What Is Doxing? Is It Legal and How Do You Prevent It?

Woman looking at her data being spread online
Click here for a summary of this article
Quick Guide: What is Doxing?

Anyone can become a target of doxing, or having your private information shared online without your permission. Doxers are always looking for information they can exploit, including:

  • Identifying information, such as phone number, home address, and contact details
  • Revealing information, such as search histories and social media content
  • Compromising information, such as financial details and government and criminal records

There are several steps you can take to protect yourself from a doxing attack. One of the easiest and safest ways is using a virtual private network (VPN). A VPN hides your IP address from hackers, encrypts your online activity, and protects your Wi-Fi network.

Want to learn more about how doxing works and how you can protect yourself from attacks? Keep reading below.

It can be dangerous to have private information about you circulating online. This is why we don’t share our home address, bank details, or family photos with just anyone — and precisely why cybercriminals are going after this data. This practice of hunting down and sharing someone’s personal information online is called “doxing.”

Doxing (short for “dropping documents,” “docs,” or “dox”) is not a new development — but it’s becoming more severe. Recent years have seen celebrities, politicians, and social media influencers doxed, but the truth is that anyone can become the target of this malicious act.

But what is doxing, exactly? In this article, we’ll break down how doxing works, how to protect yourself, and why the lines are blurred when it comes to the law. If you’re wondering what to do when your personal information gets splashed all over the internet, this guide is for you.

What is Doxing and Who is Affected by It?

What is Doxing iconDoxing (sometimes spelled “doxxing”) is the act of exposing someone’s identity or private information without their consent and with the intent to harm. It’s a deliberate way to humiliate or harass someone by publishing information they wish to remain private, such as a home address, contact information, or bank accounts.

With the rise of social media, more and more personal information is floating across the internet. This means doxers can often access them entirely by legal means. Anyone can participate in doxing, from hackers to regular internet users, and even groups of people who decide to work together.

More often than not, we don’t realize how easy doxing is. If you’ve ever uploaded your CV or resume to a public site while job-hunting, your email address, home address, and mobile number could be publicly available to anyone interested.

Likewise, if you’ve ever owned or registered for a domain name and website, you might have provided a swath of personal information that can be accessed with a free, simple, and quick search.

How common is doxing?

Recent findings show that 21% of Americans — that is, over 43 million people — have experienced doxing. In more than half of these cases, the person who published sensitive information was a complete stranger to the victim. However, being targeted by someone you know very well in real life happens in 25% of the cases.

The practice of doxing is not new. Back in 1990, hackers already realized the leverage of spreading sensitive information online. However, with the boom of social media, doxing has become mainstream.

The consequences of doxing can be very damaging. In 86% of cases, doxing has seriously harmed the victim’s personal life. Consequences include public shaming, loss of relationships, and professional damage. Doxing is also closely related to other forms of cybercrime, including identity theft, revenge porn, and cyberstalking.

Which people get targeted by doxers?

While celebrities, politicians, and other public figures might seem the most likely victims of doxing, the target group has expanded in recent years. As a result of growing social and political polarization, doxing has also been used to harm people on opposing sides of so-called culture wars.

For journalists, reporting critically on certain ideological issues — for example, abortion, migration, sexual rights, police violence, etc. — can put them at risk of being doxed. On top of that, there’s a clear pattern of racism and misogyny in the attacks.

More often than not, marginalized people are targeted by doxers and driven further out of online spaces as a result of relentless harassment, cyberbullying, and even death threats.

What are Some Examples of Doxing?

Doxing can be relatively trivial — like, for example, if your number is shared for prank calls. However, this is the exception; more often than not, having your private information freely accessible on the internet is risky.

This is what doxing can look like:

  • A perpetrator releases identifying information about you online, such as your phone number, email, social security information, or home address.
  • A perpetrator releases private information about you, such as personal communications, revealing information about your interests, activities, or private social media content.
  • A perpetrator releases information about you that is specifically damaging to your reputation, such as criminal records, medical documentation, nude photos, or evidence of alcohol or drug use.

There have also been plenty of high-profile doxing cases around the world. Whether they were personalized attacks or massive data dumps from online breaches of websites, doxing attacks have managed to make the news. Here are a few examples.

Hong Kong protests

Following riots in 2019, Hong Kong experienced “an unprecedented wave of doxing,” with police officers, protesters, journalists, and politicians on all sides being targeted. The attacks led to a controversial anti-doxing law that has been criticized for infringing upon citizens’ privacy. The law even saw Facebook, Twitter, and Google threaten to leave Hong Kong.

