JunkMail
Back to blog
OSINT: How Investigators Use Forgotten Emails to Find You

OSINT: How Investigators Use Forgotten Emails to Find You

Think you're anonymous? An old email address on a 2012 forum might be enough to trace your entire life. A deep dive into Open Source Intelligence techniques.

By Security Expert1/21/2026

Imagine a scenario. You’re a cybersecurity expert, or perhaps an investigative journalist. You want to stay low-key. But one day, someone knocks on your door. They know your real name, your employer, and even your dog's name.

How did they do it? They didn't hack the NSA. They just used Google and an old "MySpace" account you created when you were 14.

Welcome to the world of OSINT (Open Source Intelligence).

The Flaw: Pseudonym Reuse

The most common mistake is attachment to a pseudonym. Let’s say you use Vader99 on Twitter. An investigator will search for Vader99 everywhere. They find a GitHub account. On that GitHub, in an old commit from 2018, there is an email address: vader99@gmail.com.

Bingo. Now they have your Gmail email.

The Formidable Tool: Account Recovery

The investigator goes to Google, Facebook, PayPal, Amazon. They type in your email and click "Forgot Password." They don't want to hack your account. They just want to see what the site displays.

"A code has been sent to +33 6 ** ** 45 12". They have the last 4 digits of your phone number.

They try again on another less secure site that sometimes displays: "Recovery email: j.doe@company.com". Bingo. They have your initial, your last name, and your employer.

Data Cross-Referencing

With j.doe@company.com, they go to LinkedIn. They find "John Doe." They look at your posts. You posted a photo of your office. We see the company logo. We see the view from the window. Using Google Street View, they geolocate your office.

Starting from a handle on Twitter, they arrived at your physical address in less than 20 minutes. Without using a single illegal tool.

The Defense: Total Compartmentalization

To protect yourself from OSINT, you must break the chain of links. There should be no link between your Identity A (Twitter) and your Identity B (LinkedIn).

The solution isn't to have 50 Gmail accounts (too hard to manage). The solution is a unique email per service.

If your Twitter account is linked to twitter.access@junkmail.site:

  1. The investigator cannot guess this address (it's not public).
  2. Even if they find it (via a data breach), it leads nowhere. It’s not linked to any other account.
  3. If you delete it, it’s a Dead End.

Conclusion

On the Internet, your past is your worst enemy. The breadcrumbs you left 10 years ago lead straight to your door today.

Stop leaving tracks. Start wearing shoes that don't leave prints. Use disposable emails for everything that doesn't require your legal identity.

Become a ghost. Secure your digital footprint with JunkMail.