To quickly do a user lookup to find someone online, in social networks or dating sites with just a username or email address, you can:
- Use a reverse lookup tool to find them, if you have their username or email address.
- Manually visit the websites themselves and utilise inbuilt search functions of the website.
- Add some of their friends as your friends and you may be able to see their profile then.
- Search google cache for the specific site, for example, “site:match.com [email protected]”.
- Try a more generic people search tool, such as Pipl.
- Access the websites public API and perform the search directly.
- Read this article and find out how to do all these, with and without tools.
If your searching the web, wondering how to find your ex, long lost school friend, or future date, you may come across words in google such as reverse image search, reverse user search, user lookup tool, background check, etc.
Fed up of the same old..
All these terms will bring you the same place, which is, where can I find a big bunch of data that will let you search? 95% of the time you’ll have an article wasting your time, and 4% of the time you’ll be forwarded to a user lookup page that will charge you. Frustrating we know. You may prefer to do this yourself, rather than relying on a tool, which we can totally understand.
This article will show you exactly how to do these user lookups yourself, using just your patience, determination and your brain. We’ve been doing this for decades, and we automated the process into our search engine, but we want to show you how to do it without using any tools.
Finding users on the following Focial Networks
During this article, we are actually going to walk through a number of websites, manually, and show you exactly what you can, and cannot currently see from a public facing, non-registered user account on the following websites (by popular demand):
- POF (Plenty of Fish)
- Match Dating site (match.com)
- Cash App
- Kik Messenger
- Xbox Live
We are a team of cyber enthusiasts, computer programmers, open source experts and web crawler developers. The fields of specialism include building web crawlers to gather public information and then providing that data onto websites (our website). Our combined knowledge consists of decades, and our wrinkles show.
Manual you say?
While we are manually going through these 11 sites, rest assured that we are testing all the usual tricks. These include fake data submissions, URL path analysis, API checks, reviewing Java script of each site and checking if there are hidden APIs we can access. We’re reviewing the form structure of the sites to determine if additional information can be gleaned publicly, checking where the data is going and testing if we can send our own data without authentication. We are not hacking, were simply checking if there are public bits of information that are not publicly advertised.
We will tell you what worked, and what did not work. If nothing else, this article will aid your own research in knowing what not to bother trying and hopefully aid you in developing your own personal strategy in conducting user lookups online.
How to conduct email and user lookups
Whether your using automated lookup tools or manually investigating a target, the methodology is rather similar. You need a lot of patience, determination and knowledge on what your looking for. Websites, generally, unless purposefully designed to be as public as possible (such as Reddit minus the email), do not openly advertise the personal information of people under usernames and email address accounts. Quite often, the knowledge that a username or email is actually active on a particular social network or dating site, or at least has been active, is an indicative indicator and positive result as part of any OSINT investigation or personal mission to lookup someone online.
Sometimes, having a positive or negative confirmation that a user or email address on a particular website is all your going to get (and sometimes that’s all you need!). By utilising the information we pass onto you in the following few pages, in combination to the guides we present in the article “how Hide and Seek : How to find anyone online (and hide)” and our article on tinder investigations plus finally the article on “what can a hacker do with your email address”, you pretty much have the ammo to fully conduct your own personal online investigation into a username or email address, whether you choose to use an automated tool like UserSearch or not.
How to find someone on POF (plenty of Fish) with a username or email?
API POF user lookup :
We saw no publicly accessible API as part of the user registration or user login screen. This is quite often a trick where websites use their own API to perform a username or email lookup to determine if a user / email is already registered. Most websites handle this code server side, but we have seen some client based (meaning we can see the code and thereby the API being called, which we can use to our advantage. If we could access this, we would have a programatic way of checking, which has been exploited by some hackers historically.
POF email lookup via password reset :
We tested the password reset function, which is sometimes used by automated tools. You do not receive a message on if an email account is valid / invalid or exists. Its a blank response. Some websites will suggest that the email you have tried to reset does not exist. That response does not occur in this case, its good design but bad for researchers like us.
POF email lookup using registration :
This is a trick where, during standard user registration, you can enter a used email (in this case, the email you are looking for), and the website will typically respond with ‘sorry that email is in use’. Thats pretty nice, letting us know they are members of the website. However, POF has an odd way of dealing with this, which we believe is a bug. A lot of tools will automatically fill in regitration forms and wait for a response like this to see if the user exists on the site.
Typically, a website will call the database as soon as you enter an email address to determine if already in use (it saves you typing out the whole form to realise you just need to reset your own password). However, on POF, it allows you to fill out the full form as a new user and it then seems to reset the form and push you back to the start (if you try and register with an already used email account). We don’t know if this is a design flaw, or a purposeful tactic to discourage people from doing this.
POF user lookup using registration :
Similar to the trick for emails, by purposefully using a username that you are trying to lookup, a website will call the server to see if the username exists.
We get a positive response during user registration and we can be provided with intelligence that this username is currently on the site.
