Doxxing is the short form of dropping dox which is the practice of digging up personal information to expose the true identity of persons who want to remain anonymous online. Hackers execute this kind of cyber attack to shame or harass their victims online.
What Is an Example of Doxxing?
The act of doxxing is releasing the personal data of a private person on an online forum that can damage their reputation and those of their personal or professional associates. This data could include information about where they live, where they work, their internet connection, their Google search results, etc.
A famous case of doxing is the one involving the company Ashley Madison. Ashley Madison is a dating site that caters to people who are looking for a discrete relationship outside of their current relationship. A group of malicious hackers demanded to know the identities of the management behind Ashley Madison. The company’s management team held their ground which led to the hackers releasing their personal information online.
Millions of people were doxxed in the process, causing massive humiliation and embarrassment and putting at stake the personal and professional reputations of the victims. The core aims of doxxing are to violate someone’s privacy and to put victims in awkward positions.
A doxxer could feel attacked by their target and therefore seek revenge. Unknowing online users could become victims of doxxing because of controversial opinions they post on message boards or social media sites. They could also just be someone who the doxxer doesn’t like.
What Happens if You Dox Someone?
If you dox someone, you expose their identity online or on social media by sharing their personal data with the malicious intention of harassing or shaming them. This personal information could include their home address, telephone number, employer, credit card accounts, bank account information and personal photographs.
Most doxxing victims prefer to stay low-key or anonymous on online forums, making them targets for hackers. People may choose to remain anonymous online because of controversial beliefs or they just lie low by nature.
Most online users pay less attention to the information they share or post online. Hackers and cyberbullies use hints of such information and trace them back to their victims, eventually accessing their personal data.
While doxxing is predominantly conducted online today, doxxers can execute malicious attacks on victims outside the internet as well. It started back in the U.K. in 2017 when Wired.com aired a story that highlighted an instance of a U.K. office making efforts to improve racial relations. Far-right activists posted an official’s phone number in public toilets, exposing him to midnight harassment calls.
Methods for Doxxing
The methods that doxxers use to find personal information and use it to dox people are discussed below.
Many online users use the same login credentials over several online services. Potential doxxers can track their interests and browsing patterns to uncover the target’s identities. Then, if they can figure out the login information for one site, they can use that same information to access personal information stored on other sites.
Reverse Mobile Phone Lookup
Reverse phone lookup services like white pages services charge a fee for users looking to find out more identifying information about a target using their mobile phone number. A doxxer can use a victim’s phone number to find out more information about them. White pages services could give more information beyond a victim’s city or state. The option of paying for a reverse mobile phone lookup service makes it easy to find out information about a user.
Use of Data Brokers
Several data broker websites sell the personal information of online users for a profit. Data brokers gather data from publicly available records which include voter registration logs, marriage certificates and loyalty cards.
Many data brokers also rely on website users’ online search histories and can also get further information of their prospective targets from other data brokers. Some data brokers sell online users’ personal information to advertisers to use to tailor their advertising. There are also some sites that serve as a searchable database where people’s information is sold for $20 a pop.
Doing a WHOIS Search on a Domain Name
People who own a domain name always have personal information stored in a publicly available registry. Online users who don’t make their personal data private when purchasing their domain name become easy targets for doxxers. Personal information on the public registry could include a person’s name, address, phone number, business name and email address.
Social Media Stalking
Social media users with public accounts represent a soft spot for doxxers. Also, anyone could find out more information about them through cyberstalking, not just doxxers.
Doxxers could uncover a target’s personal info using their insecure email account through phishing – a form of social engineering attack often used by hackers to steal private data such as credit card numbers. Attackers posing as trusted entities lure victims into opening email accounts or messages that contain malicious links. Doxxers could use the malicious link to reveal an online user’s sensitive information.
IP Address Tracking
Once doxxers get ahold of their victim’s real IP address, they can use social engineering tricks to access extra information.
Packet sniffing is a technique used by doxxers to intercept your internet data. An attacker can access a victim’s private data ranging from old email messages and bank account information to credit card numbers and passwords. Once a doxxer has access to an online network, they can crack the security protocol and capture the data flowing in and out of the network. Online users can prevent online data from being intercepted by using a virtual private network or VPN.
