Doxxing as an attack tool has evolved since its inception in the 1990s. Getting doxxed used to mean a rival hacker or gamer would “drop docs” on others to reveal the real identity of a rival using an alias. “Docs” became “dox” (or “doxx”) over time, and now doxxing people is not just for hackers using dark web scans to dig up dirt on their competition.
The exact definition of doxxing is still up for interpretation. From livestream gamers outing the pseudo identities of rivals, to journalists revealing the true identity of controversial TikTok handles, shady business, and politics, what used to be a specific set of actions — almost always with malicious intent — is now more nuanced.
These days, anyone can claim to have been doxxed. Holding powerful people accountable might now be negatively pegged as doxxing — stretching the true meaning. Gen Zers might even colloquially say they doxxed themselves: “Oops, I revealed too much personal information online or posted an unflattering selfie. I totally doxxed myself.”
The internet has extended publishing access to anyone who wants it, including angry employees, jealous rivals, and sketchy hackers. Whether you define doxxing as a form of cyberbullying or novel accountability tool, doxxing has the potential to stretch far beyond its intended purpose.
Doxxing is scary, because it reveals the vulnerability of our private identities. Using a few simple online tracking tools or secretly learning a person's IP address, doxxers can expose information that even private browsing and online privacy best practices can't always protect.
Doxxing can be used as an accountability tool or a means to enact revenge. It can also refer to an accidental overshare on social media.
Why would someone doxx you?
Someone might doxx you to seek revenge, hold you accountable, or because they’re offended by something you did. Doxxing may be fueled by social justice or aggression, depending on one’s perspective. Traditionally, you might get doxxed if someone is seeking retribution against you.
Anyone can be doxxed if information is available about them online. Celebrities, public figures, and politicians are common doxxing targets. Doxx websites may also falsely accuse people of controversial opinions or beliefs, and sometimes reveal inconvenient truths. The hacker group Anonymous has been doxxing people since 2011, often with a vigilante vein in their attacks.
No matter the accuracy or integrity of the docs dropped in a doxxing attack, the act can put the target in danger, particularly when their digital identity reveals physical locations and details. Revealing personal information like someone's phone number, home address, and other information high on a data broker's wishlist may also unintentionally lead to identity theft.
Is doxxing illegal?
The legality of doxxing depends on the means of obtaining the information and the result of the doxxing attack. Doxxing laws in the US may define doxxing as a crime if the data was illegally obtained or if the doxxing attack is linked to cyberbullying or harassment.
The US has seen its share of doxxing gone wrong — such as a man dying of a heart attack after his home address was revealed online and the swat team was falsely dispatched to his home. The person responsible for doxxing his address was sentenced to 5-years in prison, even though he was not the one to call the police.
Is it illegal to reveal someone's personal information? Not exactly. If the information is available in public records, legally acquired, and is not part of a larger harassment or stalking technique, it's not necessarily illegal to doxx someone.
Types of doxxing
Doxxing takes on many forms. You can doxx someone with their phone number by using it as a gateway to other sensitive information. There’s also a type of doxxing that reveals an IP address — a huge clue in revealing where you live. But, all doxxing techniques share the same end goal: get as much information about a target as possible.
Here are a few ways that doxxing attacks start:
You can cyberstalk someone on Facebook, Twitter, TikTok, or any social media platform to gain information about them. Weak privacy settings can reveal your full name, where you live, your phone number, place of work, family member names, even your dog's name.
Combined with social engineering, IP doxxing is when a doxxer figures out a target's IP address and uses it to trick their internet service provider into revealing additional private information.
By connecting usernames across multiple websites, doxxers can paint a detailed picture of the person they aim to doxx. This is a particularly effective technique if a doxxer is trying to expose the true identity behind a pseudonym.
Phishing is tricking someone into visiting a malicious website or clicking on an infected link. Because spear phishing attacks target specific individuals, they can be a particularly dangerous gateway to doxxing. Phishing often occurs via email, but look out for smishing (SMS phishing) and vishing (voice phishing).
A rich source of shockingly personal data, data brokers will sell anything to just about anyone. While it may seem like data brokers use spyware or a nasty keylogger to gain access to your data, they actually piece a person's identity together based on public records and online activity.
Reverse phone lookups
If doxxers can get a phone number, they can get much, much more. Apps and websites that offer reverse phone lookups promise to reveal home addresses or at least the city where a phone number is registered.
Whois is a freely-available tool that identifies the person or people behind any website domain. Most of the information, such as full names, phone numbers, and addresses can be set to private. But domain owners may not remember to set up those protections when they register a website.
