Let’s be honest—this is a tough topic. And it’s not because it’s hard to gain access to data leaks and start analyzing them—not at all. There are many different sources, often paid, that offer great ease in analyzing such data.
However, the whole issue in the world of OSINT analysis is somewhat of a taboo. Whenever the ethical aspects of using such knowledge are brought up, even the biggest authorities in this area tend to shy away from the conversation. After all, data leaks often happen due to illegal actions (theft, hacking), or accidental human error…
…and OSINT refers to all those investigative and analytical actions on the internet (and beyond—don’t forget about press analysis, for example) that are considered ethical. Therefore, an OSINT analyst should not be breaking into anything, hacking, or bypassing security by exploiting identified vulnerabilities.
So what should an OSINT analyst do? We should properly use available tools to gather as much information as possible from open sources without endangering or interacting with the subject being analyzed.
Should you use data leaks?
Absolutely—use tools that allow you to gather more knowledge and context.
BUT, if by chance the leaked data includes a password for your subject, NEVER use it to attempt logging in or breaking into any accounts. That step is no longer OSINT. Anything you obtain after logging into someone’s profile, email, or any other account would be considered electronic communication, and in most developed European democracies, accessing such data is strictly regulated. Only specialized authorities, with court approval and proper legal grounds, can operate in this space.
OSINT essentially ends when you must interact with the subject. Everything you can gather from the internet ethically is fair game. Everything beyond that—leave to the appropriate authorities who are professionally equipped to handle it.
Think about it! 😎