Filtering Government Records
Government records contain personal information that doxxers can use for their malicious attacks. Such private information may not be readily available online but can be found in government records such as county records, marriage certificates and voter registration logs.
What Happens When You Get Doxxed?
Getting doxxed has dire consequences, such as receiving threats from hackers online or a person’s home getting vandalized because of an exposed home address. Employers could gain access to past information that puts the reputation of their employees at risk. A person’s telephone number could be listed on public internet message boards leading to late-night harassment from strangers. Victims should lock down their social media accounts and verify that accounts owned, such as Gmail, have not been hacked.
There are actions you can take if you’re ever doxxed. These actions are detailed below.
Report the Attack
Victims should report doxxing attacks to the online platforms where their personal info has been posted.
Involve Law Enforcement
When a doxxer makes personal threats, the best action a victim could take would be to contact the nearest police department and report the threat.
Document the Doxxing Incident
Documenting the doxxing incident helps law enforcement with investigations into what happened. Victims should capture screenshots or download pages containing the sensitive information that was posted.
Protect Your Financial Accounts
Individuals who have fallen victim to doxxing should report incidents of their bank account numbers or credit card numbers being posted online to their financial institution. Taking such a step is necessary to protect your financial accounts. The credit card service provider will issue new cards to doxxed victims and advise them to change their passwords.
Improve Your Privacy Settings
Victims of a doxxing attack need to configure their social media privacy settings to avoid future cases of snooping and doxxing.
What Does It Mean to Get Doxxed on Facebook?
A Facebook user could get doxxed if their information on the platform is public. Doxxers could use Facebook to find your location, friends, photos, your workplace, likes and dislikes, the places you’ve visited and even the names of your family members. A doxxer will use this information to cyberstalk you and go to the extent of answering your security questions using your online accounts, including your online bank account.
Online users should get used to the practice of using different usernames and passwords for their other social media sites such as Discord, YouTube and Reddit to avoid getting doxxed easily. Online users using the exact same login details for all of their social media handles become an easy target for doxxers. Facebook users should keep their information as private as possible to stay safe online.
Facebook users and users of other social media sites also need to be aware of data brokers. Doxxers could easily pay to get access to users’ private info for malicious attacks. Facebook users should avoid using their Facebook login details to sign in to other third-party websites since these websites often keep requesting more information. This makes online users vulnerable to data breaches.
Warning:If a user’s password leaks, it could fall into the hands of doxxers who could use the information to search for more information about their victims.
Why Is It Bad to Get Doxxed?
Doxxing may appear harmless until the victim suffers the consequences. Despite being an age-old practice, doxxing is setting a more dangerous precedent in recent times. The practice entered mainstream awareness in December 2011 after an anonymous hacktivist group revealed the identities of 7,000 law enforcement officers after investigations were conducted into hacking activities.
Online users purposely put their personal information online for social networking. But trouble kicks in when someone with malicious motivations starts digging through an online user’s private information that they don’t remember posting in the first place. Doxxed victims suffer from prank calls, exposed anonymous identities and being forced to delete their social media accounts.
Doxxing happens online with ripple effects that could change the victim’s way of life in ways that aren’t limited to identity theft, cyberattacks, public shaming, professional or personal reputation damage, legal prosecution and swatting. It could also lead to losing a job, home or family when relationships become strained because of the damage. Worse, it may cause assaults, harassment and even the loss of life.
How to Avoid Getting Doxxed
Prevention is always better than reaction. People who are active on social media sites may take one or more actions to protect their internet communications. A list of these actions is presented below.
Enable Multi-factor Authentication on Email and Passwords
Individuals who enable multi-factor authentication on their email and other accounts will require a two-step identification process to log into their accounts. The common procedure is having a password followed by a verification code or a user’s phone number. Doxxers trying to intercept your online communications will find it difficult to access your password and crack your PIN.
Hide IP Addresses
Use a VPN, antivirus and malware detection software on your devices to hide IP addresses. A VPN works as a sifter for internet communications. It works by encrypting your data, such as your IP data and location. A user’s internet traffic from their PC goes through a VPN, acquiring its identifying properties.
When this happens, a user’s internet service provider can’t detect a user’s IP address and can’t see what the user is doing online. Suppose an IP logger targets the IP of an online user, they can only capture the IP of the VPN and not the real person’s IP.
