February 01, 2023

What is Doxing?

The term doxing (sometimes spelled doxxing) was coined by hackers and is short for “dropping documents.” Doxing can happen to anyone and may have lasting impacts on your personal and professional life. Learn what happens when someone is doxed and how to keep it from happening to you.

What Does it Mean to Dox Someone?

When someone is doxed, their personal or private information is released into the world. The motivation for doing such a thing could be personal revenge or political gain, and the result is almost always disastrous for the person whose information has been leaked. Doxing can reveal information like a home address or phone number, private pictures, social security numbers, private messages or emails, and information about a person’s family or job.


Some individuals may dox with the intent of exposing someone who has committed a crime or been involved in an unsavory situation. However, this sense of vigilantism can mean that people are wrongly doxed and suffer harm in the form of harassment and intimidation. News anchors, celebrities, political figures, and activists are frequent targets of doxing, as they are in the public eye and may stand to lose the most.

Most doxing happens online, with people gleaning information from social media, online forums and message boards. However, doxing can be analog as well—consider all the phone numbers written in bathroom stalls. Nearly all of those were written with the hope that the owner of the number would receive annoying, unsolicited calls.

Is Doxing Legal?

Currently, there is no specific anti-doxing law. The legality of each incident is typically determined on an individual basis. It is generally legal to compile and publish information that is publicly available. This information can include arrest records, marriage certificates, divorce records and even traffic violations. Because this information is considered public domain, if someone gathers and publishes it, they’re not breaking any laws. Even though this is legal, it’s certainly unethical and is almost never performed with good intentions.

Doxing can be illegal, however, if the published information isn’t already public, like financial documents and birth certificates. When hackers are accessing this information, they are acting illegally. Doxers can be charged with harassment, stalking, identity theft, and incitement of violence. For example, during a recent political campaign, a popular singer endorsed a candidate on social media. Followers of the candidate’s opponent doxed the singer and posted her address online and invited others to burn down her house. In the United States, doxing a government employee is seen as a federal offense and falls under federal conspiracy laws.

Whether an act of doxing is considered legal or illegal, it is almost always carried out with the intent to intimidate, control, or blackmail others. Releasing personal or sensitive information can expose the victim to harassment, loss of employment, identity theft, and humiliation.

How Does Doxing Work?

It can be surprising to learn how easy it can be for someone to locate your personal information. Consider your online activity as a series of clues. If someone is truly determined to hurt you, they can follow those clues and assemble a complete picture—learning where you live, where you work, and other identifying information.

There are many different methods that a hacker might use to collect information about a person or an organization.

IP/ISP Doxing

Hackers obtain your IP address, which is linked to your physical address, and then trick your internet service provider into providing more information about you. This kind of tech support scam can yield a lot of personal information with a single phone call.

Social Media Doxing

Hackers can collect lots of personal information from public social media profiles and activity on public forums. In many cases, this information can provide doxers with the answers to your security questions, which typically focus on personal details like the name of your first pet or the name of the street you grew up on. If your social media presence is outsized, this information may be readily available to those with malicious intentions, especially if you use the same username across multiple sites or forums.

Phishing

Phishing emails are designed to trick the recipient into giving up sensitive information like an account number and password. They may appear to be from a credible source, like your bank, your credit card provider, or even Apple. These emails typically contain messaging that asks you to click a link or enter your account information to prevent your account from being closed. The ultimate goal in these instances may be identity theft or fraud, but the information gained from these emails can be used to dox someone as well.

WHOIS Searches

If you own an internet domain name, anyone can run a WHOIS search and find basic information about you. This will typically contain your name and contact information, which can then be used as a starting point for a hacker to locate more information.
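As an added example (not part of the original article), the Python check below reads the text of a WHOIS record for a domain you own and lists the registrant fields that are published without redaction. The field names, redaction markers, and sample records are assumptions constructed for illustration; registrars label and mask these fields differently.

```python
import re

# Registrant fields that identify a person when published in full (assumed labels).
PERSONAL_FIELDS = (
    "registrant name", "registrant street", "registrant city",
    "registrant postal code", "registrant phone", "registrant email",
)

# Assumed markers of a redacted or proxied value; wording differs by registrar.
REDACTION_MARKERS = re.compile(
    r"redacted|privacy|proxy|not disclosed|data protected", re.I
)

def parse_whois(text):
    """Turn 'Key: Value' lines into a dict with lower-cased keys."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue  # skip comments and registry footer lines
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), value.strip())
    return record

def exposed_fields(text):
    """Return the personal registrant fields published without redaction."""
    record = parse_whois(text)
    return [
        field for field in PERSONAL_FIELDS
        if field in record and not REDACTION_MARKERS.search(record[field])
    ]

# Constructed sample records (not real registrations).
UNPROTECTED = """\
Domain Name: example.com
Registrant Name: Jane Sample
Registrant Street: 1 Constructed Way
Registrant Phone: +1.5555550100
Registrant Email: jane@example.com
"""

PROTECTED = """\
Domain Name: example.com
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: contact@privacy-proxy.example
"""

if __name__ == "__main__":
    print("Exposed:", exposed_fields(UNPROTECTED))
```

If the check lists any fields for your own domain, your registrar's privacy or proxy registration option is the usual way to have them masked.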

Data Brokers

A data broker will collect information about people and sell that information for a profit. This information is gathered from public records, online search histories, loyalty cards that track your buying behavior, and other information from other brokers. Most data brokers sell this information to advertisers, but for a fee, these facts can be purchased off a people-search website. An individual who feels negatively towards another person might be tempted to pay this fee and wield this information with malice.

How to Protect Yourself from Doxing

Much of your personal information can be readily available to a hacker who wants to look for it, but there are some steps you can take to protect yourself from being doxed.

  • Use a VPN. A virtual private network, or VPN, can disguise your IP address and allow you to browse the internet anonymously.
  • Use strong passwords. A strong password typically contains a combination of upper and lowercase letters, numbers, and special characters. Try not to reuse passwords for multiple accounts and make sure you’re regularly changing your passwords.
  • Create multiple email addresses and usernames. It may seem like a hassle to have one email address for personal use, another for professional use, and a third to sign up for accounts or services. However, maintaining this separation can mean that only trusted people have access to your personal and professional addresses. If you’re active on message boards, consider using a different username on each platform to make it difficult for a hacker to track your activity.
  • Review your privacy settings. Many social media websites default to making information public. Make sure you’re comfortable with the amount of information that’s being shared and who it’s being shared with. If you use Facebook to share photos, you may want to keep that account private so that prying eyes don’t have access to your identifying details.
  • Use multi-factor authentication. With MFA, you, or anyone else trying to access your account, will need two pieces of information to log in. Typically, those pieces are a password and your phone. Once a password is entered, multi-factor authentication will prompt the individual to confirm their identity, possibly by responding to a phone alert or entering a randomly generated PIN that is sent via text message.
  • Delete unused profiles. You haven’t logged in to MySpace in over a decade, but your profile, and everything you ever put there, still exists. These old online profiles might be obsolete to you, but to a hacker, they can be an information goldmine.

Look at your internet footprint and learn what kind of information can be found out about you. Google yourself and carry out a reverse image search with your social media profile pictures to learn what’s already out there. Take a close look at the privacy settings on your social media accounts and read up on data breaches. If you have a professional website, make sure that information like your home address, cell number or personal email address is not present.

Additionally, take the time to talk to your kids about online safety. Younger people may be especially vulnerable to hacking attempts like malware and phishing and may put personal information online without thinking about it. Explain why it’s important to be safe online so that you and your family do not have to worry about being doxed.
