What is doxing?

Lukas Grigas
Cybersecurity Content Writer
doxing

Doxing, sometimes spelled as doxxing, refers to an act of exposing personally identifiable information such as a person’s name, home address, phone number, and other similarly sensitive information with malicious intent.

Today, doxing is considered a harshly unethical practice because we’re acutely aware of the importance of personal information. However the practice of exposing private information has existed for a long time. In fact, the term doxing can be traced back to the 1990s. Back then, rival hackers would “drop docs” on each other in order to reveal each others’ identities. With time, what was known back in the ’90s as “dropping docs” morphed into what we now call doxing.

Today, we’re taking an in-depth look at doxing. We’ll explore the way doxing works, what information attackers look for, and what steps you should take to prevent yourself from falling victim to a doxing attack. Without further ado, let’s jump in!

How does doxing work?

Doxing doesn’t require much sophistication to work. Because most of us have large amounts of personally identifiable data floating around online (not always fully protected), all that the interested party has to do is gather that information. Of course, gathering all that information takes time and effort and can be done in a variety of ways. Here are some of them:

Username tracking

Usernames, while typically for our various online accounts, are equivalent to our real names. Often we use the same username across multiple online accounts. The problem with that is that once the bad actor looking to dox you finds out your usernames, it is then possible to track that username across a variety of online platforms and services. By doing so, the hacker can get a comprehensive picture of your online activities and overall presence.

IP address tracking

Because your IP address is inherently linked to your physical location, it is another critical piece of personally identifiable information that doxers are after. They can determine an IP address in a variety of ways. You can also expose your IP address unknowingly by visiting a fake website crafted by bad actors or engaging in a faux email conversation.

Phishing

For the uninitiated, here's a quick definition of phishing. Phishing refers to a type of social engineering attack where a fraudster sends out a carefully designed fake message. At first, the message might appear legitimate because such messages often mimic the style and design of those coming from legitimate brands in order to trick unsuspecting users into revealing sensitive information. Phishing has been one of the most commonly used cyber attacks in recent years. Falling victim to a phishing scam can have disastrous consequences.

Packet sniffing

The term packet sniffing refers to a malicious network interception. Doxers carry out network interceptions by connecting to the same network as the potential victim to gather valuable information. You can fall prey to packet sniffing by using unsecured WiFi networks such as public WiFi hotspots. Once the hacker successfully intercepts your network connection, it is then possible for them to extract all sorts of information. This information includes your passwords, credit card details, email messages, and other sensitive information that can be later used for doxin.

Social media stalking

Thanks to social media, we can connect with friends and family whenever we like with almost no limitations. Today, most of us are active on more than one social media platform. The problem with social media as it relates to doxing is that it offers a whole lot of information about us for bad actors, especially if our accounts are public. Hackers can easily track down your location, workplace, family, friends, the places where you spend your off time and more. All such information is of extreme value to doxers.

Reverse Mobile Phone Lookup

Our phone numbers can be a valuable source of information about us. They can help hackers reveal such information as our physical location, full name, and mobile carrier. Using a reverse mobile phone lookup service, bad actors can easily identify us. Such services work in a very simple way. An interested party can type in a phone number and look up who is associated with it.

Checking WHOIS

If you run a website, you’re likely aware of services such as WHOIS search. But for those unaware and perhaps looking to launch a website, it is important to understand that each domain name stores information about its owner in a registry that is publicly available and can be checked using the WHOIS service. A bad actor wanting to dox someone is able to gather quite a bit of information from this service. That information can include the name, address, phone number, and email address of the person who owns the domain name.

Checking government records

While we rarely think of our information as it relates to government records, doxers are well versed in tracking down the information they need via publicly available governmental websites. Often such websites can reveal our names or provide marriage certificates, business licenses, and much more to those seeking details about us.

Using data brokers

Data brokers have been a topic of fierce discussion for the last decade or so. However, regardless of how you feel about them, the fact remains – they exist at the given moment. As the name suggests, data brokers gather user information, package it, and sell it to third parties, which in most instances are advertisers. The information they gather is typically vast and various. It can range from your name, address, and other publicly available information to your online search history, purchases, general activity on the internet, how much time you spend online, and so much more.

