What Is Doxing? How to Protect Your Online Information in 2024

Doxing (also spelled as “doxxing”) originated from the term “dropping dox” or “dropping documents.” It’s a form of cyberattack that threatens an individual’s physical safety by exposing real-world information about them. This can include revealing the person’s real name, present home address, contact numbers, financial information, and other personal data.

Unlike other forms of hacking or data leaks, doxing doesn’t require one to have technical know-how — virtually anyone on the internet can do it. A single piece of information, such as a person’s name published on social media sites, can be used to scour the web for other personal details.

Even “private” accounts can be doxed by people with time and dedication. For instance, a Google image search of your name can lead a doxer to your relatives’ social accounts, where details such as your birthday and home city could be posted.

While private information is often consensually or intentionally disclosed on social media, what makes doxing so dangerous is that it usually comes with harassment and the threat of real-world harm. In most cases, the victims are those who are already the subjects of bullying and intimidation online. Thus, exposure of their information could lead to physical attacks.

How Did Doxing Start?

Anonymous, the international hacktivist collective, contributed to popularizing the term “doxing.” The act was first prevalent in the hacker community in the 90s. During that time, anonymity was heavily valued and protected. So, when rivalries and feuds between hacker groups climaxed, those involved would dox their counterparts in an attempt to undermine or sabotage them.

Today, reasons for doxing could be as juvenile as a prank or as sinister as inciting direct physical violence. Regardless of the motivation, it’s a highly dangerous form of online attack that carries serious ramifications for the victims.

Is Doxing Illegal?

There is no clear-cut answer as to whether doxing is illegal. In most cases, it isn’t considered criminal if the data gathered and disclosed are publicly available information. This could include published names, marriage details, unsealed criminal records, and more.

On the other hand, doxing could be punishable by law when it involves the release of private details such as credit and banking information, unlisted phone numbers, and birth certificates. It’s also considered a jailable offense if it could be proven that the act directly led or contributed to criminal deeds like assault, harassment, or identity theft.

Since doxing is a grave form of cyberbullying, places with strict laws against it could charge doxers under such rulings. Additionally, some countries and states have passed anti-doxing laws. In Kentucky (US), it’s already illegal to dox anyone under 18.

Hong Kong has also signed into law an anti-doxing measure. However, it was met with heavy controversy due to assertions that it would most likely only protect government and law enforcement authorities. There are also claims that the law could prey on activists and civil society members who call out or expose corrupt officials.

How Are You Vulnerable to Doxing?

Doxers could target a wide variety of information. Some of the details most valuable to them include your personal photos, banking details, family tree, physical home and office addresses, social security number, and usernames across social media platforms. These pieces of information are frequently gathered and exposed using the following methods.

Social Media

The abundance of social media platforms has made it easier for people to dox each other. Seemingly innocuous information posted online is precious to those looking to exploit your vulnerabilities.

For example, sharing your favorite coffee shop or where you go to school could allow doxers to rally an online mob to physically assault or harass you in those locations. Hence, it’s recommended to refrain from exposing your whereabouts online. If unavoidable, connecting online only with people you know and trust is vital.

Live feed updates may reveal your current location, making you vulnerable to doxers.

Individuals who use live-streaming and vlogging platforms are more vulnerable to doxing. When on apps like Twitch and YouTube, users might accidentally share details that could later be used to identify them in the real world. Similarly, information gathered from the backgrounds of vlogs or TikTok videos — such as a home’s layout or pictures of family members — could be potentially damaging.

Username tracking

While there are pros to having the same username across social networking sites, including convenience and memorability, it could quickly become detrimental when you’re the target of doxing.

Suppose someone on TikTok decides to dox you, and you have the same username for all your online accounts. Your doxer would easily be able to find your Facebook account, where they could harass your friends and family. They could also locate your LinkedIn profile and collect your professional information.