Here is a picture of the response:
Plenty of fish will inform us during user registration that the user account ‘Bob’ already exists on POF. However it will not inform us whether ‘[email protected]’ exists. If you keep filling in the required joining forms, it will eventually reset if you do not use a unique email address.
POF internal user lookup :
We logged into POF to see if we can look for our user ‘bob’. Success, POF do allow full searching of usernames if you are a registered user. We can see pictures, preferences and that they are married. Those pictures will come in handy with using some Reverse Image Searching later on.
POF lookup notes :
In conclusion, POF is pretty well locked down from the public side. The only glean of informaiton it will release is the usage of a username, which still, depending on how confident in the uniqueness of the username, that in itself may be enough information for you to create a fake profile and login to POF.
How to find someone on Match (Match.com) with a username or email?
We follow the same process as we followed for POF to chech for any public data leaks on match.
API Check: No API publicically accessable.
Password reset via email: Resets without informing you of email existing.
Registration using email:
Once attempting to sign up, it will inform you an email is being used on the system. Not only that, it will allow what seems to be an unlimited amount of attempts at changing your email address to other possibilities..and then inform you if that email is being used. Someone with very basic web crawler skills could automate that function to pull out used emails on Match.com. Not sure of your target email? dont worry, match offers unlimited retries (if not unlimited, then a lot)!
Username registration : not available.
We managed to sign up to match.com using a random email address (without email confirmaiton!) and random registration information. We can now fully browse all users and see their profile pictures and full profiles. What a treasure trove of information!
Match user lookup via URL :
Once logged into our fake account, we can see that each user is assigned a number rather than a username. E.G. “https://uk.match.com/d/profile-display/65456456466554“. A determined web crawler could download every single profile by incrementing the number.
How to do a Reddit User lookup?
Performing user lookups on Reddit are not difficult, the entire site is designed to be open. As per our usual test runs, this is what we found out:
User lookup via API :
This service provides a full itinary of API access to thier site, including username confirmation. They have a lot of documentaiton on how you can access this. This is why there are so many Reddit bots, but equally they can be used to register users (and therefore determine if a user or email exists). We threw together a quick script just to test and it works rather well. We are not making it public because it can be used for mass user registrations.
Password reset via email :
You need to get the Username & password correct, in order to cause a reset..plus they dont tell you if either one exists. Nothing much we can do here.
Username remind via email :
When we attempt to ‘remind’ ourselves of the username, we get a block to wait 10 minutes. On waiting patiently, again it will not confirm nor deny existence of the username.
Username lookup via registration :
Success (if it can be classed that). On attempting to register an already used username, we are told so. Not very useful as we can simply check this via the site itself.
Finding Reddit users via URL :
The site makes it rather easy to find any user by username. You can simply use their inbuilt search function or if you want a more direct approach, you can enter it directly in the URL as so : “https://www.reddit.com/user/username/“. The corner stone of Reddit is trying to find the email address, which it does appear lock down well. The only saving grace is the hope your target uses the same username on Reddit as they do on another social media account. From running a large reverse user lookup using a tool such, this can be determined rather quickly
How to do a Snapchat user and email lookup?
Snapchat is another social networking community but its mainly via phone access only, and limited to phone users. However, we have found a number of ways to perform user lookups on snapchat.
User lookup via URL :
Access to Snapchat user profiles are not directly public. However, it allows people to post stories and have a spotlight on the main page. You’ll see there are thousands of username available on here. You can quickly perform a URL lookup on these by using the following URL combinations:
A fly in the ointment here, is if you enter a username within the above URL that does not exist, Snapchat will provide you a false positive result, meaning they give the impression the user exists whilst they don’t as seen in the picture below.
Due to us reviewing the HTML code, there is a distinct difference in the title between a user with a public story vs non-public, so checks can still be automated.
Email lookup on Snapchat :
It looks like Snapchat have done the cardinal sin when it comes to logging into user accounts. If you simply try to login but enter an email address that does not exist on their system, they will tell you there is no account! big mistake. They do not even require a bot checker should you attempt multiple email address lookups. As mentioned, hackers have built bots to mass query emails via these non-bot secured login pages to pull out the entire email list of the websites.
Username lookup on Snapchat :
Another cardinal sin by snapchat, they allow quick and easy access to check username registrations. Should you attempt to create an account, they will inform you whether a username is being used on Snapchat or not. Again, no bot verificaitons.
Phone Number Lookup on snapchat :
Snapchat is not very high in our standards with data privacy it seems. In order to determine if a phone number is being used on snapchat by simply going to the password reset screen (https://accounts.snapchat.com/accounts/password_reset/phone). You dont need to submit in order for them to inform you of this.
Cash App user lookups ?
Cash App is a payment service that allows users to transfer money using their app. Its mainly available in the USA and UK. We’ve checked this out, it has a few useful features for user lookups.
Cashapp user lookup via URL :
By design of the website, you are able to see via the URL, a user on this service. Simply type the URL followed by the username to lookup if they are using the app, E.G. https://cash.app/$fred.
