Email addresses are one of our most public piece of PII. We are confortable sharing it with strangers, publishing it on the internet and it is generally our public way of communicating. However, when it comes to phone numbers things change. We are more selective with who we share it with, mostly because receiving unsolicited phone calls is much more invasive. There are also security implications when making your phone number publicly available. SS7 attacks, SIM swapping, phishing and scam calls are just a few of the threats that originate from the target’s phone number. What if it were possible to obtain someone’s phone number by only knowing their email address? Beyond the criminal advantage, it could be very useful to investigators, red teams and OSINT lovers. In this talk, I will discuss techniques which when combined will let you discover someone’s phone number via their email address. I will also demo and release a tool that helps automate the process.

1. From email address
to phone number
A new OSINT approach
Martin Vigo
@martin_vigo | martinvigo.com

2. Martin Vigo
Prodsec | Red team | Triskel Security Founder
From Galicia, Spain
Research | Scuba | Gin tonics
@martin_vigo - martinvigo.com
Amstrad CPC 6128

3. Privacy
email
address SSN
phone
number
profile
picture
home
addressage

4. Security
EMAIL ADDRESS PHONE NUMBER
Spam / Phishing Spam / Phishing
Spoofing Spoofing
Password dumps HLR registers
Voicemail hacking
Fake cell towers
SS7 attacks
SIM Swapping

5. Useful for:
Private investigators Stalkers
OSINT professionals Doxxers
Red teams Spammers

6. Classic methodologies
Google dorks
People search engines
Phone books
Data leaks
Social engineering
Public records

7. Purpose of this talk
A new OSINT method for your bag of tricks
A new OSINT tool for your toolset

8. Harvesting digits abusing
password reset
012-XXX-XX89
Ebay
0XX-XXX-6789
Paypal
0XX-XXX-XX89
Yahoo
XXX-XXX-6789
LastPass
XXX-XXX-XX89
Google, Twitter, Microsoft, Steam

9. No masking standards
Password reset
(attacker needs email)
Leaks 5 digits
2FA challenge
(attacker needs email+password)
Leaks 3 digits

10. Combining accounts
012-XXX-6789
Ebay + Paypal
Ebay + Lastpass
0XX-XXX-6789
Yahoo + Lastpass
That’s 7 out of 10 digits
from just the email
address!!
012-XXX-XX89
Ebay
0XX-XXX-6789
Paypal
0XX-XXX-XX89
Yahoo
XXX-XXX-6789
LastPass
XXX-XXX-XX89
Google, Twitter, Microsoft, Steam

11. Let’s focus on which digits we know, not how many
012-XXX-6789
Area code
or NPA
Exchange
or NXX
Subscriber
1000 possible numbers left…

12. NANPA (North American Numbering Plan Administration)
Maintains a public list of area codes and its exchanges
San Francisco’s 415 area code has 784 exchange
numbers
Tacoma’s 253 area code has only 458 exchanges
https://nationalnanpa.com

13. National Pooling Administration
Number block area assignment in the 10 thousands
Area code + Exchange + 4 digits subscriber number
Sausalito has 7k residents. No need for 10 thousand block assignment
NPA manages smaller block number assignments in growth areas
Per FCC, first digit of the subscriber number is used for this purpose
012-345-6789
Area code
or NPA
Exchange
or NXX
Subscriber
Block#

14. https://www.nationalpooling.com

15. 253-XXX-9123
tacoma_resident@victim.com
with ebay and Paypal account
1. ebay gives us area code
2. Paypal gives us subscriber number
3. NANPA gives us 458 valid exchange numbers for the area
code ‘253’
4. NPA gives us 13 unassigned exchange numbers for the
block number ‘9’
Only 445 possible numbers left!!
————— —

16. Still… 445 possible numbers…
We reduced the possible victim’s phone number
from 10 billion to 445 just with an email address and
publicly available information
🤔

17. Same attack vector… reversed!
Initially, we used the email address to harvest phone digits
Now we use the remaining numbers to reset
passwords and harvest masked email addresses!

18. Target: victimusa@martinvigo.com
Amazon
v*******a@martinvigo.com
# of * matches remaining chars
Twitter
vi*******@m*********.***
# of * matches remaining chars
And more…

19. Attack vector
1. Harvest phone number digits initiating password
resets with victim’s email
2. Use Phone Numbering Plan data to reduce the list of
possible phone numbers
3. Harvest and correlate masked emails by initiating
password reset with the remaining possible phone
numbers

20. email2phonenumber.py
A new OSINT tool that automates the entire process

21. email2phonenumber features
Harvest phone number digits from major sites
Generate valid phone number lists from partial numbers
based on the country’s Phone Numbering Plan
Bruteforce phone number password reset and correlate
masked emails with victim’s
support for proxies to avoid captchas / IP banning
Easily extendable to support more online services
Available on Github
https://github.com/martinvigo/email2phonenumber

23. What about other countries?

24. It get’s worst…
Many do not adjust the PII mask
for customers from other countries
Ebay, Lastpass, …
Some countries have 7 digits
mobile numbers
Estonia, San Salvador, Iceland,
Åland islands (Finland), …
Ebay + Lastpass exposes the
ENTIRE phone number
Estonian victim’s number: (+372) 588 1179
😱

25. Countries by phone number length

26. phonerator
An online service to generate phone number lists
multi-country support | detailed info | advanced filters | historic records
Stay tuned on twitter for updates and release date: @martin_vigo

27. Recommendations
For online services:
Use customizable labels instead of PII tidbits
“An SMS will be sent to 415-***-**12”
“An SMS will be sent to [CUSTOMLABEL]”
For you:
Never provide your real phone number to online services
Usually not required to use the service
If required, use VOIP numbers or dedicated SIMs
Use different email addresses or aliases

28. Responsible disclosure
012-XXX-XX89
Ebay
0XX-XXX-6789
Paypal
0XX-XXX-XX89
Yahoo
XXX-XXX-6789
LastPass
0XX-XXX-XX89
Ebay
0XX-XXX-6789
Paypal
“The team has assessed this to be an acceptable risk”
?XX-XXX-XX??
Yahoo
Still assessing the risk and mitigations
XXX-XXX-XX89
LastPass

29. Attackers can use your email address to obtain phone number
digits from online services due to a lack of standardization in PII
masking. Combined with publicly available information and an
understanding of the country’s phone numbering plan, it is
possible to recover the entire phone number
TL;DR
Security
&
Privacy
Online
Services
UX

30. THANK YOU!
@martin_vigo
martinvigo.com
linkedin.com/in/martinvigo
github.com/martinvigo
youtube.com/martinvigo