Online account owners could also use a proxy server in place of a VPN. It works using the same principles as a VPN but doesn’t encrypt your internet traffic. However, a proxy server fails to hide the identity of a real person’s VPN, making them vulnerable to doxxing. PC owners should also employ extra security measures on their devices by installing malware detection and antivirus software.
Antivirus software protects your device against computer viruses that hackers or doxxers create to get access to your private information. Installing malware detection on your device also gives your device extra protection against cyberattacks. A malware detector acts as an early warning system for your computer. The detector will secure your devices against any malware or cyberattacks, preventing hackers from accessing your computer to collect information.
This is important:Individuals who have antivirus and malware detection software on their computers should update the software regularly to help prevent any security leaks that hackers could use to invade their privacy. Virus definitions change often and need to be kept up-to-date to be effective.
Keep Social Media Accounts Private
Personal information available on social media includes users’ names, home addresses, photos of friends and family members, birthdates and so much more. Doxxers will have an easy time identifying information from users having such public social media profiles.
Online users may be deluded into having no enemies online, but nobody can be safe in online forums. Google account owners and social media users should keep their personal information private by taking advantage of the privacy settings provided by social media platforms. Internet users should tighten their privacy settings on social sites for personal reasons, such as sharing photos of family and friends. For sites used for professional services or sharing news, one could keep the settings public but refrain from sharing sensitive information.
Create Strong, Secure Passwords
Creating a strong and secure password for your Google accounts and other online accounts requires using a combination of lowercase letters, uppercase letters, numbers and special characters. It’s also important to use a different secure password for all online accounts. Online users who use just one password for several online accounts risk being doxxed. Use a password manager to cut off unauthorized access and store your passwords.
Disengage From Data Broker Websites
Search and remove yourself from online data brokers that could be selling your information online. Some websites are good at mining internet data such as your physical address, phone number, email address and social media accounts to gather them in one place. Examples of such websites are PeopleFinder.com and Whitepages. The amount of personal information that these sites store in their databases can be shocking.
Luckily, internet users can opt out of such websites if they encounter sensitive data that could put their lives at risk. Data broker companies can be flexible enough to get you off of their websites.
On the contrary, internet users who have chosen to opt out could find this to be a tall order because of the difficult and lengthy process that may ensue. Such cases occur because data broker sites try hard to safeguard their business interests. Internet users can use services like DeleteMe to erase the entirety of their data from such sites.
Limit Personal Information on Search Engines
Too much personal information on a search engine, such as Google, exposes you to online attackers. Users can search for their names on Google to learn how much of their information is on the internet.
Note:Individuals who find plenty of their personal information online can submit a request for Google to remove some of their personal information by completing an online form. Data brokers can get access to an online user’s private data for checking information related to crime.
Keep WHOIS Domain Registration Information Private
All internet domain names are registered on a database referred to as WHOIS. Anyone online can identify the personal details of domain name owners such as their contact information and physical address via the WHOIS public registry.
You can keep your personal information private by registering anonymously on the WHOIS database. The registry provides privacy options to allow you to hide your real identity. Check with your domain registration company to see how to keep your WHOIS information private.
Use Separate Usernames for Different Platforms
The online world has innumerable services that one could use for all activities including shopping, book subscriptions, online games, etc. Avoid having the same username for your accounts to stay safe from malicious activities of hackers and doxxers.
Pro Tip:It’s best not to use real names on online forums such as Reddit. Users on the platform should ideally use pseudonyms as their usernames. Users need to avoid using personal details such as their birthdate, real name, location or any information that could make them easily identifiable.
Have Separate Email Accounts for Separate Purposes
Another way individuals can boost their online privacy is to create separate email accounts for different kinds of correspondence, such as professional or personal. A user could use a personal email account to maintain communication with their close family members and friends. Such email accounts shouldn’t be used to communicate with persons who are not part of your family or friends.
Pro Tip:One could also have a separate email address to sign up for music sites, online forums, message boards, social media sites and streaming services. A third email address could be used for professional services where a person can communicate with colleagues, network with industry peers and correspond with their supervisors.
Avoid Sharing Sensitive Data Online
Keeping it private means that you don’t post all kinds of information online, such as your home address, Social Security number, driver’s license number, etc. Check for other sensitive information such as bank accounts and banking information from your credit card provider.
