What Is Doxing?

Doxing (doxxing) is the act of releasing identifying information about another person online, such as the true name, home address, workplace, phone number, bank information, and other personal details. Sensitive information is then disseminated to the general public without the victim’s knowledge or consent.

Politicians, celebrities and high-ranking corporate executives have experienced the practice,  fueling worry and anxiety from online mobs or communities and, worse, possibly death threats.

What Is the Definition of Doxing?

The term “doxing” or “doxxing” is derived from the phrase “dropping dox,” which means “documents” or “docs.” Doxing is a kind of cyberbullying in which sensitive or secret information, statements or documents are used to harass, expose, financially hurt or otherwise exploit the intended victim.

Dropping documents was a classic revenge technique that evolved from hacker culture in the 1990s. Hackers working outside the law at the time used the breach of anonymity to subject opponents to harassment or legal ramifications. As a result, doxing frequently has a negative connotation because the attack can be used as a means of retaliation through invasion of privacy.

How Does Doxing Work?

Cybercriminals and trolls can be highly creative in their methods of doxing. The process of doxing can start with a single clue and works all the way up until gradually deconstructing the online persona and revealing a person’s identity. Since everyone has data scattered around the internet, the search becomes easier for cybercriminals to get ahold of information. Once targeted data has been found, the data will be turned into a weapon and used against the target.

Being doxed can have serious ramifications. Some examples are given below.

• Posting personal phone numbers on internet message boards, which could lead to harassing phone calls late at night or at unexpected times.
• Disclosing information about a person’s family, workplace or other private matters.
• Individuals may uncover previous social media messages that are embarrassing to have been published.
• People may even vandalize the acquired home address or barge into the house if the address is made public.

What Does Doxing Someone Mean?

The purpose of doxing is frequently to humiliate or torment the victim. Hackers may reveal the identity of an anonymous message board troll, for example, to disgrace that individual. Hackers may wish for that victim to lose employment or be shunned by coworkers or friends.

Companies or individuals might face harassment, humiliation or embarrassment if certain files or information were leaked to the public. If private or personal information has been leaked, this poses the risk of becoming a doxing target.

Which Tools Do Doxers Use for Doxing?

Doxing does not have to be an internet tool. Doxers can utilize traditional tactics to reveal targets’ personal information. Given the high volume of data to be collected, a single tool cannot be trusted to capture data all at once. To acquire information, most of these tools must be utilized separately. Before conducting a doxing campaign, a doxer synthesizes the information and conclusions gathered using several technologies.

Of course, doxing has become much easier because of social media and internet forums. Twitter, Facebook, Instagram and other social media platforms make the search easier to disclose a target’s identity to a bigger audience. A doxer may post any information about the target on a public profile or feed for others to see. Information such as employment, friends, associates, family members, photos and personal interests are a few things that can be made available on social media.

Instant messaging apps and video conferencing platforms can pick up chat logs, pictures, comments and employment data. Using a reverse image search like TinEye can be dangerous to look for images appearing on the web.

How Is Doxing Used?

Searching for information becomes quite simple for cybercriminals, activists or others to utilize the usernames to identify accounts belonging to the target. People frequently use the same or similar usernames on several accounts for various websites and web applications. Data from each of these accounts can create a more comprehensive portfolio of papers revealing vital information.

What Do Doxers Aim to Capture?

Doxers aim to escalate the conflict with targets from online to the real world by revealing information. The information being sought is personal and private by nature and can affect a victim’s personal or work life if revealed.

Some of the information doxers aim to capture are listed below.

• Home addresses
• Personal photos
• Humiliating personal details
• Personal phone numbers
• Workplace details and employment history
• Bank account or credit card information
• Criminal history
• Database information
• Chat messages and daily logs

What Are the Common Techniques in Doxing?

Many tools exist to gather information about people. Anyone with determination, time, internet access and motivation will create a profile of someone. And if the target of this doxing campaign has made information reasonably accessible online, this becomes easier. The internet houses vast quantities of data that can be readily available to anyone who has access.

Common methods and techniques used to dox people are given below.

