Hardening

Ethical OSINT: Investigating Your Own Digital Footprint with Maltego and Spiderfoot

By the Basilisk Team

Before a stalker, hostile recruiter, or data broker finds you, do the work yourself. Maltego and Spiderfoot turn public fragments into a personal attack map.

You have already been doxxed and you do not know it. One recent Sunday morning I pointed Spiderfoot HX at my main email and pulled 412 hits in 38 minutes: brokers like BeenVerified and Spokeo, old Collection #1 dumps, a forgotten Last.fm profile from 2011 using the same photo I have on LinkedIn, and two tech forums where I posted my city in the bio. None of those points is dangerous on its own. Combined, they deliver an approximate address, probable salary band, current tech stack, and even my usual sleep hours. That is the blind spot ethical self-OSINT closes, and it is exactly why you should run the exercise before an adversary does.

Maltego Community Edition is still the most teachable starting point in 2026. Install version 4.6, create a free account, and enable the default Hub transforms: Have I Been Pwned, Shodan free tier, DNS, and WhoisXML. Create an Email Address Entity with your primary address, right-click, and run To Breaches [HIBP]. Then drag a Phrase entity with your full name and run To Websites [using Search Engine]. The graph grows fast, and the trick is to use the Collections tab to collapse nodes before they turn into visual spaghetti. Tag every new node by color: red for real PII, yellow for pseudonyms, green for disposable. That early OPSEC discipline aligns with what OPSEC for Security Researchers: Building a Personal Threat Model covers in depth.

Spiderfoot complements Maltego where manual work burns you out. Use the official container: docker run -p 5001:5001 spiderfoot/spiderfoot and open http://localhost:5001. Create a Footprint scan with your email, personal domain, and phone number, enable All modules except those requiring paid keys, and let it run for 30 to 90 minutes. The sfp_haveibeenpwned module lists historical breaches, sfp_hunter returns secondary emails tied to your domain, and sfp_spider crawls your personal site looking for emails commented out in old HTML. I found a partial ID number in a 2018 conference PDF still indexed by Google, a classic problem retroactively fixed by the techniques in Metadata Hygiene: Stripping EXIF, PDF and Office Before You Publish.

The least glamorous part is the most valuable: cross-referencing photos. Use PimEyes carefully or, better, self-host FaceCheck.ID via Docker and run your professional headshot against it. In parallel, run exiftool on every public image of you: exiftool -a -G1 -s headshot.jpg leaks GPS latitude, camera model, and sometimes a serial number when you forgot to strip metadata. I once saved a client from active stalking because his Instagram still carried precise GPS for his house in 2019 photos he never cleaned. The full workflow to compartmentalize future visual identities lives in Digital Compartmentalization: Separate Identities Without Leaking Metadata, and it is worth reading before you ever spin up another profile.

Phone numbers are the most underestimated vector. Run PhoneInfoga against your line: phoneinfoga scan -n +14155551234. The tool hits NumVerify, OVH, and Google dorks that surface the number indexed in classifieds, public WhatsApp groups, and even forgotten Google Sheets. Then check it in Truecaller through a clean app in an Android VM to see how third parties see you, often with a nickname leaked by some delivery app. Combine that with regional people-search lookups and you already hold the same dataset a scammer would buy for a handful of dollars on the deep web. For the regional broker playbook, Anti-Doxxing Personal Security: Removing Data from Brazilian Data Brokers is the closest reference even if you operate elsewhere.

Document everything in a markdown file structured by category: Email, Phone, Name, Photo, Address, Employer, Family. For every exposed item, write a remediation action with a deadline: file an opt-out request, swap the recurring photo, delete an old post, move to passkeys wherever you still use SMS. Re-run the full scan every 90 days and diff the results, and you will see the actual impact of the work. Your digital footprint does not vanish; it only shrinks under discipline. Practical takeaway: block 4 hours on your calendar now, install Maltego CE and Spiderfoot this week, and treat your own name as a bug bounty target whose payout is your own peace of mind.
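As an added example (not part of the original article), the script below implements the 90-day diff step: it parses two SpiderFoot CSV exports, drops rows you flagged as false positives, and reports what is new, what was resolved and what still persists, grouped into the same categories as the remediation file. The CSV column layout and the event-type names are assumptions about SpiderFoot's export, and both exports are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# SpiderFoot event types mapped to the remediation file's categories.
# Type names and the export's column layout are assumptions, not verified output.
CATEGORY = {
    "EMAILADDR": "Email", "EMAILADDR_COMPROMISED": "Email",
    "PHONE_NUMBER": "Phone", "HUMAN_NAME": "Name",
    "ACCOUNT_EXTERNAL_OWNED": "Name", "PHYSICAL_ADDRESS": "Address",
}

# Constructed sample exports (not real scan output), baseline and 90-day re-scan.
BASELINE_CSV = """Scan Name,Updated,Type,Module,Source,F/P,Data
self-audit,2026-01-10 09:12:00,EMAILADDR_COMPROMISED,sfp_haveibeenpwned,me@example.com,0,me@example.com [Collection1]
self-audit,2026-01-10 09:13:00,PHONE_NUMBER,sfp_spider,https://example.com/contact,0,+14155551234
self-audit,2026-01-10 09:14:00,PHYSICAL_ADDRESS,sfp_spider,https://example.com/old-cv.pdf,0,123 Main St
self-audit,2026-01-10 09:15:00,EMAILADDR,sfp_hunter,example.com,1,noreply@example.com
"""
RESCAN_CSV = """Scan Name,Updated,Type,Module,Source,F/P,Data
self-audit,2026-04-10 10:02:00,EMAILADDR_COMPROMISED,sfp_haveibeenpwned,me@example.com,0,me@example.com [Collection1]
self-audit,2026-04-10 10:03:00,ACCOUNT_EXTERNAL_OWNED,sfp_accounts,me,0,https://last.fm/user/me
self-audit,2026-04-10 10:04:00,EMAILADDR,sfp_hunter,example.com,1,noreply@example.com
"""


def load_findings(csv_text):
    """Parse one export into a set of (category, type, data), skipping F/P rows."""
    found = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["F/P"] == "1":
            continue  # marked as a false positive in the SpiderFoot UI
        cat = CATEGORY.get(row["Type"], "Other")
        found.add((cat, row["Type"], row["Data"].strip()))
    return found


def diff_scans(baseline_csv, rescan_csv):
    """Return {'new'|'resolved'|'persistent': {category: ['TYPE: data', ...]}}."""
    before, after = load_findings(baseline_csv), load_findings(rescan_csv)
    buckets = {"new": after - before, "resolved": before - after, "persistent": before & after}
    report = {}
    for name, items in buckets.items():
        grouped = defaultdict(list)
        for cat, typ, data in sorted(items):  # sorted so output is diff-friendly
            grouped[cat].append(f"{typ}: {data}")
        report[name] = dict(grouped)
    return report


if __name__ == "__main__":
    for bucket, by_cat in diff_scans(BASELINE_CSV, RESCAN_CSV).items():
        print(f"## {bucket} ({sum(len(v) for v in by_cat.values())})")
        for cat, items in by_cat.items():
            print(f"- {cat}: " + "; ".join(items))
```

Paste the "new" and "persistent" buckets into the remediation file with a deadline each; an empty "new" bucket on the next run is the signal that the footprint is actually shrinking.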