Doxxers use available online information about you to decipher who you are — any bits of personal data online can be used in a doxxing attack.
Examples: famous doxxing cases
The most well known doxxing examples involve celebrities and politicians, while lesser-known cases involve average people. Sometimes the target of doxxing is a victim of online abuse. Other times, the tables can be turned and doxxers themselves can find themselves doxxed.
Celebrities who have been doxxed include Kim Kardashian, Jay Z, Cardi B, JK Rowling, and Donald Trump, among others. In a sweeping celebrity doxxing incident, celebrities had their social security numbers, mortgage amounts, credit card details, banking information, and even their auto-loan details posted online.
A tragic example of doxxing is when Sunil Tripathi committed suicide after he was mistakenly doxxed as the Boston bomber. And it wasn't just individual vigilantes publishing Sunil's photo and claiming he was behind the attacks. Well-known journalists also jumped to this tragic conclusion.
In a failed attempt to out racists involved in an on-campus neo-Nazi march, internet slueths incorrectly doxxed University of Virginia professor Kyle Quinn. Once his photograph was paired next to that of a torch-wielding protestor wearing an Arkansas Engineering shirt, a tweet frenzy ensued calling for the professor's expulsion.
An extreme form of doxxing that turns online revelations into dangerous real-life experiences is swatting. Swatting is a form of doxxing where aggressors hunt down a target's home address in order to report a fake crime. Police — or sometimes the SWAT team — then show up at the unsuspecting person's doorstep ready for a confrontation.
Another doxxing example flipped on its head is when baseball player Curt Schilling doxxed two anonymous Twitter users who were sending abusive messages to his daughter. The messages were so explicit and inappropriate that it led to one of the men losing their job.
What to do if you become a doxxing victim
So, what to do if you get doxxed? There are a series of steps you can take to protect yourself from further harassment, including requesting the removal of private information from sites that host it.
If you become a victim of doxxing, here’s what to do:
Report doxxing to the police.
Doxxing may be considered a cybercrime in your location and should be taken seriously. Report doxxing before it escalates to a more serious crime, especially if you need to report identity theft as a result of leaked information.
Report doxxing on social media.
Facebook, Twitter, or any other social media where doxxing occurs should have an easy way to report and remove the information. Use the “Report Abuse” or “Report Bullying or Harassment” options to report doxxing. This step may prevent further harassment and more doxxing attacks in the future.
Change usernames and passwords.
A doxxer thrives on drips of information that may lead them to even more data. By changing your usernames, you cut them off from further access to your digital presence. In the event that a doxxer has also gained deeper access to your accounts, it's critical to change your passwords as well.
Look at the info the doxxer has on you.
Did they doxx publicly available information from social media? You might be able to tell where the doxxed information came from. Check your privacy settings and your public exposure by changing your social media permissions. You may even consider starting new accounts.
Inform your bank.
It may seem unnecessary, but reporting doxxing to your bank can help them monitor for suspicious transactions and unusual activity. Several doxxing attacks have revealed private financial information, such as credit card and banking details.
How to prevent doxxing
Doxxing is all about exposure. How you share information online, set up passwords, and manage old accounts affects how vulnerable you are to doxxing. The anti-doxxing tactics outlined below will not only help you avoid unwanted exposure, they may also help you avoid cyberstalkers and phone spoofing.
Here are some of the best ways to prevent doxxing:
Use strong passwords.
Enhance your personal security by using strong passwords you won't forget on all your accounts. If a would-be doxxer gains access to one account, they can often gain access to others, so always use unique passwords and two-factor authentication to log in.
Set up breach alerts.
Use a trusted data-monitoring tool that will alert you if your personal information is ever leaked in a data breach.
Connect through a Virtual Private Network.
There are many reasons to use a VPN, one of which is to protect your browsing activity from third-party snoops and potential doxxers. Plus, the benefits of a VPN go far beyond doxxer prevention.
Think before you post online.
Oversharing on social media is a significant doxxing risk. Consider who can see your content, and check to see if your Facebook data has been leaked.
Close old accounts.
Good digital hygiene — including deleting old email accounts for email security, removing old social media accounts, and leaving any online or ecommerce communities you no longer engage with — can help prevent doxxing.
Protect your personal information with AVG BreachGuard
Doxxers cling to the smallest pieces of information they can find about you online. Don't let your personal data slip into the wrong hands or onto the dark web where hackers can find it or use it against you.
AVG BreachGuard keeps track of new data leaks, alerting you of any breaches involving your personal data. Then, it will help you secure your personal info before it ends up in the wrong hands. Prevent doxxers and other shady characters from getting your personal info with AVG BreachGuard.