• Gathering information from social media: Social websites typically require users to input personal information to distinguish themselves from other profiles and users on the platform. With this, anyone can take the tiniest pieces of private information to use against others. Doxing on social media can obtain data such as likes, interests and the names of family and friends, which can cause trouble for the target.
• WHOIS: A WHOIS record will contain the name and contact information of an owner of an internet domain name.
• Phishing emails: The target may access a scammer who gets vital information by clicking malicious or faulty links or documents. Malware installed within the device can grant access to various types of data kept within.
• Data brokers: Data brokers exist to gather information about people and sell data for a profit. Data brokers obtain information from publicly available records, loyalty cards (which track online and offline purchasing habits), online search histories and other data brokers. Many sell that information for advertising, but other people-search websites provide extensive details about individuals for comparatively low fees. A doxer needs to pay a small cost to gain enough information to dox someone.
• Public government records: Databases circulated in hacker networks allow for the compromise of personal accounts and the acquisition of further knowledge. If a person uses the same login data on all of the sites visited, and one of those accounts is compromised, access to the rest of the information is simple. Databases containing personal information include company licenses, county records, marriage licenses, driver and vehicle records, and voter registration logs.
• Packet sniffing: This term refers to doxers intercepting internet data and searching for anything from credit card numbers, passwords and bank account information to old email communications. Doxers do this by connecting to an internet network, breaching security and capturing the data traveling into and out of the network.

What Are the Examples of Doxing?

Cases of doxing regularly make headlines, especially when public figures are involved. Doxers have different reasons for wanting important and secret information released to the public.

In 2015, hackers gained access to Ashley Madison, a dating site for people who are in committed relationships, and stole the data of 32 million users. The people behind the attack wanted cash to return the records but did not receive anything, so the hackers released all of the material online. These revelations caused professional and personal harm to the targets and their existing partners, leading to at least one divorce. Then, in 2020, Ashley Madison’s assailants returned for more.

Thousands of Reddit users jointly scoured news and information about the Boston Marathon bombing and related investigations during the search for the perpetrators in April 2013. The users wanted to supply law enforcement with information they could use to pursue justice. Instead, innocent persons not implicated in the crimes were exposed, resulting in a misunderstanding witch hunt.

What Is the History of Doxing?

Online vigilantism has existed since the beginning of the internet. Hackers would obtain and post private documents about a rival or enemy known as “doxing,” which was regarded as a brutal act by hackers who valued one’s anonymity.

The first doxing efforts mostly focused on internet discussion boards on Usenet. One of the first reported doxing occurrences was posting a “Blacklist of Net.Nazis and Sandlot Bullies,” which included the author’s objections to individuals’ names, email addresses, phone numbers and mailing addresses.

Since then, doxxing has spread from subculture websites such as 4Chan and Reddit to becoming a mainstream practice.

What Are the Statistics about Doxing?

According to one study, 32% of doxing victims on Instagram closed or changed the privacy settings after the attack, while 25% changed the Facebook settings. More than 90% of the doxed files contained the victim’s address, 61% contained a phone number and 53% held an email address. About 40% of victims’ online usernames were made public, and the same amount of victims’ IP addresses were published. While credit card numbers (4.3%), Social Security numbers (2.6%), and other financial information (8.8%) were less common, these were also divulged.

Is Doxing Illegal?

The answer is typically no: doxing is usually not illegal if the material released is in the public domain and was obtained legally. Doxing is technically not unlawful as long as the information is available. However, doxing may violate laws intended to combat stalking, harassment and threats, depending on the jurisdiction. Repercussions could be applied to people on both ends, the doxer or the victim.

What Are the Laws Regarding Doxing?

A doxer can be arrested for doxing someone depending on the state or nation that person lives in. For instance, the People’s Republic of China’s “Regulations on the Ecological Governance of Online Information Content” went into effect on March 1, 2020, making it clear that users and producers of online information content services and platforms are not permitted to engage in online violence, doxing, serious forgery, data fraud, account manipulation or other illegal activities.

On the other hand, the Hong Kong government attempts to reinforce safeguards against a growing trend of cyberbullying and doxing, which involves disseminating personal information for harassment. The government has recommended steps to form an independent criminal investigative team and enact new rules requiring social media platforms to remove doxed content.

Are There Any Anti-Doxing Laws?

Doxing is prohibited, especially if the disclosed material was not found in the public domain and was obtained illegally by the perpetrator. If the intent was to threaten, irritate, harass or intimidate the victim, it could violate state or federal law.

Three states, Nebraska, New Jersey and West Virginia, are debating anti-doxing legislation. California is considering toughening up the punishment for doxing reproductive health care professionals. So far, many states have adopted three approaches: laws allowing victims to sue doxers, laws making doxing a crime and laws protecting specific groups of people, such as health care workers, from online abuse. Doxing has been deemed a felony in some areas. If convicted, a doxing lawsuit could lead to jail time or fines.

Finally, a few states have enacted hyper-targeted doxing legislation to protect specific groups. It is now prohibited in Colorado to dox health care personnel. Oklahoma made doxing police officers a misdemeanor punishable by six months in prison or a $1,000 fine. In California, doxing reproductive health care staff or patients is currently a misdemeanor, but legislators are proposing a bill that would enhance punishment.

