
What is doxxing?
Doxxing refers to the deliberate public disclosure of a person’s sensitive personal information without their permission. The intention behind doxxing someone need not be malicious, but it most often is. In effect, doxxing involves connecting a person’s online persona to their true identity.
The personal information revealed during a doxxing incident may already be publicly available beforehand, but the damage is done when that information is connected to an otherwise anonymous online identity. It’s contact information that’s most commonly revealed, but any personal information is fair game.
Why is it called doxxing?
The term “doxxing” comes from “docs” (short for documents). It refers to the act of collecting and publishing personal documents or information about someone online, often to harass or cause physical harm.
Is doxxing illegal?
Making threats of physical harm is illegal in most jurisdictions, as are stalking and harassment. Revealing personal details online is more of a mixed bag. Nevertheless, as long as harassing people and causing them distress is illegal, encouraging and enabling others to do the same is likely to be so as well.
Related: Is Doxxing Illegal?
What does a doxxing attack look like?
Each doxxing attack is different, but the overall pattern is the same. The soon-to-be doxxing victim is both in public view and in some sense anonymous. They engage or even just catch the attention of the wrong person or people online. That’s when the doxxing starts.
The person doing the doxxing has one or both of two possible aims: to harm their victim simply by breaking their anonymity and/or to harm them by exposing them to the threats and dangers of having their personal information online. The troll doing the doxxing may even wrangle an angry mob into attacking their victim.
The attacker accomplishes their task by publishing or otherwise sharing their victim’s most private information online, including their social media accounts, home address, phone number, and the details of any other personal accounts that hadn’t been connected to their online persona prior to the attack.
Having this private information and these personal details connected to an otherwise anonymous online account can be harmful in and of itself. Things get really dicey once an angry mob gets involved, with death threats, threats of sexual violence, and identity theft suddenly being on the table.
Types of doxxing
- Personal information doxxing: Publishing private details like full name, home address, phone number, or email.
- Social Security number doxxing: Revealing financial information or Social Security numbers, often leading to identity theft.
- Employment doxxing: Sharing details about someone’s workplace to prompt harassment or professional backlash.
- Location doxxing: Disclosing someone’s real-time or common location, putting them at physical risk.
- Image doxxing: Posting private photos, videos, or screenshots to embarrass the victim.
- Social media and online activity doxxing: Exposing a person’s online aliases or social media history to shame or discredit them.
- Swatting: Using doxxed information to make false emergency calls to someone’s home, resulting in dangerous confrontations with police SWAT teams.
- Family and friends doxxing: Posting information about a victim’s relatives or friends to indirectly intimidate the primary target.
- Celebrity doxxing: Exposing personal information of public figures or celebrities, often to overwhelm them with unwanted attention.
- Targeted doxxing: Focusing on a specific individual, often a journalist, activist, or researcher, to retaliate against their work or opinions.
- Faulty doxxing: Incorrectly identifying someone as a target, leading to harassment of innocent individuals due to mistaken identity.
Doxxing examples
The following examples are based on real people’s experiences of getting doxxed. Doxxing can be the end goal of an attacker, just the beginning of their plan, or something that quickly slips from their control and takes on a life of its own.
Armchair detectives cause havoc by doxxing the wrong person
With the explosion in popularity of true-crime podcasts and documentaries, more and more people are taking on the role of armchair detective, trying to solve the crimes that real detectives haven’t been able to.
So-called crowdsourced detective work has been instrumental in solving some crimes, especially cold cases. But the mob mentality and lack of checks and balances that accompany these amateur efforts leave them open to both abuse and error. When things go wrong, they go very wrong.
One of the more infamous examples of armchair detectives steering a mob in the wrong direction happened in 2013. Redditors speculating on the identities of the Boston Marathon bombers fixated on student Sunil Tripathi, hounding and publicly shaming him.
Sunil ended up committing suicide before the mob could be convinced of his innocence. He had never been named a suspect by law enforcement and had absolutely nothing to do with the Boston Marathon bombing. There was no reasoning with the mob once he’d been doxxed, though.
Anti-abortion activists murder doxxed doctors
Doxxing has even been used to intentionally incite multiple murders. In 1997, anti-abortion activist Neal Horsley published a “hit list” (his words) that included the full names, home addresses, and photos of around 200 doctors who wouldn’t bow to activists’ demands.