IP Logging

More tech-savvy doxers can use a hacking technique called IP logging. They will send you an official-looking email with a malicious link that, when clicked, will reveal your real IP address to them. This could be used to collect information such as the city you’re currently in and the browser you use.

Your real IP address could also reveal your internet service provider (ISP), including public Wi-Fi networks you connect to. This information would allow a hacker to launch cyberattacks focusing on that Wi-Fi connection, potentially compromising your data.

Data Brokers

With the rise of targeted online advertising, data brokers also came into play. These businesses collect and sort billions of user data, which are then sold to interested parties. Most of their clients are advertisers, but dedicated doxers could also use information from data brokers to find details about their targets.

Data brokers commonly gather data from sign-ups to free apps, public records, and online quizzes or surveys. They could also buy information from online ticketing companies, airlines, and other online services that ask for your data. Using free VPNs is also highly risky, as some apps might monitor and store your browsing logs, later selling them to data brokers.

Whois Lookup

The Whois database will show registration information for all URLs, but not all details are real or accurate.

To get a website domain for you or your business, you need to fill in personal information that includes your name, phone number, email address, and real-world address. Most people would register websites with fake details and decoy email addresses, and you could also hide your data by paying extra fees to your domain broker. However, those who use real personal information during registration or fail to obscure their details could be doxed through the Whois website.

The raw Whois data displays the registrant organization and email, admin country, server names, and more.

Phishing

Phishing is a form of social manipulation cyberattack that tricks individuals into disclosing sensitive data. Hackers and doxers would contact their targets pretending to be government or law enforcement representatives and then ask for personal information. Likewise, they could attempt to sneak malware into their victims’ devices through links disguised to look credible. The virus would then give the doxer unfettered access to their target’s personal files.

Popular Cases of Doxing

Data extrapolated from US-based statistics found that around 14% of the online population has been doxed at least once in their lives. This shows that this harassment targets not only hackers and public personalities but also average users. Some of the most infamous cases of doxing include:

Gamergate (2014)

Gamergate was a year-long cyberbullying campaign that made ripples in the US, being discussed even almost a decade after the event. It was popularized and spread through the hashtag #Gamergate, which mainly targeted women in or related to the gaming world.

Zoe Quinn is a programmer and developer who created the video game Depression Quest. When her ex-boyfriend, Eron Gjoni, made a blog post claiming that she engaged in intimate relations with a journalist in exchange for positive reviews for her game, the predominantly male gaming community was quick to spew hate.

There was no proof to back the allegations because the named reporter never posted a review of Depression Quest. Still, this didn’t stop gamers from harassing Quinn and eventually hacking her Tumblr account. Using the same password for Tumblr and eBay proved detrimental to Quinn, as people found her shipping address through the e-commerce platform.

Soon, her old and current home addresses and phone numbers were shared and reposted several times. This allowed the harassers to call her and her family members, slinging threats and verbal abuse.

In October 2014, Brianna Wu criticized Gamergate supporters, which led to her also getting doxed. An anonymous user on 8chan (an image board known for a host of controversies involving mass shootings and right-wing extremism) posted Wu’s email, phone number, and home address. Soon after, Wu started receiving death threats.

Actress and gamer Felicia Day was also victimized. Less than an hour after sharing her views about Gamergate on her Tumblr page, an anonymous user posted her personal email and real-world addresses. Many Twitter users were quick to note that Day was immediately harassed, while male celebrities who also spoke up against Gamergate weren’t targeted.

Boston Marathon Bomber (2013)

In 2013, the 117th Boston Marathon event turned into a tragedy after a terrorist bombing killed 3 people and wounded 260 others. The culprits were identified as brothers Dzhokhar and Tamerlan Tsarnaev. However, this discovery wasn’t made before several innocent people were falsely named and accused by a now-banned subreddit, r/FindBostonBombers, dedicated to finding the bombers.

Reddit issued an official public apology for fueling “online witch hunts and dangerous speculation.”

