What is Doxxing? And is it Illegal?
By Tibor Moes / January 2023
Imagine a situation where a celebrity sues a person or website for sharing sensitive information about them online. Maybe this information disclosed personal details or affected their career in a negative way, and the publisher didn’t ask for the celebrity’s consent.
Summary: Doxxing someone means releasing sensitive personal information about them online without their consent. Revealing personal information may or may not be legal, depending on the case and situation. Personal accounts of social media users, private documents, phone numbers, and many other types of data can be doxxed. Getting protected against doxxing is crucial in the virtual world, and you’ll learn all the necessary steps on how to do so below.
Tip: Don’t become a victim of cybercrime. Protect your security and privacy by installing antivirus software and a VPN service.
What is Doxxing?
Doxxing, also known as doxing, is a term that derives from the expression “dropping dox” or dropping important files (documents) about an enemy or adversary. The motivation behind doxxing comes from different sources. It can be political, an act of revenge, etc. A doxxer may act with the goal of exposing a perpetrator or criminal.
Unfortunately, plenty of doxxing examples show people who have been wrongly doxxed and suffered harm as a result. Journalists can be doxxed and open to intimidation or harassment. Also, private information such as phone numbers of lawmakers can be released online to put pressure on them before important rulings. The idea behind the action may be to remove the person from their position, get them fired, perform identity theft, or even cause physical or psychological harm to the victim.
Attackers often find information in publicly available records and databases, through Open-Source Intelligence (OSINT), on social media accounts and profiles, through social engineering, and on other platforms. Any instance of exposing private data like this is doxxing.
The Origins of Doxxing
Doxxing was mainly used by early hackers when websites and forums had plenty of anonymous users. Hackers used to dox users with controversial views in order to expose their identity and bring them to the attention of the authorities.
Today, doxxers use pretty much the same methods as the early hackers. However, the severity and the frequency of doxxing attacks have grown tremendously. Today, doxxing attacks are usually oriented towards regular users for often trivial reasons.
Doxxing attacks also have a compounding effect on marginalized communities and discourage them from using social media and other public spaces.
What’s more, doxxing is often targeted at institutions, campaigns, and people with certain characteristics in an attempt to silence them and hinder their freedom of speech.
How Does Doxxing Work?
A doxxer works by collecting breadcrumbs about someone. These refer to small data pieces that can be found all over the internet. As they gather more private data, doxxers assemble the pieces and eventually reveal the identity of the person behind the information.
Many internet users register on different websites, apps, and services with the same username. Doxxers can track usernames in order to get a more detailed picture of how a person spends their time, what their interests are, and more.
Types of Doxxing
A doxxer can collect information about internet users in a variety of ways that include IP or internet service provider (ISP) doxxing, social media doxxing, data broker doxxing, phishing, sniffing, WHOIS lookup, and more.
IP/ISP Doxxing
IP or ISP doxxing is done through the IP address of a user that gets linked to their physical location. The hacker can use a range of social engineering methods to trick internet providers into sharing more identifying information about the user.
They can use spoofing apps to trick the user into believing they are receiving a call from their internet provider’s tech team. The doxxers can also request access to information such as full name, personal email, ISP account number, and others. It takes a lot of work to get one such call to work, especially since the action involves tricking an ISP worker as well. However, if done properly, one call can get the doxxer a lot of private information.
Social Media Doxxing
Social media doxxing refers to collecting personal info from social media accounts. This can include the place of work, age, birthdate, location, photos, liked and disliked posts, and more.
This kind of doxxing is dangerous. It can help hackers find the answers to security questions, offering them free entry to your other accounts.
Say you post daily photos of your pet Gigi online, relaying her name and tagging her in photos. But also, your security question for your Google account is, “What is the name of your last pet?”. It’s easy to connect these two pieces of information and gain access to your other online accounts.
If you’re active on YouTube, Reddit, Discord, and similar social networks, use different nicknames and passwords for each site. Otherwise, dedicated doxxers can combine the information from different accounts and create a comprehensive picture of your online activities.
Data Broker Doxxing
Sometimes, doxxers can purchase your personal information from data brokers. Usually, brokers sell personal info to advertisers, but they can also expand their business to people-search engines. This can include your online and offline buying behavior, customer loyalty cards, online search histories, and more.
Note that data broker sites can gain information about you from any publicly available record.
Phishing
Phishing is the malicious use of communication to trick the victim into revealing their personal information. This can include spear-phishing attacks that collect information about someone.
Antiviruses can help users protect themselves from phishing attacks by sending a warning whenever such an attempt occurs.
Sniffing
Sniffing occurs when hacking software intercepts internet traffic between the sender and the receiver. Normally, the traffic is transmitted in data packets, which are small pieces of information. Sniffers use hardware or software tools to collect these packets and access the private data inside them. A VPN is often the best protection from such attacks.
Sifting Government Records
This includes your voter registration logs, business license databases, DMV records, marriage licenses, government records, and more.
WHOIS Lookup
WHOIS is a free service that lets people gain information about owners of particular web domains. If you own a domain, you can set your WHOIS information to private. However, if you ever forget to do so, your email address, name, or phone number become publicly available to whoever checks your domain name.
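To check whether your own domain's WHOIS record leaks contact data, the following added example (not part of the original article) parses the text of a WHOIS response and lists contact fields that are not redacted. The field names, the redaction markers, and both sample records are assumptions constructed for illustration.

```python
import re

# Placeholder strings registrars commonly print instead of contact data.
# This list is an assumption for the example; extend it for your registrar.
REDACTION_MARKERS = ("redacted", "privacy", "data protected", "withheld")

# Contact fields matching what the article names: name, email, phone (plus street).
PERSONAL_FIELD = re.compile(r"^(registrant|admin|tech)\s+(name|email|phone|street)$", re.I)

# Constructed sample records (reserved example domains, fictional contact data).
EXPOSED_RECORD = """\
Domain Name: example.org
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Street: 1 Sample Street
Registrant Phone: +1.5555550100
Registrant Email: jane.doe@example.org
Admin Email: jane.doe@example.org
"""
PRIVATE_RECORD = """\
Domain Name: example.com
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: https://registrar.example/contact-form
Admin Email: REDACTED FOR PRIVACY
"""

def parse_whois(text):
    """Parse the 'Key: value' lines of a WHOIS response into (key, value) pairs."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines and the comment/footer lines WHOIS servers add.
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            pairs.append((key.strip(), value.strip()))
    return pairs

def exposed_fields(text):
    """Return the contact fields whose value is real data, not a placeholder."""
    findings = []
    for key, value in parse_whois(text):
        if not PERSONAL_FIELD.match(key):
            continue
        lowered = value.lower()
        if any(marker in lowered for marker in REDACTION_MARKERS):
            continue  # registrar replaced the value with a privacy notice
        if lowered.startswith(("http://", "https://")):
            continue  # a contact-form link instead of a personal address
        findings.append((key, value))
    return findings

if __name__ == "__main__":
    for label, record in (("exposed", EXPOSED_RECORD), ("private", PRIVATE_RECORD)):
        findings = exposed_fields(record)
        print(label, "->", findings or "no personal contact data visible")
```

For a real check, pass the saved output of the `whois` command for your own domain to `exposed_fields`.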
Reverse Mobile Device Lookups
When a hacker gets access to your mobile phone number, they can dig up plenty of information about you. Whitepages and similar phone lookup services reveal the identities of people behind a specific number. Other than your name, doxxers can also gain information about your home address and other personal details.
What Type of Information Doxxing Exposes
Doxxers can find different types of information:
- Home address
- Phone numbers
- Workplace information
- Bank account information
- Credit card information
- Social security number
- Private messages
- Private photos
- Criminal history
- Personal details
A doxxing attack can be trivial, like fake pizza deliveries, or more dangerous, like harassing an employer or identity theft.
Real-World Examples of Doxxing
Most doxxing situations fall into one of the following situations:
- Publishing personally identifying information about a person online
- Publishing private information that was previously unknown about a person online
- Publishing information about a person that could damage their reputation, as well as the reputation of their private or professional connections
Here’s an overview of the most famous doxxing examples in the real world.
The Anonymous Case
Doxxing became a widely known phenomenon in December 2011. It was at this time that Anonymous, a world-famous hacktivist group, published details about 7,000 law enforcement officers who were trying to investigate their hacking activities.
Since then, Anonymous has doxxed numerous members of the KKK, Q-Anon supporters, and others.
1997 Anti-Abortion Case
Before Anonymous, different groups used doxxing attacks in order to achieve their goals. In 1997, anti-abortion activists in the U.S. targeted abortion providers on the Nuremberg Files website. This is where the personal information about them was posted online. However, five years later, the website was shut down because the court ruled it was a threat to the safety of the people involved and could incite violence.
2013 Boston Marathon Case
In 2013, there was a bombing at the Boston Marathon. In order to try to help identify those responsible, people gathered on Reddit, a large online community, exposing the personal information of the suspects. In the end, none turned out to be correct.
2017 Antifascist Case
In 2017, a group of white supremacists organized marches in Virginia. Some of them lost jobs after they got doxxed. However, some innocent people were falsely identified as marchers and received many threats by email.
2019 Hong Kong Case
In 2019 and 2020, there were major protests in Hong Kong. Protesters used doxxing to expose personal information about the city’s police officers, law enforcement agencies, and other parties that support the government. The protesters and journalists themselves later got doxxed as well.
Ashley Madison Case
Ashley Madison was a dating site for those wanting to date outside of their relationship. When a hacker group couldn’t obtain information about the management, they released sensitive data about the site users. This ended up doxxing and humiliating millions of people and eventually caused potential harm to their personal and professional reputations.
Cecil the Lion Case
A Minnesota dentist once hunted and killed a lion (illegally) in Zimbabwe. Outraged, hackers released his personal information online, which led to even more data being published by people who were appalled by his actions and wanted to shame him publicly.
Is Doxxing Illegal?
Doxxing isn’t illegal as a particular offense. Since no anti-doxxing laws have been enacted, courts can only determine whether the act is legal or not depending on the case. If the doxxing attack consists of collecting and publishing information that’s publicly available, then this isn’t considered illegal.
However, hacking another person’s computer or another personal device without their permission remains illegal. This is true regardless of what is being done with the information and whether it’s released or not. For hacking someone else’s personal device, you can even get jail time and make it to federal court. Also, harassment, stalking, identity theft, and the incitement of violence are illegal.
Still, doxxing is most often done through OSINT, which is information that’s widely available online.
It was only in 2021 that governments started proposing and passing anti-doxxing laws. Kentucky and Hong Kong are among the first places in the world to declare that doxxing is illegal.
In the rest of the U.S., the Interstate Stalking Statute and the Interstate Communications Statute can apply to doxxing. Again, this depends on the specific case. For example, there’s also no law that prohibits swatting, but a perpetrator of such an act can get sued under other laws.
For those unfamiliar with the term, swatting is making prank calls to emergency services trying to get police officers to visit a specific home address.
Can Doxxing Result in Jail Time?
Yes, it’s possible to go to jail for swatting or doxxing someone. There was a notorious “Call of Duty” swatter who called the police to the house of his co-player, but the address was incorrect. In the end, the occupant of the house where the police arrived got killed by one police officer. As a result, the prank caller got sentenced to 20 years in prison.
Prevent Getting Doxxed
Doxxing is never a pleasant experience. It’s crucial to prevent getting exposed by minimizing the personal information available about you on the web. In that regard, following the steps below can help.
Use a VPN to Secure Your IP Address
Proxy server or VPN software lets you hide your IP address so not even your internet provider knows where you’re connecting from. This is a good tool to use when connecting to public networks like airport or mall Wi-Fi.
There are tons of browser-based proxies that are free of charge. However, they only secure your browser traffic. For a more comprehensive security package, you can invest in VPN software that covers your whole device, or even multiple devices, depending on the plan.
Steer Clear of Third-Party Logins
How often do you register with a new website or service using your Facebook or Google account? Every time you sign in to a site with another third-party service, you provide the website with more information about you. As you increase the number of websites you sign in to with your account, it becomes simpler for a hacker to collect your personal information online.
This can also leave you vulnerable to data breaches. If one password gets leaked, the breacher can access all linked accounts. As you can imagine, getting your personal information in this way would be a piece of cake.
Keep Your Social Media Private
Our social media is packed with private information – location, age, background, education, work history, birthdate, photos, family, and much more. Doxxing is super easy when you have access to information like this.
For the best protection, don’t share any kind of personal information you wouldn’t want to be exposed. You can also make your profiles private so that only your friends or followers can see the personal data you share. Alternately, tweak the privacy settings for advanced protection.
Stay Anonymous on Online Forums
If you’re a frequent user of online forums, it’s best to keep your username anonymous there. The least you can do is come up with a nickname. Also, you don’t want to share any information that can identify you.
Ask Data Brokers to Delete Your Information
Data brokers gather a lot of personal data for the purpose of selling to marketers, advertisers, and other companies. The data they retain can include personal search history, buying habits, financial history, medical history, and more.
When a data breach occurs, this information can get into the hands of internet users around the world. And once your information makes it to the dark web, it’s highly unlikely it will ever be removed.
That’s why it’s important to get in touch with data brokers and ask them to remove your data from their database. They will have to comply according to the law, but this can be a long-drawn-out process. You can use breach guard software offered by different security companies. It can monitor activity on the dark web and on data broker sites for you, and let you know when you should react. Some services even contact the brokers on your behalf in order to get your information removed.
Use Separate Email Addresses for Different Websites
It would be best if you had a separate email address for personal, professional, and spam purposes. Keep your private email for sending files and messages to your friends and family and trusted contacts. Don’t list that address publicly.
You can then use the professional address for professional correspondence and make this address public.
Finally, the spam email address should be reserved for services, promotions, and different accounts.
Pro Tip: Avoid naming email addresses after your first and last name or the year of birth.
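The advice above on email naming, together with the earlier advice to use different nicknames on each site, can be turned into a self-audit of your own account list. This is an added example, not part of the original article; the inventory, the owner details, and the handle-normalization rule are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed inventory of one person's own accounts (all values are made up).
ACCOUNTS = [
    {"site": "YouTube", "username": "gigi_fan88", "email": "jane.doe1988@example.com"},
    {"site": "Reddit", "username": "Gigi-Fan88", "email": "jane.doe1988@example.com"},
    {"site": "Discord", "username": "quiet_heron", "email": "signup.box@example.net"},
]
OWNER = {"first": "Jane", "last": "Doe", "birth_year": 1988}

def normalize(handle):
    """Fold case and drop separators so 'Gigi-Fan88' and 'gigi_fan88' compare
    equal (an assumption about which variants are easy to link)."""
    return re.sub(r"[^a-z0-9]", "", handle.lower())

def reused_usernames(accounts):
    """Map each normalized handle used on more than one site to those sites."""
    sites = defaultdict(list)
    for acct in accounts:
        sites[normalize(acct["username"])].append(acct["site"])
    return {handle: used for handle, used in sites.items() if len(used) > 1}

def identifying_emails(accounts, owner):
    """Return addresses whose local part contains the owner's first name,
    last name, or birth year (four-digit or two-digit form)."""
    year = str(owner["birth_year"])
    tokens = [owner["first"].lower(), owner["last"].lower(), year, year[2:]]
    flagged = {}
    for acct in accounts:
        local = acct["email"].split("@", 1)[0].lower()
        hits = [t for t in tokens if t in local]
        if hits:
            flagged[acct["email"]] = hits
    return flagged

if __name__ == "__main__":
    for handle, used in reused_usernames(ACCOUNTS).items():
        print(f"handle '{handle}' is reused on: {', '.join(used)}")
    for email, hits in identifying_emails(ACCOUNTS, OWNER).items():
        print(f"{email} reveals: {', '.join(hits)}")
```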
Maximize Your Social Media Privacy
Always make sure you’re comfortable with the information you share and with whom you share it. It’s wise to have stricter privacy settings on platforms that you use for sharing personal photos, videos, and opinions.
Use Two-Factor Authentication
Two-factor authentication will make sure only you can access your account at any time. This type of identification requests your password and personal phone number. You usually receive a code to enter on the website or app in order to access content.
This way, hackers can’t break into your account even if they know your password. They’d still be missing an important piece to the puzzle, which is access to your phone.
Remove Obsolete Accounts
If you’ve been on the internet for a while, you may be registered on more sites than you think. Remember that old MySpace networking platform? If you haven’t deleted your profile by now, then all information you posted there may still be visible to the public.
The same goes for other online forums and accounts you may have but no longer use. Delete those unused profiles to lower your digital footprint.
Learn to Recognize Phishing Emails
A doxxer can resort to phishing emails to trick users into sharing their home addresses, bank account details, and other personal information. If this happens to you, you should know that no financial or other institution will ask for your personal details via email. This includes credit cards and bank accounts as well.
How to Know if You’ve Been Doxxed
It’s only a matter of time before you’ll find out whether you’ve been doxxed. You may not see the data online yourself, but your friends and acquaintances will likely inform you about it.
You may also receive threats, messages, or harassment content on your email, social media, phone number, or in person.
I’ve Been Doxxed – What to Do?
If you believe you have been doxxed, it’s important to act fast to prevent your personal information from spreading online. Here’s what you can do in this situation.
Take Screenshots
As soon as you run across a case of doxxing that involves your personal information online, take a screenshot and report the crime.
Report It to the Social Network
Report the doxxing case to the platform on which it occurred. Twitter and Facebook have special terms that prohibit doxxing. These platforms should react to your request and eventually suspend the doxxer’s account.
Protect Your Financial Accounts
One of the first things you should do if you get doxxed is report it to your financial institution. Inform them that your bank account details may have been compromised. Your bank can cancel the card and send you a new one. It’s also wise to change your online banking information.
Report It as Cybercrime
In some areas, doxxing is actually considered a cybercrime. If you live in such an area, you can report it to the authorities.
Protect Your Accounts
Set up strong passwords for your accounts. You can use a password manager (most devices already have an in-built one) to protect your accounts with multi-factor authentication and similar privacy tools.
If you ever receive a threatening message, make sure to lock down your accounts across the web.
Get Help From a Friend or Family Member
If you experience emotional stress after being doxxed, make sure to talk to someone close to you. It’s important to get help and address the issue with a person you can trust.
Change Your Number
If your phone number was involved in the doxxing attack, consider changing it.
Keep Your Data Safe From Leaks
Install robust antivirus software and take proper internet security measures to protect your data from exposure. Some programs can help you remove your information from large broker databases. This can, in turn, reduce the amount of data doxxers can find about you online.
Frequently Asked Questions
What is Doxxing?
Doxxing refers to the action of releasing sensitive information about a person online without their consent with the goal of harming the victim in a personal or professional way.
Is Doxxing a person illegal?
Doxxing a person is illegal if it includes hacking the victim’s computer or personal device to get the information. Taking and publishing information from publicly available databases is legal.
Why is it called Doxxing?
Doxxing comes from the slang term “dropping dox” referring to a revenge tactic that first appeared in hacker culture in the 1990s. The “dox” in the name here is short for “document”.
Author: Tibor Moes
Founder & Chief Editor at SoftwareLab
Tibor is a Dutch engineer and entrepreneur. He has tested security software since 2014.
Over the years, he has tested most of the best antivirus software for Windows, Mac, Android, and iOS, as well as many VPN providers.
He uses Norton to protect his devices, CyberGhost for his privacy, and Dashlane for his passwords.