Is Your Privacy at Risk? The Terrifying Rise of Doxing Attacks

What is doxing?

Doxing, sometimes written as "doxxing", is the act of publicly revealing or publishing online personally identifiable information about an individual without their consent.

This information can vary, but it can include private and personal details such as full names, addresses, phone numbers, email addresses, social media accounts, where they work, and other sensitive data.

Doxers may gather the details from various public sources or, if they have the skills, will come across them through hacking or social engineering with phishing tactics. Almost always, the details are then published online, often on social media channels or forums.

Whichever way the information is gathered or shared, it is almost always done with malicious intent. Doxing is often used as a form of harassment or as an act of “revenge” for some real or perceived grievance.

Online “vigilantes” use doxing as a way to publicly shame people for their “bad behavior” or for saying/doing things that the doxer disagrees with. Often, online trolls will use doxing to cause harm to some innocent internet user for no reason other than they can.

Why is it called doxing?

The term "doxing" originates from the word "documents" and its shortened form “docs” or “dox”. In 1990s hacking culture, “dropping dox' was a slang term for a hacker revenge tactic. Feuding hackers would often “drop dox” on their rival. This involved publishing documents that revealed the identity of their rival who had previously enjoyed the anonymity provided by an alias or username. The term dropping dox was eventually shortened to “doxing”.

What exactly happens in a doxing attack?

So why does a doxer “dox”? How do they obtain the information? And what happens to people who are the victim of a doxing attack?

How it starts

Doxing can often stem from an online argument that escalates but it's also a popular tool for all sorts of activists to attack their adversaries. It's a method used by all sides of every argument, from race wars, culture wars, views on climate change, and political persuasions.

The hackivist group, Anonymous, often uses doxing in its attacks on politicians and government figures. Recently, Anonymous broke into the Iranian Parliament database and obtained and released the personal information of lawmakers who support the dictator. Doxing has also been used as an intimidation tool against pro-democracy protestors in Hong Kong.

How it happens

Doxers go out of their way to find personal details about their victim. Sometimes that information will be compiled of information that's available to the public. Most people won't be looking for it though, or even know where to look. But doxers spend time pulling it all together and presenting it. This publicly available information might include new articles, government records, business records, real estate transactions, or data the person has shared on their own social media.

To get to the non-public data, doxers may use the help of data brokers who will scour online and offline sources to create a “profile” on a person. They may use hacking, spyware, a variety of phishing techniques, or account takeover attacks to get their hands on the info they want.

The impact

Being doxed can have a huge impact on a person, on their physical, mental, and emotional well-being. It can lead to feelings of fear, anxiety, and emotional distress as they grapple with the violation of their privacy and the sense of helplessness.

For many victims, doxing leads to cyberbullying and trolling, but this can also spill over into real-world harassment and put them at risk of physical harm.

Depending on what is revealed about the victim, a doxing attack can also lead to legal issues, loss of employment, damage to their professional reputation, and ruined personal relationships.

Many victims of doxing end up removing themselves from social media completely and isolating themselves in real life to regain some sort of privacy or just to feel safe.

How common is doxing?

Although doxing is nothing new, the digital era has allowed it to become much more common and easier to pull off. Now, you don't have to be a hacker with a certain set of skills to find a person's information.

Our increased digital footprint means that people leave extensive trails of personal information all over the web. From social media to online services, and other platforms, so much personal data is readily available.

There is also the argument that social media platforms make it simpler for individuals to harass others online. Disgruntled individuals or online trolls can hide behind usernames and avatars to intimidate, bully, or seek revenge against someone without fear of immediate consequences.

Cyberattacks and data breaches have also become more frequent and sophisticated. These security breaches can expose sensitive user information that can be used by malicious actors for nefarious purposes, including doxing.

Let's take a look at some of the most recent doxing examples:

Game community manager doxed by disgruntled player

In July 2023, a Destiny 2 player, Jesse James Comer, was ordered to pay nearly $500,000 in damages after racially abusing and terrorizing a Bungie community manager and his family. Comer initiated a campaign of harassment against the Bungie worker for promoting a Black artist in the Destiny community.

Comer found the worker's personal information, including his address and phone number, and sent threatening messages and unpaid pizzas to his home. The worker and his wife feared for their safety, leading Bungie to implement expensive security measures, including round-the-clock protection.

