Social Media OSINT: LinkedIn, Twitter/X, Instagram

Last updated: April 26, 2026

Social media OSINT — LinkedIn for org charts, Twitter/X for technical leakage, Instagram for lifestyle and geolocation. For pre-engagement reconnaissance and threat-intel, the platforms each yield different intelligence. This article covers practical workflow.

LinkedIn

The single highest-value platform for corporate OSINT. Yields:

• Org structure (employees, roles, reporting relationships inferred)
• Technology stack (job descriptions reveal tools used)
• Recent hires and departures
• Email pattern ([email protected] inferred from public profiles)

# Manual workflow
# 1. Search LinkedIn for company name
# 2. People tab → filter by current employer
# 3. Browse profiles for technical details

# Automated (within LinkedIn ToS limits):
# - LinkedInt — scrape employee names + title (use sock puppet)
# - phantombuster — paid LinkedIn automation
# - Apollo.io / Lusha / Hunter.io — commercial people-data providers

Email pattern inference: 4-5 known employee names + Hunter.io API → derive likely email format → enumerate full employee list with predicted emails.

Twitter / X

For technical leakage and adversary research:

• Engineers tweeting about infrastructure (cloud provider migrations, framework choices, CVE responses)
• Security researchers disclosing vulnerabilities
• Threat actors operating semi-public accounts

# Search syntax
"company name" filter:images
from:CISO_handle since:2024-01-01
"#bug" "#bounty" target_domain

# Tools
twint (legacy, broken since X API changes)
SocialBearing — paid X analytics
snscrape — works for some platforms despite API changes

# Network analysis
Hoaxy / TwitterAtlas — for retweet/follower graphs (research)

Instagram

Lifestyle, geolocation, and verification:

• Subject’s lifestyle (relevant for fraud / insider investigations)
• Geolocation via tagged photos
• Network of associates
• Verification of identity claims

Instagram has aggressive anti-scraping; manual investigation via sock-puppet account is the practical method.

Cross-platform username correlation

# Sherlock — search hundreds of platforms for username
sherlock <username>

# WhatsMyName — same idea, web-based
https://whatsmyname.app/

# Maigret — comprehensive username investigator
maigret <username>

The OPSEC reality

• LinkedIn shows visitor identities to subjects (unless investigator’s account is set to private mode)
• X / Twitter shows nothing about visitors
• Instagram shows account interactions (likes, follows) but not passive views
• Discord, Telegram, Reddit have varying levels of visitor privacy

For sensitive investigations, sock-puppet accounts on each platform are infrastructure.

Indian-context considerations

• LinkedIn India is the dominant professional network — high coverage of Indian employees
• Instagram is heavily used in India; geolocation findings frequent
• X / Twitter has lower penetration but high coverage of Indian tech leadership
• Indian regional platforms (Koo, ShareChat) have niche use cases

Compliance angle

• DPDP §8(5) — investigations involving personal data must have lawful basis
• IT Act — unauthorised aggregation may cross legal lines for some use cases
• Platform ToS — automated scraping often violates terms; legal action by platform is possible

The takeaway

Social media OSINT is the bedrock of both red-team OSINT and threat-intel investigations. LinkedIn for org structure, X for technical details, Instagram for lifestyle/geolocation. Cross-platform correlation via Sherlock or Maigret produces a coherent profile. The toolchain is mature; the discipline is OPSEC and ethical scoping.