How to Protect Yourself from Doxing?

Methods to protect yourself from doxing are given below.

• Perform a self-dox: Use available doxing tools to gather as much publicly available information, and then take precautions to preserve that information if confidential. The information gathered from various sources should be carefully evaluated to establish “connections” or “links.” Doxing attacks can be avoided by avoiding providing personal information in chat rooms and message boards. Security experts recommend erasing any sensitive information that leads to additional information.
• Protect IP addresses with a VPN: A VPN (virtual private network) provides exceptional protection against IP address exposure. A VPN encrypts and routes the user’s internet traffic through one of the VPN service’s servers before reaching the public internet.
• Use strong passwords and authentication processes: Passwords are the first line of defense against unwanted access to a computer, mobile device, cloud system or account. The more secure the password, the more secure the data will be against hackers and other threats. By adding more steps to the authentication process, strong security would further secure the user’s account and personal information.
• Separate usernames or accounts for different platforms: Using the same usernames across multiple accounts makes doxing easier. But using different usernames for different purposes, users’ movements across sites would be more challenging to monitor. Having a personal email separate from a work or spam email could do wonders in preventing hackers from finding information on users. Work emails can be used solely for communicating with colleagues and performing work-related tasks, while spam emails can be used to sign up for promotions, third-party services or newsletters.
• Be wary of pop-ups and app permissions: A harmless-looking pop-up will enter the screen every once in a while, or a website may ask for personal information to gain access. Think twice before allowing websites and apps to access and store personal information. Many websites and apps ask for permission to see social media information, email addresses or other data. Where feasible, avoid revealing vital information, such as a Social Security number, home address, driver’s license number, and any information about bank accounts or credit card numbers.

How to Report Doxing?

Obtaining legal recourse against doxers can be difficult: it’s not always clear what laws are being violated, and hackers frequently take pains to conceal one’s identity while exposing the targets.

There is a lot of doxing on social media, but the good news is that doxing, despite being legal, violates the terms of service of most networks. Reporting tweets or Facebook postings that contain personal information will usually result in posts or data being quickly removed and the offending user being suspended.

Report the action to the site and demand the removal of the dox posts. A detective may track down the callers if the doxxed information includes a phone number and one is receiving harassing calls.

What to Do If You Become a Doxing Victim?

If you become a doxing victim, take the following actions.

• Making a criminal complaint: Notify the platforms where personal information has been posted about the attack. Investigate the applicable platform’s terms of service or community rules to establish and follow the stated reporting process for this type of attack.
• Document the situation: As much as possible, take screenshots of the pages or places where the information has been posted. The photos can be used as evidence or references to help law enforcement or any related agencies investigate further.
• Secure personal and financial accounts: Doxers may have reached social media accounts, and worse, acquired bank details or credit card accounts. A victim must file a report immediately to the respective service providers and change account passwords. Using a password manager and multi-factor authentication can help boost privacy on the accounts.

Depending on where the victim is, one must search laws on cyberattacks and cyberbullying that cover the area. For the U.S., doxing is defined in certain jurisdictions as posting the victim’s residential address and cell phone number on the internet to incite others to blackmail the victim. Some state and federal laws prohibit the same or comparable actions, such as California’s Code of Civil Procedure section 527.6 and Penal Code sections 422 and 646.9. The applicable federal laws are 18 USC 119 and 18 USC 2261A.

What Are the Other Threats Similar to Doxing?

Doxing is not the only form of threat that people can experience. Other threats similar to doxing are listed below.

• Swatting: The practice of doxing someone and utilizing personal information to dispatch SWAT (special weapons and tactics) units in the guise of bogus threats or emergency tips. Swatting first made news in the early 2010s, when youths and adults would swat people deemed deserving of the action. These victims were mainly internet celebrities, streamers or those who competed against the swatter in a video game.
• Cyberbullying: Cyberbullying can occur via SMS, text and chat applications, as well as online in social media, forums or gaming, where people can see, engage with or exchange content. Cyberbullying is defined as sending, uploading or spreading nasty, harmful, false or derogatory content about another person. Using personal or private data to humiliate or torment the target seems to be the common goal of cyberbullying and doxing.
• Phishing: Malicious links and contents can be brought by deceit. Cyberattacks to gather personal information through fake emails and websites are similar to the cause of doxing.
• Identity theft: Data is available for doxers and can be used against targets. Taking the identity of users and using the likeness to gain access to websites or fool people into doing something illegal or unethical may be a case of identity theft.