What is doxing?

Doxing defined

Doxing, short for "dropping dox," is an online attack in which hackers dig up personal information and documents — hence, the “dox” part of “dropping dox” — to expose the real identities of people hoping to remain anonymous.

The goal is often to shame or harass a victim. Hackers might expose the identity of an anonymous message board troll, for instance, to embarrass that person. They might hope that person loses a job or is shunned by co-workers or friends.

The lesson here? Be careful with what you say online. You might think the online world gives you the freedom to say — or type — whatever you want. You might think that creating fake identities gives you the chance to express whatever opinions you want, no matter how controversial, without anyone ever tracing them back to you.

But doxing attacks are real. And it’s hard to completely hide your identity online. The best defense against doxing is to be careful what you post online, and to never share private information on forums, message boards, or social media sites.

Origins of doxing

Even though doxing is a mostly online attack today, this wasn't always the case. In a 2017 story, Wired.com pointed to doxing attacks launched against a U.K. office working to improve race relations. The internet wasn’t part of this attack. 

Instead, far-right activists posted an official's phone number in public toilets across London. This meant that the official's evenings were often interrupted by angry midnight phone calls.

This case shows that doxing doesn't have to be an online tool. Doxers can use old-fashioned methods to expose the personal information of their targets.

Of course, doxing is easier now thanks to social media and online forums. It's easier to expose a target's identity to a larger swath of the population on Twitter, Facebook, Instagram, and the rest.

And it didn’t take long for doxers to take to the online world to make exposing personal information an easier task.

The Wired.com story points to a 2006 YouTube channel called Vigilantes as an example of early social media-based doxing attacks. The Vigilantes channel doxed vloggers — video bloggers — who were considered racist or hateful.

The Cyberbullying Research Center said that today, doxing — which can also be spelled "doxxing" — typically involves someone collecting the private personal information of victims, everything from home addresses and Social Security numbers to credit card numbers or bank account information, and then disseminating this information to the public without the target's permission.

What information are doxers looking for?

What information do hackers look for when doxing someone? Anything that can help them expose the identity of someone who is trying to remain anonymous.

In a doxing attack, then, hackers might publish someone's:

• Real name
• Telephone number
  
• Social Security number
  
• Home address
  
• Employer
  
• Credit card numbers
  
• Bank account numbers
  
• Personal photographs
  
• Social media profiles
  

How doxing works and methods used

You might be surprised at how easy it is for someone to dig up information on you. It could be easier if you spend a lot of time posting on message boards and forums.

Maybe you mention that you are traveling to Europe for the first time. A hacker now knows you don't live in that continent. You might make another post saying that you've never visited Asia. Now this same hacker can determine that you don't live in that continent.

Maybe you complain about the high property taxes in your county online. A troll can now pinpoint in which county you live.

Think of your online activity as a trail of breadcrumbs. Determined trolls and others can follow that trail until they know where you live, your age, gender and race. Armed with this information, they can slowly determine your identity.

Packet sniffing

This isn't the only way people can crack your online anonymity, though. Experienced hackers can also rely on technology to glean clues about your identity. They might turn to a strategy known as packet sniffing. 

In this method, a doxer intercepts your internet data, looking for everything from your passwords, credit card numbers, and bank account information to old email messages.

Doxers accomplish this by connecting to an online network, cracking its security measures, and then snagging the data flowing into and out of the network.

IP logging

Another scary trick? Doxers can use IP loggers, too. IP loggers attach a code, one that victims can't see, to an email message. Once victims open these emails, the code tracks their IP addresses and sends them back to the IP logger. This easily gives a doxer quick information about you.

Reverse cell phone lookup

What can hackers learn about you if they have your cell phone number? Plenty, thanks to services such as Whitepages. These reverse phone lookup services let you type in a cell phone number — or any telephone number — to find out the identity of the person who owns the number.

But it’s not just your name that people can discover from such a service. A search on the Whitepages site might also turn up your current and previous addresses. Hackers can also use a reverse phone look-up to search for your criminal and traffic records, financial records, and properties that you own or have owned.

Sites such as Whitepages charge fees to provide anything beyond the city and state associated with a cell phone number. Those willing to pay up, though, can glean plenty of personal information about you from your cell phone number. Be careful, then, with this number: Don’t leave it on social media sites or on forums or message boards.

Social media stalking

Many doxers scour social media accounts to find private information about their targets. Not only do people willingly share personal information on sites such as Twitter, Facebook, and Instagram — such as vacations, new jobs and moves — they also provide plenty of key facts about themselves when signing up for these sites, information that determined doxers may uncover. That’s why it’s so important to keep your personal information safe on social media.

