strip()
platforms.append(platform)
elif "📧" in line:
in_account_section = False
return [email, leak_result, leak_data, len(platforms), ", ".join(platforms) if platforms else "N/A"]
except subprocess.CalledProcessError as e:
print(f"Error running zehef for {email}: {e}")
return [email, "Error", "Error", 0, "Error"]
def main():
with open(INPUT_CSV, newline='') as infile:
reader = csv.reader(infile)
header = next(reader, None)
emails = [row[0].strip() for row in reader if row and row[0].strip().lower() != "email"]
total_emails = len(emails)
print(f"🔎 Starting OSINT for {total_emails} emails using {MAX_THREADS} threads...\n")
results = []
with ThreadPoolExecutor(max_workers=MAX_THREADS) as executor:
futures = {executor.submit(run_osint_tool, email): email for email in emails}
with tqdm(total=total_emails, desc="Progress", unit="email") as pbar:
for future in as_completed(futures):
result = future.result()
results.append(result)
pbar.update(1)
with open(OUTPUT_CSV, mode='w', newline='') as outfile:
writer = csv.writer(outfile)
writer.writerow([
"Target Email",
"Leak Found",
"Leak Data",
"Account Count",
"Platforms Found"
])
writer.writerows(results)
print("\n✅ Finished writing output.")
if __name__ == "__main__":
main()Let's breakdown, what the script is doing - step by step.
🔧 Imports
import re, csv, subprocess from concurrent.futures import ThreadPoolExecutor, as_completed from tqdm import tqdmre: Used for regex (removing ANSI color codes).
csv: For reading and writing CSV files.
subprocess: To run Zehef as a separate process for each email.
ThreadPoolExecutor: To run multiple email scans in parallel (multi-threading).
tqdm: To display a progress bar for user-friendly feedback.
⚙️ Configuration Section
ZHEF_SCRIPT_PATH = "/home/wh1terose/Desktop/Zehef/Zehef/zehef.py" PYTHON_EXECUTABLE = "python3.12" INPUT_CSV = "input_emails.csv" OUTPUT_CSV = "osint_results.csv"
MAX_THREADS = 5ZHEF_SCRIPT_PATH`: Path to the Zehef tool.
`PYTHON_EXECUTABLE`: Python version to use when executing Zehef.
`INPUT_CSV`: Input file with target emails.
`OUTPUT_CSV`: Output results file.
`MAX_THREADS`: Number of parallel threads (speed optimization).
🎨 ANSI Color Stripping
ANSI_ESCAPE = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])') def strip_ansi(text): return ANSI_ESCAPE.sub('', text)This removes color-coded characters (like green/red) from Zehef’s output so the script can parse plain text.
🧠 Core Function: `run_osint_tool(email)`
Runs Zehef for a **single email**, parses the output, and returns structured results.
Key parts:
result = subprocess.run([...])Runs Zehef on the target email via command line.
Captures the output.
if "📁 Leak search" in line:Looks for the leak search section.
If leaks are found, records them; otherwise, marks as safe.
if "🎭 Account search" in line:Looks for the account search section.
If a line contains `[FOUND]`, it extracts the platform name (e.g., Adobe, Spotify).
Ends when it reaches the next section or the email output ends.
Returns:
[email, leak_result, leak_data, number_of_accounts, platforms_list]🗂️ Main Function: `main()`
Handles CSV reading/writing and manages the multi-threaded scanning.
Step-by-step:
1. Read Emails:
with open(INPUT_CSV) as infile...Reads the email list from CSV and stores them.
2. Run in Threads:
with ThreadPoolExecutor(...) as executor:Executes the scan for each email in parallel using threads.
Shows progress using `tqdm`.
3. Write Results:
with open(OUTPUT_CSV, 'w') as outfile...Writes a clean summary of findings to a new CSV.
▶️ Execution Block
if __name__ == "__main__": main()Ensures the script only runs `main()` when executed directly (not when imported).
✅ Summary: What This Script Does
Accepts a list of emails via CSV.
Runs Zehef OSINT checks on each one.
Parses the leak data and account availability.
Writes results into a new CSV file.
Supports multi-threading for faster processing.
Automatically filters `[FOUND]` indicators thanks to your Zehef code modification.
Next for our script to show progress bar, we have to install a small python module.
pip3 install tqdm
For the script to work, we obviously needed a list of emails. As I mentioned earlier, you can use tools like theHarvester to gather email addresses during an engagement. But in this case, I chose to use something a bit closer to home—my newsletter subscribers list. So… sorry, guys. 😅
I saved the emails into a CSV file named `input_emails.csv` and set the script to write the results to `osint_results.csv`.
Now, lets fire up our script.
python3 sub_osint.py
Once the script is done doing its job, i looked into the osint_results.csv file and got this data. Sweet!
Chapter 5: From Research to Responsibility
Wrapping up, Zehef proved to be a powerful tool for email-based OSINT, offering valuable insights with minimal effort. From testing on generic emails to uncovering detailed public information about high-profile targets like Deepinder Goyal and an Instagram influencer, the potential—and responsibility—of such tools became clear.
By enhancing Zehef with a custom multi-threaded script, I was able to scale the process efficiently, demonstrating how automation can accelerate reconnaissance while maintaining ethical boundaries. At God Access, we believe in leveraging the power of OSINT responsibly—using publicly available information to inform and protect, never to invade privacy or cause harm.
If you’re interested in learning more about OSINT tools, scripting automation, or ethical hacking, stay tuned to God Access Labs for future deep dives and practical guides. Until then, keep exploring, stay curious, and always act with integrity.