email2phonenumber

email2phonenumber is an OSINT (Open Source Intelligence) tool that discovers phone numbers associated with email addresses by leveraging password recovery and account verification pages of various online services. It exploits the information disclosure common in password reset flows to establish email-to-phone relationships for investigative purposes.

git clone https://github.com/martinvigo/email2phonenumber.git
cd email2phonenumber
pip3 install -r requirements.txt
# Python 3.6 or higher required
python3 --version

# Install required packages
pip3 install requests beautifulsoup4 selenium
pip3 install tqdm pyyaml
docker build -t email2phonenumber .
docker run email2phonenumber -e target@example.com
python3 email2phonenumber.py --help
python3 email2phonenumber.py -e target@example.com
python3 email2phonenumber.py -e target@example.com -o results.txt
python3 email2phonenumber.py -e target@example.com -s google,microsoft,twitter
python3 email2phonenumber.py -e target@example.com -v
| Option | Description |
| --- | --- |
| -e, --email | Target email address |
| -s, --services | Comma-separated list of services |
| -o, --output | Output file for results |
| -v, --verbose | Enable verbose logging |
| -t, --timeout | Request timeout in seconds |
| -p, --proxy | Use proxy server |
| --user-agent | Custom user agent string |
| -l, --list | Show available services |
| --headless | Run browser in headless mode |
| Service | Method | Reliability |
| --- | --- | --- |
| Google | Account recovery page | High |
| Microsoft | Password reset flow | High |
| Twitter/X | Account recovery | Medium |
| Facebook | Password recovery | Medium |
| Apple ID | Security questions | Medium |
| Snapchat | Account recovery | Low |
| Instagram | Password reset | Medium |
| Airbnb | Account recovery | Medium |
| Uber | Phone verification | High |
| LinkedIn | Account recovery | Medium |
python3 email2phonenumber.py -e john.doe@company.com -v
python3 email2phonenumber.py -e target@example.com \
  -s google,microsoft,apple,facebook,twitter
python3 email2phonenumber.py -e suspect@gmail.com \
  -o investigation_results.txt -v
python3 email2phonenumber.py -e target@example.com \
  -p http://proxy.example.com:8080
#!/bin/bash
# Process multiple emails
for email in email1@example.com email2@example.com; do
  # Quote the variables so each address is passed as a single argument
  python3 email2phonenumber.py -e "$email" -o "results_${email}.txt"
done
python3 email2phonenumber.py -e target@example.com \
  --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1. Access service's password reset page
2. Enter target email address
3. Observe information disclosure
4. Extract partial phone number
5. Infer full phone number if possible
# Common disclosure patterns:
- "Account found: Phone ending in 5551"
- "Verify with phone: +1 (555) 123-****"
- "SMS sent to: ***-****-7890"
- "Recovery option: Text message at +1 (***) ***-4321"
Partial: ***-***-1234
Country: US (+1)
Area Code: Common area codes
Result: Educated guess of full number
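Seen from the service side, the disclosure patterns listed above can be audited before a recovery page ships. The following is an added example, not part of email2phonenumber or the original page: it counts the digits each recovery message reveals and shows a fixed-width masked form. The two-digit limit (MAX_REVEALED), the sample messages and the function names are assumptions made for illustration.

```python
import re

# Phone-like token: optional country code, then digits and mask characters.
PHONE = re.compile(r"(\+\d{1,3}\s)?([(\d*•][\d*•() .-]{2,}[\d*•])")
MAX_REVEALED = 2  # assumed policy: show at most two digits of the number

# Constructed sample messages, modelled on the disclosure patterns above.
SAMPLES = [
    "Account found: Phone ending in 5551",
    "Verify with phone: +1 (555) 123-****",
    "SMS sent to: ***-****-7890",
    "Recovery option: Text message at +1 (***) ***-4321",
    "If an account exists, we sent recovery instructions.",
]


def audit(message):
    """Return (revealed_digits, masked_positions, within_policy)."""
    match = PHONE.search(message)
    if not match:
        return 0, 0, True  # nothing phone-like is shown
    body = match.group(2)  # country code (group 1) is not counted
    revealed = sum(c.isdigit() for c in body)
    masked = sum(c in "*•" for c in body)
    return revealed, masked, revealed <= MAX_REVEALED


def mask_phone(number, keep=MAX_REVEALED):
    """Hardened display form: fixed-width mask plus the last `keep` digits.

    The width does not depend on the number's length, and the country code
    and leading digits are never shown.
    """
    digits = re.sub(r"\D", "", number)
    keep = max(0, min(keep, MAX_REVEALED))
    return "•" * 6 + digits[len(digits) - keep:]


if __name__ == "__main__":
    for msg in SAMPLES:
        revealed, masked, ok = audit(msg)
        # Each masked position leaves 10 candidates, so 10**masked in total.
        space = 10 ** masked if masked else "unknown"
        print("ok  " if ok else "LEAK", revealed, space, msg)
    print(mask_phone("+1 555 123 4567"))
```

A message that shows the area code and prefix leaves only 10**4 candidates, while the generic "If an account exists" wording reveals neither digits nor whether the account exists.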
# Google reveals phone endings in account recovery
python3 email2phonenumber.py -e target@gmail.com -s google

# Full format: +1 (555) 123-****
# Infer from area code and ending digits
# Microsoft shows masked phone for verification
python3 email2phonenumber.py -e target@outlook.com -s microsoft

# Pattern: +1 (***) ***-4567
# Cross-reference with other data for full number
# Twitter/Instagram show phone for security recovery
python3 email2phonenumber.py -e target@example.com -s twitter,instagram

# Combine findings from multiple services
#!/bin/bash
# Test multiple services simultaneously
for service in google microsoft apple twitter facebook; do
  python3 email2phonenumber.py -e target@example.com -s $service &
done
wait
# Get phone from email2phonenumber
# The pattern allows spaces or hyphens between digit groups, e.g. +1 (555) 123-4567
PHONE=$(python3 email2phonenumber.py -e target@example.com | grep -oP '\+1\s*\(?[0-9]{3}\)?[\s-]*[0-9]{3}[\s-]*[0-9]{4}')

# Reverse lookup phone number
python3 phone_lookup.py --phone "$PHONE"
#!/bin/bash
EMAIL="target@example.com"

# Step 1: Get phone number
PHONE=$(python3 email2phonenumber.py -e $EMAIL | grep phone)

# Step 2: Search for phone across internet
# Use with Google, WhitePages, etc.

# Step 3: Cross-reference with email
# Correlate findings

# Step 4: Compile OSINT profile
echo "Email: $EMAIL"
echo "Phone: $PHONE"
python3 email2phonenumber.py -e target@example.com -o results.json
# The pattern allows spaces or hyphens between digit groups
grep -oP '\+1\s*\(?[0-9]{3}\)?[\s-]*[0-9]{3}[\s-]*[0-9]{4}' results.txt
# Verify format and region code
python3 validate_phone.py results.txt
#!/bin/bash
# Aggregate findings from multiple emails
# targets.txt holds one email address per line
while IFS= read -r email; do
  python3 email2phonenumber.py -e "$email" >> combined_results.txt
done < targets.txt

# Remove duplicates
sort combined_results.txt | uniq > final_results.txt
#!/bin/bash
# Complete OSINT workflow
TARGET="target@example.com"

# Get phone
python3 email2phonenumber.py -e $TARGET

# Search for phone online
# Use additional tools to cross-reference

# Document findings
echo "OSINT Report for $TARGET" > report.txt
# Identify what information is discoverable
# About your own accounts
EMAIL="my.email@company.com"
python3 email2phonenumber.py -e $EMAIL

# Check what's exposed
# Update privacy settings accordingly
#!/bin/bash
# Law enforcement / Corporate investigation
SUBJECT_EMAIL="suspect@example.com"

echo "=== Email to Phone Investigation ==="
echo "Target Email: $SUBJECT_EMAIL"
echo ""

echo "=== Google Account Check ==="
python3 email2phonenumber.py -e $SUBJECT_EMAIL -s google

echo "=== Microsoft Account Check ==="
python3 email2phonenumber.py -e $SUBJECT_EMAIL -s microsoft

echo "=== Social Media Check ==="
python3 email2phonenumber.py -e $SUBJECT_EMAIL -s twitter,facebook,instagram

echo "=== Investigation Complete ==="
# Only perform lookups on:
- Your own accounts
- Accounts you have authorization to investigate
- Subjects with proper legal authority
- Consult legal counsel first
# Understand GDPR, CCPA, and local privacy laws
# Phone numbers are sensitive personal data
# Misuse can violate privacy regulations
# Document authorization and purpose
# If discovering vulnerabilities:
- Report to affected service
- Use responsible disclosure practices
- Allow time for patch
- Don't share information publicly before fix
# Service may be blocking requests
# Try with different proxy:
python3 email2phonenumber.py -e target@example.com -p http://proxy:8080

# Increase timeout:
python3 email2phonenumber.py -e target@example.com -t 30
# Check available services
python3 email2phonenumber.py -l

# Service may have changed
# Check GitHub for updates
git pull origin main
pip3 install -r requirements.txt
# Email may not exist
# Account may not have phone associated
# Service may have disabled feature
# Try manual verification on service
# Update Selenium and webdriver
pip3 install --upgrade selenium

# Download the chromedriver build matching your Chrome version from:
# https://chromedriver.chromium.org/downloads
# (running wget on this URL only saves the HTML download page, not the driver)

# Run with headless option
python3 email2phonenumber.py -e target@example.com --headless
| Tool | Purpose | Method |
| --- | --- | --- |
| email2phonenumber | Email-to-phone lookup | Password recovery pages |
| Sherlock | Username search | Multi-site search |
| OSINT Framework | Multi-tool aggregator | Web-based interface |
| Maltego | Graph-based OSINT | Commercial platform |
| SpiderFoot | Automated OSINT | Multiple sources |
# Secure password recovery options
- Use unique phone numbers per account
- Enable 2FA with authenticator app
- Regularly audit connected emails
- Check for exposed information
# Avoid detection
# Don't hammer services with requests
# Add delays between lookups:
sleep 5
python3 email2phonenumber.py -e email2@example.com
# Use VPN or proxy
# Don't expose your IP
# Rotate user agents
# Maintain investigation logs

email2phonenumber is a valuable OSINT tool for discovering phone numbers associated with email addresses by leveraging password recovery mechanisms. It demonstrates how information disclosure vulnerabilities in account recovery flows can lead to privacy breaches. The tool is useful for authorized investigations, security testing, and awareness of what information may be discoverable about your own accounts.