To date, eight of these doctors have been murdered by like-minded activists, and Horsley’s collection of abortion providers’ personal information lives on, even though the original website has long since been taken down. Horsley’s hit list also triggered some important discussions about doxxing and freedom of speech.
Gamers dox each other for the LOLs
“Swatting” is a particularly dangerous and uniquely American form of doxxing that plays on the increasing militarization of US law-enforcement agencies. Once an attacker has their victim’s physical location, they manipulate local law enforcement into raiding them with guns drawn.
Named after the specialist SWAT units that most spectacularly perform such raids, swatting is a dangerous “prank” that can easily end in tragedy. For example, online gamers tried to swat one of their friends in 2017, leading to an innocent man being fatally shot by responding officers. The perpetrator is serving a 20 to 25-year prison term as a result.
Online disagreements escalate into doxxing attacks
Perhaps the most common way to fall victim to a doxxing attack is to upset or “trigger” the wrong people online. It’s a minefield out there—having a political discussion get out of hand or simply sharing an unpopular opinion on social media can lead to someone doxxing you.
Social media sites are particularly focused on both creating separate echo chambers for and encouraging disagreement between social media users. This makes them the perfect places to end up on the wrong person’s radar. Mob aggression can then go viral incredibly quickly.
How do you know if you’ve been doxxed?
Unsolicited contact or harassment
This could manifest as sudden messages, calls, emails, or direct contact, often from strangers who’ve accessed your personal details through a doxxing incident. Harassment can sometimes extend to family and friends as well, depending on the extent of the information shared.
Information or images circulating online
Your private data, such as your address, phone number, and even photos, may appear on social media, forums, and websites. Monitoring search engines or setting up Google Alerts for your name can help you stay aware if your data surfaces unexpectedly.
Such information can include your:
- Full name
- Date of birth
- Social Security number
- Home address
- Financial data
- Photos and videos
- Social media accounts
- Family members
- Embarrassing personal details
- Criminal history
- Employment information.
How to avoid getting doxxed
There’s no sure-fire way to protect yourself against all doxxing attacks unless you’re willing to go completely off-grid or adopt some sort of radical transparency online—you can’t get doxxed if you don’t have any secrets. The first option is definitely overkill, the second is outright dangerous.
There is, though, a lot you can do to drastically reduce your chances of getting doxxed.
See things from a doxxer’s point of view
The best way to protect yourself against doxxing attacks is to go through the motions of doxxing yourself. This will put you in an attacker’s shoes and allow you to see which of your private information is available online.
- Public social media profiles: Many people share private information on social media, including birthdays, locations, family members, workplaces, and routines. Doxxers can piece together this information from profiles, tagged photos, check-ins, and connections to build a profile on their target.
- Data brokers and people search sites: Websites like Whitepages, Spokeo, and BeenVerified collect and sell personal information, often including addresses, phone numbers, and family relations. Many of these sites gather data from public records and third-party databases, making it easy for doxxers to access.
- Hacking and social engineering: Doxxers may use phishing emails or impersonate trusted sources to trick individuals into revealing sensitive information. Social engineering techniques can include impersonating customer support or using deceptive messages to get personal data.
- Public records and databases: Many records are legally accessible, including property records, voter registration details, court records, and business registrations. These databases are often available online through government or legal websites, making it simple for someone to look up details about a target.
- WHOIS lookup for domain owners: If someone owns a website, their contact information (such as an email or mailing address) may be available through a WHOIS lookup unless they’ve opted for domain privacy protection.
- Reverse image searches: Doxxers can use reverse image searches on photos to find linked profiles, locations, or identifying features. For instance, a profile picture used on multiple accounts could lead to other platforms where more personal information is available.
- Leaked databases and the dark web: Breaches can expose personal data (emails, passwords, and addresses) to the dark web, where doxxers can access it. These leaks often reveal sensitive information that people may not realize is compromised.
Stop doxxing yourself
The searches you performed above show how much of your personally identifying information is out there. They also show how much of that personal information you’re putting out there yourself, by having it visible on your social media pages and other profiles and posts.
This is the lowest-hanging fruit. Go through your social media accounts, online forum accounts, and any other information you’ve posted online. Remove or hide any and all personal information you come across.
