What Is Doxing? Is It Legal and How Do You Prevent It?

What is Doxing? A Quick Guide

Doxing is when a hacker or bad-acting internet user finds personal information on an individual or group and publishes it online without their consent. Anyone can be a target, though celebrities, politicians, business moguls and social media influencers have been doxed in the past few years.

Through many legal avenues, doxers can obtain private data like:

  • Phone numbers, email addresses and other contact information
  • Home or business addresses
  • Identity of family members
  • Online search histories
  • Social media accounts
  • Personal photos
  • Tweets, posts and statuses
  • Other personal details

The first step in protecting yourself from a doxing attack is using a VPN. A Virtual Private Network (VPN) stops would-be doxers and hackers from figuring out your IP address, which could lead to revealing your home address, Internet Service Provider (ISP) account and other private details. Surprisingly, it’s legal!

Interested in how doxing works and what you can do to protect yourself from attacks? Read the full article below to find out.

Doxing (short for “dropping documents,” “docs,” or “dox”) is when a hacker or some other internet user hunts down information on an individual or group and publishes it online without their consent. Though recent years have seen celebrities, politicians, and social media influencers doxed, anyone (and their personal information) can become the target of someone else’s malicious intent.

Depending on what the perpetrator’s goals are, there’s a wide range of personal data — a home address, contact information, or bank account information — they could be looking to dig up and splash all over the internet.

But what is doxing, exactly? In this article, we’ll break down exactly what doxing is and how it works, how to protect yourself, and why there’s such a blurred line on whether the practice is illegal or not.

How Does Doxing Work?

Doxing (sometimes spelled “doxxing”) is an act with malicious intent where hackers or other online threat actors are either interested in exposing the identity of someone who is trying to stay anonymous or want to humiliate or harass someone who wishes to remain private.

With all of our personal information floating across the internet, doxers can access a lot of this private information by entirely legal means.

If you’ve ever uploaded your CV or resume to a public site while job-hunting, for example, your email address, home address, and mobile number could be publicly available to anyone interested.

Likewise, if you’ve ever owned or registered for a domain name and website, you might have provided a swath of personal information that can be easily accessed with a free, simple, and quick search.

Doxing Methods Used

There are all kinds of ways hackers and malicious online users can get ahold of your personal information and identity online. For determined and tech-savvy hackers and doxers, hunting down internet data can be pretty straightforward.

Here are some of the most common and effective ways doxers can get ahold of the information they want:

Cyberstalking social media accounts

Once set to public sharing, social media accounts are wide open for anyone who’s interested in looking through them. A nosey third party could access any personal or private data that an individual thinks they’re sharing with their family and friends online.

Various account security questions are often created from relationships with people, sibling and pet names, and schools you’ve attended. If any of that is made publicly available online, a user stalking social media could quickly find it.

Running a WHOIS Search on domain names

When business owners register a domain for their website, they can choose whether to provide or opt out of providing sensitive information like phone numbers, home or business addresses, and email addresses. A quick search pulls up this info without any savvy tech skills.
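To see what your own domain's registration exposes, you can run a WHOIS lookup on it and check which contact fields are still unmasked. The following is an added example, not part of the original article: it parses a saved WHOIS response and lists registrant, admin and tech contact fields that are not privacy-redacted. The sample records, the field names and the list of redaction markers are constructed assumptions; adjust them to what your registrar returns.

```python
import re

# Text that registrars and privacy services commonly put in place of real data
# (assumed list; extend it for your registrar).
REDACTION_MARKERS = ("redacted", "privacy", "whoisguard", "withheld", "not disclosed", "proxy")

# Contact fields that identify a person when they are left unmasked.
SENSITIVE_FIELD = re.compile(
    r"^(registrant|admin|tech)\s+(name|street|city|postal code|phone|fax|email)$", re.I)

def parse_whois(text):
    """Turn the 'Key: value' lines of a WHOIS response into (key, value) pairs."""
    pairs = []
    for line in text.splitlines():
        if line.lstrip().startswith(("%", "#", ">>>")) or ":" not in line:
            continue  # skip comment lines, footers and free text
        key, value = line.split(":", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs

def exposed_fields(text):
    """Return the sensitive contact fields whose value is present and not masked."""
    exposed = []
    for key, value in parse_whois(text):
        if not SENSITIVE_FIELD.match(key) or not value:
            continue  # not a contact field, or nothing published
        if any(marker in value.lower() for marker in REDACTION_MARKERS):
            continue  # masked by the registrar or a privacy service
        exposed.append((key, value))
    return exposed

# Constructed sample: a registration made without WHOIS privacy.
SAMPLE_OPEN = """\
Domain Name: example-shop.test
Registrar: Example Registrar, Inc.
Registrant Name: Jane Example
Registrant Street: 12 Sample Lane
Registrant City: Springfield
Registrant Phone: +1.5555550100
Registrant Email: jane@example-shop.test
Admin Email: REDACTED FOR PRIVACY
"""

# Constructed sample: the same kind of record with privacy protection enabled.
SAMPLE_PRIVATE = """\
Domain Name: example-blog.test
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Phone:
Registrant Email: REDACTED FOR PRIVACY
"""

if __name__ == "__main__":
    for field, value in exposed_fields(SAMPLE_OPEN):
        print(f"exposed: {field} = {value}")
```

If the check lists any fields for your domain, your registrar's WHOIS privacy option is the setting to turn on.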

Tracking usernames

Doxers can track individual usernames across apps and websites and generate a profile based on their behavior. This is especially effective on social media sites like Reddit and Twitter, where targeted users think they’re anonymous but are pretty easily spotted. All that data is gathered together and used against the target.

Government records to steal personal details

Marriage bureaus, business license issuers, county records providers, the Department of Motor Vehicles (DMV), and many other government websites have public records available for searches. While employers can use these to check driving and criminal records, among other things, anyone can access this personal information that’s made available to the public.

Phishing scams to steal personal information

Phishing has long been a way for hackers and cybercriminals to steal sensitive data from victims. If doxers are looking for particular information, they could try to phish it out. They could pose as one of the mark’s financial institutions and request specific identifying information through email. Or they could try to dupe victims into clicking a malicious link that would let attackers access their device and sift through their sites and apps.

Tracking your IP address

Once a hacker has pinpointed your IP address, they’ve also found your physical location. This could open your Wi-Fi and Internet Service Provider (ISP) to hacks and cyberattacks.

Once they’ve got your physical address, they could also cross-reference it through other outlets to dig up all kinds of information. That’s not even considering that credit card companies often use addresses and zip codes to confirm card usage.

Reverse phone lookup services

If your mobile number is available online, it’ll be pretty easy to target it through text or vishing scams. Also, once cybercriminals have the number, they can use reverse mobile phone lookup services to find out more about the person behind it.

That number could also create a domino effect in revealing more valuable information in a doxing attack.

Packet sniffing

Packet sniffers are pieces of hardware or software that analyze and monitor network traffic.

Malicious actors can use them to filter information coming from one particular source. Once they’ve breached the network’s security protocols, they can pick up information like passwords, bank account logins, and credit card numbers.

Using data broker sites

An entire industry is devoted to serving targeted advertising agencies by pooling together user data, search habits, and trends.

While most buyers are within the advertising world, anyone can access these vast collections of data. If a doxer is looking for an individual user, they can easily track a device down through GPS coordinates and IP addresses.

What Information Do Doxers Want?

There are a number of things doxers might be interested in while sifting through a target’s personal information using the methods mentioned above. It might be easier than you think to pull up and dox:

  • Phone numbers, email addresses, and other contact information
  • Social security numbers
  • Home or business addresses
  • Family members
  • Online search histories
  • Credit card provider, numbers, and details
  • Bank account information
  • Social media accounts
  • Personal photos
  • Tweets, posts, and statuses
  • Other personal details

Is Doxing Illegal?

In short? It depends on the situation. Doxing isn’t illegal if the personal information was gathered by legal means. For doxing to enter illegal territory, doxers must post private information that was never meant to be made available. This could be a credit card number, bank account details, or an unlisted phone number.

If doxing results in cyberstalking or personal threats to a victim, it would also be considered a crime and could involve law enforcement.

Doxing is handled differently based on its severity as well. If a hacker were to release someone’s name or their business’s public phone number, that might not be taken as seriously in the eyes of the law as sharing someone’s home address or financial accounts.

Regardless of how governments and law enforcement see it, many websites have doxing rules in their terms of service. So if a hacker used a particular social media platform to dox someone, their account could be suspended or deleted, though legal repercussions might be minimal.

How to Protect Yourself from Doxing

With all of the means available to savvy hackers and would-be doxers, it seems that anyone could become a victim if targeted. If you’ve ever posted on social media platforms, left social media comments, been involved in a chat in an online forum, or been active in comments sections of media articles, you could become a target.

While the aftereffects of doxing can be devastating, there are some tools at online users’ disposal that could help protect them from doxing:

1. Mask your IP address with a VPN

Once a hacker has figured out your local IP address, they’ve also managed to figure out a physical address and corresponding account with the Internet Service Provider (ISP). This would not only reveal your home address and other details, but it could make your Wi-Fi connection a target for hacks. You can also use proxy sites to hide your IP, though they are not always effective.

A Virtual Private Network (VPN) hides your true IP address and assigns you a new anonymous one from one of its thousands of servers located around the world. VPNs also encrypt all your data running from end to end on a network, so hackers won’t be able to intercept the data over unsecured Wi-Fi networks.

As the first line of defense against doxing attacks, we can recommend NordVPN. It’s consistently ranked at the top of our reviews and lists for security and privacy.

2. Take advantage of premium cybersecurity

With the wave of recent ransomware and other malware attacks, users are taking their cybersecurity very seriously. Make sure to get good anti-virus software that protects you from doxing attacks that come in the form of malware and malicious downloads.

Good software can find and quarantine the newest threats before they latch onto your system. That way, you have active and constantly updated protection against threats, should you mistakenly download malicious files or click a bad link.

3. Strong passwords

Make sure to choose passwords with combinations of capital and lowercase letters, numbers, and symbols. Remember to make them different across websites and other accounts. One of the worst mistakes users can make is having one password stolen in a breach and having hackers successfully use that password across other accounts.

It’s also a good idea to set up separate email accounts across different platforms.

If you have trouble creating and remembering complex passwords, it may be time to look into a password manager. Check out 1Password, our number one recommendation this year.

4. Private social media accounts and usernames

When creating a new username for an account, make sure it’s not your first and last name followed by a number. If a hacker or doxer gets a hold of your name, a quick LinkedIn or Instagram cross-check will pull up that username.

For many accounts that are connected to your professional life — like LinkedIn, Facebook, and Twitter — you’ll want to use your real name. In those cases, make sure to check your privacy settings and set them to the highest level.

You only want your address, phone number, job history, or other private information available to people you have accepted as connections. This should also go for all your accounts. Never share anything you wouldn’t feel safe having someone else share publicly.

5. Different usernames for different platforms

If you use the same username for Reddit, Snapchat, Twitter, and Instagram and are active on all platforms, a doxer could round up your history in a matter of minutes.

If you’re active in online forums and in comment sections, make sure to use different usernames for different sites and subscriptions. For people actively making political posts or voicing opinions in movie forums, something you said in one group could be used against you in another.

Remembering all those usernames and passwords can be a chore, so here’s another opportunity when a password manager might be helpful.
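The username advice in steps 4 and 5 can be checked against your own accounts. The following is an added example, not part of the original article: given your name and a list of your own handles, it flags handles built from your first and last name and groups of platforms that share one handle once digits and separators are ignored. The function names, the `real_name_ok` parameter and the sample accounts are constructed for illustration.

```python
import re
from collections import defaultdict

def normalize(handle):
    """Lower-case a handle and drop digits and separators,
    so 'Jane_Example.92' and 'janeexample' compare equal."""
    return re.sub(r"[^a-z]", "", handle.lower())

def audit_handles(full_name, accounts, real_name_ok=()):
    """accounts maps platform -> handle. Returns (name_based, reused).

    name_based: platforms whose handle contains both first and last name,
                excluding platforms listed in real_name_ok (professional
                accounts where a real name is intended).
    reused:     groups of platforms that share one normalized handle.
    """
    parts = [normalize(p) for p in full_name.split()]
    first, last = parts[0], parts[-1]
    name_based = []
    by_handle = defaultdict(list)
    for platform, handle in accounts.items():
        norm = normalize(handle)
        if first in norm and last in norm and platform not in real_name_ok:
            name_based.append(platform)
        by_handle[norm].append(platform)
    reused = sorted(sorted(group) for group in by_handle.values() if len(group) > 1)
    return sorted(name_based), reused

# Constructed sample: one person's own accounts.
SAMPLE_ACCOUNTS = {
    "LinkedIn": "jane-example",
    "Instagram": "jane.example92",
    "Reddit": "quiet_heron",
    "Twitter": "QuietHeron77",
    "Forum": "tin_kettle",
}

if __name__ == "__main__":
    name_based, reused = audit_handles("Jane Example", SAMPLE_ACCOUNTS,
                                       real_name_ok={"LinkedIn"})
    print("name-based handles:", name_based)
    print("handles shared across platforms:", reused)
```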

6. Don’t take online quizzes from untrusted sources

Personality or other kinds of quizzes can be fun if you’re on a prominent site like Buzzfeed, Mental Floss, or Zimbio that doesn’t require you to log in. But be cautious when a random site asks you to log in via Facebook, Google, or some other means.

These online quizzes often ask questions that draw out answers for various account security questions – like your first pet’s name, the middle school you attended, and your oldest friend’s first name.

While you think you’re just taking a fun quiz, the personal data you’re exposing could be a treasure trove for doxers and online cybercriminals.

Examples of Doxing

There have been plenty of high-profile doxing cases around the world. Whether they were personalized attacks or massive data dumps from online breaches of websites, doxing attacks have managed to make the news. Here are a few examples:

Hong Kong protests

Beijing-backed policies in Hong Kong began going after doxers following attacks on police and riot officers. Dissidents began publishing information like home addresses and identities of family members during anti-government protests. The attacks led to a controversial anti-doxing law that many critics have said infringes on citizens’ privacy. The law even saw Facebook, Twitter, and Google threaten to leave Hong Kong.

Ashley Madison breach

In 2015, a website tailored for dating outside marriages and committed relationships suffered a massive breach. Hackers threatened to dox usernames, emails, and other revealing personal information, including home addresses and private details gained from credit card transactions. Due to Ashley Madison’s privacy policy of never deleting user information, millions of people were exposed when the company refused to meet the hackers’ demands.

Boston Marathon

In the hectic aftermath of the Boston Marathon bombing in 2013, many innocent individuals were doxed by users on Reddit trying to locate the suspects. Though the hunt for the perpetrators had good intentions, one wrongly identified person was later reported to have committed suicide after being doxed and said to be a suspect. Reddit later apologized for the incident.

What To Do if You’ve Been Doxed

Being doxed can be a shocking experience and it’s essential to keep a cool head when you’ve first been victimized. If you’ve had your private data exposed by someone with malicious intent, there are some steps you should take:

  • Get to safety: First things first, if you’re concerned for your safety for any reason, get away from any known addresses and locations. Try to find someone that can help you get settled and contact your local police department.
  • Focus on documentation: Even if the information that was posted was something embarrassing or information you really don’t want out there, you should screenshot it and save it for later. You’ll need it if you want to take any legal action. Make sure to get the full URLs, usernames, account information, and anything else that can help authorities with identifying the doxer when you document.
  • Change passwords: In doxing attacks, it’s possible that an account has been breached. If you have any of the same passwords across different accounts, more sensitive information could be accessed. Make sure the passwords are strong (a mix of uppercase and lowercase letters, numbers, and symbols) and different for each account.
  • Lock up your finances: If your personal financial information has been strewn across the internet, make sure to cancel credit and debit cards and alert your bank or other financial institution.
  • Report attacks: Contact the platform that you’ve been doxed on as most social media companies include anti-doxing rules in their terms of service. Google has a page where you can request to remove your personal information. If you’ve been doxed, you can also contact your local police department or file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

Key Takeaways

While it may not be considered entirely illegal, doxing can have life-changing and long-lasting effects on victims. In today’s world, we tend to put a lot of personal details online without thinking twice. All it takes is for one interaction with someone on the internet to go sour and all those details could become targets of malicious internet users. This could result in all sorts of trouble, such as swatting. In short, you need to protect your identity online.

Make sure to adjust your privacy settings on social media accounts to their highest levels, and take precautions — like getting a VPN and setting strong passwords — to protect yourself from doxing attacks.

Tech journalist
Taylor is a tech writer and online journalist with a special interest in cybersecurity and online privacy. He’s covered everything from sports and crime, to explosive startups, AI, cybercrime, FinTech, and cryptocurrency. For VPNOverview.com he follows news and developments in online privacy, cybersecurity, and internet freedom.