People love to form virtual connections and try to be as unique as possible in creating their profiles. Everyone wants to distinguish themselves from the masses, without thinking about what personal data is left. Some of that data is publicly exposed, like usernames. That offers an opportunity to trace people across different websites.
When you search for a tutorial on how to find a username or nickname, or the person hidden behind it, you usually get articles with a list of OSINT tools. While those are useful for finding an instrument to work with, they don't usually explain the investigative process. There is a big chunk of work to be done before the username can be passed into those tools. The flowchart below illustrates the complexity of username investigation.
Find a username
It is easy to find a username if you land on a user profile page. However, some websites don't put it straight on the page, but into the URL of the user account. If the user has left a comment or has made a post on the website, their username may be displayed alongside.
Investigators should also check whether the username displayed was chosen by the user. Many websites automatically generate the username. Some of them select completely random usernames, while others base them on the provided email address. Username searches might also be tricky on websites that use IDs along with usernames. For example, Vkontakte users might not always have a username unless they create one. If the target is on websites that don't use usernames (or you haven’t found one), then make username assumptions.
Make username assumptions
Make assumptions if you don’t have a username. Also, it’s useful to generate additional usernames to expand your search. Generating assumptions can be tricky, as usernames are often unique and personal. However, there are techniques one could use to make assumptions:
- Using common patterns: You can assume a username by using common patterns, such as combining a user's first name and last name, adding numbers or symbols, or using a user's birth year or location.
- Check other social media platforms: If you know a person's name or email address, you could try searching for them on other social media platforms. They may use the same username across multiple platforms, or you may be able to find a similar username that could help you make an assumption.
- Occupation and hobbies: A person's interests and occupation can also be a source of inspiration for username choices. For example, a teacher might use a username like "TeachMe" or "ClassroomPro."
Generate a username wordlist
Many tools generate usernames based on keywords. They will help you quickly come up with a list of potential usernames that could be used by your target. If you are looking for an online tool, then NAMEINT is a good one. For more advanced permutations there is a ProtOSINT script or pydictor.
Usually, usernames are case-insensitive, but most websites will store your capitalization preferences. When the profile is deleted, some websites still reserve the username for a while (like Mastodon). Moreover, some social networks (like LinkedIn) still link your previous URL to you for six months unless you unlink it. Thus, other members won’t be able to claim it during this period.
Bear in mind that platforms have different username conventions. For example, of the special symbols, Facebook allows only a full stop while Twitter allows only an underscore. YouTube, on the other hand, doesn’t allow any special symbols. Therefore, if you research John.Doe on Facebook – it’s not applicable on Twitter and YouTube.
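The common patterns and per-platform symbol rules described above can be combined in one step. The following Python sketch is an added example, not code from the article or from any of the tools it names; the function names and the sample name and birth year are assumptions, and only the symbol rules stated above are modelled.

```python
from itertools import product

# Special symbols each platform accepts, exactly as stated in the article.
# Other platform rules (length limits, reserved names) are not modelled.
ALLOWED_SYMBOLS = {"facebook": {"."}, "twitter": {"_"}, "youtube": set()}


def candidate_usernames(first, last, birth_year=None):
    """Combine name parts, separators and year suffixes into candidates."""
    # Lowercase everything: usernames are usually case-insensitive.
    first, last = first.strip().lower(), last.strip().lower()
    if not first or not last:
        raise ValueError("first and last name are both required")
    stems = [(first, last), (last, first), (first[0], last), (first, last[0])]
    suffixes = [""]
    if birth_year is not None:
        suffixes += [str(birth_year), str(birth_year)[-2:]]
    seen, out = set(), []
    for (a, b), sep, suffix in product(stems, ["", ".", "_"], suffixes):
        name = f"{a}{sep}{b}{suffix}"
        if name not in seen:  # drop duplicates, keep generation order
            seen.add(name)
            out.append(name)
    return out


def for_platform(candidates, platform):
    """Keep only candidates whose special symbols the platform allows."""
    allowed = ALLOWED_SYMBOLS[platform]
    return [n for n in candidates
            if {ch for ch in n if not ch.isalnum()} <= allowed]


if __name__ == "__main__":
    # Constructed sample input, not a real person.
    names = candidate_usernames("John", "Doe", 1990)
    for platform in ALLOWED_SYMBOLS:
        usable = for_platform(names, platform)
        print(f"{platform}: {len(usable)} candidates, e.g. {usable[:3]}")
```

Filtering per platform before passing the list to a checker removes candidates that cannot exist there, which cuts down the false positives that need a manual check.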
Search engines are the first stop if you are doing a targeted search. Of course, passing a list of usernames to some automated tool is easier, but not as efficient. You might find relevant usernames, cached pages and mentions you wouldn’t get otherwise. Google, Bing, Yahoo, Baidu and Yandex are the main ones to try. Different search engines will yield different results due to the difference in the underlying technology, so don’t restrict yourself in choice.
A user might set up a new username, but the link to their social media profile in the search result can still contain an old username. Try different search engines to see whether the username is cached. Usually, cached pages are displayed within search results. Also, you can examine a particular URL for a cached version using CachedView or Quick Cache and Archive search.
- Whatsmyname – This is my favourite one. It is pretty fast and shows only websites where the username is taken, which excludes a lot of visual noise.
- Instantusername – A pretty good username checker, but like all of them, still provides false results on some social networks. For example, on Tinder it might show that the username is taken, when, in fact, it is not. Checks more than 100 networks.
- Checkusernames – Another online username checker, but might have false results as well. For example, it might show that the username is not available, but when following the link you get to the 404 page (e.g. Imgur, Flickr). Checks 160 social networks.
- Socialcatfish – This one checks across many resources, but it takes too long to generate a report, and in the end it requires payment to unlock the report.
- Search.illicit.services – Search engine for PII and leaked credentials from data brokers and breaches. Finds data leaks associated with usernames, if there are any.
- Social Searcher – Searches for username mentions on social networks.
- Maigret – A pretty advanced username checker which collects a dossier on a person by username from thousands of sites. Creates HTML reports and has a Telegram bot.
- Blackbird – Another OSINT tool to search for accounts by username in social networks.
- Social Analyzer – A tool for analysing and finding a person's profile in 1000 social media / websites with a vast number of features. Can be accessed in CLI and has a Web App.
- Sherlock – Hunts down social media accounts by username across social networks.
- Enola – A modern CLI tool written with Golang. Based on Sherlock, but returns more false positives.
Usernames give you valuable pivot points. For example, having a username means it is possible to obtain the email address, as usernames are frequently created using email addresses. A target's name, surname, or date of birth can be included in the username as well. Therefore, don’t just blindly enter the username into search tools, but try to figure out what it means.
The disadvantage of the username search is that OSINT tools often generate false positives. A manual check is required during such investigations to verify the accuracy of the finding.