# Sherlock

> Find social media accounts by username across 400+ platforms. Command-line OSINT.

**Source:** https://fieldwork.news/tools/sherlock
**Official site:** https://github.com/sherlock-project/sherlock
**Category:** verification
**Also covers:** newsgathering

## Security rating

- **Rating:** adequate
- **Rating note (required when citing):** Open-source, runs locally, no data collection. The operational security concern is real: every platform you query sees your IP address and the username you're searching. Some platforms log lookup attempts. Since v0.16.0, built-in Tor support is deprecated — you need an external proxy for anonymity. The tool itself is trustworthy; the risk is in how you use it and whether targets or platforms detect your enumeration activity.
- **Reviewed by:** Deepened evaluation by Mike Schneider — independent security review pending
- **Last reviewed:** 2026-04-02
- **Last agent-verified:** 2026-04-02
- **Threat level:** sensitive-reporting

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Investigative journalists and OSINT researchers tracing a subject's username across platforms. Law enforcement, fraud investigators, and anyone mapping online identity reuse. Requires comfort with the command line — no GUI.

## Editorial take

Sherlock checks a username against 400+ social media sites and returns matching profile URLs. It runs locally — your queries never touch a Sherlock server, which matters when you don't want to alert a target. The tool is fast and simple: one username in, a list of URLs out. But accuracy is the real issue. A December 2024 deep dive found 32% of detected accounts were false positives (pages that existed but had no real profile), and another 44% were valid accounts belonging to someone else entirely. That means roughly three-quarters of raw results are noise. Maigret, a Sherlock fork, searches 3,000+ sites (vs. Sherlock's 400+), parses profile pages for personal info, and supports recursive searches — it's the stronger tool for serious investigations. Sherlock remains useful as a quick first pass, but treat every result as unverified until you click through.

## Best for / not for

**Best for:** Quick username enumeration across 400+ platforms. First-pass OSINT to see where a username appears. Building a starting list for deeper manual investigation.

**Not for:** Real-name searches (username-only matching). Verified identity confirmation — a matching username doesn't mean the same person. Monitoring accounts over time (one-shot scan only). Investigations requiring accuracy without manual verification. High-confidence attribution.

## Pricing

- **Pricing:** Free
- **Free option:** yes

## Security & privacy details

- **Encryption in transit:** partial
- **Encryption at rest:** no
- **Data jurisdiction:** Local — runs entirely on your machine. No data sent to Sherlock servers. HTTP requests go directly to each social media platform, so each platform sees your IP and query.

**Privacy policy TL;DR:** No server component. No data collection by Sherlock's developers. Your searches are visible to every platform queried — each site receives an HTTP request checking for the username. Some platforms log these lookups. Rate limiting or IP blocking is possible if you query aggressively.

**Practical mitigations (operational guidance, not optional):**

- Run through a VPN or Tor to mask your IP from target platforms (though --tor is deprecated in v0.16.0, so use an external Tor proxy).
- Reduce thread count to avoid rate limiting and false positives from blocked requests.
- Manually verify every result. Expect 30-50% false positive rates on common usernames.
- Cross-reference with Maigret or WhatsMyName for better coverage and accuracy.
- Use --site flags to limit scope when you know which platforms matter.
- Output to CSV or XLSX for structured review.

## Ownership & business

- **Owner:** Sherlock Project (open-source community). Originally created by Siddharth Dushantha.
- **Funding model:** Unfunded community project. No grants, no sponsors, no commercial backing. Maintained entirely by volunteers.
- **Business model:** None. MIT-licensed open-source software. Community-maintained with 200+ contributors. Available as a Debian/Ubuntu package as of v0.16.0.
- **Open source:** yes

**Known issues:** False positive rate is high — a December 2024 analysis found 32.3% of detected accounts didn't actually exist, and 44.1% belonged to different people. The project has removed 124+ sites historically due to persistent false positives. Sherlock doesn't detect platform censorship or geo-blocking — a blocked page can register as a confirmed account. --tor and --unique-tor flags are deprecated in v0.16.0. Aggressive thread counts cause rate limiting and additional false positives. Facebook, Discord, and many dating apps block automated enumeration entirely, so coverage on those platforms is zero. No profile parsing — Sherlock only confirms URL existence, unlike Maigret which extracts names, bios, and linked accounts. Site list requires constant maintenance as platforms change their page structures.
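
A triage pass over a CSV export supports both the manual-verification guidance and the blocked-page issue described above. This is an added example, not code from Sherlock or from this page; the CSV column names, the `Claimed` status value, the list of block-like HTTP codes and the 5-second threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample rows in the column layout assumed for Sherlock's CSV export.
SAMPLE_CSV = """username,name,url_main,url_user,exists,http_status,response_time_s
jdoe_example,SiteA,https://sitea.example/,https://sitea.example/jdoe_example,Claimed,200,0.41
jdoe_example,SiteB,https://siteb.example/,https://siteb.example/u/jdoe_example,Claimed,403,0.12
jdoe_example,SiteC,https://sitec.example/,https://sitec.example/jdoe_example,Available,404,0.33
jdoe_example,SiteD,https://sited.example/,https://sited.example/jdoe_example,Claimed,429,0.05
jdoe_example,SiteE,https://sitee.example/,https://sitee.example/jdoe_example,Claimed,200,9.80
"""

# Assumed indicators that a "hit" is really a block, rate limit or geo-block page.
BLOCK_STATUSES = {"401", "403", "429", "451", "503"}
SLOW_SECONDS = 5.0  # assumed threshold; very slow replies often mean throttling


def triage(csv_text):
    """Return reported hits as a worklist, each tagged with reasons to distrust it."""
    worklist = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["exists"].strip().lower() != "claimed":
            continue  # only reported hits need manual verification
        reasons = []
        status = row["http_status"].strip()
        if status in BLOCK_STATUSES:
            reasons.append("status %s suggests blocking, not a profile" % status)
        try:
            if float(row["response_time_s"]) >= SLOW_SECONDS:
                reasons.append("slow response, possible throttling")
        except ValueError:
            reasons.append("missing response time")
        worklist.append({
            "site": row["name"],
            "url": row["url_user"],
            "priority": "recheck" if reasons else "verify",
            "reasons": reasons,
            "verified_by_hand": False,  # stays False until someone clicks through
        })
    # Stable sort: plausible hits first, likely-blocked hits last for a later re-run.
    return sorted(worklist, key=lambda r: r["priority"] == "recheck")


if __name__ == "__main__":
    for item in triage(SAMPLE_CSV):
        print(item["priority"], item["site"], item["url"], "; ".join(item["reasons"]))
```

Rows marked `recheck` are candidates for a second run at a lower request rate before anyone spends time on them; rows marked `verify` still need a manual click-through.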