In the subreddit, CCTV footage and stills of the suspects leaving the scene of the bombing were posted. Even though the group’s rules didn’t allow individuals to be named without evidence, people were soon mentioning characters whom they believed resembled the suspects. Sunil Tripathi, a 22-year-old who had then been missing for a month, was one of those named.

In reality, Sunil suffered from depression and was — a week after the Boston bombing — found dead by suicide. His death was estimated to have happened before the bombing.

This blow to the Tripathi family came after they endured much harassment from people who were convinced that Sunil was one of the bombers. Members of the subreddit also doxed other individuals they suspected, leading to many innocent people and their families getting bullied online.

Nuremberg Files (1996)

Neal Horsley’s “Nuremberg Files” was one of the earliest and most infamous cases of doxing. Horsley, an extreme anti-abortionist, created a website that listed around 200 abortion providers along with their photographs, phone numbers, and home addresses.

A grueling legal battle erupted around the controversial website. On the one hand, arguments were made that the “Nuremberg Files” was a mere expression of Americans’ freedom of speech. Conversely, it was asserted that the website was nothing less than a threat.

The “Nuremberg Files” rejoiced about abortion providers’ deaths while not-so-subtly spurring others to harm other “abortionists” on the list. Names were written in font formats that followed a legend: black for working, gray for wounded, and strikethrough for dead.

Eventually, the website was found to resemble a hit list and was thus legally declared a threat. While Horsley complied with the order to take down the “Nuremberg Files,” other extremists continued to host the site in other databases. Even today, anti-abortionists use doxing to harass, intimidate, and attempt to shut down the operations of abortion providers.

Protect Yourself Against Doxing

Given the potentially disastrous or tragic consequences of doxing, it’s important to know how to protect yourself from such attacks. Follow the tips below to reduce your susceptibility to doxing:

1. Identify Your Vulnerabilities

Most doxers rely on easily obtainable data to build a “profile” of their victims. This is where self-doxing comes in. If you suspect you’ll be targeted or are simply worried about your vulnerabilities, you can try doxing yourself (also called “self-doxing”) to see what information about you is available online.

Start by searching for your name on Google and checking whether any of your personal accounts appear in the results. Be sure to also review Google Images and, if there are relevant photos, note the website where they came from. You can then follow the links to see if there are other details people can get.

Similarly, you could use a different account to stalk yourself on social media. If you’re worried about getting doxed by strangers or outsiders, you could check your profile using an account that’s not your friend or follower.

Lastly, you could use sites like haveibeenpwned.com to know whether your accounts have been in known data breaches. Then, delete information that you don’t want to remain exposed, and keep a list of other vulnerabilities so that you can easily trace them in case you get doxed.

The website lists the largest recorded breaches and the most recently added breach databases.

2. Consider Password Managers

As evidenced by Zoe Quinn’s dreadful experience, password strength matters when there are people who are actively trying to jeopardize your online privacy and safety. Passwords that are a combination of lowercase and uppercase letters, numbers, and special characters are more difficult for hackers to guess. You may also use passphrases to increase complexity.

Additionally, make sure not to use a password for more than one profile. This decreases the chances of all your accounts getting compromised if a doxer manages to hack into one. If you find it difficult to keep track of several complicated passwords, use open-source password managers. Most of these apps also come with a feature to generate passwords, so you can ensure their strength.

3. Diversify Your Online Accounts

Similar to using different passwords per account, it helps to use various usernames. That way, doxers won’t be able to easily find your profiles across platforms. Ideally, usernames containing your real name should only be used for professional sites like LinkedIn.

Likewise, refrain from using your full name in all your social media profiles. On sites like Facebook, where you’re required to input a first and last name, you may use a nickname or a variation of your real name. For instance, you could change the spelling of your first and last names. For sites without strict naming guidelines, such as Instagram and Twitter, it’s best not to publish your real name.

4. Regulate Information Sharing

Personal details you share on social media may seem trivial, but doxers can use the smallest details to find or exploit vulnerabilities in your online security. As much as possible, refrain from sharing posts and information with the public and limit your circle to people you personally know and trust. It’s also recommended to avoid geotagging to prevent outsiders from mapping your movements and potentially pinpointing your home’s approximate location.

