Some states also include: unemployment claims, campaign contributions, licenses and certifications, tax information, real estate transactions and deeds, census records, etc.
Automated Reconnaissance Scraping Tools
OSINT Tools (this list is not all encompassing, and all APIs need to be added prior):
Recon-ng modules for individuals (“add profiles” and “add contacts” or use the “import” feature prior to running the following modules)
Have I Been Pwned hibp_breach and hibp_paste credential modules
FullContact module
Profiler module
Linkedin_auth module (Bing LinkedIn cache)
Adobe module
Bozocrack module
Hashes_org module
Pgp_search module
Dev_diver module
Namechk module
Mailtester module
Geocode and Reverse geocode modules
Pushpins modules
Jigsaw and pwnlist modules (APIs need to be purchased beforehand)
Many other recon-ng modules such as the Shodan and Twitter modules can help add to this list as well
geo: filter can be used with latitude and longitude coordinates that correlate with target individual’s physical address (results may vary in densely populated areas)
Various Torrent search engines contain a lot of breached data for download as well
Identified Personnel OSINT Checklist
Optional Sanity Checklist (Identified Personnel)
Conclusion
That's a ton to process, we know. Hopefully you can use this as a resource and reference when needed! (Hint: The checklist is functional!) A big shout out to BelleBytes for taking the time to compile this information.