Doxing can be exceedingly harmful, but it’s not entirely illegal, unfortunately. It can have a prolonged impact on the victim’s life.
Our apps and online accounts have made us comfortable with putting too much information about ourselves out there. Many of us don’t overthink before sharing this or that personal detail online. However, the risk of doxing is there, and anybody can become a victim, which is why you need to protect your digital identity.
This article will explain doxing in full detail and how it happens. Understanding it will help you protect yourself successfully.
So, how does doxing work?
Doxing (also “doxxing”) is a malicious act performed by an actor who aims to expose somebody else’s identity or digital activities to somebody who would remain anonymous and private instead. It’s all about harassment and/or humiliation.
Today, our personal information is floating around the digital ether more than we would like (or are aware of). Thus, a doxer can get much information to drop on their victims without using criminal resources.
Have you ever uploaded a CV to a job-hunting website? Such a document would probably expose your email address, home address, and phone number to anybody who could find it online. Something similar applies if you own a domain name or have previously registered one. These are just two examples, but think about your Facebook, Instagram, Twitter, and other accounts and how much they reveal about you.
What are some standard doxing methods?
So how can this happen? Unfortunately, anyone with some degree of digital literacy has plenty of resources to find out about you online. Here are some of the things they can do.
Close observation of social media
Once a social media profile of any platform is set to public sharing, all its information is up for grabs for any internet user. And something whose curiosity is determined enough can even find out things you thought you were keeping to your closest friends and family members.
And remember your security questions. They are often based on sibling or pet names, your High School’s name, etc. All that information could be on your social media, available to the public, providing clues about your security questions on other websites.
WHOIS searches
Every domain name on the internet has an owner registered in the WHOIS databases. That database often includes sensitive information about the individual or organization owning a domain, such as phone numbers and addresses (email or physical). Searching for this info is straightforward and takes next to no expertise.
Username tracking
Doxers also like to keep an eye on individual usernames across different apps, websites, and platforms. Then, they put all that information together to create a profile for somebody.
Public Records
Plenty of stuff in an individual’s life is a matter of public record. Do you have a license? Have you been married? Well, think about the Department of Motor Vehicles, the county’s records, business license issues, marriage bureaus, and other keepers of institutional memory. In addition, many governmental websites with searchable public records provide information from driving to criminal records. And it’s all public! Everybody can search for it!
Phishing
Hackers have been phishing to steal personal data since the internet became mainstream. So, if a doxer couldn’t collect a particular piece of data he especially wanted, he could try a phishing attack to squeeze it out of a victim. For example, they could pretend to be officers from a governmental agency or a financial institution. Or they could try to have the victim click on a link sent in a phishing email that will take him to a malicious website.
IP address tracking
If a hacker has your IP number, he knows where you are, more or less. That information, in turn, can tell them who your ISP is or what public WiFi hotspot you like best. Then they could orchestrate a cyberattack targeting that place.
On the other side of things, if they get your physical address, then they have a great starting point to cross-reference it and dig out even more information.
Reverse phone lookups
Is your mobile number available online? Then it’s an easy target for vishing or text scams. Also, that number can lead to the owner’s identity in a reverse mobile phone lookup.
And, just as it happens with the physical address, once you get a crucial bit of information, you can use it to dig deeper and get more and more.
Packet sniffing
A packet sniffer is a digital tool for monitoring network traffic.
Hackers can fine-tune a sniffer to filter the packets originating on a specific piece o hardware. If they can intercept and read those packets, they can figure out passwords, user names, credit card numbers, and everything else you type online.
Buying data
Data broker sites are here. They are a whole industry. Their clients are targeted advertisers for the most part, but they are in business selling data to anyone willing to pay for it. And your doxer could be one of those unusual clients.
What is a doxer’s goal?
The doxer’s goal can vary greatly, but it’s safe to assume that the following items are of interest to them:
- Tweets
- Posts on social media websites
- Personal pictures
- Social media accounts
- Financial information
- Credit or debit card details
- Online searches
- Family members
- Physical addresses
- Social security number
Is Doxing a crime?
There is no general answer to the legality of doxing as each situation is different. But the main thing to consider is this: as long as the information was collected legally, doxing it is legal too.
Doxing can cross the line of legality when it publishes something private that was never meant to be in the public’s eye, such as an unlisted phone number, credit card details, or bank account details.
It can also become criminal if it enables cyberstalking to the victim or other types of personal threats.
The severity is also a factor in how a doxing case is regarded. For instance, how is that different from publicity if a hacker publishes somebody’s business phone? Law enforcement tends to take doxing seriously when the published material is more private and potentially harmful.