Revealing details like your birthday, school, workplace, or the name of your family members can also be more harmful than you think. Remember that most online accounts ask users to set security questions that involve trivial personal information. If a hacker or doxer happens across such questions, they might be able to take control of your account and unearth more private details about you.

5. Find a Reliable Antivirus Suite

Dedicated doxers will go beyond scouring the web for information and following leads. Those with technical savvy might not hesitate to trick you into downloading or clicking on malware to try to infiltrate your systems or accounts.

A dependable antivirus suite can help flag such threats. While there are free apps out there, they are often outdated and fail to tackle and block viruses comprehensively. On the other hand, premium software will prevent you from falling victim to the latest spoofing, ransomware, or spyware attack strategies.

6. Use a Trusted VPN

Doxers can collect much sensitive information just by spoofing their victims’ IP addresses. It won’t directly reveal anything more than your approximate location and ISP. But hackers could then use phishing to deceive your ISP into revealing your personal information, including your name, contact number, home address, and billing information. To prevent this, use a reliable VPN to encrypt your data and hide your browsing activity from prying eyes.

Editors' Note: Expressvpn and this site are in the same ownership group.

What to Do if You Get Doxed

If you learn that you’ve been doxed, the first thing you need to do is avoid panicking. Doxing is a serious threat, so it’s crucial to maintain your presence of mind so that you can efficiently proceed with the following steps:

1. Review what information was released. You must understand the gravity of the exposure so you can weigh the risks and decide what to do next. For example, if you learn that the doxing was a simple prank, you could easily contact the persons responsible and ask them to take down the information.
2. Move to a safe place if there’s a threat of physical harm. If your home address is among the details published, and you think there’s a real possibility that your online harassers will act on that information, relocate to a safe and unexposed place as soon as possible. Preferably, stay with a friend or family member who will provide you with emotional support during this distressing period.
3. Inform law enforcement with jurisdiction on addresses that were exposed. Authorities should be made aware if there’s a credible threat that doxers or harassers will appear at your doorstep to inflict harm. Even if you’ve relocated to a safe place, law enforcement could monitor your compromised addresses and apprehend anyone who shows up with proven malicious intent.
4. Alert your banks. If your banking or credit card information was shared, immediately report the incident to your financial institutions. Make sure to provide a detailed narrative, including when the doxing began and when your financial data was first compromised. Ask them to lock down your accounts and flag transactions that occurred since the doxing started.
5. Document the doxing to use for possible litigation. Stealing and indiscriminately spreading private information could be punishable by law. Also, incitement to violence is another crime that doxers could be penalized for. Hence, it’s important to keep a record of the threats made, preferably documentation that shows the timeline of the doxing, the gravity of the threats, and the people responsible.
6. Change passwords and usernames for all your accounts. Changing your username and published name could potentially misdirect your online bullies. You can also prevent further exposure by locking down your accounts. Set all your profiles, posts, and images to private, and try to purge your social media accounts of people you don’t personally know.
7. Contact affected platforms. If the doxing targets specific sites, you may try to contact those platforms and request to take down your information. Some even have anti-doxing policies that might help stop the doxers from releasing more information and hold them accountable for their actions.

Wrapping Up

Doxing is one of the most dangerous forms of cyberbullying because of its real-world consequences. It weaponizes what has become a staple in most of our lives — information sharing over the internet — and uses it to harass, intimidate, blackmail, or threaten individuals. As such, it’s essential to arm yourself with the knowledge of how to avoid being victimized and what to do if you or someone you know lands in the crosshairs of a doxer.

While we can’t dictate the actions of strangers on the web, we have the power to control the details about our lives that we put out into the world. As long as we interact with the digital space with utmost responsibility and awareness, we can reduce the risks of being doxed and mitigate its effects to ensure our personal safety.