What is doxxing?

In a modern online world, malicious or vindictive people can collect and publish personal information about others - without their permission.

02-06-2022 - 8 minute read. Posted in: cybercrime.

What is doxxing?

Many people today are happy to share personal information and pictures of themselves on social media so that curious people can follow their lives. Most people also have some personal information that they do not want to share with others and where they reserve all rights to that information. Such information can be exploited by others through doxxing.

How doxxing works

The term "doxxing" or "doxing" is an abbreviation for "dropping dox". "Dox" is slang for the English word "documents". Doxxing is the disclosure of another person's personal information without the victim's permission.

The information can be the person's full name, address, workplace, email address, phone number, criminal record and intimate photos. The information is published online for all to see.

Doxxing can be done through simple web searches or through hacking attacks, where cyber criminals force their way into a person's sensitive information.

Doxxing through social media

Many people have accounts on various social media sites. For example, the vast majority have a Facebook profile. Doxers can find a lot of information about people through cyberstalking, as it is publicly available. This information is (almost) always information that the person has posted online. It can be information about the person's location, friends, family members, hobbies, etc.

This information may seem harmless, but it can actually be misused by doxers. Doxers can use the information to guess passwords and answers to security questions, and thus gain access to more, more confidential information.

Doxxing through publicly available databases

Most personal records, such as medical records, are not available online. However, there are large amounts of personal data that can be collected by doxers on public websites. These include databases of business licences, regional and local authority records, marriage licences and online search histories - all of which contain personal information.

Doxxing through wi-fi

An unstable wi-fi network can be hacked by cyber criminals. If a person connects to the network, hackers can access their online behaviour, such as entering login details or search history.

Doxxing hidden IP addresses

Doxers use various methods to find out a person's IP address, which is linked to the physical location of their device. If they find the IP address, they can use social engineering attacks against people's ISPs to acquire more sensitive data about them.

What is the purpose of doxxing?

In all cases, regardless of the purpose behind it, doxxing is an invasion of privacy. Doxxing is carried out for a number of reasons, including:

  • Causing damage to the reputation or professional life of individuals
  • Humiliating or ridiculing individuals
  • Blackmailing persons
  • Harassment of persons
  • Cyberstalking of persons
  • Obtaining information for cyber attacks

Is doxxing illegal?

Sharing information about a person that is publicly available online is not illegal, as the person has published the information themselves and anyone on the internet can see the information.

However, doxxing can (in some countries) be considered a criminal offence or be part of a criminal offence if it is used for stalking, harassment, blackmail or threats.

In the US, doxxing a government official is illegal and the person behind it can be punished quite severely as it is considered conspiracy and is considered a serious crime.

Examples of doxxing

  • "Gamergate" is the name given to a hate campaign against female gamers that began in 2014. The first and biggest victim was game developer Zoë Quinn, who received many threats and had her personal information leaked. A number of other women in the gaming community were also doxxed over a period of about a year
  • In 2015, the hacktivist group Anonymous released what it claimed was data on hundreds of KKK members and other hate groups.
  • Members of online dating site Ashley Madison, which refers to people seeking affairs outside of marriage, had their database of user data hacked in 2015. The cybercriminals who hacked the database leaked information on millions of users. The users were publicly humiliated and for many of them the doxxing had consequences for their personal relationships, both with their partners, family and friends
  • After the Boston Marathon bombing in 2013, cybercriminals released the name of a Brown University student they believed was a potential suspect, even though the student had committed suicide before the attack. Many online users, especially users of the online platform Reddit, began their own "investigations" into the attack for to find the perpetrator, and many innocent people were accused

Protect your personal information from doxxing

Here are some tips on how to protect your personal information from doxxing.

Limit the sharing of your personal information

You can check how much is actually written and shared by and about you online by searching for yourself on a search engine. This will give you an overview of how much information about you is actually online. Often, there is more information about a person online than they expect.

It is then a good idea to remove information about yourself that is not necessary to keep or that may be considered more sensitive than other information. The vast majority of information is likely to come from Google and SoMe platforms.

Protect your IP address and internet traffic with a VPN

A VPN, or Virtual Private Network, protects your online identity by anonymising your IP address, which can be exploited for doxxing. A VPN also protects your online traffic and behaviour by encrypting your data and sending it through a VPN server before the data ends up on the public internet. That way, only you and the VPN provider can see what you're doing online.

Use different usernames for different platforms

If you use online platforms like Reddit, YouTube, Tik Tok, etc., make sure you use different usernames and passwords for each of the services when you create an account. If you use the same information on all sites, doxxers can search your comments or posts on the different platforms and use this information to put together a profile of you. Using different usernames for different accounts makes it harder for others to track your information or behaviour across social media and platforms.

Create different email accounts for different purposes

Consider having different email accounts for different purposes - for example, for professional and personal use. You can use your private email address for private correspondence with close friends, family and acquaintances. Make sure the address is not made public. You can also set up a spam email address to use when signing up for services, promotions or competitions.

It is often advantageous to have your professional e-mail address publicly available, for example to expand your network. As with publicly available social media accounts, avoid providing too much identifying information in your email address.

Avoid websites that collect large amounts of data

There are certain websites that collect a huge amount of data in the form of surveys, questionnaires, etc. If possible, avoid using those websites. These websites can be hacked by cyber criminals and that can make them suddenly in possession of a lot of information like you.

Adjust your privacy settings

There are privacy settings for every account and application that we use online. You can adjust your privacy settings so your information isn't seen by everyone, but only those you allow. It's a quick and easy way to protect your privacy on the internet.

Please ask to have your data deleted

Due to GDPR, one of the rights of private individuals is the "right to be forgotten". This means that you can ask a company to delete your data if one of a number of conditions mentioned in the GDPR is met.

The conditions for erasure may include that the company's purpose for processing your personal data is no longer relevant, or that you have withdrawn your consent and the company is therefore no longer entitled to process your data.

What to do if you have been doxxed?

If you have been doxxed, you need to act quickly to stop the spread of your personal data. Here are a few simple things you can do after you've been doxxed:

  • Document the evidence. Take screenshots of everything in case you need to report it to the police.
  • Report the doxxing to the platforms that hold your information. Sites like Facebook and Twitter have terms of service that prohibit doxxing, and they may suspend the doxxer's account.
  • Protect your accounts. Create new, strong passwords for your accounts and use a password manager to generate and store strong passwords. Protect your accounts with multi-factor authentication and enforce privacy settings on all your accounts.
  • Consider changing your information. Depending on what information has been leaked about you, you may want to consider changing your phone number, usernames or other personally identifying information where it is muligt.
Author Sofie Meyer

About the author

Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.

Similar posts