Consider Facebook. When you sign up for the site, you have the option to provide everything from your date of birth to your high school and college. Be smart when signing up for social media sites: Don't fill in these fields. Leave them blank.

And when posting on social media accounts, don't be too specific about what you're doing or where you've been. Consider making your social media accounts private so that only specific people can view your posts.

Studying government records

You might be surprised at how much information people can find out about you through government records. Your birth certificate contains your birthday, the city and hospital that you were born in, your parents' names, and even the name of the physician attending the birth.

If you get a driver's license, your local department of motor vehicles contains personal information such as your name, Social Security number, weight, height, and traffic violations.

Your marriage certificate is usually filed in your local county clerk's office. The public can gain access to such information as the name of your spouse, the county where your marriage certificate was filed and the date of your marriage.

If you purchased a home, your county assessor's and county recorder's office will hold records of the real estate transaction. These files include the location of the home, the date of the sale, a description of the property and the estimated value of the home.

Court records and arrest records are also public information that anyone can gain access to.

Phishing

Scammers rely on phishing emails to steal personal information about you. Often, they’ll send you an email that looks like it comes from your credit card provider, bank or some other service provider. The email might ask you to click on a link to prevent your account from being closed down. Or it might say that the bank or credit card provider has noticed unusual activity on your account. The email might then ask you to click on a link to view this suspicious activity.

When you click, you’ll be taken to a new webpage. This page will ask for your personal information, everything from your full name to your Social Security number and account number. If you fill this out and click “Submit?”  You’ll be sending your personal information to a scammer, who can then use it to dox you.

WHOIS

Do you own an internet domain name? If so, anyone can run a WHOIS search on your domain to find basic information about you. A WHOIS record will contain your name and contact information.

Following your username

Do you use the same username at several websites? A doxxer can track your username across the Internet, finding your posts at online forums, message boards and Reddit subreddits.

This person can then use this information to learn your likes and dislikes, not to mention your favorite websites, and expose them to others. And if you’d posted something embarrassing at a forum or message board? That could come back to haunt you.

Data brokers

Those who are willing to pay might enlist the services of data brokers to find out information about you. Data brokers scour public records, your online search histories, your social media use and the purchases you make through loyalty records to dig up information about you.

Is doxing illegal?

You know that doxing can upend the lives of targets. But is the practice illegal? That depends.

Doxing isn’t illegal if the information exposed is part of the public record. This includes arrest records, marriage certificates, major traffic violations, and divorce records. If someone publishes these records, even without your consent, they are not doing anything illegal.

Doxing can be illegal if someone publishes information that isn’t in the public record, such as your bank account information, credit card numbers, or birth certificate. Doxers are acting illegally when they access this information and publish it.

Doxing is always unethical, though, even if the perpetrators are trafficking only in information available through the public record.

Examples of doxing

What does doxing look like? It takes on many different forms.

Consider what happened to Scott Bixby, a reporter at the online news site The Daily Beast in early 2020.

Bixby published a story that exposed the disparaging remarks about fellow candidates made by a staffer working for Sen. Bernie Sanders' presidential campaign. In response, several Sanders' supporters waged an online attack against Bixby. As part of this, Sanders' supporters published public records showing the price and address of an apartment that they said was rented by Bixby.

Rap star Cardi B, also in 2020, said that supporters of former president Donald Trump doxed her after she criticized the politician and expressed her support for candidate Joe Biden. The rapper said that one Trump supporter posted her address online and encouraged people to set her residence on fire.

Sometimes doxers release incorrect information. In the summer of 2017, neo-Nazi white nationalists held a march on the campus of the University of Virginia. Someone incorrectly identified one of the participants as a professor at an engineering lab in Arkansas.

That night, the professor's image and address were spread across social media. Others demanded that he resign from his university. It was soon discovered that the professor was not involved with the rally or neo-Nazis. Instead, he was the victim of what is referred to as faulty doxing. 

Swatting is another form of doxing, and one that can lead to fatal results. In a swatting attack, someone wrongly accuses someone else of a crime, calls the police and sends law enforcement to their victim's home.

This happened in late 2017, when a video gamer was asked by another gamer to swat a third player. That player gave the first gamer his previous home address, daring him to swat him. Unfortunately, that home was now occupied by a new family. 

