Doxing: What It Is and How to Prevent It
Navigating the internet without leaving breadcrumbs of your presence is becoming increasingly difficult as our real-life identities are tied to our online ones. As a result, online privacy is vital, as you do not want personal information in the hands of hackers, extortionists, and other malicious individuals.
What is Doxing?
You might have heard of a famous crypto influencer or a gamer being doxed and wondered what it is. There was also a time in 2014 when Newsweek claimed to have doxed Satoshi Nakamoto, only for their findings to yield inconclusive results and add mystery to who the founder of Bitcoin is.
So what is Doxing?
Doxing, or doxxing, is the act of intentionally revealing sensitive personal information on the internet. Most of the time, doxing is done with malicious intent, although it can be a means of outing criminals or internet trolls who otherwise want to remain hidden on the internet using pseudonyms.
The word ‘dox’ is an abbreviation for ‘dropping documents’ or ‘dropping dox.’ It has its origins in the old-school 1990s hacker culture, whereby individuals used it as a revenge tactic to break someone’s anonymity and expose them to harassment or even law enforcement.
A hacker would simply say on a forum or messaging platform that so-and-so pissed him off because of a such-and-such reason before saying he was ‘dropping his dox.’
What Sensitive Information are Doxers Usually Looking For?
A doxing attack primarily targets sensitive personal information to make it public without an individual’s consent. The information includes:
- A person’s full name
- Home address
- IP address
- Social security number
- Phone number
- Credit card numbers
- Bank account numbers and statements
- Social media profiles
- Medical records
- Personal and sensitive photographs
- Criminal history
- Private conversations on email, messaging apps and social media
- Blockchain addresses
Examples of Doxing
Instances of doxing have made headlines on mainstream media because known victims have been celebrities, athletes, politicians, prominent internet trolls, and hateful organizations. Doxing has also affected regular innocent people and caused irreversible damage to their reputations and personal lives. Below is a short list of doxing instances.
- In 2013, former US first lady Michelle Obama, current US president Joe Biden, former Secretary of State Hillary Clinton, former FBI Director Robert Mueller, rapper Jay Z, actor Mel Gibson, and other prominent US individuals were doxed by hackers who posted their social security numbers, credit information, and other sensitive data.
- In 2015, former President Trump revealed Senator Lindsey Graham’s phone number.
- Former Red Sox pitcher Curt Schilling doxed online trolls harassing him and his daughter, resulting in job losses and suspensions for the individuals.
- Also, in 2015, the hacktivist organization Anonymous leaked the identities of 350 alleged Ku Klux Klan members.
- Rapper Cardi B was doxed in 2020 by a Trump supporter who posted her home address.
- Doxing is also prominent in the online gaming community in the dangerous activity known as Swatting.
How Doxing Happens and Methods Used
According to research, approximately 21% of Americans, or over 43 million, have experienced some form of doxing. It is estimated that 25% of doxers know their victims personally. The practice has become more common with the expansion and popularity of social media platforms that have the possibility of creating an almost infinite network of online friends.
We are often unaware of, or ignore, the massive amounts of personal data we leave online, increasing the chances of getting doxed. A malicious individual, with a few minutes and some effort, can carry out doxing in the following ways.
1. Tracking usernames
Our online personalities are hidden behind usernames that give us the added benefit of potentially remaining anonymous on various online platforms. Just like personal names, we sometimes use the same usernames, or a slight variation of them, across several online accounts, making it easier for a bad actor to connect the dots of your online activity. As a result, the malicious individual or hacker gets a general profile of your online presence, character, and activities.
2. Social media tracking and stalking
As earlier pointed out, we live in a connected world as a result of the popularity of social media. We often casually share personal information on Twitter, Facebook, Instagram, and LinkedIn.
We willingly share personal experiences such as vacations, new jobs, new home purchases, new vehicle purchases, weddings, university graduations, and links to our other social media accounts. A doxer can easily and quickly dig into social media accounts to reveal private information on their intended victim.
We also provide social media platforms with our data when signing up, trusting that it is safe with them. However, data breaches are common, as was the case with Facebook in 2021 when 530 million user profiles were posted on a hacking forum.
3. IP Address tracking
Unbeknownst to many, an IP address is linked to your location and is highly sought after by doxers. IP addresses can be exposed in various ways, including phishing, visiting unsafe websites, downloading random files, engaging with online advertisements, or even accessing a public WiFi connection.
IP addresses can also leak on the blockchain, as was demonstrated by OMNIA’s co-founder and CTO, Alex Lupascu, when he exposed a critical vulnerability on MetaMask, helping secure the privacy of its over 21 million users.
4. Packet Sniffing
Internet network or web traffic interception is becoming increasingly common. Malicious actors use readily available software to intercept a victim’s internet traffic and gather sensitive information through packet sniffing. A doxer can extract passwords, credit card details, email messages, and private chats. Packet sniffing is more likely to occur in unsecured WiFi networks such as those available in restaurants, bars, universities, or airports.
5. Reverse phone number lookup
Our telephone numbers can reveal a lot of personal information in the wrong hands. Unfortunately, there exist services that allow anyone to do a reverse phone lookup to find the true identity of the person who owns the number. Such services include Whitepages.com, MyLife.com, and even TrueCaller.
Personal phone numbers are sometimes available online because an uploaded document contains them or because the owner willingly made them public on platforms such as LinkedIn. Such a scenario makes it easy for anyone to do a Google search on a phone number to find out who it belongs to, along with additional personal details.
6. Metadata on photos and files
The recently released Netflix documentary on the late John McAfee, Running With the Devil, has revealed that files, such as screenshots and pictures taken using smartphones, can sometimes contain metadata such as GPS location. Similar metadata can be obtained from printed documents or using tools such as Google’s reverse image lookup.
7. Accessing government records
Our official identities are tied to government records and documents such as birth certificates, ID numbers, driver’s licenses, vehicle registrations, marriage certificates, and even real estate transactions. In rare situations, we find ourselves in court or detained by authorities, with such instances dutifully logged in government databases.
Some information, such as marriage records and arrests, is available to the public, and a curious individual can easily access it. In the case of a marriage certificate, it can identify your spouse, resulting in an additional trail of data for a doxer.
Other sensitive personal data such as social security numbers, medical records, and biometric data are tied to ID or driver’s license numbers. A doxer can obtain the latter information through a lost wallet or even peeking through your handbag in the case where the malicious actor is a friend or relative.
Hackers can also obtain the same information by exploring weaknesses in government databases. For example, in July 2022, one billion Chinese residents had their data stolen from the Shanghai police database. Their data was then partially leaked and ransomed for 10 Bitcoins in what could be the largest data breach in history.
8. Phishing
Phishing is a form of social engineering in which a malicious hacker sends fake messages to trick the victim into parting with sensitive information. To the untrained eye, such attacks look legitimate as they often mimic genuine emails, advertisements, and phone calls. It has also evolved to include fake job offers on LinkedIn, as was the case with the Axie Infinity hack worth $600 million.
9. WHO.IS lookup
Website owners and internet sleuths are aware of the WHO.IS tool that works like a reverse phone number lookup, but for domain names. Each domain name stores information about owners in a publicly available registry and the WHO.IS service simplifies the process of getting such data, including the domain owner’s name, address, phone number, and email address.
10. Online data brokers
Data brokers buy and sell consumer data daily. They compile personal information using offline and online tools. They then package and sell it to third parties, including marketing and advertising firms.
As highlighted above, in the case of data breaches, online personal information is sometimes at the mercy of the highest bidder. Anyone with malicious intent can simply buy information from data brokers.
Is Doxing Considered Illegal?
At the time of writing, there are no clear anti-doxing laws. Cases of doxing are more or less handled on a case-by-case basis and depending on the jurisdiction or country where it occurred.
In addition, most of the information used in doxing is publicly available through social media, which means at some time in the past, the victim willingly provided it online.
A doxing case might carry more weight in the courts if the leaked information resulted in a major crime such as targeted harassment, stalking, violence, theft, kidnapping, or even murder.
How to Protect Yourself from Doxing
So what can you do to avoid becoming a victim of doxing?
Unfortunately, it is not 100% possible to prevent doxing from happening, as our lives are intertwined with our online activity, making it difficult to eliminate all traces of our presence on the internet. Furthermore, public records, such as those available through government databases, are at the disposal of anyone with time and curiosity.
But all is not lost, as the tips below can reduce the chances of doxing attacks and put you in control over how much of your data is available online.
- Adjusting the privacy settings on social media apps and websites to reduce the personal information you reveal.
- Diligently scrutinizing friend requests on social media and professional connections on platforms such as LinkedIn.
- Not revealing sensitive details such as real-time location on social media when posting status updates and sharing photos.
- Use a VPN when browsing the internet to protect your IP Address.
- Using the OMNIA Protocol when transacting on the blockchain to hide your personal data, such as IP addresses.
- Strong passwords are harder to hack, and constantly changing them decreases the chances of your online accounts being compromised.
- Having different passwords for different online accounts is also highly recommended.
- Having different usernames on different online platforms to decrease the probability of a doxer connecting the dots on your online activities.
- Reading the fine print on the terms and agreements for newly installed apps and online marketplaces to determine what happens to personal data.
- Protecting your online financial records diligently.
- Enabling two-factor authentication (2FA) on financial apps and crucial logins connected to your digital asset wallets, online banking, work email, and government services.
- Constantly using Google search to find out if your name or phone number pops up on random websites.
- You can legally request your information be removed from the databases of data brokers. Opt-out services can be found on Acxiom, Oracle America, and Experian, just to name a few.
- Being extremely cautious when providing personal emails, phone numbers, and addresses to acquaintances, strangers, and new connections on social media.
- Checking if websites have ‘https’ before their domain name to guarantee a secure connection.
- Constantly being aware of phishing scams and how to avoid them.
- Exploring and changing your phone and computer settings so personal information is not embedded in files.
- Have multiple email addresses for signing up for online accounts you do not wish to be connected to your real name and identity.
- Adjusting the privacy settings for your website at the domain registrar’s website to hide personal information from the WHOIS database.
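For the photo metadata described under method 6 and the tip above about keeping personal information out of files, the Python sketch below audits a JPEG for metadata segments, flags an Exif GPS directory, and returns a cleaned copy for sharing. It is an added example, not part of the original article; the function names and the inline sample (a constructed segment stream, not a viewable photo) are assumptions made for illustration.

```python
import struct

METADATA = {0xE1: "APP1 (Exif/XMP)", 0xED: "APP13 (IPTC)", 0xFE: "COM (comment)"}
GPS_IFD_TAG = 0x8825  # Exif IFD0 entry that points at the GPS directory

def exif_has_gps(payload: bytes) -> bool:
    """True if an APP1 payload is Exif and its first directory links to GPS data."""
    if not payload.startswith(b"Exif\x00\x00") or len(payload) < 16:
        return False
    tiff = payload[6:]
    order = "<" if tiff[:2] == b"II" else ">"
    (ifd0,) = struct.unpack(order + "I", tiff[4:8])
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2].ljust(2, b"\x00"))
    entries = (tiff[ifd0 + 2 + 12 * i:][:12] for i in range(count))
    return any(len(e) == 12 and struct.unpack(order + "H", e[:2])[0] == GPS_IFD_TAG
               for e in entries)

def audit_and_strip(jpeg: bytes):
    """Return (findings, cleaned_jpeg) with metadata segments removed."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    findings, out, pos = [], bytearray(jpeg[:2]), 2
    # Walk header segments; stop at start-of-scan (0xDA), where pixel data begins.
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"malformed segment at offset {pos}")
        segment = jpeg[pos:pos + 2 + length]
        if marker in METADATA:
            gps = marker == 0xE1 and exif_has_gps(segment[4:])
            findings.append(METADATA[marker] + (" with GPS directory" if gps else ""))
        else:
            out += segment  # keep JFIF header, quantization tables, frame info
        pos += 2 + length
    return findings, bytes(out + jpeg[pos:])  # scan data is copied unchanged

def build_sample() -> bytes:
    """Constructed segment stream (not a viewable photo) with Exif GPS and a comment."""
    seg = lambda m, body: bytes([0xFF, m]) + struct.pack(">H", len(body) + 2) + body
    tiff = b"II*\x00" + struct.pack("<IH", 8, 1)            # header, IFD0 with 1 entry
    tiff += struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)      # GPS pointer -> offset 26
    tiff += struct.pack("<I", 0) + struct.pack("<HI", 0, 0)  # end of IFD0, empty GPS IFD
    return (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, b"Exif\x00\x00" + tiff) + seg(0xFE, b"shot at home")
            + b"\xff\xda\x00\x02\x12\x34\xff\xd9")

if __name__ == "__main__":
    print(audit_and_strip(build_sample())[0])
```

Dropping the APP1 segment also removes the Exif orientation flag and any embedded thumbnail, so a cleaned photo may display rotated until it is re-saved.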
What to Do if You Get Doxed
In the event you get doxed, it is vital that you act fast and calmly to minimize the damage and expose those responsible for the attack. Getting doxed is stressful, and the following steps can provide an avenue to fight back.
- Immediately report the incident to law enforcement, financial institutions, social media platforms, and other internet companies connected to your online activities.
- Gather evidence to document the doxing through screenshots, printouts, and even audio recordings in the case of continuous phone calls.
- Instantly secure all your online accounts by changing passwords and adding more security measures such as 2FA and biometric authentication.
- Getting support from family and friends to avoid going through the traumatizing experience alone.
- Moving to a secure location if you believe the doxing could result in a more dangerous situation.