Follow these guides:
- How to make your TikTok account private
- How to make your Pinterest account private
- How to make your Twitter (X) account private
- How to make Instagram private
- How to make Facebook private
Set up Google alerts for your name, past and present home addresses, and phone number. This way you’ll get a notification as soon as your most sensitive information reappears in Google’s search results.
Take away doxxers’ favorite tools
Doxxers love data brokers, especially so-called people search sites. Data brokers gather personal information on everyday Americans, package it into detailed, searchable profiles, and sell access to these profiles to anyone and everyone who’s willing to pay.
Many data brokers claim to only deal in private data obtained legally through publicly available records, like government records, voter registration logs, and credit reports. Other data brokers sell private data obtained from data breaches and leaks, including those posted on the dark web. Read this post to find out what to do if your phone number is on the dark web.
Even the best-case scenario—data broker sites that rely solely on public records—involves a lot more personal information being made available online than you might think. You probably came across several people search sites when searching for your name, number, and address.
Saying that these sites “sell personal info” fails to capture just how much and what kinds of personal information they’re happy to put into the hands of your worst enemies:
- Your full name
- Physical address
- Email address
- Phone number
- Credit reports
- Financial details
- Social media profiles
- Court and criminal records
- Bank account information
- Online search histories
- Offline buying behavior
- And much, much more.
These data brokers also have no qualms about linking your records to those of your family members and other known associates, including business associates. By getting your personal information out of these companies’ hands you can protect both yourself and your loved ones from spammers, scammers, and doxxers.
Thanks to data privacy protection laws like California’s CCPA and the EU’s GDPR, you may be able to force these companies to stop sharing and even delete your private information. Because of these laws, each data broker has an opt-out procedure you can follow to submit a data removal request.
Incogni has an extensive collection of tailored opt-out guides to help you navigate each data broker’s data removal process. The problem with this approach is that each opt-out procedure is different, and they’re not very straightforward, quick, or easy to follow by design. It would take you an average of 300+ hours to do this for all the data brokers that have your information.
If you only found a few people search sites when you typed your personal details into those search engines, and if your only goal is to stop all but the most determined doxxers, then manually opting out of those sites might be doable. But why not go the whole nine yards?
Incogni’s automated personal information removal service will get your data out of the hands of 170 data brokers, including 60+ people search sites. This will not only throw a spanner into the works of any trolls or stalkers trying to dox you, but also drastically cut back the numbers of robocalls, spam emails, scam attempts, and cold calls you receive.
Stop Google from doxxing you
Maybe you saw some other websites sharing your personally identifying information in the search results. Google is the most commonly used search engine—getting your personal details off Google would go a long way towards making it significantly more difficult to dox you.
Getting people search sites to stop posting your personal details will already thin out the Google search results. You might have some other kinds of websites in your search engine result pages, though. These sites might list your information or even include some of your private documents.
The good news is that there are circumstances under which Google (Alphabet Inc.) will remove websites from its search results pages. We have a detailed guide on how to do this on our blog, but the short of it is this: the site in question has to have your personal documents, private information, private correspondence, or other sensitive information and it usually has to be posted with malicious intent.
Practice good digital hygiene
There are some things you can do to prevent your personal data from finding its way into circulation in the first place. This will not only help protect you from doxxing attacks but also keep you significantly safer online overall.
Practicing good digital hygiene means not leaving contact details like email addresses and phone numbers sitting around on public-facing websites, like social media platforms. It means keeping your financial accounts locked down with two-factor authentication (using something like Aegis).
It also means never reusing passwords between accounts and using unique usernames wherever possible. Reusing passwords means that when (not if) the login credentials to one of your accounts are leaked, hackers can use those credentials to log into one or more of your other accounts.
Check your email addresses with the Have I Been Pwned? website. It’ll show you which of your accounts have been breached and the data leaked on the dark web or elsewhere. There may be other breaches that the HIBP site hasn’t detected yet. Using the same password for multiple accounts is like storing your valuables in a house of cards.
The solution? Use a trusted password manager like NordPass or Bitwarden to generate a strong new password for every new account you create. Consider also using randomly generated usernames to prevent hackers from brute-forcing your accounts: they can’t attack what they can’t find.
Keep your IP address private
Your IP address can be used to identify you and even pinpoint your location. Having it broadcast and registered all over the internet can only increase the risk to which you’re exposed. Use a trusted VPN (Virtual Private Network) to hide your IP from prying eyes.
