Learn the Email-to-Contact Conversion with XIT

How to Find Phone Number with Email Address

📧>>☎️ The Email Hack You’ve Been Waiting For..

XIT
6 min read · Nov 5, 2023


Have you ever tried to reset your passwords on different websites? I did, and it took me a while. But here’s the interesting part: I noticed something. When you’re resetting a password, you usually enter your email and then have options. You can get an email with a special link, receive an SMS with a secret six-digit code, or even get a phone call with the secret code.

Now, here’s the twist. When you choose the SMS or phone call option, the website often shows part of your phone number. But, it’s not the whole number; just a few digits. Enough for you to recognize it if you have multiple phones. In simple terms, if I know your email, I can start the password reset for your accounts and see some of your phone number.

But wait, here’s the catch. Not all websites show the same digits. Some show the last four, some show the first one, and others show different combinations. There’s no fixed way to hide personal information like phone numbers. It’s all up to the website developers, and that’s a problem, don’t you think?

Understanding the concept..

Let’s practically understand this with Instagram as our example. Imagine you’re trying to reset your password on Instagram. When you start the process, they show you the first digit and the last four digits of your phone number.

But here’s the head-scratcher: if you log in and they ask for two-factor authentication (2FA), they only reveal the last three digits. It’s a bit puzzling, right? With just your email, I can figure out five of the ten digits in your phone number. But if I know both your email and password, I’ll only see three (if the account has 2FA enabled).

Surprisingly, Instagram hides more of your phone number from someone who knows your password than from someone who only knows your email. It’s a bit of a mystery!

Phone Number Privacy List (According to Website)

I decided to create a list of well-known websites where people often register, and I took a closer look at their password reset processes. My aim was to find out which websites only required your email to start the process, which supported mobile-based password reset, and how many digits of your phone number were revealed during the process. Here’s a part of the list I found:

eBay (first three and last two digits)
Amazon (first three and last two digits)
Airbnb (first three and last two digits)
LinkedIn (first three and last two digits)
Walmart (first three and last two digits)
Dropbox (first three and last two digits)
Vimeo (first three and last two digits)
Pinterest (first three and last two digits)
Evernote (first three and last two digits)
Quora (first three and last two digits)
TripAdvisor (first three and last two digits)
GoDaddy (first three and last two digits)
Slack (first three and last two digits)
Zillow (first three and last two digits)
Pandora (first three and last two digits)
Etsy (first three and last two digits)
Hulu (first three and last two digits)
Salesforce (first three and last two digits)
SoundCloud (first three and last two digits)
Uber (first three and last two digits)

PayPal (first and last four digits)
Microsoft (first and last four digits)
Apple (first and last four digits)
Netflix (first and last four digits)
Adobe (first and last four digits)
Spotify (first and last four digits)
Snapchat (first and last four digits)
Reddit (first and last four digits)

Yahoo (first and last two digits)
Instagram (first and last two digits)
Dropbox (first and last two digits)
Tumblr (first and last two digits)
Reddit (first and last two digits)

LastPass (last four digits)
GitHub (last four digits)
Bitbucket (last four digits)
Trello (last four digits)
Evernote (last four digits)

Google (last two digits)
Facebook (last two digits)
Twitter (last two digits)
Hotmail (last two digits)
Steam (last two digits)

Now, let’s break it down. For instance, if you have accounts on both eBay and LastPass, an attacker could potentially figure out seven out of the ten digits in your phone number, just by knowing your email address. In simpler terms, your email address can help an attacker narrow down the possibilities of guessing your phone number from one billion options to just one thousand.

Keep in mind that this is just one possible combination, but we’ll focus on this scenario in this blog.
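
The eBay plus LastPass arithmetic above, generalized as an added example (not the author's code): it overlays the masking groups from the list and reports how many digits stay hidden, and lets a service owner check whether a chosen mask leaks digits that other services keep hidden. The policy names, helper functions and the sample number are assumptions, and "first and last N digits" is read here as the first digit plus the last N.

```python
# Added example: overlay the masking policies from the list and measure what stays hidden.
# Policy names and helpers are illustrative assumptions, not any site's real API.

# (digits shown from the start, digits shown from the end), one entry per group in the list
POLICIES = {
    "first3_last2": (3, 2),   # the eBay group
    "first1_last4": (1, 4),   # the PayPal group (assumed: first digit + last four)
    "first1_last2": (1, 2),   # the Yahoo group (assumed: first digit + last two)
    "last4": (0, 4),          # the LastPass group
    "last2": (0, 2),          # the Google group
}

def revealed_positions(policy, length=10):
    """Indexes of the digits a policy displays."""
    head, tail = POLICIES[policy]
    return set(range(head)) | set(range(length - tail, length))

def mask(number, policy):
    """Render a number the way a site using this policy would display it."""
    shown = revealed_positions(policy, len(number))
    return "".join(d if i in shown else "X" for i, d in enumerate(number))

def combined_exposure(policies, length=10):
    """Overlay several policies: (digits revealed, candidate numbers left)."""
    shown = set()
    for p in policies:
        shown |= revealed_positions(p, length)
    return len(shown), 10 ** (length - len(shown))

def new_digits_leaked(candidate, existing, length=10):
    """Digits a candidate policy would expose beyond what existing ones already show."""
    already = set()
    for p in existing:
        already |= revealed_positions(p, length)
    return len(revealed_positions(candidate, length) - already)

if __name__ == "__main__":
    sample = "2025550147"  # constructed number from the fictional 555-01xx range
    print(mask(sample, "first3_last2"), mask(sample, "last4"))
    print(combined_exposure(["first3_last2", "last4"]))
    print(new_digits_leaked("last2", ["last4"]), new_digits_leaked("first3_last2", ["last4"]))
```

A mask whose `new_digits_leaked` against the commonly used policies is zero adds nothing to what an email-only observer can already assemble.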

Understanding the threats..

I’ve shown you how someone can find your phone number starting with just your email. But why is that a concern? Well, let’s look at it from different angles, like privacy and security. Here are several ways this method can lead to potential threats:

  1. SIM Swapping (reset passwords, and bypass 2FA)
  2. SS7 Attacks (exploiting carrier protocol to track locations, eavesdrop on calls, intercept texts, and initiate fraud)
  3. Voicemail Vulnerability (data theft, identity theft)
  4. Location Tracking (enabling physical harm, privacy invasion)
  5. Caller ID Spoofing (manipulating caller IDs for deceptive social engineering, leading to fraud or impersonation)
  6. Phishing Attacks (using phone number for targeted phishing campaigns)
  7. Identity Theft (can impersonate you for financial fraud or reputation damage)
  8. Harassment (unwanted texts, calls, or stalking may lead to emotional distress)
  9. Account Takeover (unauthorized access to your online accounts)
  10. Robocalls (automated spam calls and messages leading to scams)
  11. Social Engineering (can manipulate you through your phone number, leading to financial loss, data breaches, or identity theft)

Understanding practically..

The process begins with the possession of an email address. We gather the digits revealed across different websites associated with that email. To fill in the rest, we generate combinations of possible phone numbers using the Python code given below; you may develop more advanced code, as this is just a basic start. For example, from an initial number like 703XXXX891, we create a list of potential numbers.

# you can even use the random library for the same concept
import itertools

# target masked number; each X is a hidden digit
initial_number = "703XXXX891"

combinations = []

# generate every filling of the four hidden digits (10,000 candidates)
for combination in itertools.product("0123456789", repeat=4):
    new_number = initial_number.replace("XXXX", "".join(combination))
    combinations.append(new_number)

# save the candidates to a file, one per line
with open("number_combinations.txt", "w") as file:
    for combination in combinations:
        file.write(combination + "\n")

Then, we move on to the next step, which involves testing each number combination on well-known social sites and matching it against an email similar to the target's. We use a separate Python script to perform this testing, attempting a reset by phone number on the list of specific sites. During this process, we check whether any of the generated numbers matches the exact email we’re investigating. This method allows us to potentially identify the phone number associated with the email address through a combination of data collection, number generation, and site testing. You can further brute-force this list of numbers on other websites until you obtain an email similar to your target's. You can write custom code to perform this automatically and quickly.
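
The candidate testing described above leaves a recognizable trace on the receiving side: one source submits many distinct numbers that agree on the digits a mask reveals. The following is an added detection example, not code from the original post; the log format, function names and thresholds are assumptions, and the log lines are constructed.

```python
# Added example: flag sources whose reset attempts look like mask-constrained enumeration.
# Log format ("timestamp source path number") and thresholds are assumptions.
from collections import defaultdict

def constant_positions(numbers):
    """Digit positions where every number in the set has the same value."""
    first = next(iter(numbers))
    return [i for i in range(len(first)) if all(n[i] == first[i] for n in numbers)]

def flag_enumeration(log_lines, min_distinct=5, min_constant=5):
    """Return {source: shared pattern} for sources that submit many distinct
    same-length numbers sharing at least min_constant fixed digits."""
    by_source = defaultdict(set)
    for line in log_lines:
        _ts, source, _path, number = line.split()
        by_source[source].add(number)
    flagged = {}
    for source, numbers in by_source.items():
        if len(numbers) < min_distinct or len({len(n) for n in numbers}) != 1:
            continue  # too few attempts, or mixed lengths: not this pattern
        fixed = constant_positions(numbers)
        if len(fixed) >= min_constant:
            sample = next(iter(numbers))
            flagged[source] = "".join(
                c if i in fixed else "X" for i, c in enumerate(sample))
    return flagged

# Constructed sample log. 198.51.100.7 varies only the four hidden digits of the
# page's 703XXXX891 example; 203.0.113.9 is an ordinary user retrying a typo.
MIDDLES = ["0040", "1951", "0862", "1773", "0684", "1595"]
SAMPLE_LOG = [
    f"2023-11-05T10:00:{i:02d}Z 198.51.100.7 /password/reset 703{m}891"
    for i, m in enumerate(MIDDLES)
] + [
    "2023-11-05T10:01:00Z 203.0.113.9 /password/reset 2025550147",
    "2023-11-05T10:01:09Z 203.0.113.9 /password/reset 2025550174",
]

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

The recovered pattern shows which digits the source already knew, which helps when deciding whether the reset flow's own mask or another service's mask supplied them.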
