Cyber Security Blog

Stay ahead of the curve with industry trends, cutting edge tech and inventive strategies.

5 Unexpected Risks We’ve Found in OSINT Investigations

Key Takeaways

  • Serious security risks can be uncovered through publicly available information alone, with no data breach or system compromise required.
  • A single social media photo can expose an employee’s home address through small background details like street signs or a car’s satnav screen.
  • Forgotten subdomains left unmonitored can be hijacked and used to host malicious or reputation-damaging content under your own domain.
  • Personal device compromise can expose company credentials and session tokens, bypassing password protections entirely.
  • Publicly published content, like a virtual facility tour, can give attackers what they need to plan a physical intrusion.

Why OSINT Investigations Matter

You can monitor everything inside your perimeter. You have alerts, dashboards, and a team watching your systems around the clock. But outside those boundaries, information about your organisation is publicly accessible, and in most cases, security teams have no visibility of what that information reveals, who is looking at it, or how it is being used … until it is too late.

 

That is where open source intelligence (OSINT) comes in. OSINT is the collection and analysis of publicly available information to produce actionable threat intelligence, giving security teams visibility of their external digital footprint. And in our experience, the security risks that footprint reveals are rarely what organisations expect.

 

Here are five anonymised findings from real OSINT investigations that surprised the organisations we were working with.

Case 1: How a coffee mug photo led us to an employee’s home address

What we found

During a proof-of-concept engagement, I was reviewing social media activity for an organisation. One of their sales team had posted a photo on LinkedIn, a company-branded mug in their car before an industry event. Harmless enough.

But in the background, slightly blurred on the car’s satnav, were visible road names. Cross-referencing those with the employee’s publicly listed city of residence, I was able to pinpoint their likely home address within a small radius.

The risk

  • Knowing where an employee lives opens them up to physical threats and targeted surveillance
  • An attacker could use the information to pose as a service provider, delivery driver, or IT representative
  • For a senior executive, the security risks would be considerably higher
  • The post had been live for two years, no one had flagged it as a risk

The implication

One photo. One home address. No breach required. Social media monitoring is not just about what people say, it is about what is visible in the background.

Case 2: How a forgotten subdomain became a gambling website

What we found

During a monitoring engagement, I was checking a client’s subdomains. Organisations often lose track of these, particularly old test or development environments that get shut down but never properly cleaned up, becoming a part of a potential attack surface.

I did not find what I was looking for. But when I adjusted my approach to check what was being hosted on their existing subdomains, I found something else entirely. Under one of the company’s own web addresses was an Indonesian gambling website.

The risk

  • Attackers inherit the domain’s existing reputation rather than building trust in a new one
  • Highly effective for phishing, users checking the link would see a legitimate company domain
  • Internal applications that trust subdomains could be exploited to intercept sensitive data
  • The organisation had no visibility of it whatsoever

The implication

This was not a vulnerability waiting to be exploited. It was active exploitation, already happening. OSINT investigations do not just surface potential risks, sometimes they find risks that are already being used against you.

Case 3: How searching beyond the brief uncovered a confidential contract

What we found

When conducting document searches for a client, the initial brief was clear: monitor our own domain only. I carried out those searches. But then I decided to look further, to see what might be sitting on third-party sites.

I found a document marked COMPANY CONFIDENTIAL on a third-party site. It was a private contract between the client and another organisation, one that had never been publicly associated with our client. The document was fully accessible to anyone who searched for it.

The risk

  • The document itself should never have been publicly accessible
  • It exposed a business relationship that was meant to be entirely private
  • Competitors, journalists or other third parties could have found it at any time
  • An automated tool running predefined searches against the client’s own domain would never have found it

The implication

The moment the client saw the document, their stance changed immediately, from “only monitor our domain” to “find out what else is out there.” This is one of the most consistent lessons from running OSINT services: the scope organisations think they need is rarely the scope that surfaces the most important findings.

Case 4: How did a game mod download put company systems at risk?

What we found

During routine dark web monitoring for a client, I identified a stealer log containing credentials linked to an employee device. A stealer log is not just a leaked username and password, it is a comprehensive capture of everything on a device at the time of infection. Passwords, session tokens, authentication cookies, keystroke logs, autofill data. Everything.

Analysing the log, I could see the device was being used to access both personal sites and company systems. I could also see where the infection had come from. The user had been attempting to download and install GTA mods from an unofficial source, a common malware delivery method.

The risk

  • Company system logins were captured and sent to attackers
  • Session tokens and authentication cookies were exposed, allowing attackers to bypass password requirements entirely
  • The infection was ongoing, changing passwords alone would not have resolved it
  • It would never have triggered an internal alert

The implication

One personal device. Company systems at risk. And it would never have triggered an internal alert.

This case also illustrates one of the most overlooked attack surfaces in most organisations. When employees access company systems from personal devices, the security controls your organisation has invested in offer no protection against what happens on that device outside of work. Deep and dark web monitoring is often the only way to find out that a personal device has become a risk to your organisation. Check out the NCSC’s guidance on BYOD for more on managing this risk

Case 5: How did a virtual building tour help plan a physical break-in?

What we found

Before conducting a physical social engineering assessment for a client, I was asked to perform OSINT preparation, exactly as an attacker would, before attempting to gain unauthorised access to a building. I identified third-party suppliers, employee names and roles, and other useful intelligence from publicly available sources.

But the most significant find was not on the dark web or in a breach database. It was on the company’s own website. They had published a full 360-degree 3D virtual tour of their facility, designed to help prospective customers understand what they could offer.

The risk

  • Building routes and entry points were mappable before setting foot inside
  • IT equipment brands and technologies were identifiable from the tour
  • High-value target rooms including server rooms were clearly visible
  • The information intended to help customers was sufficient to plan a realistic intrusion

The implication

The most significant finding in this investigation was published on their own front page. The client knew it was there but wasn’t aware of the risk. Real attackers build trust by appearing to know things only an authorised person would know, a room number, a piece of equipment, a name on a lanyard. The information needed to build that trust is often sitting in plain sight.

What does this mean for your organisation?

These real OSINT case studies have one thing in common: none of them required a data breach. None required unauthorised access to systems. All of them came from publicly available information, waiting to be found by someone who knew where to look.

The most valuable OSINT examples often come from sources organisations never think to check:

  • a background detail in a photo
  • a forgotten subdomain
  • a document on a third-party site
  • a virtual tour on their own website

Find out what OSINT investigations might reveal about your organisation. Visit our OSINT for business service page or get in touch to discuss your requirements.

Ready to achieve your security goals? We’re at your service.

Whether you are a CISO, an IT Director or a business owner, Equilibrium has the
expertise to help you shape and deliver your security strategy.

About the author

Eve is a Cyber Security Consultant who works across a range of cyber security services, including Cyber Essentials, penetration testing, phishing simulations and open source intelligence (OSINT). She is passionate about helping organisations understand and reduce cyber risk through practical, effective security services that strengthen resilience.
Penetration Tester at Omni and Equilibrium
Eve Ashton
Cyber Security Consultant

Latest posts