TikTok — Using OSINT to Discover New Leads | By Josh Richards

TikTok has been with us for a couple of years now but we haven’t seen people using it in their investigations much until now. The mobile app allows users to make their own short videos. Lots of people put a sound track over it and will sing or dance. However, some people upload clips of video games, some use their own audio, and overall it allows people to be creative and come up with their own new content.

The app appears to be most popular among younger audiences, but a lot of adults can be found on it too. Many people post content, but others just watch and comment on other people’s content. Some comments are innocent, others are not. Despite this, people continue to post videos showing what schools they go to, videos inside and outside of their houses, and even give away phone numbers and other personal information, which is what this blog is going to focus on.

What information is being exposed?

A lot of TikTok users are quite young and don’t yet understand the consequences of putting their personal information out there. There are plenty of adults who do the exact same though. I have seen people posting emails, phone numbers, links to other social media, ID cards, passports, and a load of other personal identifiers like their height and age. This is often due to them following ‘trends’ where someone has done it and got good reactions, so everyone starts to do it, despite how dangerous it could be. Here I want to show how easy it is to find this information.

Image for post


Above is the ‘Discover’ tab on the TikTok mobile app. It shows trending hashtags along with popular videos. What I want to focus on is the search bar, because we can search for anything: usernames, keywords, songs, and more. One of my first searches was the phrase: ‘phone me’.

When you get results, you can switch between tabs such as users, videos, sounds, and hashtags, but for generic searches you can stick with ‘Top’, which shows the most popular videos. My first search returned a lot of results where people have posted their phone numbers either in the video description or as text in the video itself. The first result is my favourite where they reveal the number except the last digit as if it’s challenging to go and try ten different numbers.

Image for post


Below is one example where you have to watch the video because they use text to show their number in it. There are some videos where they will only show the number for a fraction of a second and it would be almost impossible to pause it in time on mobile. In these situations, you can use the browser version to have more control over the video. I’m not showing the browser version in this blog because it has been covered a lot in others already.

Image for post


Sound Tracks

You may notice when you are watching a TikTok video, you can see at the bottom what sound track is playing. It is the part next to the musical symbol. Sometimes these will be famous songs, and other times it will be an original sound made by a TikTok user. In the previous image, the track is from a user called ‘alecgiacchetto’. TikTok allows you to click on where it says the track name and it will show you all the other videos that use the same sound. At the time of this screenshot, 19.8k videos are using this sound, but I know it has gone up a lot since.

Image for post


This particular sound isn’t music, it is just the user talking and this is what they say throughout the video:

“Everyone always posts their phone number on here and then it blows up and they have to change their number but you know, I’m not famous, so, FaceTime me.”

This means that the majority of these videos will now include the poster’s phone number so that people can FaceTime them. Some have their email address instead because they say they “aren’t comfortable” sharing their phone number… Some will also not share anything and will try to joke around by showing the number ‘911’ for example.

Here are some other examples of where people have posted their email addresses. I found these by searching for ‘gmail.com’. This can be done with any domain or phrases like ‘email me’.

Image for post
Image for post


Image for post


One more example before we see what we can get from pivoting off this information. There is a sound track about how people look in their ID pictures. People use this track on their videos where they show their IDs. Sure, many of these don’t reveal the full thing. However, most have their signature and date of birth under their picture and out of the 1448 videos posted with this sound track, I am sure some will show the full ID.

Image for post



Now that we know the kind of information that people are sharing, what else can we find using it? First we will use the one where they give a phone number and leave out the last digit. How can we confirm the full phone number?

Image for post


There are many ways to do this so I am going to show a few here and explain how they can work well together. Also, although all these are UK numbers, the same kind of techniques can be used for both numbers and emails from all around the world.

The first place I went was the Facebook forgot password page. I could enter the phone number provided and search each digit at the end. While you may find that multiple numbers exist as you try them, this is unlikely. At least you are finding which numbers definitely exist and are more likely to be active numbers that are in use.

Image for post


In this case, 6 was the winning digit. All the others returned an error saying no account was found, but using 6, an account was found as you can see because it shows the recovery option. Although this in theory could belong to someone else, it is what I focused on first because I knew it existed and was being used on social media.

Image for post
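The different answers for a registered and an unregistered number are what made the confirmation above possible. The following is an added example, not part of the original post and not any platform's actual code, showing that kind of recovery handler beside a hardened one that returns one uniform reply and limits attempts per client; the function names, the in-memory account store and the fictional phone numbers are assumptions made for illustration.

```python
import time
from collections import defaultdict

# Constructed data: fictional number from Ofcom's reserved drama range (07700 900xxx).
ACCOUNTS = {"07700900126": "l***@example.com"}

def recover_leaky(phone):
    """'Before': the reply reveals whether the number has an account."""
    if phone in ACCOUNTS:
        return (200, f"Send a code to {ACCOUNTS[phone]}?")
    return (404, "No account found.")

class UniformRecovery:
    """'After': same reply for every number, plus a per-client attempt budget."""
    REPLY = (200, "If an account matches, a recovery message has been sent to it.")
    THROTTLED = (429, "Too many attempts. Try again later.")

    def __init__(self, max_attempts=3, window_s=3600, clock=time.monotonic):
        self.max_attempts, self.window_s, self.clock = max_attempts, window_s, clock
        self.attempts = defaultdict(list)  # client id -> timestamps of recent attempts
        self.outbox = []                   # recovery messages queued out-of-band

    def recover(self, client_id, phone):
        now = self.clock()
        recent = [t for t in self.attempts[client_id] if now - t < self.window_s]
        self.attempts[client_id] = recent
        if len(recent) >= self.max_attempts:
            return self.THROTTLED          # depends only on the client, never on the number
        recent.append(now)
        if phone in ACCOUNTS:
            self.outbox.append(phone)      # only the account owner learns the outcome
        return self.REPLY

def is_oracle(handler, registered, unregistered):
    """True when the replies for a registered and an unregistered number differ."""
    return handler(registered) != handler(unregistered)

def demo():
    known, unknown = "07700900126", "07700900121"
    svc = UniformRecovery()
    leaky = is_oracle(recover_leaky, known, unknown)
    uniform = is_oracle(lambda p: svc.recover("client-a", p), known, unknown)
    third = svc.recover("client-a", known)
    fourth = svc.recover("client-a", unknown)
    return leaky, uniform, third, fourth, svc.outbox

if __name__ == "__main__":
    print(demo())
```

A real service would also need the two code paths to take the same time and would key the attempt budget on more than a single client identifier.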


The next step I took was adding it to my phone’s contacts list and importing that to TikTok. The top result in the picture below was the same account we got the phone number from. I have redacted a lot but you can see the username here starts with ‘lil’ as did the one from the original video.

Image for post


Similar to TikTok, you can import your contacts to Snapchat too. Doing this revealed her username which in this case contained her real name too. The ‘Aaaaaa’ part was what I set in my contacts, but the username under it was the one she set up herself. Now that we know her real name, we could search that on other social media too if we wanted. This is how easy it is to take one piece of information and pivot to find lots more.

Image for post


Another approach to pivoting from this information is Lampyre. This is a piece of software which allows you to search identifiers and it will return whatever it can find on them. My favourite is their phone and email search because of how accurate it is and the unique results it returns.

Below I searched four UK phone numbers from TikTok. Although not much was returned this time, it is possible to get a lot more; it just depends on your target and what they use their phone number for online. We can now see that two of these numbers return partial data from Facebook recovery options. Partial emails are often easy to guess depending on how careful the users are. The other two show that they are connected to WhatsApp accounts, so now we could go and check WhatsApp with the numbers in our contacts list and see if it reveals a profile picture.

Image for post


Below is an example of searching an email on Lampyre. Once again, it only brings back information directly connected to the email. Here it has returned partial details like a phone number from PayPal and Apple, a direct link to their LinkedIn account, and confirmation that the email is being used on sites like Pinterest and Spotify although it doesn’t go directly to the account here.

Image for post


Lampyre is currently in a 2-week closed beta which I am involved in. I tried out one of their new searches with an email address I found on TikTok and it returned a Tumblr account. When I went to check out the account, let’s just say, it was full of some ratherrrr explicit content. The username on the account was completely different to the one on TikTok too, so finding the Tumblr was only possible because they thought it was good to share their email with the world.


This blog could go on forever. There were so many other examples of sound tracks people were using while exposing sensitive information, and more ways to pivot and find new data on them, but I thought I would leave it here for now. I hope at some point people start to realise that what they are sharing online is sensitive and if bad people got their hands on it, who knows what could happen.

This post was originally published: https://accessosint.com/tiktok-using-osint-to-discover-new-leads/

September 18, 2020
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023