Ashley Madison breach

In 2015, a website tailored for dating outside committed relationships and marriages suffered a massive data breach. Hackers belonging to “The Impact Team” threatened to dox usernames, emails, and other revealing personal information, including home addresses and credit card details.

Per Ashley Madison’s privacy policy, user information is never deleted. As a result, millions of people were exposed when the company refused to meet the hackers’ demands.

Boston Marathon

In the hectic aftermath of the Boston Marathon bombing in 2013, people gathered on Reddit to identify the perpetrator. As a result, many innocent individuals were doxed. Though the hunt for the perpetrators had good intentions, one of the innocent doxing victims was later reported to have died by suicide.

Kiwi Farms

More recently, a platform known as Kiwi Farms has come into the spotlight for its coordinated doxing campaigns. On Kiwi Farms, which has been dropped by its hosting provider Cloudfare in September 2022, perpetrators deliberately target individuals from marginalized identities and dox their information for harassment purposes. The damage is irreparable — Kiwi Farm campaigns have been linked to three suicides already.

What Information Do Doxers Want?

There are a number of things doxers might be interested in while sifting through a target’s personal information. Each of these can be used to harm a victim’s reputation, harass or humiliate them, or deliberately put them at physical risk.

Infographic showing the different types of information doxers are after

We emphasize the following information as sensitive:

  • Contact information, including phone numbers, and email addresses
  • Social security numbers
  • Business or home address
  • Information related to friends and family members
  • Online search histories
  • Financial details including credit card and banking details
  • Social media accounts
  • Personal photos
  • Tweets, posts, and statuses
  • Other personal details

It’s often easier than we think for doxers to collect information. In most cases, we already leave this information online in some capacity or another without realizing the potential risks. Still, perpetrators will go to lengths to find even more compromising information.

It can help to be aware of the different methods doxers use to extract these private details from us.

Methods of Doxing: How Does It Work?

There are all kinds of ways hackers and malicious online users can get their hands on your personal information. The internet is full of big data. Often, we have less control over this data than we think. Hunting down internet data is often straightforward for tech-savvy hackers and determined doxers.

Here are some of the most common and effective ways doxers can get a hold of the information they want:

Infographic listing all the common methods used in Doxing

Cyberstalking social media accounts

If you’ve got a public social media account, your identity is exposed to anyone who’s interested. You might think the only people looking at your profile are friends and family, but a nosey third party can very easily access any personal or private data.

Doxers are not only interested in your photos. They are interested in what your photos reveal about you. By collecting breadcrumbs, they can build a complete profile on you. Whether it’s the names of your siblings or pets or what schools you used to attend, it can all be used against you.

After all, this is the kind of information that is most often used for account security questions and passwords. The more someone stalks your social media accounts, the easier it will become for them to connect the dots and invade your privacy even further.

Running a WHOIS Search on domain names

WHOIS is a public database that gathers information on all registered domains on the web. When business owners register a domain for their website, they have the decision to opt out of providing sensitive information like phone numbers, home or business addresses, and email addresses.

However, if you make this information available, anyone can pull up them up and use them to their own advantage.

Tracking usernames

It’s very tempting to use one username across all accounts. After all, this makes it easier for us to remember our login details. Doxers, however, can track individual usernames across apps and websites and generate a personal profile based on what they find.

This is especially effective on social media sites like Reddit and Twitter, where targeted users think they’re anonymous but are pretty easily identified and tracked. All this data can be used against the target.

Go through government records

Many institutions require personal information. Marriage bureaus, business license issuers, county records providers, the Department of Motor Vehicles (DMV), and many other government websites make this information public and available for searches.

While employers might use these government records to check driving and criminal records, they are publicly accessible and often used by doxing perpetrators.

Phishing scams

Phishing has long been a way for hackers and cybercriminals to steal sensitive data from victims. If doxers are looking for particular personal information, they could try to phish it out in a variety of ways.

They could pose as one of the target’s financial institutions and request identifying information via email. Or they could try to dupe victims into clicking on a malicious link. In some cases, even businesses are compromised for doxing purposes.

Tracking your IP address

Once a hacker has pinpointed your IP address, they’ve found your physical location. This can open you to a wide range of Wi-Fi and internet service provider (ISP) hacks and cyberattacks.

Your ISP can be targeted with social engineering techniques to dig up personal information about you or extract financial accounts.

Reverse phone lookup services

If your mobile number is available online, it’s pretty easy to use a reverse mobile phone lookup service to gather more information. These services can reveal who a number belongs to and where they live. You often have to pay for details, but it’s an easy way for cybercriminals to collect a lot of data.

