Doxxing is when an attacker leaks a collection of your personal information online, usually with the might of internet hate mobs behind them. For the victim, the impact can range from public embarrassment, to fatal swatting incidents.
What is Doxxing?
Doxxing (sometimes spelled doxing) is the gathering of personal information about individuals and releasing it on the internet. The intention is to cause the doxxed individual some sort of problem or embarrassment or to open them up to abuse and trolling from others. It’s a simple but powerful online threat to your privacy and, in some cases, to your safety.
Doxxing is not new. The name comes from the term dumping documents. Documents became shortened to docs, which rhymes with dox, and so doxxing was coined. It has existed in different guises since the 1990s when it was a tool reserved for hackers. It was mainly used to cause trouble to rival hackers. It has morphed into a weapon that even casual web users can use against anyone else.
The threat actors research the target, gather information, then make that information public. If the target is an individual, the information being released is available on the internet somewhere already—if you know where to look for it—and is in the public domain. There’s no hacking involved, just some sleuthing.
Hacktivists and Doxxing
The term hacktivist was first coined by a member of the Cult of the Dead Cow, a hacking group that used to meet in an abandoned slaughterhouse in Lubbock, Texas in the mid-1990s. It is a portmanteau word joining hacking and activist.
Hacktivists see themselves as cyber-guerrillas fighting on the side of justice and society. They carry out attacks against organizations that—as far as they are concerned—are deserving of punishment or, at the least, deserve to have private information regarding their business conduct made public. Hacktivists will also target individuals within an organization.
For example, the Anonymous collective and its supporters on the 4Chan website can launch massive campaigns against doxed victims. 4Chan has millions of members. They can deliver a tsunami of online trolling, prank phone calls, and threatening or abusive email. They will also petition that a victim be fired from his job, or removed from public office.
Hacktivists might use traditional hacking techniques to obtain sensitive corporate documents.
Ransomware and Doxxing
Ransomware is a cybercrime in which the victim’s entire network is encrypted and a ransom in cryptocurrency is demanded in return for the decryption key. Some companies do not pay the ransom, they wipe their systems and restore their data from backups instead.
Victims of ransomware who refuse to pay the ransom are sometimes blackmailed by the threat actors with the release of sensitive corporate documents unless they pay a cryptocurrency ransom. This combines corporate doxxing with ransomware.
The Potential Impact
It’s no overstatement to say that people’s lives have been ruined by doxxing. Doxxing attacks have caused victims to undergo mass campaigns of public shame and humiliation, they have lost jobs, split from partners, had to close down their online presence, and even to go into hiding.
And of course, sometimes the victim is a misidentified, innocent, individual. In a headline grabbing-case a University of Arkansas professor was incorrectly named as a participant in a Charlottesville, Texas white supremacy rally.
To try to identify those who had attended the march, opposers of the rally reviewed footage and photographs. One of the marchers wore an Arkansas Engineering t-shirt. It was an easy step to check out the faculty staff from the University website.
Associate professor Kyle Quinn bore a passing resemblance to the man at the rally, so he was publicly declared to be the man in the photograph. His colleagues, friends, and family were doxxed and bombarded with angry and abusive messages, and demands were sent to the University to fire Quinn.
For Quinn, it was easy to prove he wasn’t the man in the photograph. Luckily, he’d been attending a University function over 1000 miles away at the time of the rally and his innocence was unquestionable.
A mistake by police led to an innocent man being misidentified as a cyclist who hurt a child on a bike trail in Bethesda, Maryland. They posted the incorrect date on an appeal for information. Peter Weinburg—the innocent man—had used the bike trail on the date the police used in their appeal, but not on the actual date of the assault.
Weinburg was quickly the victim of a doxxing, with a backlash of such ferocity that the police had to patrol the area around his home to keep him safe. Doxxing can all too easily bring online bullying and trolling into the real world.
Doxxing and Swatting
Swatting is making hoax communications to the police to convince them to send an armed response team to a victim’s residence.
Swatting attacks require someone to impersonate the victim. They describe a crime they are either going to commit or that they already started. A Special Weapons and Tactics (SWAT) team or other armed law enforcement team attend the scene. That’s a flashpoint situation with keyed-up law enforcement officers and a completely confused victim.
In 2017, angry about a USD 1.50 bet over a game of Call of Duty, Casey Viner asked known swatter and hoaxer Tyler Barriss to swat another online gamer. They doxxed the victim but retrieved an expired address. Barriss made a hoax call and sent an armed response team to the wrong address. Andrew Finch, unconnected in any way to the dispute over the bet, was shot to death. Barriss is serving a 20-year sentence.
How Doxxers get Your Information
There are many places doxxers can search to try to find out about a victim.
Open Source Intelligence
Open source intelligence is any information that can legally be obtained about an individual from the internet. Because no crime has been conducted in gathering the information, and because the information is factual—assuming the victim has been correctly identified—many forms of doxxing are not illegal.
Looking up information on the electoral rolls or registers is perfectly legal, for example. It is public domain information. That’s what the open source means. It is an open source of information, as opposed to a closed-source. It doesn’t have any connection to open source software. That being said, there are several free and open source software packages that can be used to gather open source intelligence on individuals.