Trans “Twitch” streamer goes into hiding after doxing attack

Trans Twitch streamer Clara "Keffals" Sorrenti was targeted by a transphobic hate group called Kiwi Farms in August 2022. After a swatting attack (an attack that sends law enforcement to a person's address), she moved into a hotel. But her harassers tracked her down, doxing her and sending pizzas to her location under her deadname.

Sorrenti's friends and family have also been doxed and swatted, and even an elderly gentleman with the same surname was also terrorized. The Twitch streamer has since had to go into hiding for her own safety.

Hacked law enforcement portal leads to doxing attacks

In March 2023, the US Justice Department charged two men, Sagar Steven Singh and Nicholas Ceraolo, in connection with a doxing operation that involved hacking into a law enforcement portal and a police official's email account.

The suspects, part of a cybercrime group called 'Vile,' allegedly extorted individuals by threatening to publicly release personal information on their website unless they paid a fee.

The personal details included names, physical addresses, email addresses, phone numbers, social security numbers, and more.

They used various methods to get the information but the charges specifically focused on the theft of a police officer's credentials to gain access to a restricted law enforcement database. The group also impersonated law enforcement officers to gather data from online service providers.

Is doxing illegal?

Doxing is considered illegal in many jurisdictions due to its potential to cause harm, invade privacy, and facilitate harassment or stalking. Hong Kong has criminalized it, and the Netherlands has also voted to make doxing illegal with the law coming into effect in 2024.

Stateside, Kentucky became the first to explicitly outlaw doxing in 2021. Other states have since followed suit, including California, Arizona, and Texas.

If you happen to live in a state or in a country where there is no specific law against “doxing”, the activities will usually fall under various other legal violations. A doxer could be charged under privacy, cyberstalking, hacking, or harassment laws.

What are social media platforms doing to stop doxing?

We mentioned before that social media platforms have made it easier for people to dox other users. So, what are they doing about it?

Prior to 2022, Facebook had an exemption in its rules that allowed users to share a person's private residential address if the information was publicly available. After a review by the Oversight Board, Meta removed this exception to reduce the risk of doxing.

TikTik also has a “no doxing” rule in its Community Guidelines, but it struggles to make it effective.

Following the Supreme Court's decision to overturn Roe v. Wade, TikTok users created protest videos, some of which doxed the Supreme Court judges who voted against the federal right to abortion.

The videos shared their home addresses and credit card information. While TikTok removed some of these videos, the information was reposted through smaller accounts.

In 2020, Twitter allowed posts doxing Indian interfaith couples to stay up for months. Even after the posts were finally removed by Twitter, none of the offending accounts were suspended, despite Twitter admitting that it was against their Twitter Rules.

Twitter started to take a more strict approach to doxing when Elon Musk took over in 2022 and the Chief Twit was himself a victim of doxing. Twitter was much quicker to suspend the offending @ElonJet account.

The account belonged to a 20-year-old Florida student who was tracking and posting the real-time whereabouts of Musk's private jet using data that was publicly available.

What can you do to reduce the risk of being doxed?

While it's challenging to completely eliminate the possibility of doxing, you can take several precautionary measures to minimize the risk:

Limit personal information online: Be cautious about the personal information you share on social media, forums, or other online platforms. Avoid sharing sensitive details such as your home address, phone number, and full birthdate publicly.

Use strong passwords: Create strong and unique passwords for all your online accounts. Use a combination of letters (both uppercase and lowercase), numbers, and special characters. Avoid using easily guessable information like birthdates or common words.

Use Hoody: Reputable privacy tools, such as Hoody, can help protect your online identity by encrypting your internet traffic, hiding your IP address, and stopping all digital fingerprinting.

Check privacy settings: Regularly review and adjust the privacy settings on your social media accounts and other online profiles. Limit who can view your information and posts to trusted contacts only.

Use pseudonyms or aliases: When participating in online communities or forums, consider using a pseudonym instead of your real name. This can help prevent the direct association of your online activities with your real identity.

Avoid oversharing: Be mindful of what you share online, even in private chats or groups. People you trust today might not be trustworthy in the future.

Use encrypted messaging apps: For sensitive conversations, use end-to-end encrypted messaging apps that offer a higher level of privacy and security.

Don't get doxed

Doxing has become an alarmingly common and accessible cyber threat with far-reaching real-world consequences, but following the steps above can help reduce the risk. By being proactive and vigilant, you can safeguard your digital identity, your privacy, and your personal well-being.

For more ways to safeguard your privacy, check out: 10 Ways To Improve Your Privacy Online