Having your phone number can also easily create a hacking domino effect by revealing personal communications and private photos on top of contact information.

Packet sniffing

Packet sniffers are pieces of hardware or software that analyze and monitor network traffic. Malicious actors can use them to filter information coming from one particular source.

Once they’ve breached a network’s security protocols, they can pick up personal information like passwords, bank account information, and credit card numbers.

Using data brokers

In the age of algorithms, an entire industry is devoted to targeted advertisements based on user data, search habits, and trends. While most data buyers work within the advertising world, anyone can access these collections of data. For a relatively small price, data brokers sell comprehensive records of individual data. Doxers can also use the dark web to buy data. Since this is a largely unregulated sphere, it’s nearly impossible for law enforcers to keep an eye on what data is legally and illegally obtained.

This brings us to a complicated issue: is doxing considered a crime?

Lady JusticeIn short? It depends on the situation. Doxing can be extremely harmful and damaging to the victim, but if personal information was obtained legally, doxing is not considered a crime. Having said that, doxing is often closely related to online violations that are illegal, including sextortion, cyberstalking, identity theft, and revenge porn.

For doxing itself to enter illegal territory, doxers must post private information that was never meant to be made available. This could be a credit card number, bank account information, or an unlisted phone number.

Doxing is also handled differently based on its severity. For example, you may involve law enforcement if doxing has resulted in personal threats to a victim, including swatting.

Regardless of how governments and law enforcement see it, many websites have doxing rules in their terms of service. So if a hacker used a particular social media platform to dox someone, their account could be suspended or deleted, even when legal repercussions are minimal.

How to Protect Yourself From Doxing

The reality of doxing is that anyone can become a target. The chances of falling victim are higher if you’re an active social media user, posting comments on online forums or conducting the majority of your business affairs online.

But should you stay off the internet forever? No. While the aftereffects of doxing can be devastating, there are tools at your disposal that can protect you against it:

Infographic showing tips on how to protect yourself from Doxing

1. Mask your IP address with a VPN

Once a hacker has figured out your local IP address, they can piece together a physical address via your internet service provider or target your Wi-Fi connection for hacks. Your corresponding account can also reveal other details. While you can use proxy sites to hide your IP, they are not always effective.

A virtual private network (VPN) hides your real IP address and assigns you a new, anonymous one. Because a VPN encrypt all your data, it is way more difficult for doxers to target you.

As the first line of defense against doxing attacks, we can recommend NordVPN. We’ve tested dozens of VPNs, and it consistently outranks others in terms of speed, security, and privacy. Want to learn more? Our detailed NordVPN review will tell you everything about the tests we conducted with this provider. You can also check NordVPN out for yourself by clicking the button below.

Our pick
Our pick
Only $2.99 a month for a two-year subscription with a 30-day money-back guarantee!
  • Excellent protection and a large network of servers
  • Nice and pleasing application
  • No logs
Visit NordVPN

2. Antivirus: Use premium cybersecurity

With the wave of recent ransomware and other malware attacks, users are urged to take their cybersecurity very seriously. Make sure to get good antivirus software that protects you from doxing attacks in the form of malware and malicious downloads.

Antivirus scanners detect and quarantine threats before they latch onto your system. While it doesn’t protect against all forms of doxing, antivirus will ensure you’re optimally protected against hacking.

We specifically recommend Bitdefender, which protects you from spyware, adware, ransomware, and phishing. It even comes with webcam and microphone protection and a VPN, making it an excellent basis for protecting yourself against doxing and other online dangers. For more information, check out our Bitdefender antivirus review.

Get Bitdefender Antivirus

3. Strong passwords

In order to practice good cybersecurity, make sure to choose passwords with combinations of capital and lowercase letters, numbers, and symbols. Remember to update them regularly and use different passwords across platforms, online forums, and websites. This limits the chances that a doxer is able to use a singular password to hack into all your online accounts.

If you have trouble creating and remembering complex passwords, it may be time to look into a password manager.

4. Private social media accounts and anonymous usernames

When creating new usernames for accounts, make sure they are separate from your real identity. If a hacker or doxer gets a hold of your name, they can pull up usernames easily.

If you do use accounts that are connected to your real identity, make sure to optimize your privacy settings, such as on LinkedIn, Instagram, and Facebook. Never share anything you don’t feel safe someone else sharing publicly.