The problem lies in the questionable reputation of data brokers. Some are known to be flat out unethical in their practices because they sell personally identifiable information to whoever pays up. Anyone looking to dox someone could simply buy information from such brokers.

What information are doxers looking for?

Simply put, doxers look for any kind of information that can be used to fully identify the potential victim. In most instances, that would include information we’ve discussed earlier, such as phone number, location, email address, photos, social security number, or bank account details.

Is doxing illegal?

Unfortunately, at the moment, no specific and wide-ranging anti-doxing laws exist. The legality of a doxing event can at best be determined only on a case-by-case basis. What further complicates the legality question is the fact that the doxed information is often publicly available online, which in turn means that the doxed party at one time or another chose to make it public. The essential thing with regard to legality is that the way boxers use the information can be deemed illegal, especially if it aims to harass, stalk, or threaten a doxed person. Most people see doxing as highly unethical, and by making their voices heard push for a change in the legal system.

For more than a decade, people have been trying to understand how legal systems governs their data, and it looks like there's progress. For instance, back in 2021, Kentucky and Hong Kong passed an anti-doxing law in each of their jurisdictions. The great hope is that more states and countries will follow.

Examples of doxing

Doxing is a real problem as we increasingly rely on IT technologies and move our lives online. According to research, 21% of Americans, which rounds up to 43 million, have personally experienced doxing. Here are some real-life examples of doxxing:

  • Major League Baseball pitcher Curt Schilling exposed sensitive information of people that were harassing him and making derogatory claims about his daughter. For some of those doxxed, this action resulted in a job loss or suspensions from school.

  • During the “gamergate” incident, two female game developers were doxed and experienced an extraordinary amount of hate directed towards them.

  • Back in 2015, Anonymous – a hacktivist organization – gathered and exposed data on a large number of KKK members and other hateful organizations.

  • In 1997, a website known at the time as Nurnberg Files doxxed a list of abortion providers’ personal information as a hit list intended for anti-abortion activists. This was one of the first doxing campaigns in the US.

  • In 2019, during the prolonged Hong Kong protest for liberty, protestors revealed the personal information of thousands of Hong Kong police officers along with the details of other local law enforcement agencies and their employees. During the protest, information about the protesters themselves as well as the journalists covering the events was also exposed.

Doxing is a sensitive topic due to the ethics behind it. Even though most of the information exposed is available publicly online, everything changes once innocent people are caught in the crosshairs. Due to doxing, a situation can turn nasty really quickly, and reversing the damage can be tricky, to put it lightly.

How to protect yourself from doxing

Making yourself completely immune to doxing may be an impossible feat. After all, every day we rely on online technologies and services for a variety of tasks, from shopping to banking. However, certain tactics can help you hide your personally identifiable information or at the very least, make it a whole lot harder for bad actors to access it.

Here are a few recommendations that should help you lower the chances of being doxed.

Protect your IP with a VPN

A virtual private network, usually referred to as VPN, is a type of service that provides network protection. A VPN does that by creating a secure tunnel for data flow. The secure tunnel is encrypted using advanced algorithms, which almost completely removes the possibility of an unauthorized network interception. By using a VPN service, you effectively mask your IP address and all the information related to it. A VPN is a must-have tool in the 21st century. It protects against doxing as well as a variety of other online threats.

Use strong passwords

Passwords are the kryptonite of the modern-day internet user. Everyone knows that password security and management today can be annoying and frustrating. So it’s not surprising whatsoever that a vast number of people tend to reuse simple and easy-to-guess passwords across multiple websites and apps. Such poor password hygiene opens up the door for bad actors because it provides them with a way to access most of the hacked person’s accounts by hacking a single password.