Businesses that collect, store, and profit from cross-referencing and selling your data are called data brokers. Everything you do is of interest to someone, especially the big-data marketing companies. If you search for something online, research a purchase, or buy something online the details of those actions are saleable content for the data brokers.
Registering a domain requires you to fill out a form. The data on that form is accessible to anyone. Some registrars offer to hide or restrict the data for a fee, but not all of them provide this service.
You can use any of the many whois services on the internet to search the entries in the whois database. Some operating systems offer direct access to the whois database, allowing requests to performed programmatically.
The average person posts a tremendous amount of information that can be used to identify them, their family, the locality they live in, their address, phone number, people they associate with, where they work, what they do in your spare time, and so on. All of this can be used to piece together your identity and provides clues for the threat actors to find more information about you.
You might be giving away other information without realizing it. Images that you post online can have embedded data in them, with the time, date, and location of where the image was taken held in the metadata of the image file.
Data breaches seem to be a daily fact of life. These leaked databases can carry a wealth of information including your name, password, social security number, home address, bank details, credit card details, email addresses, landline, and cell phone numbers—and on and on. All of this finds its way to the Dark Web and hacker forums.
If someone knows your name and the general vicinity you live in they can search the leaked databases and find likely candidates that could be you. Cross-referencing the information in the data breaches with the information they already have about you allows them to quickly verify whether they have identified you or not.
Social engineering is a way fraudsters build up trust and familiarity with their victim, while slowly extracting information from them without the victim realizing it is happening. This can happen in the digital world on social media platforms, or in the physical world.
Doxxing-as-a-Service is available on the Dark Web. They will carry out a doxxing attack on the victim and charge them a fee to have their personal information taken down.
How to Protect Yourself Against Doxxing
Behave with caution. Everything you say or post on the internet can be dredged up and waved around in public by those seeking to undermine or attack you.
Don’t Use Your Real Name
When you join a social media site, forum, or any other online platform, pick a username that doesn’t reflect your real identity. If you get into an argument or someone takes umbrage at views you’ve expressed and they’re the type of person who’ll consider doxxing you, you’ll be better protected with a completely unrelated user name.
Use a VPN
A VPN will help to maintain your anonymity. Your IP address is not exposed to the platforms, services, and websites you connect to. This makes back-tracing much more difficult. It also encrypts your traffic which will make using public Wi-Fi much more secure.
Be Cautious With Social Media
Almost everything you post on social media can be used as clues to your real identity. Photographs of the front of your house for example allow the doxxers to verify they’ve found the correct address by comparing that photograph with the image on Google Street View for the address they suspect may be yours.
Use the privacy controls on the social media platform to restrict access to your posts as much as possible, and only allow trusted friends and family to connect and see your updates. Don’t accept connection requests from strangers. Ask yourself, why would they want to connect to you?
Request Deletion of Your Data
Anyone can request that data brokers delete your personal information from their databases.
Google, Bing, Yahoo, and other search engines allow you to request that you be removed from search results. But be aware that they do not always comply. If they maintain that the information serves a legitimate interest for the public they will not remove your data.
If you are a European citizen you can request data deletion from any organization you believe holds your personally identifiable information. The General Data Protection Regulations give you rights to see what data a business holds on you and, if you choose, to have that data deleted. And this doesn’t just cover European organizations. GDPR covers any organization—regardless of geography—that processes, stores, or transmits data of European citizens.
Even with GDPR, you don’t have a carte blanche right to data deletion, but you do have the right to request it. An organization must have a compelling and valid reason to continue to hold your data if you’ve asked them to delete it. For example, you can’t try to get your data deleted from someone you have an ongoing lease with or a hire-purchase plan. The fact that you are in the middle of a financial contract would be an acceptable reason for them to deny data deletion.
If the prospect of contacting many websites and asking to be removed makes your heart sink, you can consider using data deletion services such as DeleteMe or Privacy Duck. For a fee, these companies will remove you from all of the common data broker, web search, and other data trading companies, and greatly reduce your online footprint. The Privacy Duck website even tells you how they do it and shows you how you can do it for yourself, for free.
Use Sacrificial Email Addresses
Use free email providers such as ProtonMail and create throw-away email addresses. Use them as your registration email for social media and other platforms you join. ProtonMail provides another degree of separation because you can create an email address without providing an existing email address during the process.
If You Do Get Doxxed
- Report it. Report it to the customer support of the platform on which the information has been released and ask that it be taken down. The platform may have a policy about doxxing, and the poster may be banned.
- Contact the police. If you’re receiving threats or abuse as a result of a doxxing report it to the police. If the information that has been posted is not publically available a crime may have been committed by procuring and posting it.
- Record the doxxing. Taking screenshots of the online information, keeping abusive emails, and screenshotting Tweets before they can be deleted will provide information that the police may use in their investigation.
- Warn your employer, colleagues, friends, and family. They may be subjected to hate mail and abuse just for knowing you or for employing you.