The emphasis is on trusted here because going with an untrustworthy VPN provider is much worse than having no VPN at all. Your VPN provider could potentially monitor and log your online activity, just as your ISP (Internet Service Provider) can. In most countries, a solid ISP is safer than a free, fly-by-night VPN provider.
A trustworthy VPN provider, on the other hand, leaves your traffic encrypted as it passes through its servers and doesn’t keep any logs of your online activity. Free VPNs have to generate revenue somehow, and too often it’s by monetizing user data and online activity.
Use a reputable VPN like Surfshark to hide your IP from other users on online platforms and in torrent swarms. A good VPN is also indispensable when connecting to public WiFi, like in a café, hotel, or airport. Public hotspots are easily spoofed by hackers who would perform man-in-the-middle attacks on unsuspecting users.
Split your personalities
What is doxxing if not the act of making public that which was intended to be kept private. One way to limit or even avoid the damage that comes from this is to split up and isolate your different online personas. Keeping them separate will make it so that someone trying to dox you on one platform won’t find your other accounts.
Having multiple accounts under the same username makes connecting the dots all too easy for an attacker looking for digital breadcrumbs. The greater your threat model, the greater the lengths you’ll have to go to in order to containerize your different online identities.
Pick your battles when voicing controversial opinions
Self-censorship can be a bad thing when it shuts down critical thinking and self-expression, but a complete lack of self-censorship is also not a good thing. Think twice before sharing a controversial opinion or verbally attacking or challenging other users on whatever third-party service you’re on.
Check the community guidelines when joining a new forum or social media platform or when leaving a comment on a website. Following these guidelines isn’t a guarantee that someone won’t take offense and try to dox you, but it will certainly help you manage the risk of that happening.
What to do if you do get doxxed?
Doxxing is one of those things against which, unfortunately, there’s no guaranteed protection. If you’re a high-profile target or just plain unlucky, the sad fact is that it could happen to you. Here’s how you can get into damage-control mode as quickly as possible when it does:
Lock down your online accounts
If you’ve been doxxed, it means that someone has likely done quite a bit of homework on you. You’re prepared enough not to waste time wondering what is doxxing, you’re ready to act. Start by locking down your accounts—the doxxer may have learned enough about you to compromise them.
Change your banking passwords first and foremost. Then move on to securing your email (especially the account that receives password-reset emails), social media platforms, and anything else your attacker or some random troll might try to break into. Because once you’re doxxed, it’s not just the initial attacker you have to worry about.
Turn on two-factor authentication wherever it’s offered. Use a trusted authentication app like Aegis to generate your 2FA codes and OTPs. Hackers might be able to clone your SIM card and gain access to SMS 2FA codes.
Gather evidence
Take screenshots, note down relevant URLs, and document anything that could be used to prove malicious intent. Malicious intent—the fact that someone meant to do you harm—is often needed to have websites delisted from Google’s search results and, in some cases, for a successful prosecution.
Consider changing your phone number
Changing your phone number is a hassle, but it might be the way to go if you’re receiving harassing phone calls and texts as a result of getting doxxed.
Report the incident
Most social media platforms will have a way for you to report inappropriate content, including doxxing and other forms of harassment. If someone is posting your information on personal websites, you can report them to their hosting providers.
Local Law Enforcement
- Local police: If you’re facing harassment, stalking, or threats due to doxxing, contact your local police department. Provide documentation of the doxxing, including screenshots, URLs, and any direct threats.
- Cybercrime units: In some regions, cybercrime divisions handle digital harassment cases and may offer specialized support.
Federal Law Enforcement (US)
- The FBI’s Internet Crime Complaint Center (IC3): For severe cases involving interstate threats, harassment, or fraud, you can report the incident to the FBI’s IC3 online.
- The Cyber Civil Rights Initiative (CCRI): The CCRI provides resources and advice for reporting cyber harassment cases, including doxxing, and can guide victims on navigating the legal process.
Social Media Platforms and Websites
- Social media platforms: Social media platforms like X (Twitter), Facebook, Instagram, and TikTok have policies against doxxing. Use the “report” function to flag posts or messages that contain your personal information, and request the content’s removal. Most platforms have privacy policies protecting against the nonconsensual release of personal information.
- Website hosts: If your information appears on forums or websites, you can reach out to the hosting provider or website admin. Services like Whois can help identify the host if it’s not immediately clear.