But using strong, complex passwords can be done, and it can be done smoothly, without annoyances and frustration. This is where password managers prove their worth. With a password manager, you get a single secure place to store all your passwords. Plus, today’s password managers come with a variety of features designed to make your online life easier than ever. Autofill, autosave, and password-generator features remove the frustration of manually typing passwords. On top of that, most password managers offer further security features such as a way to check your password strength to help you improve your overall online security posture.

Use a variety of usernames and separate email accounts for different purposes

As we discussed earlier, reusing a single username can be risky. One of the simplest ways that you can shrink your attack vector is by using different usernames for different online services. As a consequence of doing so, you’ll significantly lower the chances of being doxed because bad actors will have a lot more trouble following your digital footprint.

Adjust your privacy settings

Unfortunately, we don’t devote as much attention and time to our online privacy as we should. When we create a new social media profile, few of us check and adjust privacy settings. The situation is surely getting better due to the wide attention that the topic of privacy settings receive, but there’s always room to improve.

To further improve your online security and to limit the information that others can freely access on your social media profiles, make sure to adjust your privacy settings. We recommend making your profiles private. This way, only the followers or friends you’ve approved will have access to your profile information and other details you share through social media.

Watch out for phishing emails

These days, phishing scams are extremely common and sophisticated. Being aware of this fact alone can limit the chances of getting scammed or doxed. However, making yourself acquainted with what a perfectly crafted phishing email looks like will take you a step further. As a rule of thumb, it is always a good idea to avoid replying to messages or downloading attachments that come from dubious senders. You can find a detailed overview of what phishing is and how you can protect yourself from it in one of our previous blog posts.

Be cautious when granting permissions to apps

Not all apps are worthy of your trust. Some of them may be designed to flat out gather your information. Usually such apps are created by questionable vendors. However, even legitimate apps often overstep when it comes to data collection. Therefore, we advise you to always explore the ways that the app might collect data. Some of these ways could be tracking your location or gathering contact information stored on your device – all details that could be valuable to doxers. Thus, be sure to adjust data-gathering permissions accordingly.

Protect your financial accounts

Your online financial accounts hold an extraordinary amount of critically important information. Such accounts encompass everything: your name, address, workplace, social security number, and – most importantly – your money. Use strong passwords to protect such accounts. Also enable multi-factor authentication (MFA) so it serves as an extra layer of security.

Remove your data from the data brokers’ databases

You can legally remove all the information that data brokers hold in their databases. Doing this yourself can be time-consuming and at times frustrating because data brokers make it intentionally tricky to achieve the complete removal of your data. Here are a few links to major data brokers’ websites that will lead you directly to opt-out forms, which may save your valuable time:

Alternatively, you can use paid services such as PrivacyDuck, Reputation Defender, or DeleteMe to get all your data off the data brokers’ servers.

Hide domain registration information from WHOIS

If you run a website or other online platform that requires a domain name, it is extremely important to make sure that all of the information about you as a domain name holder is hidden from the WHOIS database. Usually this can be done by adjusting privacy settings at the domain registrar’s website.

Be aware of what you share

Sharing is the backbone of social media platforms. It is what makes them fun to use. However, it is best to always think twice before you post anything on social media. A single picture from your vacation could reveal way too much information for bad actors looking to dox you. Also, be sure to check sharing settings. You may want to limit your posts to your friends’ feeds only and not show them to the whole world.

What to do if you have been doxed

Getting doxed can be a stressful and exhausting experience. It can lead to harassment in the real world and more. However, if you have been doxed, it is important to stay cool and collected and follow a few steps that will help you minimize the damage done and expose the parties behind this devious attack.

  • Report the incident.

    The first thing you should do if you have been doxed is to contact financial institutions and local law enforcement agencies to get a better understanding of what concrete actions you should take.

  • Secure all your online accounts.

    Make sure to change all the passwords on all your online accounts, including bank accounts, social media profiles, and email. Enable MFA to further improve the security of your accounts.

  • Get support from family and friends.

    As mentioned above, doxing can be a troubling experience. You don’t have to go through it alone. Let people you trust know what has happened and let them express their support.

Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.