The first gamer called police and said that he, pretending to be the swatting victim, had killed his father and was holding the rest of his family hostage. One of the police officers responding to the scene shot and killed the new owner of the house. The gamer who launched the swat attack has since been sentenced to 20 years in prison.

How can I avoid getting doxed?

While there is no way to guarantee that you won’t ever get doxed, there are some strategies you can follow to lessen the odds. The key is to be mindful of what you post on social media sites and message boards. Here are some tips to follow:

Don’t overshare: Don’t overshare on social media or online forums and message boards. Sharing personal information could easily give doxers too much to work with.

Change your privacy settings: Make your posts on social media sites private so that only select people can view them.

Don’t provide personal information: When signing up for social media platforms, don’t provide personal details, such as your date of birth, hometown, high school, or employer information.

Use a VPN: Signing up with a virtual private network, or VPN, can help shield your private information from doxers. When you connect to the internet by first logging into a VPN, your real IP address will be hidden. This means that hackers won’t be able to mine this address for your location or other identifying information.

Use different usernames on different social media platforms: If you visit a variety of social media sites, refrain from using the same usernames on each. Don’t use the same username on Facebook that you use on Twitter, Instagram and Pinterest. Why? It’s easier for people to track your history of posts on social media if they only must follow one username across the Internet.

Be alert for phishing emails: Doxers might use phishing scams to trick you into disclosing your home address, Social Security number or even passwords. Be wary whenever you receive a message that supposedly comes from a bank or credit card company and requests your personal information. Financial institutions will never ask for this information by email.

Strong passwords are key: Keep snoops away from your most personal of information by using strong passwords on sites such as your online bank account, credit card portals and work dashboard. Strong passwords can also keep spies from accessing your social media sites, preventing them from changing your personal information on these sites, nabbing your account information or posting their own messages under your name. The best passwords contain a mix of lowercase and uppercase letters, numbers and symbols.

Certain information should never be shared: Make a vow to never post certain pieces of information online, such as your Social Security number, home address, driver’s license number, and any information regarding bank accounts or credit card numbers. Remember, hackers could intercept email messages, so you shouldn’t include private details in yours.

Use more than one email address: You can boost your privacy by creating separate email accounts for different types of correspondence. For instance, you might create one account that you only use to sign up for streaming services, music sites, forums, message boards, and other services.

You can then use a second email address that you use in your professional life. Use this email address to network with industry peers, communicate with your co-workers and send reports to your supervisors.

Finally, use a third email address for personal communication with your friends and family members. Don’t give this email address out to anyone not in your circle of relatives or friends.

How do I recover If I've been doxed?

What do you do if you've been doxed? There are some steps you can take to limit the damage.

Report it: Report the attack to the platforms on which your personal information has been posted.

Involve law enforcement: If a doxer makes personal threats against you, contact your local police department.

Document what's happened: Take screen shots or download pages on which your information has been posted. This can help law enforcement or other agencies that might investigate the doxing.

Protect your financial accounts: If doxers have published your bank account or credit card numbers, report this immediately to your financial institutions. Your credit card provider will likely cancel your card and send you a new one. You will also need to change the passwords for your online bank and credit card accounts.

Increase your privacy settings: Configure the privacy settings on your social media profiles to the most private options to help keep snoops and doxers away.

Frequently asked questions about doxing

What is doxing? Doxing happens when someone uses documents, public records, social media comments and online activity to expose the real identities of people who want to remain anonymous.

Why is it called doxing? The word “doxing” is short for “dropping documents.” That’s because people often rely on public documents, and publish these documents online, to expose people’s identities.

What happens if you get doxed? Getting doxed can have serious consequences. Your employer might discover past social media messages that you’re ashamed to have written. Your home address might appear online. Someone might list your telephone number on message boards across the Internet. This could lead to late-night harassing phone calls. People might even vandalize your home if your address has been exposed.

Is doxing illegal? Doxing might be unethical. But it’s not always illegal. It’s not illegal to publish information that is in the public record, including someone’s arrest records, marriage certificates and record of driving violations.

How can I avoid getting doxed? You can take several steps to reduce your odds of being doxed. Avoid phishing emails that try to trick you into giving up personal information. Don’t share personal information on social media sites. Use a VPN to mask your online activity. And set the strongest privacy settings on your social media sites.

How do I report doxing? You should first report doxing attacks to social media sites such as Twitter, Facebook and Reddit. These sites consider doxing to be a violation to their terms of service. If a doxing attack includes illegal activity, such as publishing your credit card or bank account information online, or if someone encourages others to vandalize your home or send you threatening messages, contact your local police department.