

From email to phone number, a new OSINT approach

Lately I’ve been spending time researching weaknesses and attack vectors in password reset options. At BSides Las Vegas I presented a tool called “Ransombile”. It automates the password reset process over SMS for many Alexa top 100 websites and facilitates targeted attacks when an attacker has physical access to a locked mobile device for a short period of time. I’ve also talked at DEF CON and CCC about the wide impact of compromising voicemail systems by abusing password reset over phone calls.

While working on these topics, I spent many hours testing and resetting passwords on various websites. At some point I started noticing a pattern I hadn’t seen before. When you want to reset a password, you enter the email address and are then presented with different options. Those usually include receiving an email with a unique link to click on, getting an SMS with a secret six-digit code, or even the option to receive a call and hear the secret code instead.

While reviewing the option of resetting a password with either an SMS or a phone call, I noticed that the UI usually shows part of the phone number. It is masked so that only a few digits are revealed, enough for the user to recognize which phone it is in case they have several. In other words, if I know your email address, I can initiate the password reset process for your accounts and obtain several digits of your phone number.

As mentioned above, I’ve spent a lot of time resetting passwords and I realized that not all websites reveal the same digits. Some show the last four, some show the first one and the last two, and so on. There is no standard way to mask personally identifiable information (PII) such as phone numbers. The masking happens entirely at the developer’s discretion, and that seemed like a problem to me.

Password reset shows 5 digits
2FA shows 3 digits

To demonstrate how far this goes, take PayPal for example. If I initiate the password reset process, it reveals the first digit and the last four. But if I log in and get challenged with 2FA, it reveals only the last three. This doesn’t make any sense. With only your email address I can get five of the ten digits of your phone number; if I know your email and password, I only get three. PayPal hides more digits from an attacker that already knows your password than from one that only knows your email address.

Digging deeper

I made a list of popular websites that people tend to be registered on and checked their password reset process. My goal was to identify which sites only ask for an email address to initiate the process (no further information needed), support mobile-based password reset, and how many digits they “leak”. Here is a small subset:

Leaks first three and last two digits:

  • eBay

Leaks first and last four digits:

  • Paypal

Leaks first and last two digits:

  • Yahoo

Leaks last four digits:

  • Lastpass

Leaks last two digits:

  • Google
  • Facebook
  • Twitter
  • Hotmail
  • Steam

If you look at the list above, we can conclude that, for example, if you have an eBay and a LastPass account, an attacker can learn seven out of ten digits of your phone number (eBay’s first three and last two, plus LastPass’s last four, which overlap on the last two), just by knowing your email address. In other words, an attacker can use your email address to reduce the possibilities for your phone number from ten billion (10^10) down to one thousand.

This is not the only combination possible but let’s focus on this scenario in this post.

Discovering the remaining numbers

We have seven out of ten digits, which means we are only missing three. At this point it is important to focus on which digits we know.

A US phone number is composed of three fields: the area code (or NPA), the exchange (or central office code, NXX) and the subscriber number (kudos to @jjarmoc, who told me about the exchange and made me realize there was more to this than I thought). There is also the country code, but we are focusing on US numbers for now.

US phone number fields

eBay + LastPass gave us the area code and the subscriber number. It is important to highlight that we are not simply missing three digits: we are missing the three digits corresponding to the exchange. This is an important distinction, as it will help us narrow down the possibilities even further.


I put quite a number of hours into researching and learning about exchanges. My main goal was to understand whether I could reliably reduce the remaining thousand possible phone numbers by detecting exchange codes that are not assigned in a given area code.

Enter the North American Numbering Plan Administrator (NANPA), which administers the numbering plan for the public switched telephone network in Canada, the US and its territories, and some Caribbean countries. Their website is a goldmine! I learned so much about how the telephone system works just from this source. Most importantly, I found exactly what I was looking for.

NANPA maintains an up-to-date, publicly accessible list of area codes and the exchanges assigned within each. It is updated frequently, and you can query the data or download a parseable file with all the information.

Exchanges in San Francisco

How useful is this? Well, let’s take San Francisco’s 415 area code. If I am only missing the three digits corresponding to the exchange, I have a thousand possible numbers for my target. Using the NANPA dataset, I reduced that to 784 possible numbers, because there are 216 exchange codes not assigned in the 415 area code. That is a reduction of over 20%, not bad!

But how good does it get? I played with different area codes and, for example, Alaska’s 907 area code has only 625 exchanges assigned. That’s 375 phone numbers we don’t need to consider anymore, just by using the valuable information NANPA provides. Or Tacoma’s 253 area code, with only 458 exchanges assigned: we got rid of over half of the possible phone numbers.

What if the target only has a PayPal account? We know five out of ten digits. But again, which ones? We have the first digit of the area code and the last four digits (the subscriber number). Let’s imagine you know the target is from California. Thanks to NANPA, we know all the area codes corresponding to California. There are only two area codes in California that start with 2, 213 and 209. Another two start with 3, two start with 4, and so on. Knowing the first digit of the area code, you can still infer the first three digits of the phone number fairly easily.

National Pooling Administration

But what if the target only has an eBay account? Or PayPal + Google? We have the area code and the last two digits of the subscriber number. Again, let’s focus on which digits we know. I discussed above how we can use NANPA’s public records to narrow down possible numbers based on the area code and the exchange. Are there any public records that can help us discard invalid phone numbers based on the subscriber number? Yes! Thanks to the National Pooling Administration.

Ready? Number pooling is a way to assign smaller blocks of numbers (in the thousands) to growth areas. Historically, a phone number is a way of routing a call to a person in a physical location. Take 415-272-XXXX. The first three digits narrow it down to a wider area like San Francisco, the 272 exchange is specific to Sausalito, and the missing four digits specify the actual person (subscriber) in that limited area. Because a carrier owns a specific area code + exchange combination, this means there are 10,000 phone numbers assigned to Sausalito residents that have a plan with AT&T (the carrier owning 415-272).

As of 2017, Sausalito has 7,110 residents. This means that of the 10k available numbers, at most 7k will be used, and that is only if everyone is an AT&T customer. With this way of assigning numbers, many go to waste and are never used.

The arrival of cable modems and VoIP services, which made it easier to become a carrier, worsened the problem. The FCC decided that numbers should be assigned in smaller blocks in growth areas, specifically in blocks of a thousand numbers rather than ten thousand. Therefore, blocks of numbers are assigned to carriers as XXX-XXX-X, including the first digit of the subscriber number.

The National Pooling Administration is responsible for managing this and has public records of the assigned blocks, including the subscriber digit. We can use this data to further discard invalid numbers. For example, taking our Sausalito number 415-272-XXXX, which is missing the last four digits, we can use the public records to discard phone numbers like 415-272-[0-8]XXX and focus only on numbers whose subscriber number starts with 9. In other words, we have reduced the possible valid phone numbers from ten thousand to one thousand.

9th block is the only one assigned

Still… many possible numbers remaining

You have your target’s email address; he happens to be from Tacoma and has an eBay and a LastPass account. You initiate the password reset process and harvest seven out of ten digits of his phone number. Now you can use NANPA to get rid of 542 and reduce the list to 458 possible numbers for that email address. Then you use the National Pooling Administration data to check whether the thousands block you have is assigned for each of the possible exchanges, reducing the valid phone numbers to 445.
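Putting the pieces together, here is an added example in Python (mine, not code from this post or from the email2phonenumber tool) that does the three things described above: it merges the masked hints several sites show for one email address into a single partial number, expands the unknown digits, and then discards candidates using NANPA exchange assignments and pooling thousands-block assignments. Everything in it is constructed sample data: the real NANPA list for 253 has 458 exchanges, the one here has seven so the counts stay easy to follow, and the pooling block list is likewise invented. Two choices are assumptions of the example rather than facts from the post: an NPA-NXX missing from the pooling data is treated as unpooled and kept in full, and a conflict between two sites' revealed digits raises an error, since two masks that disagree cannot describe the same phone number and are not worth brute-forcing.

```python
# Added example, not code from the post or from email2phonenumber.
# All three data sets below are CONSTRUCTED; real ones come from NANPA's
# NPA/NXX reports and the National Pooling Administration's block reports.
from itertools import product

DIGITS = "0123456789"

# One fictitious number as eBay (first three + last two) and LastPass
# (last four) would mask it.
SAMPLE_HINTS = {
    "ebay": "253-***-**12",
    "lastpass": "***-***-5512",
}

# Stand-in for NANPA's exchange (NXX) list per area code (NPA).
NANPA_EXCHANGES = {
    "253": {"222", "272", "335", "555", "627", "848", "951"},
}

# Stand-in for the pooling block report: (NPA, NXX) -> assigned thousands
# block digits. ASSUMPTION: an NPA-NXX absent here is unpooled, i.e. the
# code holder owns all ten blocks, so nothing is discarded for it.
POOLED_BLOCKS = {
    ("253", "272"): {"5", "9"},
    ("253", "555"): {"0", "1"},
    ("253", "627"): {"5"},
}


def merge_masks(hints):
    """Combine per-site masks into one 10-char mask ('*' = still unknown).
    Punctuation is ignored. A ValueError means two sites disagree on a
    revealed digit: different numbers on file, or not the same person."""
    merged = ["*"] * 10
    for site, mask in hints.items():
        body = "".join(ch for ch in mask if ch.isdigit() or ch == "*")
        if len(body) != 10:
            raise ValueError(f"{site}: expected 10 positions, got {len(body)}")
        for i, ch in enumerate(body):
            if ch == "*":
                continue
            if merged[i] not in ("*", ch):
                raise ValueError(f"{site}: position {i} is {ch}, another site showed {merged[i]}")
            merged[i] = ch
    return "".join(merged)


def expand(mask):
    """Every 10-digit number fitting the mask: 10 ** (number of '*')."""
    holes = [i for i, ch in enumerate(mask) if ch == "*"]
    candidates = []
    for fill in product(DIGITS, repeat=len(holes)):
        chars = list(mask)
        for i, d in zip(holes, fill):
            chars[i] = d
        candidates.append("".join(chars))
    return candidates


def split_nanp(number):
    """NPA (area code), NXX (exchange), subscriber number."""
    return number[:3], number[3:6], number[6:]


def filter_nanpa(candidates, exchanges_by_npa):
    """Keep numbers whose NPA exists and whose NXX is assigned within it."""
    kept = []
    for number in candidates:
        npa, nxx, _ = split_nanp(number)
        if nxx in exchanges_by_npa.get(npa, set()):
            kept.append(number)
    return kept


def filter_pooling(candidates, pooled_blocks):
    """Keep numbers whose thousands block (NPA-NXX-X) is assigned; an
    unpooled NPA-NXX keeps all ten blocks (see POOLED_BLOCKS)."""
    kept = []
    for number in candidates:
        npa, nxx, subscriber = split_nanp(number)
        blocks = pooled_blocks.get((npa, nxx))
        if blocks is None or subscriber[0] in blocks:
            kept.append(number)
    return kept


def reduce_candidates(hints, exchanges_by_npa, pooled_blocks):
    """Whole pipeline: returns (remaining numbers, per-stage counts)."""
    mask = merge_masks(hints)
    candidates = expand(mask)
    counts = {"mask": mask, "expanded": len(candidates)}
    candidates = filter_nanpa(candidates, exchanges_by_npa)
    counts["after_nanpa"] = len(candidates)
    candidates = filter_pooling(candidates, pooled_blocks)
    counts["after_pooling"] = len(candidates)
    return candidates, counts


if __name__ == "__main__":
    remaining, counts = reduce_candidates(SAMPLE_HINTS, NANPA_EXCHANGES, POOLED_BLOCKS)
    print(counts)  # mask 253***5512, expanded 1000, after_nanpa 7, after_pooling 6
    for number in remaining:
        print("-".join(split_nanp(number)))
```

With the real data sets the same code reproduces the post's numbers (1000 candidates, 458 after NANPA, 445 after pooling); swap `NANPA_EXCHANGES` and `POOLED_BLOCKS` for parsed copies of the downloaded reports. The merge step deserves attention in practice: the digits one site reveals come from whatever number that account has on file, so a conflict between sites is a signal to stop, not noise to ignore.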

What now? It is still a fair amount of phone numbers. I would claim that reducing ten billion possible phone numbers down to 445 knowing only an email address is pretty significant. The remainder could even be tested manually. But the goal is to reduce the possibilities as much as possible before attempting any manual verification. Let’s go back to the drawing board!

There are a number of ways you could take the remaining phone numbers and see if they are somehow linked to the email address. Use search engines with well-defined search operators to find clues in case the target left his phone number in a forum, website, etc. Look the numbers up on online services like Pipl, BeenVerified or Spokeo, which have huge databases of people’s personal information. You could even use telephone-system online services that let you reverse search the owner of a phone by its number, basically a phonebook in reverse. I was actually pretty shocked by the amount of personal information I was able to get from services like WhitePages via its Twilio add-on just by providing a phone number and paying ten cents.

These options are good but not 100% reliable. You may not find anything in search engines, the online data farms may not have your target’s phone number, and WhitePages tends to be somewhat outdated; many times it just doesn’t have the information you need. So I started to think of new ways I could reliably obtain the phone number assigned to an email address.

Reusing the same attack vector, in reverse

It did not take long to get to that sweet “Eureka” moment. I reflected on the steps I took to get this far. I was abusing the password reset function of online services to collect a few digits of the phone number assigned to an email…

Hmmm… I reset the password by entering an email… and I get a few digits back. Can I… reset the password by entering a phone number and get a few email characters back?

Amazon password reset using phone number

Eureka! It turns out there are popular services, like Amazon and Twitter, that allow you to reset the password by entering a phone number and then send an email to complete the process. Most importantly, they display a few characters of the email address the link will be sent to. In Amazon’s case, you get the first and last letter of the username and the full domain. You also get the length of the username, as the number of * characters matches the number of masked characters.

Twitter shows you the first two characters of the username and the first one of the domain. You will also know the length by counting the asterisks.

The attack vector looks like this:

1. Use the target’s email address to initiate the password reset process on multiple sites to harvest several phone number digits

2. Reduce the list of possible phone numbers by discarding non-existent area codes, exchanges and subscriber blocks using NANPA and National Pooling Administration publicly available data

3. Initiate the password reset process iterating over the remaining phone number list and correlate the leaked email characters against the target’s email address

By following these steps, you will be able to obtain the full ten-digit phone number associated with the email address, without having to make a single call! Just by abusing password reset options and brute-forcing efficiently using publicly available information.
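The reverse correlation of step 3, as an added example in Python; it is not code from the post or from the email2phonenumber tool, and it contacts no live service. The two mask functions are constructed models of the Amazon-style hint (first and last character of the username plus the full domain) and the Twitter-style hint (first two characters of the username and the first character of the domain; that the dots are kept is an assumption of the example), `FAKE_ACCOUNTS` stands in for a service's account database, and the candidate list is the six numbers left over by the reduction example above. The deliberate near miss (`john.doe` next to `jane.doe`) shows why a single mask match is a lead rather than a confirmation, and why intersecting the hits from two services helps.

```python
# Added example, not code from the post or from email2phonenumber.
# No network: FAKE_ACCOUNTS and the two mask styles are constructed models
# of the Amazon- and Twitter-style hints described in the post.

TARGET_EMAIL = "jane.doe@example.com"

# Constructed: the six candidates left after the NANPA/pooling reduction.
CANDIDATES = ["2532225512", "2532725512", "2533355512",
              "2536275512", "2538485512", "2539515512"]

# Constructed account database of a fake service: number -> email on file.
# john.doe is a deliberate near miss: same length, same first/last letter.
FAKE_ACCOUNTS = {
    "2532225512": "john.doe@example.com",
    "2532725512": "jane.doe@example.com",
    "2533355512": "jd@example.org",
}


def mask_matches(masked, email):
    """True if `email` fits `masked`: each '*' hides exactly one character,
    every other character must match (case-insensitively).  Because one '*'
    is one character, the length leak is enforced as well."""
    if len(masked) != len(email):
        return False
    return all(m == "*" or m.lower() == e.lower() for m, e in zip(masked, email))


def amazon_style_mask(email):
    """Model of the Amazon hint: first and last username character, '*' in
    between, full domain.  Assumes usernames of at least two characters."""
    user, domain = email.split("@", 1)
    hidden = "*" * max(len(user) - 2, 0)
    return f"{user[0]}{hidden}{user[-1]}@{domain}"


def twitter_style_mask(email):
    """Model of the Twitter hint: first two username characters, first
    domain character, dots kept (assumption), everything else '*'."""
    user, domain = email.split("@", 1)
    masked_user = user[:2] + "*" * max(len(user) - 2, 0)
    masked_domain = "".join(ch if i == 0 or ch == "." else "*"
                            for i, ch in enumerate(domain))
    return f"{masked_user}@{masked_domain}"


def fake_reset_hint(number, style):
    """Stand-in for the reset request: the masked email the fake service
    shows for `number`, or None when no account uses that number."""
    email = FAKE_ACCOUNTS.get(number)
    if email is None:
        return None
    return amazon_style_mask(email) if style == "amazon" else twitter_style_mask(email)


def correlate(candidates, target_email, hint_for_number):
    """Numbers whose reset hint the target email fits.  A hit is a lead, not
    proof: several emails can fit one mask (see john.doe above)."""
    hits = []
    for number in candidates:
        masked = hint_for_number(number)
        if masked is not None and mask_matches(masked, target_email):
            hits.append(number)
    return hits


def find_number(candidates, target_email, styles=("amazon", "twitter")):
    """Intersect the hits of every available service; the survivors are the
    numbers worth confirming by hand."""
    survivors = list(candidates)
    for style in styles:
        survivors = correlate(survivors, target_email,
                              lambda n, s=style: fake_reset_hint(n, s))
    return survivors


if __name__ == "__main__":
    print(amazon_style_mask(TARGET_EMAIL))   # j******e@example.com
    print(twitter_style_mask(TARGET_EMAIL))  # ja******@e******.***
    print(correlate(CANDIDATES, TARGET_EMAIL, lambda n: fake_reset_hint(n, "amazon")))
    print(find_number(CANDIDATES, TARGET_EMAIL))  # ['2532725512']
```

Against real services `fake_reset_hint` would be replaced by the actual reset request, and that is where the rate limiting, captchas and request randomization the tool deals with come in; the matching logic itself does not change. Treating '*' as exactly one character is what turns the leaked length into a filter, which is why a mask with the wrong number of asterisks is rejected outright.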


The attack vector above can be carried out manually. You can use services like namechk to pinpoint where to go harvest digits, look at NANPA’s data yourself to discard invalid numbers, and even brute-force the remaining phone numbers to find the matching email using web proxy features like Burp’s Intruder. But you don’t need to: I wrote a tool that will do all this for you.

email2phonenumber is a tool that lets you provide a partial phone number and get a list of all the possible valid phone numbers, eliminating non-existent area codes and exchanges. The tool will also let you brute-force phone numbers using Amazon’s and Twitter’s password reset features and correlate the masked emails against the one you provided, looking for a match. It attempts to fly under the captcha radar by replicating user behavior and randomizing some parameters in the requests. It also supports the use of proxy servers. What we are doing is starting the password reset for many different phone numbers, which means the services cannot detect you based on a specific phone number you are hammering on.

There are multiple other services that allow password reset using phone numbers and could be used for the same purpose. The tool currently supports Amazon and Twitter for brute-forcing; the idea is to get support from the community through pull requests to add more.

You can find the tool in my github repo.