We checked the rest of this app, and it has no api, no password reset and no registration. If you attempt to register, it instantly sends a code to the email or phone number in question, whether it exists or not.
How to do a Kik user Lookup ?
Kik is a chat applicaiton thats exclusivly for mobile phones. We had to access the App therefore via our mobile phone.
Kik user logon screen :
On testing the logon screen, we entered a very common email address. It gave us the message that the password was wrong for the email address! Quite shocking given how easy bots use this for hacking. Useful for us, in performing an email lookup on Kik.
We then tried entering a random password for a made up email, it let us konw the email does not exist! It allowed us to do this, even if we did not enter a password.
Email lookups on Kik (password resets) :
They only let you access the password reset screen if you access the app via the phone (wrong!). They simply dont advertise the password reset screen anywhere unless you are accessing via phone.
Once you access the app on the phone, view the HTML and you’ll see a very insecure (no SSL) password reset page. You can then get the URL (http://ws.kik.com/p), access it via a browser on a computer and you will access it without issue (makes deploying bots much easier). Did we say it has no SSL?
At least, we can presume it will not provide us any information that we can use for an email lookup like the logon screen, you would think? Surely not. If you simply enter a random long email that would not exist, they will politely tell you so. Another method of verifying email lookups on Kik.
How to do a Instagram user lookup?
Finding anyone on instagram via manual user lookups is very easy, the site is nicely designed to be public and open. You wont have issues finding people on here, the usernames are searchable via a URL lookup. They also have an internal username lookup you can use. Due to a lot of instragram accounts being fronts for business or influencers, it’s in their interest to publisise their email in Instagram. We did the standard process as we have done for the others, but I dont think you’ll have any trouble with Instragram user lookups.
Instagram URL user lookup :
Very simple, its literally “https://www.instagram.com/yourusername“. You don’t need to be logged in to see the profile. Users can set their profile to private of course, which will require you to login and add them to view their content. If your just trying to ascertain whether that username is used on Instagram, it will tell you the profile is private.
Instagram Email lookup (login screen) :
If you want to work out whether an email is currenly being used on Instragram, they make it very easy. Too easy infact, bordering on a security weakness. You can literally visit the login screen, enter the email address and any random 8 character password. If the email is not used on Instragram, it will simply inform you.
We did this for phone numbers and usernames, all of which give open answers on whether those lookups are currently being used on Instragram.
Instagram HTML Review / Jquery Review / Public API – Reset Passwords :
Something a little more interesting that caught our eye, mainly because we got bored that Instagram was so simple to perform user lookups. We checked out the password reset function. On testing a password reset, we noticed a pop-up saying ‘user does not exist’.
A popup like this typically uses client based script (Java / Jquery / CGSI script) as you can see on the picture to the right (the black line pop-up). If the script is client based, it means we can see it.
We started to review the browser console whilst re-running the request, and discovered some interesting code. This code is usually a little more obfuscated (for security reasons).
By viewing the console inspector we see a POST query to
“https://www.instagram.com/accounts/account_recovery_send_ajax/“. If we expand this information and browse to the request, we will see they provide us with the variable names of the entered values. Very handy. What do we have here you ask? we have a fully accessible API to perform mass password requests (if scripted). Also, they seem to have 4 other values as part of the api, we can only assume one of them may have been ‘planned’ to be used for source verification? but by default they are blank and the API query accepts them blank. We created a quick API request via a free tool, and can confirm it does not require the Captcha value nor the other values. Here is what we are looking at:
We don’t suggest you use this method for your own online lookups (as resetting passwords inform users if nothing else!). Its not often we find a perfect example of how to find publicly accessible (hidden) APIs to further your investigation. This methodology can be used to further your knowledge if nothing else.
Xbox Live Lookups, Minecraft Lookups, Github Lookups
I know we said that Xbox, Minecraft and Github will also be reviewed, however I think you’ve seen enough examples to repeat the process. We’ll probably do another article covering Xbox, MineCraft and Github next, plus add a few new features we use.
Too much work?
It goes without saying, it takes a lot of work to manually perform user and email lookups. You may be able to check one website on 3-10 minutes, but there are a lot of social networks. But, you are reading an article on how to do it manually, soo….
This time investment is the main reason why we built our own lookup service for free, it helps us with our work and also helps over 500,000 people each month with theirs! The site was so useful for people we decided to expand this (with significant cost to us!) and this is why we now offer an even more advanced version for $6.99 per month, with thousands of happy customers! We hope it continues to help and we are adding new websites to perform user lookups every week. Have some suggestions on the site, want new sites covered or want a particular website reviewed in the next article? simply drop us an email at [email protected]
Finally, we would like to welcome our latest partner and supporter of our website, the popular OSINT community
discord group “Oryon’s OSINT Hub’ (https://discord.gg/Ad34ZAYMr8). If you want to get involved and chat OSINT, join the group and we’ll see you there!