Responsible OSINT research
Breach data is a defensive tool. It's also a sharp one — easy to misuse, easy to mishandle, and easy to walk into a GDPR fine with. This is the working checklist we apply internally and the one we'd ask any customer to apply too.
1. Purpose
Every search should answer a written question.
- Are you triaging an alert?
- Investigating a phishing attempt against your own users?
- Vetting a third-party vendor before you onboard them?
- Researching a publicly disclosed breach?
If you can't answer "why am I searching this?" out loud, don't search it.
2. Scope
Search the smallest possible set of data you need.
- Use email or username, not a wildcarded last name, when you can.
- Limit drill-downs to the device or victim id you're actually investigating, not its neighbours.
- Don't fish for whole-domain dumps unless you own the domain (or have written permission from someone who does).
3. Audit trail
You should be able to explain, six months later, why each query was run.
- SquareBreach keeps a 30-day query history per workspace by default — enable longer retention if your industry requires it.
- Use saved searches with notes for recurring monitoring — the note explains the purpose to your future self and to auditors.
- For shared workspaces, include the ticket id or case number in the saved-search note.
4. Retention
Don't hoard hits. The breach corpus already exists; you don't need a permanent local copy.
- Export only what you'll attach to your investigation file.
- Delete temporary CSVs as soon as you're done; they're a magnet for accidental leaks.
- Use the /app/settings/privacy page to wipe stored history when an investigation closes.
5. Disclosure
If your search reveals an active credential against a third party, you have a responsibility — most regulators agree — to notify that party.
- For an individual: a direct, factual email pointing at haveibeenpwned.com is usually the right move, with a link to a password manager.
- For a company: their security.txt, then their CISO/IR mailing list, then a CERT.
In closing
OSINT done well makes the internet safer. OSINT done sloppily makes you the next headline. SquareBreach is built to support the first kind — the Acceptable Use Policy and the Privacy Policy spell out the rest.