The term "doxing" is short for "dropping dox", "dox" being slang for documents. Typically, doxing is a malicious act, used against people with whom the hacker disagrees or whom they dislike.
What is Doxing?
Doxing (sometimes written as Doxxing) is the act of revealing identifying information about someone online, such as their real name, home address, workplace, phone, financial, and other personal information. That information is then circulated to the public — without the victim's permission.
While the practice of revealing personal information without one's consent predates the internet, the term doxing first emerged in the world of online hackers in the 1990s, where anonymity was considered sacred. Feuds between rival hackers would sometimes lead to someone deciding to "drop docs" on somebody else, who had previously only been known as a username or alias. "Docs" became "dox" and eventually became a verb by itself (i.e., without the prefix "drop").
The definition of doxing has expanded beyond the hacker community and now refers to personal information exposure. While the term is still used to describe the unmasking of anonymous users, that aspect has become less relevant today, when most of us are using our real names on social media.
Recently, doxing has become a tool in the culture wars, with rival hackers doxing those who hold opposing views. Doxers aim to escalate their conflict with targets from online to the real world, by revealing information which includes:
- Home addresses
- Workplace details
- Personal phone numbers
- Social security numbers
- Bank account or credit card information
- Private correspondence
- Criminal history
- Personal photos
- Embarrassing personal details
Doxing attacks can range from the relatively trivial, such as fake email sign-ups or pizza deliveries, to the far more dangerous ones, like harassing a person's family or employer, identity theft, threats, or other forms of cyberbullying, or even in-person harassment.
Celebrities, politicians, and journalists are amongst those who have been doxed, making them suffer from online mobs, fearing for their safety, and – in extreme cases – death threats. The practice has also spread to prominent company executives; for example, when Procter & Gamble's Gillette released its We Believe ad, which claimed to target toxic masculinity, Chief Brand Officer Marc Pritchard's LinkedIn profile was shared on 4chan, with the poster calling on others to send angry messages to him.
Doxing entered mainstream awareness in December 2011, when hacktivist group Anonymous exposed 7,000 law enforcement members' detailed information in response to investigations into hacking activities. Since then, Anonymous has doxed hundreds of alleged KKK members, and their most recent targets have included Q-Anon supporters.
The motivations behind doxing vary. People feel they have been attacked or insulted by their target and could be seeking revenge as a result. If someone becomes known for their controversial opinions, they could target someone with opposing viewpoints. However, this tends to be the case when the topic is especially polarized, rather than everyday political disagreements.
Intentionally revealing personal information online usually comes with the intention to punish, intimidate, or humiliate the victim in question. That said, doxers can also see their actions as a way to right perceived wrongs, bring someone to justice in the public eye, or reveal an agenda that has previously not been publicly disclosed.
Regardless of the motivation, the core purpose of doxing is to violate privacy, and it can put people in an uncomfortable situation — sometimes with dire consequences.
How does doxing work?
We live in an age of big data; there is a vast ocean of personal information on the internet, and people often have less control over it than they believe. This means that anyone with the time, motivation, and interest to do so can turn that data into a weapon.
Some of the methods used to dox people include:
Many people use the same username across a wide variety of services. This allows potential doxers to build up a picture of the target's interests and how they spend their time on the internet.
Running a WHOIS search on a domain name
Anyone who owns a domain name has their information stored in a registry that is often publicly available via a WHOIS search. If the person who bought the domain name did not obscure their private information at the time of purchase, personally identifying information (such as their name, address, phone number, business, and email address) is available online for anyone to find.
If the person uses an insecure email account or falls victim to a phishing scam, the hacker can uncover sensitive emails and post them online.
Stalking social media
If your social media accounts are public, anyone can find out information about you by cyberstalking you. They can find out your location, workplace, friends, photos, likes and dislikes, places you have visited, the names of your family members, the names of your pets, and so on. Using this information, a doxer may even work out the answers to your security questions — which would help them break into other online accounts.
Sifting through government records
While most personal records are not available online, there is a fair amount of information that can be gleaned on government websites. Examples include databases of business licenses, county records, marriage licenses, DMV records, and voter registration logs – all contain personal information.
Tracking IP addresses
Doxers can use various methods to discover your IP address, which is linked to your physical location. Once they know it, they can then use social engineering tricks on your internet service provider (ISP) to discover more information about you. For example, they can file complaints about the owner of the IP address or attempt to hack into the network.
Reverse mobile phone lookup
Once hackers know your mobile phone number, they can find out more about you. For example, reverse phone lookup services like Whitepages let you type in a mobile phone number (or any telephone number) to find out the identity of the person who owns the number. Sites such as Whitepages charge fees to provide information beyond the city and state associated with a mobile phone number. However, those willing to pay can discover additional personal information about you from your mobile phone number.
The term packet sniffing is sometimes used in relation to doxing. This refers to doxers intercepting your internet data, looking for everything from your passwords, credit card numbers, and bank account information to old email messages. Doxers do this by connecting to an online network, cracking its security measures, and then capturing the data flowing into and out of the network. One way to protect yourself from packet sniffing is by using a VPN.
Using data brokers
Data brokers exist to collect information about people and sell that information for profit. Data brokers gather their info from publicly available records, loyalty cards (which track your online and offline buying behavior), online search histories (everything you search, read, or download), and from other data brokers. Many data brokers sell their information to advertisers, but several people-search sites offer comprehensive records about individuals for relatively small amounts of money. All a doxer has to do is to pay this small fee to obtain enough information to dox someone.
By following breadcrumbs — small pieces of information about someone — scattered across the internet, doxers can build up a picture that leads to uncovering the real person behind an alias, including the person's name, physical address, email address, phone number, and more. Doxers may also buy and sell personal info on the dark web.
The information found can be wielded in a threatening manner, for instance, tweeted at someone in response to a disagreement. Doxing can be less about the availability of the information and more about how it is used to intimidate or harass a target. For example, someone who has your address can locate you or your family. Someone with your mobile phone number or email can bombard you with messages that disrupt your ability to communicate with your support network. Finally, someone with your name, date of birth, and Social Security number could also hack into your accounts or steal your identity.
Anyone who has the determination, time, access to the internet, and motivation will be able to put together a profile of someone. And if the target of this doxing effort has made their information relatively accessible online, this is made even easier.
Examples of doxing
The most common doxing situations tend to fall into these three categories:
- Releasing an individual's private, personally identifying information online.
- Revealing previously unknown information of a private person online.
- Releasing information about a private person online that could be damaging to their reputation and those of their personal and/or professional associates.
Some of the most famous and commonly cited examples of doxing include:
Ashley Madison was an online dating site that catered towards people interested in dating outside of committed relationships. A hacker group made demands of the management behind Ashley Madison. When those demands were not met, the group released sensitive user data, doxing millions of people in the process and causing humiliation, embarrassment, and the potential for harm to both personal and professional reputations.
Cecil the Lion
A dentist from Minnesota illegally hunted and killed a lion living in a protected game preserve in Zimbabwe. Some of his identifying information was released, which resulted in even more personal information publicly posted online by people who were upset by his actions and wanted to see him publicly punished.
Boston Marathon bombing
During the search for the Boston Marathon bombing perpetrators, thousands of users in the Reddit community collectively scoured news and information about the event and subsequent investigation. They intended to provide information to law enforcement that they could then use to seek justice. Instead, innocent people who were not involved in the crimes were outed, resulting in a misguided witch hunt.
Is doxing illegal?
Doxing can ruin lives, as it can expose targeted individuals and their families to both online and real-world harassment. But is it illegal?
The answer is usually no: doxing tends not to be illegal, if the information exposed lies within the public domain, and it was obtained using legal methods. That said, depending on your jurisdiction, doxing may fall foul of laws designed to fight stalking, harassment, and threats.
It also depends on the specific information revealed. For example, disclosing someone's real name is not as serious as revealing their home address or telephone number. However, in the US, doxing a government employee falls under federal conspiracy laws and is seen as a federal offense. Because doxing is a relatively recent phenomenon, the laws around it are constantly evolving and are not always clear cut.
Regardless of the law, doxing violates many websites' terms of service and, therefore, may result in a ban. This is because doxing is usually seen as unethical and is mostly carried out with malicious intent to intimidate, blackmail, and control others, exposing them to potential harassment, identity theft, humiliation, loss of jobs, and rejection from family and friends.
How to protect yourself from doxing
With the vast array of search tools and information readily available online, almost anyone can be a doxing victim.
If you have ever posted in an online forum, participated in a social media site, signed an online petition, or purchased a property, your information is publicly available. Plus, large amounts of data are readily available to anyone who searches for it in public databases, county records, state records, search engines, and other repositories.
While this information is available to those who really want to look for it, there are steps you can take to protect your information. These include:
Protecting your IP address by using a VPN
A VPN or virtual private network offers excellent protection against exposing IP addresses. A VPN takes the user's internet traffic, encrypts it, and sends it through one of the service's servers before heading out to the public internet – allowing you to browse the internet anonymously. Kaspersky Secure Connection protects you on public Wi-Fi, keeps your communications private, and ensures that you are not exposed to phishing, malware, viruses, and other cyber threats.
Practice good cybersecurity
Anti-virus and malware detection software can stop doxers from stealing information through malicious applications. Regularly updated software helps to prevent any security 'holes' that could lead to you being hacked and doxed.
Use strong passwords
A strong password normally includes a combination of uppercase and lowercase letters, plus numbers and symbols. Avoid using the same password for multiple accounts, and make sure you change your passwords regularly. If you have problems remembering passwords, try using a password manager.
Use separate usernames for different platforms
If you are using online forums like Reddit, 4chan, Discord, YouTube, or others, make sure you use different usernames and passwords for each service. If you use the same ones, doxers could search through your comments on different platforms and use that information to compile a detailed picture of you. Using different usernames for different purposes will make it more difficult for people to track your movements across multiple sites.
Create separate email accounts for separate purposes
Consider maintaining separate email accounts for different purposes: professional, personal, and spam. Your personal email address can be reserved for private correspondence with close friends, family, and other trusted contacts; avoid publicly listing this address. Your spam email can be used to sign up for accounts, services, and promotions. Finally, your professional email address (whether you are a freelancer or affiliated with a particular organization) can be listed publicly. As with public-facing social media accounts, avoid including too much identifying information in your email handle (for example, steer clear of email@example.com).
Review and maximize your privacy settings on social media
Review the privacy settings on your social media profiles and make sure you are comfortable with the amount of information being shared and with whom.
Be strategic about which platforms you use for which purposes. If you are using a platform for personal reasons (like sharing photos with friends and family on Facebook or Instagram), tighten your privacy settings. If you are using a platform for professional purposes (such as monitoring breaking news on Twitter and tweeting links to your work), you may decide to leave some of the settings public, in which case avoid including sensitive personal information and images.
Use multi-factor authentication
This means that you, and anyone else trying to access your account, will need at least two pieces of identification to log in, usually your password and your phone number. This makes it harder for hackers to access a person's devices or online accounts because knowing the victim's password alone is not enough; they will also need access to a PIN.
Get rid of obsolete profiles
Review how many sites have your information. While sites like MySpace may now be out of fashion, profiles that were put up over a decade ago are still visible and publicly accessible. This applies to any site that you might have formerly been active on. Try to delete obsolete and old/unused profiles if you can.
Be alert for phishing emails
Doxers might use phishing scams to trick you into disclosing your home address, Social Security number, or even passwords. Be wary whenever you receive a message that supposedly comes from a bank or credit card company and requests your personal information. Financial institutions will never ask for this information by email.
Hide domain registration information from WHOIS
WHOIS is a database of all registered domain names on the web. This public register can be used to determine the person or organization that owns a given domain, their physical address, and other contact information.
If you plan to run a website anonymously without disclosing your real identity, make sure your personal information is private and hidden from the WHOIS database. Domain registrars have controls over these privacy settings, so you will need to ask your domain registration company about how to do so.
Ask Google to remove information
If personal information appears in Google search results, individuals can request its removal from the search engine. Google makes this a simple process through an online form. Many data brokers put this type of data online, usually for background checks or crime check information.
Scrub your data
You can remove your information from data broker sites. If you want to do it yourself without incurring costs, it can be labor-intensive. If you have limited time, start with the three major wholesalers: Epsilon, Oracle, and Acxiom.
You will need to regularly check these databases because your information can be republished even after being removed. You can also pay a service like DeleteMe, PrivacyDuck, or Reputation Defender to do this for you.
Be wary of online quizzes and app permissions
Online quizzes may seem harmless, but they are often rich sources of personal information that you happily provide without thinking twice. Some parts of a quiz may even serve as security questions to your passwords. Since many quizzes ask for permission to see your social media information or your email address before showing you the quiz results, they can easily associate this information with your real identity. Without much context on who is launching the quiz and why, it is best to avoid taking them altogether.
Mobile apps are also sources of personal data. Many apps ask for access permissions to your data or device that should not concern the app software at all. For example, an image editing app has no logical use for your contacts. If it is requesting access to your camera or photos, that makes sense. But if it also wants to look at your contacts, GPS location, and social media profiles, then proceed with caution.
Avoid disclosing certain types of information
Wherever possible, avoid disclosing certain pieces of information in public, such as your Social Security number, home address, driver's license number, and any information regarding bank accounts or credit card numbers. Remember, hackers could intercept email messages, so you should not include private details in yours.
Check how easy it is to dox yourself
The best defence is to make it harder for abusers to track down your private information. You can find out how easy it is to dox yourself by checking what information can be found out about you. For example:
- Google yourself.
- Carry out a reverse image search.
- Audit your social media profiles, including privacy settings.
- Check to see if any of your email accounts were part of a major data breach by using a site such as Haveibeenpwned.com.
- Check CVs, bios, and personal websites to see what personal information your professional presence conveys. If you have PDFs of CVs online, be sure to exclude details like your home address, personal email, and mobile phone number (or replace them with public-facing versions of that information).
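One way to run the CV and bio check from the list above on your own documents before publishing them, as an added example that is not part of the original article. The patterns are heuristics that assume US-style formats, and the sample CV, the `audit_text` function and its `public_ok` allowlist are constructed for illustration.

```python
import re

# Heuristic patterns for the details the checklist says to keep out of public
# CVs and bios. US-style formats are an assumption of this example.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(
        r"(?<![\w-])(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?![\w-])"
    ),
    "street_address": re.compile(
        r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}"
        r"(?:Street|St|Avenue|Ave|Road|Rd|Lane|Ln|Drive|Dr|Boulevard|Blvd|Court|Ct)\b"
    ),
}


def mask(value):
    """Hide the middle of a value so the audit report does not leak it again."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def audit_text(text, public_ok=()):
    """Return one finding per personal detail found in `text`.

    `public_ok` lists public-facing values (for example a professional
    email address) that are meant to be published and should not be flagged.
    """
    allowed = {value.lower() for value in public_ok}
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if value.lower() in allowed:
                    continue  # intentionally public, skip
                findings.append(
                    {"line": lineno, "kind": kind, "masked": mask(value)}
                )
    return findings


# Constructed sample CV text; every value here is fictional.
SAMPLE_CV = """\
Jane Example
Work: jane@example-consulting.test | Personal: jane.1987@mailbox.example
Mobile: (555) 010-0142
Home: 42 Maple Grove Lane, Springfield
SSN: 078-05-1120
Experience: Security analyst, 2015-2019
"""

if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CV, public_ok=["jane@example-consulting.test"]):
        print(f"line {finding['line']}: {finding['kind']} -> {finding['masked']}")
```

Extract the text from a PDF first and pass it to `audit_text`; anything reported should be removed or replaced with its public-facing version before the file goes online.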
Set up Google alerts
Set up Google alerts for your full name, phone number, home address, or other private data you are concerned about so you know if it suddenly appears online; if it does, it may mean you have been doxed.
Avoid giving hackers a reason to dox you
Be careful what you post online, and never share private information on forums, message boards, or social media sites. It is easy to think that the internet gives people the freedom to say — or type — whatever they want. People may believe that creating anonymous identities gives them the chance to express whatever opinions they want, no matter how controversial, with no chance of them being traced. But as we have seen, that is not the case – so it is wise to be careful about what you say online.
What to do if you become a doxing victim
The most common response to being doxed is fear, if not outright panic. Feeling vulnerable is understandable. Doxing is intentionally designed to violate your sense of security and cause you to panic, lash out, or shut down. If you become a doxing victim, here are steps you can take:
Report the attack to the platforms on which your personal information has been posted. Search the relevant platform's terms of service or community guidelines to determine their reporting process for this type of attack and follow it. When you fill out a form, save it for the future (so you do not have to repeat yourself). This is the first step to stop the spread of your personal information.
Involve law enforcement
If a doxer makes personal threats against you, contact your local police department. Any information pointing to your home address or financial information should be treated as a top priority, especially if there are credible threats attached.
Take screenshots or download pages on which your information has been posted. Try to ensure that the date and URL are visible. This evidence is essential for your own reference and can help law enforcement or other agencies involved.
Protect your financial accounts
If doxers have published your bank account or credit card numbers, report this immediately to your financial institution(s). Your credit card provider will likely cancel your card and send you a new one. You will also need to change the passwords for your online bank and credit card accounts.
Lock down your accounts
Change your passwords, use a password manager, enable multi-factor authentication where possible, and strengthen your privacy settings on every account you use.
Enlist a friend or family member for support
Doxing can be emotionally taxing. Ask someone you trust to help you navigate the issue, so you don't have to deal with it alone.
Doxing is a serious issue made possible by easy access to personal information online. Staying safe in an online world is not always easy, but following cybersecurity best practices can help. We recommend using Kaspersky's Total Security Solution, which guards you against viruses on your PC, secures and stores your passwords and private documents, and encrypts the data you send and receive online with a VPN.