What Is Doxxing—and How Does It Set You Up to Be Hacked?
Here's how to avoid becoming the next target of a doxxing attack and how to keep your personal information safe if it happens to you.
Doxxing—a digital attack that involves publishing personal information about someone on the Web—used to target high-profile figures like celebrities and politicians. But now, with sensitive data more widely shared and available online, the risk to ordinary Americans has soared. One in five Americans reports having been the target of doxxing (also spelled doxing), according to a new study by SafeHome.org.
“Doxxing has impacted over 40 million Americans at some point in their life, and [the consequences] can range from harmless insults to repercussions at work, with your family, in your community, and elsewhere, depending on the degree of information revealed,” says Ryan McGonagill, director of industry research at SafeHome.org.
So, what is doxxing, exactly, and how can you avoid becoming a target? We asked cybersecurity experts to explain how doxxing works, why it increases your risk of getting hacked further, and how to protect yourself. Whether you want to learn the signs your computer has been hacked, disappear completely from the Internet, create good passwords, or find out what someone can do with just your phone number, these online security tips can help you stay safe.
What is doxxing?
When someone is doxxed, their personal information is released online by bad actors hoping to embarrass or threaten them. Experts call this type of attack a “dox,” which refers to documents. That’s because the published information is usually found in private documents such as emails, tax records, phone numbers, home addresses, or Social Security numbers. No matter what form of information is shared, doxxing can cause serious harm.
“Doxxing is usually done to get revenge,” says Jason Glassberg, cofounder of Casaba Security. “Someone is angry at you, and they decide to get even by exposing your personal information on the World Wide Web in order to embarrass you or scare you.”
Revealing someone’s home address, email, or phone number can lead to harassment and abuse, while sharing someone’s Social Security number can expose them to hacking and identity theft, according to Chris Pierson, PhD, CEO of the cybersecurity company BlackCloak.
How does doxxing work?
A doxxing attack is typically sparked by a conflict between individuals online. In fact, according to the SafeHome.org study, more than half of all attacks were linked to disputes with strangers on social media. “Let’s say you post something on social media or an online forum using an anonymous account,” McGonagill says. “If someone takes offense or just disagrees with you, they might sleuth around and find personally identifiable information and publish it online, making you the target of subsequent harassment.”
A doxxer’s methods can range from searching on Google or data broker sites to requesting public records, hacking your email account, or buying your information from criminals on the Dark Web. An attacker could also send you a phishing or spam email with a link containing spyware. Clicking on the link allows doxxers to access and scour your computer for sensitive data that they can release online. Make sure you know how to block emails, especially spam that could put your information at risk.
What is an example of doxxing?
Recent real-life doxxing attacks have had disturbing—and even deadly—consequences. In 2017, social media users mistakenly identified a participant at a neo-Nazi rally as Kyle Quinn, a professor at the University of Arkansas. Though Quinn had nothing to do with the rally, his image and address quickly spread across the Internet. Soon, he was receiving thousands of hate messages and threats to sabotage his career. He and his wife ended up hiding out at a friend’s house until the online attacks died down.
In another recent example, friends playing an online video game decided to settle a conflict by placing a prank call to 911 and sending the police to one of the friends’ houses. But the prank caller shared an incorrect home address with the police, leading to the real occupant of the home getting shot and killed by law enforcement.
Is doxxing illegal?
Although finding someone’s personal information by searching through public records is not illegal, “if you use that information to threaten, bully, harass, or intimidate them, then it may be considered a crime,” according to Glassberg. Buying stolen data on the Dark Web and hacking into a person’s email and other personal accounts are also illegal, he says.
Pierson notes that several states have created laws that criminalize doxxing attacks that intentionally harass or torment people or make them fear for their safety, giving people some legal protection if they get doxxed. To avoid falling victim to other cybercrimes, you should also know the red flags that someone stole your identity and signs of Apple AirTag stalking.
What to do if you’ve been doxxed
First and foremost, victims of doxxing should never face their attackers alone. “It’s very important that doxxing victims do not try to confront the bad actor directly, as this can lead to other aggravations and heighten the tension,” Pierson says. He recommends keeping a record of the information released online and any communication with the offender. From there, victims should contact law enforcement to file a formal complaint against the person and ask the sites that are hosting the information to take it down.
Pierson also advises enabling two-factor authentication and changing the passwords on your Wi-Fi modem, router, and any online accounts, such as email, social media, and the cloud. “It is now easier than ever for someone to access private or semiprivate information about you,” he says. “People need to be vigilant about their personal information and do all they can to protect it.” As you reset your passwords, don’t use any from this passwords list that hackers will guess first.
How to avoid getting doxxed
While it’s possible to do damage control after the fact, it’s preferable, of course, not to get doxxed in the first place. Here are some tips that will decrease the likelihood that bad actors will get their hands on your personal information.
Protect your social media accounts
The best way to avoid becoming a doxxing victim is to limit the amount of personal information you share online. “Just adding a city to your Twitter profile makes it easy for someone to locate your home address without even subscribing to a data broker service,” Glassberg explains. He suggests setting your social media accounts to private, using strong and unique passwords, and enabling two-factor authentication when you can. Security apps can further protect your device in the event one of your accounts becomes compromised.
Scrub your personal information from the Web
While it’s tough to disappear completely from the Internet, you can delete yourself from Google searches to protect your privacy. In other words, Google is tracking you, but you can make it harder for the search giant to collect your data.
If you want to take extra precautions, you can use a third-party service to remove your public information from data broker sites and also sign up for a fake phone number through Google Voice that sends calls to your real number, Pierson says.
- SafeHome.org: “Doxxing in 2022: An Unexpectedly Widespread Cybersecurity Threat”
- Ryan McGonagill, director of industry research at SafeHome.org
- Jason Glassberg, cofounder of Casaba Security
- Chris Pierson, PhD, CEO of BlackCloak
- NPR: “Kyle Quinn Hid at a Friend’s House After Being Misidentified on Twitter as a Racist”
- NBC News: “Serial ‘swatter’ Tyler Barriss sentenced to 20 years for death of Kansas man shot by police”