What is doxxing?
Doxxing is a form of online harassment that involves sharing a person’s private information publicly. Doxxers search for, collect, and then share personally identifiable information like the victim’s name, address, phone number, and pictures without the victim’s consent, leading to further and potentially more severe harassment from other people using the leaked information.
The word “doxxing” comes from the term “dropping dox” – a technique old-school hackers used as a revenge tactic back when IRC was popular. This was done to strip away one’s anonymity and intimidate or harass them, or even draw the attention of law enforcement agencies. For hackers, who strive to stay anonymous, doxxing was and still is a serious cyber threat.
Nowadays, doxxing is mostly employed by cyberbullies and online gamers. Someone might end up revealing personal information about you or your family members because they didn’t like the content you posted on social media or forums, or because they disliked you after you beat them at an online game. You don’t need to be a public figure — anyone can become a victim if information about them is available.
How harmful can doxxing be?
A doxxing attack might not seem harmful. What could someone do with your data if it already exists somewhere on the internet? Your details, like your home address, phone numbers, email addresses, and social security numbers, could be scattered across many platforms. But what if someone adds network data, financial documents, bank account information, private correspondence, embarrassing photos, signed petitions, and publicly shared opinions to the mix? Small, cherry-picked pieces of information can form a negative portrait of anyone. This is more than just a violation of your privacy. It can also:
- Harm your personal or professional reputation;
- Humiliate and embarrass you;
- Cause a potentially nightmarish social backlash;
- Lead to identity theft;
- Lead to future cyber attacks;
- Put you at risk of physical harm;
- Invite ongoing harassment and death threats;
- Lead to prank calls and swatting (false reporting of incidents such as hostage situations at your home address).
How does doxxing work?
Information collection methods range from easy-as-pie info harvesting to advanced hacking. Combine a high level of self-disclosure with a low level of security – and voilà! An attacker can learn a surprising amount about you.
The most common techniques include:
- Wi-Fi (packet) sniffing. Public Wi-Fi networks are extremely vulnerable to hacking. A doxxer can intercept your internet connection without too much effort and see real-time data, like the websites you are visiting. This means that your sensitive data, such as login details and passwords, are at high risk of being compromised.
- Analyzing file metadata. By simply looking at your file metadata, an attacker can learn a great deal about you. For example, if you go to the ‘Details’ section of a Word file, you will see who created it, who edited it, when, and possibly even from what company. Similarly, photos have EXIF data. This shows the model of the smartphone or camera used to take the photo, its resolution, and the time when the photo was taken. Moreover, it can also reveal your location if GPS was enabled when the photo was taken.
- IP logging. Hackers can also slip an IP logger – an invisible piece of code – into your device through an email or a message so they can sniff out your IP address. IP addresses can be used to find your approximate geographical location.
Is doxxing legal?
Doxxing legality (or illegality) depends on the country internet users live in. However, if you reside in the US, there are federal and state laws that consider doxxing to be illegal, especially when it intentionally damages someone’s reputation or puts them in danger. Many EU countries also consider doxxing illegal, especially if the information was private or difficult to obtain and it violated the target’s privacy and security.
Can you dox yourself?
You can, and you should. Doxxing yourself is the best way to find out how much of your personal information is on the internet. This way, you can try to remove everything you don’t want available online.
- The best way to start is by googling your name. Your social media accounts will probably pop up first. While there’s not much you can do about most of them (apart from changing your name to a nickname), some will allow you to hide your profile from search engines. For example, you can do so on Facebook by unchecking the box which says “Do you want search engines outside of Facebook to link to your profile?”.
- Next, do a targeted search. Google your name together with other keywords, like “phone number” or “address.”
- Make sure to search only for your actual address, phone number, email, and any nicknames you remember using to see whether your name is associated with any of them. You’re likely to find data brokers’ websites where your name, address, location history, phone number, and other personal information is compiled into one file (you can use a service like Incogni to opt out of data brokers automatically).
- Check the image results as well. If you don’t have a lot of photos online, you can do a reverse image search to see if any of them were posted where they shouldn’t have been.
What should you do with the information you find about yourself online? If you live in the European Union, you can demand that your personal data be erased from the website, thanks to the GDPR rules.
Unfortunately, it’s not as straightforward elsewhere in the world. You can still ask the website to delete information about you, and many will likely agree to do so. As for everything else, you will at least know what information about you is available online. And from this point onwards, you can be more careful. Make sure your new email, phone number, or home address do not end up online. Control what you and others post about you on social media, and be more careful with your data in general.
PRO TIP: Keep your social media profiles private. This is a good rule to follow for all-round privacy and security, but it’s particularly important for preventing doxxing.
How to prevent doxxing
The good thing is, there are steps you can take to avoid doxxing or at least minimize the risks.
#1: Limit information you share online
Have you ever tried entering your name into a search engine? Give it a try because it’s the first place cyberbullies will go to collect information about you. Try using a privacy-oriented search engine. Why? Because Google provides search results based on your ‘user profile’ and your preferences, meaning you may not see the same information a hacker would.
Once you know what info about you is out there, try stripping as much of that content as possible. This can be challenging! A good chunk of it will most likely reside on Google’s platforms and your social media profiles. Use these guides to make your social media more private and to de-Googlify your life.
#2: Think before you comment
Forums or news websites that allow you to post anonymous or pseudo-anonymous comments still collect data about you, like your IP address, which can reveal your location and your identity. If you feel the need to leave comments on websites, never enter personal details that could result in identity theft, don’t log in with your social media accounts, and use a VPN to change your IP address.
#3: Remove yourself from data broker websites
Data brokers scrape the internet, gather your data in one place, and sell it to businesses. You can opt out, but because they make money from your data, they can make the process lengthy and frustrating. If you are not sure whether your data is on any such websites, you can check www.peoplefinder.com or www.whitepages.com.
#4: Protect your passwords
Breaking into your online accounts is the holy grail for hackers; it allows them to steal your data, commit identity theft, sell your private information on the dark web, and launch other attacks against your contacts. Passwords are essential for protecting our financial accounts, social media profiles, and more. Make sure that you protect your accounts with strong and unique passwords. You can also use the NordPass random password generator. Don’t reuse your passwords and keep them safe. Password managers like NordPass can protect your passwords by storing them in an encrypted vault and remembering them for you.
In addition, enable two-factor authentication wherever you can. Even if an attacker gets their hands on your password, they will bump into a wall at the next authentication step. Although any kind of 2FA is better than nothing, we recommend avoiding SMS as a method of verification, as it is vulnerable to SIM swapping attacks.
#5: Use a virtual private network (VPN)
Connecting to a VPN encrypts your online data and hides your real IP address; it’s one of the most effective security measures that you can take. This way, snoopers won’t sniff your private information and you can enjoy safe online gaming. With a VPN, you can even make public Wi-Fi secure.
When choosing a VPN service, pick one like NordVPN. With Threat Protection included, you’re protected against suspicious websites that host malware while our ad blocker can also prevent doxxers from accessing your private data.