5. Don’t take online quizzes from untrusted sources

Personality quizzes can be fun if you’re on a prominent site like Buzzfeed, Mental Floss, or Zimbio that doesn’t require you to log in. But be cautious when a random site asks you to log in via Facebook, Google, or other means in order to do a fun quiz.

Malicious online quizzes can be designed to draw out answers for various account security questions — like your first pet’s name, the middle school you attended, and your oldest friend’s first name. The personal data you’re exposing could be a treasure trove for doxers and online cybercriminals.

6. Use multi-factor authentication

With doxing getting more targeted and more severe, passwords are not enough to keep our online data protected. By using two-factor authentication, you make it a lot harder for someone to get a hold of your private information.

Multi-factor authentication uses a combination of authentication techniques that keep your accounts protected against hacking. For example, you may be asked to use a special code sent to your phone to log in. This means that, even if a hacker gains access to your password, they won’t be able to get into your accounts.

What to Do If You’ve Been Doxed

Being doxed can be a shocking experience and it’s essential to keep a cool head when you’ve been victimized. If you’ve had your private data exposed by someone with malicious intent, there are some steps you should take.

Infographic showing some steps to take when you've been doxed

1. Get to safety

First things first, if you’re concerned about your safety for any reason, get away from any known addresses and locations. Try to find someone that can help you get settled and contact your local police department.

2. Focus on documentation

Even if the information that was posted was something embarrassing or information you really don’t want out there, you should screenshot it and save it for later. You’ll need it if you want to take any legal action.

On top of that, make sure to get the full URLs, usernames, account information, and anything else that can help authorities with identifying the doxer when you document.

3. Change passwords

In doxing attacks, it’s possible that an account has been breached. If you have any of the same passwords across various accounts, more sensitive information could be accessed. Make sure your changed passwords are strong (different uppercase, lowercase, numbers, and symbols) and different across accounts.

4. Lock up your finances

If your financial information has been strewn across the internet, make sure to cancel credit and debit cards and alert your bank or other financial institution as soon as possible.

5. Report attacks

Contact the platform that you’ve been doxed on. Most social media companies include anti-doxing rules in their terms of service. Google has a page where you can request to remove your personal information. You can also get in touch with notable data brokers, or parent companies of data brokers such as Intelius.

If you’ve been doxed, you can also contact your local police department or file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

Staying Safe Online

Security and privacy iconIn today’s world, we tend to put a lot of personal details online without thinking twice. All these details can make us targets of malicious internet users. While it may not be considered a federal crime, doxing can have life-changing and long-lasting effects on victims.

Luckily, there are different ways you can protect yourself online, including:

  • Optimizing your privacy settings on social media
  • Setting strong passwords
  • Using two-factor authentication
  • Investing in anti-virus software
  • Getting a virtual private network.

If you’re concerned hackers may have already accessed your personal information online, check out our article on dark web monitoring to see where your data might have been leaked and what to do.

What is Doxing?: Frequently Asked Questions

Do you have any concerns about doxing and how to prevent it? Check out our FAQ section below. Just click on a question to see the answer!

Doxing is the malicious act of revealing someone’s personal or private information online without their consent. Since so much of our personal data is already online, doxers can easily get access to anything from passwords to banking details. Luckily, there are steps you can take to prevent the chances of being doxed.

Doxers can use a variety of methods to get their hands on your data, including:

  • Stalking your social media accounts and track your usernames
  • Going through government records
  • Running a WHOIS search on your domain name
  • Phishing attacks
  • Tracking your IP
  • Using data brokers

Yes and no. If the private information was obtained in a legal way, for example via government records or social media, doxing is not illegal.

However, if someone reveals truly private details, such as credit card numbers, it’s a criminal offense. Sometimes, doxing is a part of a different crime, such as revenge porn. In that case, it’s also useful to involve law enforcement.

If a hacker or doxer gets their hands on your IP address, it’s easier for them to trace your real address. With a VPN, you can hide your IP address and encrypt your online activity. It doesn’t 100% prevent doxing, but it’s an excellent precaution to take.

International Censorship & Security Journalist
Lauren Mak is an internal censorship and security-focused journalist with a keen eye for how technology affects society. With a background in International Relations and North American Studies, Lauren brings a unique perspective to the VPNOverview team. Lauren has a passion for helping others understand the importance of privacy, freedom, and internet safety and brings that passion to VPNOverview.
Tech journalist
Taylor is a tech writer and online journalist with a special interest in cybersecurity and online privacy. He’s covered everything from sports and crime, to explosive startups, AI, cybercrime, FinTech, and cryptocurrency. For VPNOverview.com he follows news and developments in online privacy, cybersecurity, and internet freedom.