Osintgram: Instagram OSINT for Self-Exposure Assessment

Osintgram is an open-source tool used to gather publicly available information from Instagram accounts. In this article we look at exactly what it does, how it works technically, and most importantly how it can be used lawfully — against your own accounts or in engagements with written authorization — for self-exposure assessment and security awareness.

Legal & ethical scope — CRITICAL: Using Osintgram against someone else’s accounts (a) violates Instagram’s Terms of Service, (b) may violate the GDPR (Regulation 2016/679) since Instagram user data is personal data, and (c) may be a criminal offense under your local computer-misuse legislation (CFAA in the US, Computer Misuse Act in the UK, Budapest Convention signatory laws). Permitted uses: assessing your own exposure, authorized red-team engagements where the client is the actual account holder, and educational labs using testing accounts you created yourself. No other use is permitted.

What Osintgram is

Osintgram (Datalux, GitHub) is a Python tool that uses Instagram’s public APIs (via a session from your own account) to extract public data of an Instagram username in structured form: followers, following, comments, likes, geotagged photos, hashtags, mentions.

Important: Osintgram does not “break” any account. It only collects information that is already publicly visible to anyone visiting the profile. Its value lies in aggregation and structure: data that would manually take you hours is extracted in seconds and the patterns of exposure become obvious.

Why it matters in a security context

Osintgram (or any similar tool) is used lawfully in:

  • Self-exposure assessment: See what your own profile reveals — geotags, schedule patterns, recognizable colleague names, employer references, device identifiers in EXIF.
  • Executive protection: With written authorization from the executive in question, assess what they publish that could be weaponized for targeted social engineering.
  • Brand monitoring: Detect fake brand accounts and phishing campaigns aimed at your customers.
  • Security awareness training: Demos in internal awareness sessions showing how public info becomes OSINT.
  • Threat intelligence: Research into known threat actors who have publicly left traces on Instagram.

Where it fits in the methodology

Social-media OSINT maps to MITRE ATT&CK T1593.001 — Search Open Websites/Domains: Social Media and T1589 — Gather Victim Identity Information.

Installation in a lab environment

# Clone from GitHub
git clone https://github.com/Datalux/Osintgram.git
cd Osintgram

# Create a virtual environment (recommended)
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Configuration
nano config/credentials.ini

The credentials.ini file expects:

[Credentials]
username = your_test_account
password = your_test_account_password

Important: Use a separate testing account (not your personal Instagram). Instagram detects automated use and may block the account or trigger 2FA challenges. The testing account should be warmed up (a few days of natural use beforehand) so anti-bot mechanisms do not fire.

First run (against your own account)

python3 main.py your_own_username

# Successful output:
# Logged in successfully
# Target: your_own_username
# Account type: Public

Inside Osintgram’s interactive shell, you run commands:

Run a command: list

Core commands for self-exposure assessment

  • info: Basic profile data (bio, full name, profile picture URL).
  • addrs: Geotagged locations from public posts.
  • captions: All captions of public posts — useful for keyword search.
  • followers: List of followers (only on public accounts or your own).
  • followings: List of accounts being followed.
  • hashtags: Hashtags used.
  • tagged: Accounts tagged in public photos.
  • photodes: Captions and descriptions of photos.
  • photos: Download public photos (on your own account).
  • fwersemail: Emails of followers (frequently rate-limited; does not return complete data).
  • target: Switch target to another of your own test usernames.
  • exit: Exit.

What it reveals — and why it matters

After a thorough run against your own Instagram profile, you typically discover:

  • Geolocation patterns: Your gym at 18:30 every Tuesday, your office on a specific avenue.
  • Professional environment: Hashtags around corporate conferences, names of colleagues in tags.
  • Family ties: Tags of children and family members — high risk for social engineering.
  • Likely answers to security questions: Pet name, school name, date of birth.
  • Travel schedule: “On vacation!” posts = your home is empty for X days.

All of this is public. The insight is: when you aggregate it into structured form, the profile risk becomes measurable and teachable.
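To make the aggregation point concrete, here is an added Python example (not Osintgram code, and not the tool's output format) that takes a constructed list of your own geotagged posts and flags the three things listed above: recurring place/time habits, frequently tagged contacts, and travel announcements. The post schema, the sample posts and the score weights are assumptions for illustration only.

```python
"""
Self-exposure aggregation over a constructed export of your own posts.
Not part of Osintgram; the input schema (place, timestamp, tags, caption)
and the risk weights are assumptions made for this example.
"""
from collections import Counter
from datetime import datetime

# Constructed sample data: what a public profile's geotagged posts might look like.
SAMPLE_POSTS = [
    {"place": "Iron Gym, 5th Ave", "timestamp": "2024-03-05T18:31:00", "tags": [], "caption": "leg day #fitness"},
    {"place": "Iron Gym, 5th Ave", "timestamp": "2024-03-12T18:28:00", "tags": [], "caption": "back at it #gym"},
    {"place": "Iron Gym, 5th Ave", "timestamp": "2024-03-19T18:35:00", "tags": [], "caption": "pr today"},
    {"place": "Acme HQ, Main St", "timestamp": "2024-03-06T09:02:00", "tags": ["alice_w", "bob_k"], "caption": "team offsite #acmecorp"},
    {"place": "Acme HQ, Main St", "timestamp": "2024-03-13T08:58:00", "tags": ["alice_w"], "caption": "monday vibes"},
    {"place": "Lisbon Airport", "timestamp": "2024-03-22T06:10:00", "tags": [], "caption": "On vacation! two weeks off"},
    {"place": "Home", "timestamp": "2024-03-01T20:00:00", "tags": ["little_max"], "caption": "birthday boy turns 7 with Rex the dog"},
]

RECURRENCE_THRESHOLD = 3                      # same place, weekday and hour at least this often
VACATION_WORDS = ("vacation", "holiday", "trip", "weeks off")


def recurring_locations(posts, threshold=RECURRENCE_THRESHOLD):
    """Bucket posts by (place, weekday, hour) and return the buckets that repeat:
    these are the predictable habits ("gym every Tuesday at 18:30")."""
    buckets = Counter()
    for post in posts:
        when = datetime.fromisoformat(post["timestamp"])
        buckets[(post["place"], when.strftime("%A"), when.hour)] += 1
    patterns = [
        {"place": place, "weekday": day, "hour": hour, "count": n}
        for (place, day, hour), n in buckets.items()
        if n >= threshold
    ]
    return sorted(patterns, key=lambda p: (-p["count"], p["place"]))


def tagged_contacts(posts):
    """Count how often each handle is tagged: frequent tags identify the
    colleagues and family members an impersonation attempt would name-drop."""
    return Counter(tag for post in posts for tag in post["tags"])


def absence_signals(posts, words=VACATION_WORDS):
    """Captions announcing travel, i.e. telling everyone the home is empty."""
    return [post["caption"] for post in posts
            if any(w in post["caption"].lower() for w in words)]


def assess(posts):
    """Combine the findings into one report with an illustrative score
    (the weights are a constructed example, not a standard scale)."""
    recurring = recurring_locations(posts)
    contacts = tagged_contacts(posts)
    absences = absence_signals(posts)
    score = 3 * len(recurring) + 2 * len(absences) + len(contacts)
    return {"score": score, "recurring": recurring,
            "contacts": dict(contacts), "absence": absences}


if __name__ == "__main__":
    report = assess(SAMPLE_POSTS)
    print(f"exposure score: {report['score']}")
    for p in report["recurring"]:
        print(f"  predictable: {p['place']} every {p['weekday']} around {p['hour']:02d}:00 ({p['count']} posts)")
    for handle, n in report["contacts"].items():
        print(f"  tagged contact: @{handle} x{n}")
    for caption in report["absence"]:
        print(f"  absence announced: {caption!r}")
```

On the sample data the script reports one predictable habit (the gym, Tuesdays around 18:00), three tagged contacts and one travel announcement. The value for an awareness session is the same as Osintgram's: none of these posts looks risky on its own, and the pattern only appears once they are lined up.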

Common issues

  • Login challenges / 2FA prompts: Instagram detects unusual login activity. Use a warm-up testing account.
  • Rate limiting: Many commands → temporary blocking. Use delays between queries.
  • Outdated APIs: Instagram changes its internal APIs frequently. If the tool breaks, check for updates or open pull requests.
  • IP fingerprinting: Many runs from the same IP → flagged. In professional contexts, consider lawful residential proxy use.

Defensive perspective — reducing your own exposure

  • Private account: The simplest defense. Approve followers only from people you know.
  • Disable geotagging: Both in the camera settings and inside Instagram. Never share live location — post photos after you leave the location.
  • Limited tagging: Approval-based tagging — do not let others tag you without approval.
  • EXIF stripping: Before publishing images to other platforms (not just Instagram), strip metadata with exiftool -all= image.jpg.
  • Story restrictions: Hide stories from specific users / use the Close Friends list.
  • Regular audit: Every 3-6 months, check who follows you and what you have left public.
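As an added example for the EXIF-stripping step (written for this article, independent of Osintgram and of exiftool), the following pure-Python script walks a JPEG's marker segments, reports whether an Exif block carrying a GPS IFD is present, and returns a copy with the Exif, other APP1-APP15 and comment segments removed. The sample JPEG is constructed inside the script so it runs offline; it is not a real photo, and the stripping covers the metadata segments named here rather than everything `exiftool -all=` would touch.

```python
"""
Audit and strip location metadata in JPEG files without external libraries.
Added example: not Osintgram code. The sample image is constructed here.
"""
import struct

GPS_IFD_POINTER = 0x8825          # IFD0 tag that points to the GPS sub-IFD
EXIF_HEADER = b"Exif\0\0"


def build_sample_exif(include_gps: bool) -> bytes:
    """Construct a minimal big-endian Exif APP1 payload: IFD0 with a Make tag and,
    optionally, a GPS IFD pointer to a one-entry GPS IFD (test data only)."""
    header = b"MM" + struct.pack(">HI", 42, 8)           # TIFF header, IFD0 at offset 8
    n = 2 if include_gps else 1
    ifd0_end = 8 + 2 + 12 * n + 4                          # count + entries + next-IFD link
    make_value = b"Acme\0"
    entries = [struct.pack(">HHII", 0x010F, 2, len(make_value), ifd0_end)]
    gps_ifd = b""
    if include_gps:
        entries.append(struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, ifd0_end + len(make_value)))
        # GPS IFD: one entry, GPSLatitudeRef "N" stored inline, no next IFD
        gps_ifd = struct.pack(">H", 1) + struct.pack(">HHI", 0x0001, 2, 2) + b"N\0\0\0" + struct.pack(">I", 0)
    ifd0 = struct.pack(">H", n) + b"".join(entries) + struct.pack(">I", 0)
    return EXIF_HEADER + header + ifd0 + make_value + gps_ifd


def build_sample_jpeg(include_gps: bool) -> bytes:
    """Constructed JPEG: SOI, JFIF APP0, Exif APP1, a minimal SOS header, dummy scan data, EOI."""
    exif = build_sample_exif(include_gps)
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    jfif = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + jfif + app1 + sos + b"\x12\x34\x56" + b"\xff\xd9"


def split_jpeg(data: bytes):
    """Split a JPEG into its header segments [(marker, bytes), ...] and the tail
    (SOS header, entropy-coded scan data and EOI), which is copied verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:                                  # SOS: stop, the rest is scan data
            break
        if marker in (0x01, 0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            seg_end = pos + 2                               # standalone marker, no length field
        else:
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            seg_end = pos + 2 + length
        segments.append((marker, data[pos:seg_end]))
        pos = seg_end
    return segments, data[pos:]


def exif_has_gps(payload: bytes) -> bool:
    """True if an Exif payload's IFD0 contains the GPS IFD pointer tag (0x8825)."""
    if not payload.startswith(EXIF_HEADER):
        return False
    tiff = payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        return False
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        (tag,) = struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])
        if tag == GPS_IFD_POINTER:
            return True
    return False


def audit_jpeg(data: bytes) -> dict:
    """Report whether the file carries Exif and whether that Exif includes GPS data."""
    has_exif = has_gps = False
    for marker, seg in split_jpeg(data)[0]:
        if marker == 0xE1 and seg[4:10] == EXIF_HEADER:
            has_exif = True
            has_gps = has_gps or exif_has_gps(seg[4:])
    return {"exif": has_exif, "gps": has_gps}


def strip_metadata(data: bytes) -> bytes:
    """Return a copy without APP1-APP15 (Exif, XMP, ...) and COM segments;
    APP0/JFIF and the image data are kept unchanged."""
    segments, tail = split_jpeg(data)
    kept = [seg for marker, seg in segments if not (0xE1 <= marker <= 0xEF or marker == 0xFE)]
    return b"\xff\xd8" + b"".join(kept) + tail


if __name__ == "__main__":
    original = build_sample_jpeg(include_gps=True)
    print("before:", audit_jpeg(original))
    print("after: ", audit_jpeg(strip_metadata(original)))
```

For a real file, replace the constructed sample with `open(path, "rb").read()` and write the result of `strip_metadata` to a new file; the audit function is the check to run over a folder before anything is published, and the GPS flag is the one that matters for the geolocation patterns discussed above.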

Complementary tools (lawful use)

  • Sherlock: Detect common usernames across dozens of social platforms — to see whether your dev/test handle exists elsewhere.
  • ExifTool: Analyze and strip EXIF metadata from images.
  • Instagram’s own Privacy > Activity Status / Story Sharing settings.

Best practices

  • Use it only on your own accounts or with the written authorization of the account holder.
  • Respect GDPR and Instagram’s ToS — both are violated by unauthorized scraping.
  • Retain minimal data and delete it immediately after the analysis.
  • Include the findings in security awareness training as a case study.
  • If you work in a red team, document the OSINT scope explicitly in the Rules of Engagement.

Summary

Osintgram is an educational tool that highlights how much we expose involuntarily on social media. Its correct use is self-exposure assessment and security awareness — not surveillance of third parties. In every lawful use, the first responsibility is compliance with GDPR and the platform’s Terms of Service.

Next steps

For complete training in OSINT, social-engineering risk assessment, and privacy, explore the courses at Audax Cybersecurity Academy.