How to protect yourself: The best measures against doing
Now that you know what doxing is and how it’s done, you could probably think that anybody can become a target as long as somebody is willing to do the work. And you’d be right. If you have ever posted a comment on social media posts or articles, chatted on an online platform, left comments on social media sites, or posted on them, you’re ripe as a doxing victim. And to keep yourself protected, you need to make internet security and privacy best practices your friend.
And what can you do to avoid getting doxed? Let’s see.
Spoof your IP using a VPN
If a hacker can get your IP address, he has a lot of information to start. But you can make sure that they can never see it.
A good VPN keeps your IP address hidden from the rest of the internet. Instead, it gives you a new IP address corresponding to its server network. Furthermore, the VPN encrypts all your traffic, thus rendering interception useless.
Use premium cybersecurity
Ransomeware has grown exponentially lately, and it’s been in the news often. This has motivated a lot of otherwise indifferent users to take digital security more seriously.
So get a premium antivirus suite. Please pay for the license and make sure it’s online at all times. That will keep you safe against malware and other malicious things.
Have strong passwords only
Password choice is essential. It would be best if you had a different password for every account, and each of them must be solid. By solid, we mean that it must not be a common word you can find in a dictionary and use a combination of lowercase letters, numbers, symbols, and capital letters.
Get a premium password manager if you find you can’t keep track of that many passwords.
Keep some privacy on social media accounts
Using your first and last name as your username for any account is terrible, even if you add numbers and things. That just makes things easier for hackers.
Yes, some websites require you to use your real name, primarily if they are related to professional activities. But then, make sure to set your social media privacy to the highest possible level. Your personal information is for your closest contacts only.
Consider this rule: if you don’t want something doxed on you, keep it away from your social media accounts.
Use different usernames
Using the same username on Twitter, Facebook, Instagram, Reddit, Snapchat, Tiktok, and every other platform is very convenient for hackers. It allows them to profile you very effectively in a matter of minutes.
To increase your odds of staying safe online, use different usernames for each platform. Like with passwords, use a password manager if you find it’s too much of a nuisance, but remember that it’s vital for your security.
Avoid quizzes from unknown sources
Personality quizzes and other types can be a bit of fun. If you are doing them on a site where you don’t need to log in, go ahead and enjoy them! But if a site wants you to log in through Google, Facebook, or anything else to take the quiz, avoid it.
Those quizzes are not always as innocent as they look. Then can make you spill the beans on information that is usually on account security questions, like your first pet’s name.
Examples of Doxing
Doxing examples are a dime a dozen. Nevertheless, plenty of high-profile personalities have suffered them worldwide. Here are some prominent cases.
Ashley Madison
Ashley Madison became infamous for promoting illicit love affairs through the web. Then a massive data breach hit the website. The authors threatened to publish the personal details of many users seeking one-night stands. To make everything even worse, Ashey Madison’s policy never deleted any user information. When the company failed to meet the hacker’s demands, all that information went public.
Boston Marathon
After the Boston Marathon bombing in 2013, many innocent people became doxing victims as some Reddit users tried to find the suspects.
Protests in Hong Kong
Following the attacks on riot officers and cops in Hong Kong, some Beijing minions went after doxers. Dissidents started to release personal information of family members during the anti-government manifestations. Everything resulted in a controversial anti-doxing law that does more harm to individual privacy than doxing itself. This law forced Google, Twitter, and Facebook out of the former British protectorate.
So you’re doxed. What to do now?
Being at the center of a doxing is unpleasant and shocking. But your priority is to keep your nerve. Then follow the next steps:
- Get safe. If the released information puts your safety at risk, then find a secure place to be. Contact your local authorities.
- Concentrate on documentation. Whatever they posted about you, document it. Take screenshots and save them for future reference. Any legal action on your part will need that evidence. Copy and save every URL, user name, account information, and anything that could be relevant.
- Change passwords. If the doxing attack included breaking any of your accounts, you’d know until it’s too late, so be proactive and change all your passwords at once.
- Review your financial status. If your doxing case included financial information, cancel any compromised card, and alert your banks.
- Make a report. Report your doxing case to the platform in which it happened. Most of them have anti-doxing policies. You can request Google to remove your personal information on this Google help center page.
FAQs
Yes, using a VPN helps to protect you against doxing attacks by hiding your IP address, which can give away a lot of information about you.
Doxxers can trace your online activities using an IP logger. In conjunction with searches on membership of specific sites, an IP logger can reveal your identity. Your internet provider actually owns your IP address.