Many people are happy to share personal information and pictures of themselves on social media. Here, curious people can follow and see what's going on in their lives. Most people have some personal information that they don't want to share with others. You have every right to that information, since it is information about you. Such information, however, can be exploited by others through doxxing.
How doxxing works
The term doxxing or doxing is an abbreviation for "dropping dox". "Dox" is slang for "documents" meaning that:
Doxxing is the disclosure of another person's personal information without the victim's permission.
The information can be a person's:
- Full name
- E-mail address
- Phone number
- Criminal record
- Intimate photos
If you're a victim of doxxing, the information is published online for all to see.
Doxxing can be done through simple web searches or through hacking attacks, where cyber criminals force their way into a person's sensitive information.
Doxxing through social media
Many people have accounts on various social media platforms which is why you should be cautious when using them. Doxers can find a lot of information about people through cyberstalking, as it is publicly available to everyone. This information is (almost) always information that the victim has posted online. It can be information about the person's:
- Family members
- Hobbies, etc.
This information may seem harmless, but it can actually be misused by doxers. Doxers can use the information to guess passwords and answers to security questions, and thus gain access to even more confidential information.
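As an added example (not part of the original article), the following self-check shows how you could test whether one of your own passwords or security answers is built from facts you have posted publicly. The function names, the substitution table and the sample facts are constructed for illustration.

```python
import re

MIN_LEN = 3  # ignore fragments too short to be meaningful
# Undo common character swaps (assumed list, not exhaustive).
LEET = str.maketrans("0134578@$!", "oieastbasi")

# Constructed sample: facts a person might have posted publicly.
SAMPLE_FACTS = ["Rex", "Maria Jensen", "1990-04-17", "climbing"]


def fact_tokens(facts):
    """Split each fact into lower-case words/numbers, plus its joined form."""
    tokens = set()
    for fact in facts:
        parts = re.split(r"[^a-z0-9]+", fact.lower())
        tokens.update(p for p in parts if len(p) >= MIN_LEN)
        joined = "".join(parts)
        if len(joined) >= MIN_LEN:
            tokens.add(joined)
    return tokens


def leaked_tokens(secret, facts):
    """Return the public-fact tokens found inside a password or answer."""
    lowered = secret.lower()
    plain = re.sub(r"[^a-z0-9]", "", lowered)
    deleet = re.sub(r"[^a-z0-9]", "", lowered.translate(LEET))
    hits = set()
    for token in fact_tokens(facts):
        # Match as typed, with substitutions undone, or written backwards.
        if token in plain or token in deleet or token[::-1] in plain:
            hits.add(token)
    return sorted(hits)


if __name__ == "__main__":
    for candidate in ["R3x!1990", "Cl1mbing#Maria", "vX9#tqLp2&wZ"]:
        hits = leaked_tokens(candidate, SAMPLE_FACTS)
        print(candidate, "->", hits or "no public facts found")
```

Any password or security answer that returns a non-empty list is worth replacing with one generated by a password manager.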
Doxxing through publicly available databases
Most personal records, such as medical records, are not available online. However, there are large amounts of personal data that can be collected by doxers on public websites. It can be databases such as:
- Databases of business licences
- Regional and local authority records
- Online search histories
all of which contain personal information.
Doxxing through wi-fi
An unstable wi-fi network can be hacked by cyber criminals. If a person connects to the network, hackers can monitor their online behaviour, such as the login details they enter or their search history, through key logging.
You should thus be wary of public networks, since hackers are able to create a bridge between your device and their device - because public networks are more unstable and insecure than private networks.
Doxxing hidden IP addresses
Doxers use various methods to find out a person's IP address, which is linked to the physical location of their device. If they find the IP address, they can use social engineering attacks against people's ISPs to acquire more sensitive data about them.
Another safety precaution you can take is to improve the security of your router. Change the default password to a unique password to make it even more difficult for a hacker to infiltrate your wi-fi - and place the router further away from the street to prevent outsiders from using your internet.
What is the purpose of doxxing?
In all cases, regardless of the purpose behind it, doxxing is an invasion of privacy. Some of the reasons why hackers dox people are to:
- Damage the reputation or professional life of individuals
- Humiliate or ridicule individuals
- Blackmail people
- Harass victims
- Cyberstalk people
- Obtain information for cyber attacks
Is doxxing illegal?
Sharing information about a person that is publicly available online is not illegal, as the person has published the information themselves - and anyone on the internet can see the information.
However, doxxing can (in some countries) be considered a criminal offence or be part of a criminal offence if it's used for stalking, harassment, blackmail or threats.
In the US, doxxing a government official is illegal and the person behind it can be punished quite severely as it's considered conspiracy and thus a serious crime.
Examples of doxxing
- "Gamergate" is the name of a hate campaign against female gamers that began in 2014. The first and biggest victim was game developer Zoë Quinn, who received many threats and had her personal information leaked. A number of other women in the gaming community were also doxxed over a period of about a year.
- In 2015, the hacktivist group Anonymous released what it claimed was data on hundreds of KKK members and other hate groups.
- Members of the online dating site Ashley Madison, which caters to people seeking affairs outside of marriage, had their user data hacked in 2015. The cybercriminals who hacked the database leaked information on millions of users. The users were publicly humiliated, and for many of them the doxxing had consequences for their personal relationships with their partners, family and friends.
- After the Boston Marathon bombing in 2013, cybercriminals released the name of a Brown University student they believed was a potential suspect, even though the student had committed suicide before the attack. Many online users, especially users of the online platform Reddit, began their own "investigations" into the attack to find the perpetrator, and many innocent people were accused.
Protect your personal information from doxxing
We've gathered some tips on how you can protect your personal information from doxxing:
Limit the sharing of your personal information
You can check how much is actually written and shared by and about you online by searching for your name on a search engine. This will give you an overview of how much information there is about you online. Often, there is more information about a person online than they expect.
It's then a good idea to remove information about yourself that is not necessary to keep - or that can be considered more sensitive. The vast majority of information is likely to come from Google and social media platforms.
Protect your IP address and internet traffic with a VPN
A VPN, or Virtual Private Network, protects your online identity by anonymising your IP address, which, as mentioned above, can be exploited for doxxing. A VPN also protects your online traffic and behaviour by encrypting your data and sending it through a VPN server before the data ends up on the public internet. That way, only you and the VPN provider can see what you're doing online.
Use different usernames for different platforms
If you use online platforms like Reddit, YouTube, TikTok, etc., make sure you use different usernames and passwords for each of the services when you create an account. If you use the same information on all sites, doxers can search your comments or posts on the different platforms and use this information to put together a profile of you. Using different usernames for different accounts makes it harder for others to track your information or behaviour across social media and platforms.
Create different email accounts for different purposes
Consider having different e-mail accounts for different purposes - for example, for professional and personal use. You can use your private e-mail address for private correspondence with close friends, family and acquaintances. Make sure the address is not made public. You can also set up a spam e-mail address to use when signing up for services, promotions or competitions.
It's often advantageous to have your professional e-mail address publicly available, for instance to expand your network. As with publicly available social media accounts, avoid providing too much identifying information in your e-mail address.
Avoid websites that collect large amounts of data
There are certain websites that collect a huge amount of data in the form of surveys, questionnaires, etc. If possible, avoid using those websites. They can be hacked by cyber criminals, which, ultimately, can lead to them possessing a lot of personal information about you.
Adjust your privacy settings
There are privacy settings for every account and application that we use online. You can adjust your privacy settings so your information isn't seen by everyone, but only those you allow. It's a quick and easy way to protect your privacy on the internet.
Ask to have your data deleted
Due to GDPR, one of the rights of individuals is the "right to be forgotten". This means that you can ask a company to delete your data if one of a number of conditions mentioned in the GDPR is met.
The conditions for erasure may include that the company's purpose for processing your personal data is no longer relevant, or that you have withdrawn your consent and the company is therefore no longer entitled to process your data.
What to do if you have been doxxed?
If you've been doxxed, you need to act quickly to stop the spread of your personal data. Here are a few suggestions for what you can do if you've become a victim of doxxing:
- Document the evidence. Take screenshots of everything in case you need to report it to the police.
- Report the doxxing to the platforms that hold your information. Sites like Facebook and X (previously known as Twitter) have terms of service that prohibit doxxing, and they may suspend the doxxer's account.
- Protect your accounts. Create new, strong passwords for your accounts and use a password manager to generate and store these passwords. Protect your accounts with multi-factor authentication and enforce privacy settings on all your accounts.
- Consider changing your information. Depending on what information has been leaked about you, you may want to consider changing your phone number, usernames or other personally identifying information where it's possible.
This post has been updated on 31-07-2023 by Sofie Meyer.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.