While “doxxing” has been around since the 1990s, in recent years, doxxing attacks have become increasingly common, with celebrities and lay people alike falling victim.
In this article, I go into detail about what doxxing is and its real-life consequences. In addition, I’ll explain how you can protect yourself from doxxing attacks.
What Exactly Is Doxxing?
“Doxxing” is when someone finds personal information about someone else, usually an internet user, and publishes it online for the world to see. That’s why it’s called “doxxing” – referring to “documents,” shortened to “doc” and then changed to “dox.”
The information that’s published can include the real name, home address, email address, telephone number, photos and other personal information of the victim, leading to attacks that can move from the online world to the physical one.
Why Does Doxxing Occur?
The motivations behind doxxing can vary, but there are two main reasons: “vigilante justice” and revenge.
When it comes to vigilante justice, there are multiple examples of suspected Neo-Nazis being outed on the internet and losing their jobs. However, unfortunately, doxxing is not an exact science, and many innocent people have become victims of hate mail and in-person and online harassment.
When it comes to revenge, sometimes someone does something in the online world that, rightfully or wrongfully, angers someone else. In these cases, doxxing can occur in order to hurt the real person who did the “offending” act, hurting their reputation, sanity, security or worse.
Examples of both of these reasons for doxxing are presented in the next section.
Doxxing Attacks
Kyle Quinn was a victim of doxxing for the sake of “vigilante justice.”
Although the University of Arkansas professor had spent the night with a colleague and his wife at an art exhibit, doxxers online misidentified him as having participated in a white supremacist rally in Charlottesville, VA, which happened on the same night.
Despite his alibi, Mr. Quinn soon found himself with hundreds of hateful messages on Twitter and Instagram. His home address was even posted online, causing him to seek refuge in a colleague’s house.
One case of revenge doxxing occurred in 2015, when former Major League Baseball player Curt Schilling’s daughter was the subject of sexually offensive comments on Twitter. In an act of revenge, Schilling posted the true identities of the offenders online.
Consequently, one bully lost his job, while another was suspended from his community college. This caused fear in other bullies, leading them to apologize online in order to avoid retribution.
While these consequences of doxxing are extreme, they’re not the most extreme consequences out there. Sometimes doxxing doesn’t end with the loss of one’s security or one’s job, but the loss of one’s life.
The Dangers of SWATTING
One particularly nasty and dangerous form of a doxxing attack is SWATTING.
SWATTING is when, instead of being satisfied with hate mail directed at the victim, the doxxer goes a step further, sending an actual SWAT team to the victim’s house.
Sometimes this occurs by the attacker posing as the victim online, posting threatening messages on a fake online account, directed at schools and other places. These threats can include bombing or shooting scares, prompting authorities to try to find the person responsible and sending a SWAT team to their home.
Other times, if the attacker knows the physical address of the victim, they will call the authorities and claim that the victim is plotting a terrorist attack or that they’re holding hostages. A SWAT team will then be deployed to “investigate.”
A sad example of this kind of attack occurred in the U.S. in 2017. Tyler Barriss, located in Los Angeles, called Wichita, Kansas authorities, posing as Andrew Finch and claiming to have shot someone and to be holding hostages. A SWAT team arrived at the home of Finch’s mother, where Finch was staying, and shot him on sight, killing the man.
The reason for the SWATTING attack? A dispute over a bet between two Call of Duty gamers, worth $1.50. Barriss launched the attack on behalf of the loser. The saddest fact is that Andrew Finch had been misidentified as the other party, and actually had nothing to do with this Call of Duty dispute.
How Do Doxxers Find Your Information?
A data broker is a business that collects the personal information of people.
They get this information from other businesses, such as an online marketplace. That online marketplace may, after selling you their product, sell your personal information to a data broker for extra profit.
How do they get away with this? Usually in the fine print of Terms and Conditions documents, which they know you don’t read.
If you give your information to, say, a contest for a free car, the online survey may say in the fine print that they have the right to store and/or sell your information to data brokers. The money they make from this may offset the cost of the free car they eventually give out.
Usually, this information is not individualized, keeping your personal identity private. But hackers and doxxers can still work out who you are by looking at large volumes of data from multiple brokers. Combined, this information can give a more precise picture of who an individual is, and what their private information is.
While this is one of the easier methods for doxxers to find your identity, it’s also more expensive than other methods, meaning this may not be the most popular method for finding out who you are.
It’s possible to demand that a data broker remove your information, but this is a lengthy process, which I explain in another section.
An IP address is an identifier for your device.
Every internet-connected device has one. It lets the internet know where a request came from and where a response needs to go, much like a home address lets your postal carrier know where mail came from and needs to go.
However, IP addresses are similar to home addresses in more than one way: IP addresses also reveal your physical location.
An “IP logger” is usually a link that, when you click it, logs your IP address. The IP Logger website lets you shorten these links so that they’re less suspicious.
While businesses can use these kinds of links to collect statistical data for their websites, doxxers can also use them to trick you into revealing your IP address. Your IP address will give them a rough idea of where you’re located. To see how specific an IP address gets when it reveals your location, check out the What Is My IP Address website.
When you create your own website, whether for business or personal reasons, the information you used during registration is public. Websites such as the WHOIS website, or domain sales broker websites such as GoDaddy, make this information accessible.
Some domain brokers allow you to obscure your information when you’re doing the registration. However, to be completely anonymous (for free), you can use a disposable email address, use a fake phone number and make up a company name in order to keep your information supremely private.
What You Can Do to Protect Yourself From a Doxxing Attack
Protecting yourself largely has to do with making sure that you’re careful with what information you post online. Here are some ways to make sure that you can’t be identified.
Social media sites such as Facebook are easy ways to connect with friends, but unfortunately, most people have a habit of posting too much private information there.
When it comes to friend requests, only accept requests from people you actually know. This will keep the number of people who have your personal information to a minimum.
To improve your privacy settings on Facebook, follow the steps below.
1. On your Facebook home page, click the downward arrow button at the very top right of the screen and then go to the section item “Settings and Privacy.”
2. Then, in the menu that appears, click “Settings.”
3. On the page that it takes you to, click “Privacy.”
4. Then you’ll see on the page, under “Your Activity,” a list item that says, “Who can see your future posts?” Click that, and you’ll see a drop-down menu that lets you choose who can see your future posts. Make sure it is set to “Friends.”
Although it’s tempting to write personal details on Facebook, avoid it. Don’t mention where you work and don’t post photos of your children. Be sure to tell others, if they take pictures of your children at an event, not to post them online.
Also, don’t sign into other websites using your Facebook, Google Plus, Gmail or other account. When you do this, those other sites will have access to all of your personal information from your social media accounts.
Check out our article, “The Visual Guide To Making Your Facebook Profile Private Again,” for more information about making your Facebook profile completely private.
Encrypt Your Online Communications
Even if the content that you’re viewing or using is encrypted, a hacker can see all of this if your internet connection isn’t encrypted. Your personal, business and financial information will all be at the hands of any hacker who knows how to look for it.
So, use a Virtual Private Network (VPN) to encrypt your internet connection.
A VPN uses government-grade encryption to protect your internet connection. In addition, it offers many security and personal privacy protections, including kill switch and DNS leak protection, as well as having strict no-logs policies so no one can request your information from a VPN.
For more information about VPNs and which VPN is the best, check out our “What Is A Virtual Private Network (VPN) And What Does It Do?” article. I would suggest using NordVPN.
You should definitely use a VPN if you plan on using a public WiFi hotspot. Public WiFi hotspots are typically unencrypted and are havens for hackers looking to steal your private information. Because a VPN encrypts your internet connection, hackers are powerless to glean any info.
Use AntiVirus to Protect Your Computer’s Data
There is such a thing as “doxware,” a type of malware (which is another name for spyware).
It’s similar to ransomware, which infects your computer via phishing emails or other means. Hackers using ransomware encrypt the files on your computer and demand that you pay a (usually sizable) ransom if you want to get them back.
In the case of doxware, if you refuse to pay the ransom, there is a consequence: the hacker will post your private information online.
In order to avoid this, install AntiVirus and/or malware detection software onto your device. This will prevent any malware/spyware from infecting your device and protect you from hackers attempting to steal, ransom and publish your private information.
Be sure to set your AntiVirus and anti-malware apps to update automatically, and even if they slow your computer down (which they sometimes do), don’t ever turn them off.
Delete Your Private Information From Apps
Many apps will have your identity in their settings.
For example, Microsoft Office may have your real name in a properties field in their settings, meaning that every document you create and send will have your true name associated with it.
Go through your apps, check out the settings, and if you see your real name or other private information recorded, delete it. If a name or other information is required, consider creating an anonymous email address with a fake name to use in your apps.
Some devices to check include:
- Your smartphone
- Your camera
- Your webcam
- Your game console(s)
- Your set-top box(es)
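To see what the Microsoft Office properties field mentioned above looks like inside a file, here is an added example (not from the original article) that reads the author fields from a .docx and writes a copy with them blanked. The function names and the sample document are constructed for illustration; the sample contains only the parts this check reads.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
CORE = "docProps/core.xml"  # part of a .docx/.xlsx/.pptx holding the core properties
# Core-property elements that normally carry a person's name.
NAME_FIELDS = {f"{{{DC}}}creator": "creator", f"{{{CP}}}lastModifiedBy": "lastModifiedBy"}
# Keep the usual prefixes on rewrite; date fields refer to "dcterms" by prefix.
ET.register_namespace("cp", CP)
ET.register_namespace("dcterms", "http://purl.org/dc/terms/")

def read_identity(docx_bytes):
    """Return the non-empty name fields stored in the file's core properties."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if CORE not in z.namelist():
            return {}
        root = ET.fromstring(z.read(CORE))
    return {NAME_FIELDS[e.tag]: e.text for e in root.iter()
            if e.tag in NAME_FIELDS and e.text}

def scrub_identity(docx_bytes):
    """Return a copy of the file with the name fields blanked, other parts as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE:
                root = ET.fromstring(data)
                for e in root.iter():
                    if e.tag in NAME_FIELDS:
                        e.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()

def make_sample():
    """Constructed sample: a minimal zip with a core-properties part and a body."""
    core = (f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
            "<dc:title>Quarterly notes</dc:title>"
            "<dc:creator>Jane Example</dc:creator>"
            "<cp:lastModifiedBy>Jane Example</cp:lastModifiedBy>"
            "</cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(CORE, core)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

if __name__ == "__main__":
    sample = make_sample()
    print(read_identity(sample), "->", read_identity(scrub_identity(sample)))
```

This covers only the two name fields in the core properties; names can also appear elsewhere in a document, such as in comments or tracked changes, which this check does not touch.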
Use a Secure Email Address
You may be tempted to sign up for accounts on many websites, but using your personal email address to do this is a mistake.
Some websites aren’t what they seem, and are actually doxxing harvesting sites that will steal your private information. You need a way to be able to delete your account without leaving any sensitive information behind.
Instead of using your personal email address at one of the popular, free email service websites (which, while they usually encrypt your emails while being sent to the recipient, won’t encrypt them while they’re stored on an intermediate server), use a second, secure email address for sites and online services you don’t necessarily trust yet.
If you can, don’t use your real name while signing up. Secure email services will keep your mail encrypted, ensuring that no one can steal your private information.
That way, you can easily back out of these questionable sites without worrying that your private information was stolen.
Use a Different Username and Password for Each Site
Most people will use the same password over and over again on every site that they sign up for. But this is dangerous: if a hacker is able to find your password to an account on one site, then they have access to your accounts on every site.
You may worry that you won’t be able to remember all of these passwords if you change them up for every site you visit, but don’t worry! Password managers are your friend.
A password manager stores your passwords (and usernames) for every site and service you use, automatically filling in the information when you visit the login page. That way, the only password you really need to remember is the secure password you use for the password manager itself, so you can access all of your passwords.
Password managers are available on computers, smartphones and other devices, making it easy to log into many services without having to scratch your head, trying to remember your password.
I personally use LastPass’s extension, which has a free version. I’ve added their extension to my Chrome browser, and I love the way it automatically fills in my passwords on every site that I save to it.
Check out our article on how to create a secure password for every site.
Those in the EU: Get Your Info Removed
If you’re lucky enough to be located in the EU, you’re able to get your information removed from search engine results.
And thanks to the General Data Protection Regulation (GDPR), it’s harder for companies to keep information on you in their databases.
The GDPR allows you to launch a class action lawsuit against companies that don’t protect your information well enough, such as if they don’t let you know what information they have on file about you or if they transfer your data outside of the EU.
You can get your information removed from search engines by filling out a form. Websites that allow you to do this include
Those in the USA: Self-Doxxing
To protect yourself from doxxing, try “self-doxxing.”
Self-doxxing is when you look into what information about you is available on the web, as opposed to researching what information companies have about you on file, in secret. It’s not a doxxing issue to trace information that’s held about you, unless the information is leaked. Self-doxxing allows you to protect yourself from any information leakage.
Here are some resources:
- We Leak Info – this site informs you about where hackers can find your info.
- The School of Privacy – this site tells you how to self-dox.
- Google – this form allows you to get your info removed from search engine results.
Then, visit websites that will help you get your data removed from websites. Here’s a short list, but there are many more sites out there:
- USA People Search
Doxxing can occur for a myriad of reasons, such as vigilante justice and revenge. Be sure to do the following to protect yourself from doxxing.
- Make sure your information is private on social media platforms, and only friend people you know.
- Use a Virtual Private Network to encrypt your internet communications.
- Install AntiVirus and anti-malware apps onto your computer to protect against doxware.
- Delete your private information from apps that may leak your data.
- Use a secure email address when signing up to sites and services.
- Always use a unique password on every site or service you sign up to.
- Get your information taken off of websites when possible.
It’s also always a good idea to play nice online. This is not at all victim blaming – it’s never anyone’s fault if they get doxxed; the blame is squarely on the doxxer. However, just like when you’re driving and you have to be careful of other drivers on the road, be careful how you treat other users on the web.
By following the steps above and playing it safe on the web, you can protect yourself from doxxing.
Doxxing FAQs
Will Switching on Two-Factor Authentication Stop Doxxing?
Two-factor authentication protects your online accounts by requiring not only a password to access your account, but also that you confirm your identity by entering a code sent to a device you own.
Two-factor authentication can help prevent doxxing by making it harder for doxxers to access your online accounts and thereby steal your private information, such as your home address or phone number.
Are There Any Famous Doxxing Cases?
The case of Kyle Quinn being misidentified as having taken part in a white supremacist rally made it all the way to the New York Times. Wired reported about Daryle Lamont Jenkins, an “insatiable doxxer of fascists and Nazis.” There are numerous cases of doxxing littering the internet.
What Is the Difference Between Doxxing and Swatting?
Doxxing involves gathering your personal information and releasing it to the public. Swatting involves gathering your personal information and making a serious (but false) police report about you, causing a SWAT team to be sent to your home. Swatters don’t necessarily publish your private information, while doxxers do, and doxxers don’t necessarily send a SWAT team to your house, while swatters do.