
OSINT 101: Understanding Breach Data
A guide to using breached data during investigations.
Author: Neil Smith
Large-scale data breaches have become a routine feature of the digital world. When companies are hacked, attackers often obtain vast troves of account information, including email addresses, usernames, phone numbers, and passwords. These datasets are frequently sold, traded or leaked online. Over time, they are collected and indexed on so-called breached-data websites, where they can be searched.
A number of online tools, some free, others paid, allow researchers to query these datasets. With them, it is possible to search for an individual, address, company or domain name and identify any associated email addresses, phone numbers or usernames that have appeared in past breaches.
Importantly, these datasets rarely originate from the hacking of a single individual’s account. They usually stem from large cyber-attacks against companies or platforms, in which millions of user records are stolen at once.
Several well-known breaches illustrate the scale involved. LinkedIn suffered a series of incidents, including a major breach in 2012 and further leaks in 2016 and 2021. The 2021 incident alone reportedly exposed data relating to roughly 700m users. Facebook experienced a similar event in 2021, when information from more than 500m accounts was posted online. In 2019, a cyber-attack on MGM Resorts International exposed personal data belonging to roughly 37m customers.
Data from such incidents often circulates for years. Criminals may exploit it for fraud or identity theft. Yet much of it is also aggregated by breach-search services, many of which advertise themselves as consumer-protection tools. They allow individuals to check whether their own data has appeared in a breach so they can change passwords or improve security.
For investigators and open-source intelligence (OSINT) researchers, these databases can also provide useful leads.
Finding contact details
You may have a subject whom you are researching, but no linked email address or mobile number for them. Breached data sites can be used by investigators to search for their name or address, looking for any linked email addresses or mobile numbers.
The results may include:
- associated email addresses or phone numbers
- usernames or account handles
- partial or full passwords
- the online services where the account appeared
These details can suggest which platforms a person has used and where they may still maintain accounts.
Identifying the owner of an account
Alternatively, if an investigator begins with an email address, phone number or username and wants to identify the person behind it, breached data may reveal other identifiers linked to that account.
Usernames and screennames can be particularly useful. Many people reuse the same screen name across multiple services. If that username appeared in a breach, it may be linked to email addresses, names or other identifying details.
Password intelligence
Breached datasets sometimes contain passwords, either in plain text or in hashed form.
In certain lawful investigative contexts, such as missing persons cases conducted by law enforcement agencies, such information can provide clues about credentials a subject might have used elsewhere. Because many people reuse passwords across services, a password appearing in one breach may appear again in other accounts.
When officers need to gain entry to a device or an account, they may use these sites to search for details of their subject, such as their email address or mobile number, to locate any passwords. Investigators must, of course, ensure that any use of such information complies with applicable laws and professional standards.
Breach-search service sites
A range of online services allow users to search breach datasets. Many offer limited searches for free and more detailed results through paid subscriptions. A list of these is available at https://www.uk-osint.net/hackedaccounts.html.
Basic free sites, such as WhatIsMyIPAddress, offer simple lookups that let you check an email address and return details of any breach lists it appears on.
One example is Have I Been Pwned, which allows users to check whether an email address has appeared in known breaches. The free version typically reports whether a breach occurred, while paid services provide greater detail and additional search options.
Another example is DeHashed, which allows queries using identifiers such as email addresses, usernames, passwords, IP addresses, domains, and names. Subscription tiers unlock more extensive searches and results. Paid accounts start from $4.50 per month and run up to and beyond $199 per year, and return lots of useful detail.
Another site, LeakPeek, allows searches across email addresses, phone numbers, usernames, passwords, domains, keywords, IP addresses and other identifiers. Unregistered users can perform basic searches without signing in and see redacted passwords associated with the identifier. Registered accounts return additional redacted information, and paid tiers provide full results, including unredacted data where available. Paid accounts cost from $1.99 for a day’s unlimited access, $9.99 for a month’s unlimited access, or up to $27.99 for three months' unlimited access, and show unredacted passwords and details of other linked email addresses.
Collections of such tools are often maintained on OSINT resource pages, including directories of breach-search sites and related utilities. These lists typically include both free services and paid platforms, reflecting the range of capabilities available.
Training exercise
To understand how these tools work, investigators can experiment with publicly available breach-search services using their own personal and work email addresses and phone numbers.
- Use a breach-checking tool, like WhatIsMyIPAddress, to search for one of your own email addresses and see whether it appears in any known breaches.
- Repeat the search using a second service, like LeakPeek or DeHashed, and compare the results.
- When using LeakPeek, create a free account and repeat the search to see whether additional information becomes visible.
- Try searching for different identifiers, such as usernames or phone numbers, and note how the results differ. Search your email addresses, your mobile phone number (remembering to internationalise it by removing the first 0 and adding 44 for a UK-related number) and your name, to see how much more you can search on and how the results may have expanded slightly from what was previously shown.
Ideally, your searches will return few or no results. But if breaches do appear, they provide a useful illustration of how much information can be exposed in large-scale cyber-attacks, and how searchable that information can become.
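The identifier clean-up and cross-service comparison from the exercise above, as an added example that is not part of the original guide. It goes slightly beyond the single rule in the text by accepting the common ways a UK number is written; the function names, the sample number (taken from the range reserved for TV drama) and the breach names are constructed for illustration.

```python
import re

def normalise_uk_phone(raw: str) -> str:
    """Return a UK number as 44 + national number, the form the exercise describes."""
    text = raw.replace("(0)", "")      # "+44 (0)7700 ..." carries an optional trunk zero
    digits = re.sub(r"\D", "", text)   # drop spaces, dashes, "+" and brackets
    if digits.startswith("00"):        # "0044..." is the dialled international prefix
        digits = digits[2:]
    if digits.startswith("44"):
        national = digits[2:]
        if national.startswith("0"):   # tolerate "+44 07700 ..."
            national = national[1:]
    elif digits.startswith("0"):
        national = digits[1:]          # remove the first 0, as the guide says
    else:
        raise ValueError(f"not recognisable as a UK number: {raw!r}")
    # Simplifying assumption: treat 9 or 10 digits as a plausible national number.
    if len(national) not in (9, 10):
        raise ValueError(f"unexpected length for a UK number: {raw!r}")
    return "44" + national

def normalise_email(raw: str) -> str:
    """Breach-search sites match on the literal string, so trim and lowercase it."""
    return raw.strip().lower()

def compare_results(first, second):
    """Compare the breach names two services reported for the same identifier."""
    a = {name.strip().lower() for name in first}
    b = {name.strip().lower() for name in second}
    return {
        "both": sorted(a & b),
        "only_first": sorted(a - b),
        "only_second": sorted(b - a),
    }

if __name__ == "__main__":
    # Constructed inputs: your own number as you might write it, and the
    # breach names you noted down from two different services.
    for written in ("07700 900123", "+44 (0)7700 900123", "0044 7700-900123"):
        print(written, "->", normalise_uk_phone(written))
    print(normalise_email("  Your.Name@Example.ORG "))
    print(compare_results({"Example Forum", "Example Shop"},
                          {"example forum", "Example Airline"}))
```

Entries that appear under only one service are the ones worth a second look, since each site indexes a different set of breaches.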





