email2phonenumber is an OSINT (Open Source Intelligence) tool that discovers phone numbers associated with email addresses by leveraging password recovery and account verification pages of various online services. It exploits the information disclosure common in password reset flows to establish email-to-phone relationships for investigative purposes.
Installation
Clone from GitHub
```bash
git clone https://github.com/martinvigo/email2phonenumber.git
cd email2phonenumber
pip3 install -r requirements.txt
```
Install Dependencies
```bash
# Python 3.6 or higher required
python3 --version
# Install required packages
pip3 install requests beautifulsoup4 selenium
pip3 install tqdm pyyaml
```
Docker Installation
```bash
docker build -t email2phonenumber .
docker run email2phonenumber -e target@example.com
```
Verify Installation
```bash
python3 email2phonenumber.py --help
```
Basic Usage
Simple Email Lookup
```bash
python3 email2phonenumber.py -e target@example.com
```
Save Results to File
```bash
python3 email2phonenumber.py -e target@example.com -o results.txt
```
Test Specific Services
```bash
python3 email2phonenumber.py -e target@example.com -s google,microsoft,twitter
```
Verbose Output
```bash
python3 email2phonenumber.py -e target@example.com -v
```
Command-Line Options
| Option | Description |
|---|---|
| -e, --email | Target email address |
| -s, --services | Comma-separated list of services |
| -o, --output | Output file for results |
| -v, --verbose | Enable verbose logging |
| -t, --timeout | Request timeout in seconds |
| -p, --proxy | Use proxy server |
| --user-agent | Custom user agent string |
| -l, --list | Show available services |
| --headless | Run browser in headless mode |
Supported Services
Web Services with Phone Discovery
| Service | Method | Reliability |
|---|---|---|
| Google | Account recovery page | High |
| Microsoft | Password reset flow | High |
| Twitter/X | Account recovery | Medium |
| Facebook | Password recovery | Medium |
| Apple ID | Security questions | Medium |
| Snapchat | Account recovery | Low |
| Instagram | Password reset | Medium |
| Airbnb | Account recovery | Medium |
| Uber | Phone verification | High |
| LinkedIn | Account recovery | Medium |
Practical Examples
Comprehensive Email Investigation
```bash
python3 email2phonenumber.py -e john.doe@company.com -v
```
Check Multiple Services
```bash
python3 email2phonenumber.py -e target@example.com \
  -s google,microsoft,apple,facebook,twitter
```
Save Detailed Results
```bash
python3 email2phonenumber.py -e suspect@gmail.com \
  -o investigation_results.txt -v
```
Use Proxy for Privacy
```bash
python3 email2phonenumber.py -e target@example.com \
  -p http://proxy.example.com:8080
```
Batch Email Processing
```bash
#!/bin/bash
# Process multiple emails
for email in email1@example.com email2@example.com; do
  python3 email2phonenumber.py -e "$email" -o "results_${email}.txt"
done
```
Custom User Agent
```bash
python3 email2phonenumber.py -e target@example.com \
  --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
```
How It Works
Password Recovery Flow Analysis
1. Access the service's password reset page
2. Enter the target email address
3. Observe information disclosure
4. Extract the partial phone number
5. Infer the full phone number if possible

Common disclosure patterns:
- "Account found: Phone ending in 5551"
- "Verify with phone: +1 (555) 123-****"
- "SMS sent to: ***-****-7890"
- "Recovery option: Text message at +1 (***) ***-4321"
Phone Number Inference
```
Partial:   ***-***-1234
Country:   US (+1)
Area Code: Common area codes
Result:    Educated guess of full number
```
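Seen from the service side, each disclosure pattern listed above is a recovery hint that shows more than the account owner needs to recognise their own number. The following added example (not part of the original page or of email2phonenumber) audits hint strings against an assumed policy of at most two trailing digits and shows a fixed-width mask; `MAX_REVEALED`, `audit`, `mask_phone` and the sample number are assumptions made for illustration.

```python
import re

# Assumed policy (not from the page): a hint may show at most the last two digits.
MAX_REVEALED = 2

# The four disclosure patterns quoted in the list above, used as sample input.
PAGE_HINTS = [
    "Account found: Phone ending in 5551",
    "Verify with phone: +1 (555) 123-****",
    "SMS sent to: ***-****-7890",
    "Recovery option: Text message at +1 (***) ***-4321",
]


def audit(hints, max_revealed=MAX_REVEALED):
    """Return (hint, digits_shown, shows_leading_digits) for hints that break policy."""
    findings = []
    for hint in hints:
        # Ignore a spelled-out country code such as "+1"; it is not a subscriber digit.
        body = re.sub(r"\+\d{1,3}\b", "", hint)
        shown = len(re.findall(r"\d", body))
        # A digit followed later by a mask character means leading digits are visible.
        leading = bool(re.search(r"\d.*\*", body))
        if shown > max_revealed or leading:
            findings.append((hint, shown, leading))
    return findings


def mask_phone(number, keep=MAX_REVEALED):
    """Fixed-width mask: hides country code, area code and the number's length."""
    digits = re.sub(r"\D", "", number)
    if len(digits) <= keep:
        return "*" * 10  # too short to show anything safely
    return "*" * 8 + digits[-keep:]


if __name__ == "__main__":
    for hint, shown, leading in audit(PAGE_HINTS):
        print(f"{shown} digits shown, leading digits: {leading} -> {hint!r}")
    # Constructed sample number (555-01xx is reserved for fiction).
    safe_hint = f"SMS sent to: {mask_phone('+1 (555) 555-0123')}"
    print(safe_hint, "->", audit([safe_hint]) or "within policy")
```

All four hint formats from the page fail the assumed policy, while the fixed-width mask passes it and looks the same for every country and number length.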
Advanced Techniques
Service-Specific Strategies
Google Account Recovery
```bash
# Google reveals phone endings in account recovery
python3 email2phonenumber.py -e target@gmail.com -s google
# Full format: +1 (555) 123-****
# Infer from area code and ending digits
```
Microsoft Account Recovery
```bash
# Microsoft shows masked phone for verification
python3 email2phonenumber.py -e target@outlook.com -s microsoft
# Pattern: +1 (***) ***-4567
# Cross-reference with other data for full number
```
```bash
# Twitter/Instagram show phone for security recovery
python3 email2phonenumber.py -e target@example.com -s twitter,instagram
# Combine findings from multiple services
```
Parallel Service Testing
```bash
#!/bin/bash
# Test multiple services simultaneously
for service in google microsoft apple twitter facebook; do
  python3 email2phonenumber.py -e target@example.com -s "$service" &
done
wait
```
```bash
# Get phone from email2phonenumber
PHONE=$(python3 email2phonenumber.py -e target@example.com | grep -oP '\+1\s*\(?[0-9]{3}\)?[0-9]{3}[0-9]{4}')
# Reverse lookup phone number
python3 phone_lookup.py --phone "$PHONE"
```
Data Enrichment Pipeline
```bash
#!/bin/bash
EMAIL="target@example.com"
# Step 1: Get phone number
PHONE=$(python3 email2phonenumber.py -e "$EMAIL" | grep phone)
# Step 2: Search for phone across internet
# Use with Google, WhitePages, etc.
# Step 3: Cross-reference with email
# Correlate findings
# Step 4: Compile OSINT profile
echo "Email: $EMAIL"
echo "Phone: $PHONE"
```
Handling Results
Parse Output Results
```bash
# Write results to a file, then extract phone numbers from that same file
python3 email2phonenumber.py -e target@example.com -o results.txt
grep -oP '\+1\s*\(?[0-9]{3}\)?[0-9]{3}[0-9]{4}' results.txt
```
Validate Phone Numbers
```bash
# Verify format and region code
python3 validate_phone.py results.txt
```
Combine Multiple Results
```bash
#!/bin/bash
# Aggregate findings from multiple emails (targets.txt holds one address per line)
while IFS= read -r email; do
  python3 email2phonenumber.py -e "$email" >> combined_results.txt
done < targets.txt
# Remove duplicates
sort combined_results.txt | uniq > final_results.txt
```
Integration with OSINT Workflows
Reconnaissance Script
```bash
#!/bin/bash
# Complete OSINT workflow
TARGET="target@example.com"
# Get phone
python3 email2phonenumber.py -e "$TARGET"
# Search for phone online
# Use additional tools to cross-reference
# Document findings
echo "OSINT Report for $TARGET" > report.txt
```
Social Engineering Prevention
```bash
# Identify what information is discoverable about your own accounts
EMAIL="my.email@company.com"
python3 email2phonenumber.py -e "$EMAIL"
# Check what's exposed
# Update privacy settings accordingly
```
Investigative Workflow
```bash
#!/bin/bash
# Law enforcement / Corporate investigation
SUBJECT_EMAIL="suspect@example.com"
echo "=== Email to Phone Investigation ==="
echo "Target Email: $SUBJECT_EMAIL"
echo ""
echo "=== Google Account Check ==="
python3 email2phonenumber.py -e "$SUBJECT_EMAIL" -s google
echo "=== Microsoft Account Check ==="
python3 email2phonenumber.py -e "$SUBJECT_EMAIL" -s microsoft
echo "=== Social Media Check ==="
python3 email2phonenumber.py -e "$SUBJECT_EMAIL" -s twitter,facebook,instagram
echo "=== Investigation Complete ==="
```
Ethical and Legal Considerations
Authorized Use Only
Only perform lookups on:
- Your own accounts
- Accounts you have authorization to investigate
- Subjects with proper legal authority

Consult legal counsel first.
Privacy Implications
- Understand GDPR, CCPA, and local privacy laws
- Phone numbers are sensitive personal data
- Misuse can violate privacy regulations
- Document authorization and purpose
Responsible Disclosure
If discovering vulnerabilities:
- Report to the affected service
- Use responsible disclosure practices
- Allow time for a patch
- Don't share information publicly before a fix
Troubleshooting
Connection Timeout
```bash
# Service may be blocking requests
# Try with different proxy:
python3 email2phonenumber.py -e target@example.com -p http://proxy:8080
# Increase timeout:
python3 email2phonenumber.py -e target@example.com -t 30
```
Service Not Supported
```bash
# Check available services
python3 email2phonenumber.py -l
# Service may have changed
# Check GitHub for updates
git pull origin main
pip3 install -r requirements.txt
```
No Results Found
- Email may not exist
- Account may not have a phone associated
- Service may have disabled the feature
- Try manual verification on the service
Browser Issues with Selenium
```bash
# Update Selenium and webdriver
pip3 install --upgrade selenium
# Download the chromedriver build matching your Chrome version from
# https://chromedriver.chromium.org/downloads
# (the URL is a download index page, so fetching it with wget only saves HTML)
# Run with headless option
python3 email2phonenumber.py -e target@example.com --headless
```
| Tool | Purpose | Method |
|---|---|---|
| email2phonenumber | Email-to-phone lookup | Password recovery pages |
| Sherlock | Username search | Multi-site search |
| OSINT Framework | Multi-tool aggregator | Web-based interface |
| Maltego | Graph-based OSINT | Commercial platform |
| SpiderFoot | Automated OSINT | Multiple sources |
Security Best Practices
Protect Your Own Accounts
Secure password recovery options:
- Use unique phone numbers per account
- Enable 2FA with authenticator app
- Regularly audit connected emails
- Check for exposed information
Rate Limiting
```bash
# Avoid detection
# Don't hammer services with requests
# Add delays between lookups:
sleep 5
python3 email2phonenumber.py -e email2@example.com
```
Operational Security
- Use VPN or proxy
- Don't expose your IP
- Rotate user agents
- Maintain investigation logs
Summary
email2phonenumber is a valuable OSINT tool for discovering phone numbers associated with email addresses by leveraging password recovery mechanisms. It demonstrates how information disclosure vulnerabilities in account recovery flows can lead to privacy breaches. The tool is useful for authorized investigations, security testing, and awareness of what information may be discoverable about your own accounts.