Cloudflare SAN Scan
Websites on the same Cloudflare account will share a TLS certificate. Cloudflare SAN Scan analyses past TLS certificates and finds other domains which are on the same Cloudflare account.
Cloudflare is a Content Delivery Network which provides benefits above just content delivery. Cloudflare offers excellent DNS and free TLS certificates for all websites, even on the free plan.
When you inspect a certificate of a website using Cloudflare you will see in the Subject Alternative Name section that it has multiple different domains assigned to the same certificate. Cloudflare assigns up to 50 domains to a single TLS certificate.
If you add multiple domains to a Cloudflare account, they will all be assigned to the same certificate, and that will be publically visible through the Subject Alternative Name (SAN) of the certificate.
By analysing past TLS certificates, Cloudflare SAN Scan is able to determine which other domains are consistently showing in a domain's certificate. If they appear over a considerable amount of time it is likely that they are attached to the same Cloudflare account. Although unrelated domains will show on a domain's certificate, over time they are likely to move away and will not remain on the same certificate.
The source for Cloudflare SAN Scan is available on GitHub.