What Is OSINT?
Open Source Intelligence (OSINT) refers to information that is freely and publicly available — gathered from social media profiles, news articles, public records, job listings, company websites, and anywhere else data is accessible without requiring a hack or breach. Intelligence analysts use OSINT for legitimate investigative work. Cybercriminals use it to build detailed profiles of individuals before launching targeted attacks.
You don't need to have been part of a data breach to be vulnerable to OSINT. Everything you've voluntarily made public is fair game, and a determined attacker can often assemble a surprisingly complete picture of your life using only what you've posted yourself.
What Attackers Learn from Your Profiles
Social media platforms are rich sources of personal data. An attacker patiently reviewing your public posts, follower lists, and tagged photos can quickly gather information you'd never hand to a stranger in person.
- Birthdays — commonly used as PINs, password components, and security question answers, and posted publicly on nearly every major platform
- Pet names — "What was your first pet's name?" is one of the most common security questions. If your pet's name features in your Instagram bio or photos, the answer is public
- Employer and job title — provides a pretext for spear phishing emails that reference your company, manager's name, or internal processes
- Location check-ins — telling the world you're on holiday is also telling any threat actor that your home is unoccupied
- Family members — relatives visible in tagged photos or your followers list can be used as social engineering vectors ("Hi, I'm calling on behalf of your brother...")
- Phone number and email — sometimes listed directly; otherwise inferable from "tag a friend" posts or linked accounts
Security Questions Are Broken by Oversharing
Account security questions were designed as a fallback authentication mechanism, but they rely on secrets — and most people's "secrets" are publicly posted. The questions themselves are predictable: mother's maiden name, childhood street, first car, name of your primary school. For anyone who has posted family content, hometown details, or nostalgic memories publicly, these answers are effectively public record.
Where possible, treat security question answers as additional passwords: use random, false answers stored in your password manager rather than real biographical details that are visible on your profiles.
Spear Phishing: When Attackers Use Your Own Data Against You
Generic phishing sends the same message to millions of recipients hoping some will click. Spear phishing is a targeted attack where the attacker crafts a message tailored specifically to you, using details harvested from OSINT. An email that says "Hi [your name], following up on the project we discussed at [your actual employer] last week" feels fundamentally different to a generic scam — and is far more likely to succeed.
The more personal information an attacker can reference accurately, the more legitimate their message appears. A message that names your pet, mentions your city, and references a recent life event visible on your public profile creates a false sense of familiarity that overrides normal scepticism.
Attackers don't need to hack your accounts to learn about you — they just need to read your public profiles. Review your privacy settings on every platform today and remove personal details you wouldn't hand to a stranger.
Data Harvesting Disguised as Entertainment
Be particularly wary of viral quiz posts and "fun" questionnaires circulating on social media — "What is your rock star name? Take your first pet's name and the street you grew up on!" These posts are frequently deliberate data harvesting exercises designed to extract security question answers at scale, submitted voluntarily and cheerfully by the participants.
How to Reduce Your Exposure
- Audit your privacy settings on every platform and set posts, friends lists, and profile information to "Friends only" or equivalent — not public
- Remove your phone number, email address, and birthday from your public profile on all platforms
- Avoid posting real-time location updates or holiday announcements until you're home
- Think carefully before posting photos that reveal your home address, number plates, or workplace in the background
- Skip the viral quiz posts — they are not worth the data exposure
- Before posting anything, ask: could this information help someone impersonate me, guess my passwords, or bypass a security question?