Get Rid of Redundant Online Profiles
Internet users could have lots of information online in old profiles without their knowledge. Individuals should review their online information to find out how many sites could be storing their information. One could find profiles that were created decades ago still bearing their personal information and still publicly accessible. Delete such profiles to keep your personal information private.
Stay Alert for Phishing Emails
Phishing emails are among the many tricks that doxxers use to trap their victims and steal their private information, especially online bank account numbers, home addresses and Social Security numbers. Be wary of such schemes when you receive messages from a credit card provider or a bank company. Typically, financial institutions don’t request this kind of information via email.
Take Precautions Against Online Quizzes and App Permissions
Numerous sites require users to enter their personal information as a response to a security question. While this may seem safe, that’s not always the case. Some sites may request personal information such as email accounts and social media details. These sites could easily tie this information to an individual’s real identity.
This is important:Internet users should also be wary of mobile apps that request access to personal data that’s not needed for the app to function. Users should proceed with caution if asked to provide sensitive information such as their GPS location, contacts or social media profiles.
Can You Dox Someone With Their IP Address?
A typical method used by doxxers to access the private information of their victims is using a piece of invisible code called an IP logger. The doxxer attaches the hidden code to an email message in a way that the potential victim won’t see it. The victim will open the email, oblivious of the danger that lies ahead. The code immediately begins tracking the user’s IP address and communicates it to the IP logger, allowing the doxxer to track information about the victim.
Doxxers also use social engineering tricks to access the internet service provider information of a user on a blog or website. If a user on a blog posts information on the blog’s forum, the administrator or owner of the blog will see the user’s IP address through the comments. Blog owners and administrators can filter through users’ comments and block the IP addresses of site users with unwanted comments on the site.
Doxxers can also use this opportunity to pounce on a user’s IP address and use it to locate their internet service provider. The doxxers will then use the user’s internet provider’s phone number and pretend to be part of their technical team. They may say that they’re calling to help out with a technical issue, but the endgame is to gain access to your personal data, such as credit card numbers and bank account numbers.
Is Doxxing Difficult?
Doxing isn’t difficult. A person can follow a quick procedure to check how easy it is to dox themselves. This procedure is detailed below.
- Conduct an identity search on Google.
- Do a reverse image search.
- Check email accounts for significant data breaches using sites like Have I Been Pwned.
- Check personal information online that relates to your professional services such as resumes, bios, PDFs, etc. Remove personal data such as telephone numbers, home addresses or update them with shareable information.
Is Doxxing Legal?Doxxing can either be legal or illegal since each specific case or incident is likely to be different from the others. Doxxers can’t be arrested or convicted if the information exposed is part of your public record. Public record information could include marriage and divorce certificates or traffic violations.
No specific laws govern doxxing. However, a doxxer can be charged for other crimes related to doxxing. Common crimes that doxxers could be charged with include but are not limited to harassment, identity theft, stalking and violence. The U.S. has two explicit laws, the Interstate Communication Statute and the Interstate Stalking Statute, that could be used to charge a doxxing perpetrator depending on the particulars of the case.
Can You Go to Jail for Doxxing?
Yes, you can go to jail for doxxing someone. The chances of going to jail are higher if you engage in false reporting or swat someone. Swatting is the act of making a prank call to a local police department or a related government agency to send armed police officers to a particular address.
An example of a convicted case of doxxing involved a teenager who was disappointed with losing a $1.50 bet in the game Call of Duty. He lied to the police about a hostage situation at his opponent’s residence, but the address he gave to the police was an old one where his opponent no longer lived. Police arrived at the address and ended up shooting and killing a 28-year-old man who wasn’t involved in the game. The teenager is now serving 20 years in prison after being charged with 52 criminal counts.
Why Is Doxxing Not Illegal?
Doxxing isn’t illegal because it isn’t unethical to publish personal information online that’s already in the public domain. A doxxer obtaining a target’s information legally for ethical use isn’t considered unlawful. However, the laws governing doxxing can vary between jurisdictions.
Revealing a person’s phone number or home address is more dangerous than mentioning their name. Doing so could be considered illegal and immoral and could have legal consequences such as imprisonment. Some cases will need to involve law enforcement, who may find difficulty in detecting and prosecuting different cases of doxxing.