What is doxxing?

Doxxing refers to the deliberate public disclosure of a person’s sensitive personal information without their permission. The intention behind doxxing someone need not be malicious, but it most often is. In effect, doxxing involves connecting a person’s online persona to their true identity.

The personal information revealed during a doxxing incident may already be publicly available beforehand, but the damage is done when that information is connected to an otherwise anonymous online identity. It’s contact information that’s most commonly revealed, but any personal information is fair game.

What does “doxxed” mean?

To be “doxxed” means to have proof of your personal information—documents—posted for all to see. On online forums, this kind of action was typically referred to as “dropping docs,” which may have morphed into “dropping dox” and, from there, to “doxxing.” The exact origins are unknown.

“Doxxing” now refers not only to the act of disseminating such documents but also to the fallout that the victim experiences as a result. Doxxing, almost regardless of the context, can, in effect, steer an angry mob of anonymous internet users in the direction of the victim.

The victim can then experience everything from constant online harassment, through hacking and identity theft attempts, to threats of violence, including sexual violence. Needless to say, doxxing someone is an incredibly cruel and destructive act, the consequences of which the perpetrator has no control over once it’s done.

Is doxxing illegal?

Yes, in many parts of the world, doxxing is directly or indirectly illegal. It’s not often referred to as doxxing, but the kinds of behaviors that go into and result from doxxing someone are often prohibited by law, making doxxing de facto illegal in many places even if they don’t mention it by name. 

Making threats of physical harm is illegal in most jurisdictions, as are stalking and harassment. Revealing personal details online is more of a mixed bag. Jurisdictions with data protection laws in place will generally have penalties in place for revealing personal information online without consent.

When it comes to acts like deanonymizing online accounts, especially social media accounts, there are fewer avenues of legal recourse available in most jurisdictions. Nevertheless, as long as harassing people and causing them distress is illegal, encouraging and enabling others to do the same is likely to be so as well.

What does a doxxing attack look like?

Each doxxing attack is different, but the overall pattern is the same. The soon-to-be doxxing victim is both in public view and in some sense anonymous. They engage or even just catch the attention of the wrong person or people online. That’s when the doxxing starts.

The person doing the doxxing has one or both of two possible aims: to harm their victim simply by breaking their anonymity and/or to harm them by exposing them to the threats and dangers of having their personal information online. The troll doing the doxxing may even wrangle an angry mob into attacking their victim.

The attacker accomplishes their task by publishing or otherwise sharing their victim’s most private information online, including their social media accounts, home address, phone number, and the details of any other personal accounts that hadn’t been connected to their online persona prior to the attack.

Having this private information and these personal details connected to an otherwise anonymous online account can be harmful in and of itself. Things get really dicey once an angry mob gets involved, with death threats, threats of sexual violence, and identity theft suddenly being on the table.

Doxxing examples

The following examples are based on real people’s experiences of getting doxxed. Doxxing can be the end goal of an attacker, just the beginning of their plan, or something that quickly slips from their control and takes on a life of its own.

Armchair detectives cause havoc by doxxing the wrong person

With the explosion in popularity of true-crime podcasts and documentaries, more and more people are taking on the role of armchair detective, trying to solve the crimes that real detectives haven’t been able to.

So-called crowdsourced detective work has been instrumental in solving some crimes, especially cold cases. But the mob mentality and lack of checks and balances that accompany these amateur efforts leave them open to both abuse and error. When things go wrong, they go very wrong.

One of the more infamous examples of armchair detectives steering a mob in the wrong direction happened in 2013. Redditors speculating on the identities of the Boston Marathon bombers fixated on student Sunil Tripathi, hounding and publicly shaming him.

Sunil ended up committing suicide before the mob could be convinced of his innocence. He had never been named a suspect by law enforcement and had absolutely nothing to do with the Boston Marathon bombing. There was no reasoning with the mob once he’d been doxxed, though.

Anti-abortion activists murder doxxed doctors

Doxxing has even been used to intentionally incite multiple murders. In 1997, anti-abortion activist Neal Horsley published a “hit list” (his words) that included the full names, home addresses, and photos of around 200 doctors who wouldn’t bow to activists’ demands.

To date, eight of these doctors have been murdered by like-minded activists, and Horsley’s collection of abortion providers’ personal information lives on, even though the original website has long since been taken down. Horsley’s hit list also triggered some important discussions about doxxing and freedom of speech.

Gamers dox each other for the LOLs

“Swatting” is a particularly dangerous and uniquely American form of doxxing that plays on the increasing militarization of US law-enforcement agencies. Once an attacker has their victim’s physical location, they manipulate local law enforcement into raiding them with guns drawn.

Named after the specialist SWAT units that most spectacularly perform such raids, swatting is a dangerous “prank” that can easily end in tragedy. For example, online gamers tried to swat one of their friends in 2017, leading to an innocent man being fatally shot by responding officers. The perpetrator is serving a 20 to 25-year prison term as a result.

Online disagreements escalate into doxxing attacks

Perhaps the most common way to fall victim to a doxxing attack is to upset or “trigger” the wrong people online. It’s a minefield out there—having a political discussion get out of hand or simply sharing an unpopular opinion on social media can lead to someone doxxing you.

Social media sites are particularly focused on both creating separate echo chambers for and encouraging disagreement between social media users. This makes them the perfect places to end up on the wrong person’s radar. Mob aggression can then go viral incredibly quickly.

How to avoid getting doxxed

There’s no sure-fire way to protect yourself against all doxxing attacks unless you’re willing to go completely off-grid or adopt some sort of radical transparency online—you can’t get doxxed if you don’t have any secrets. The first option is definitely overkill, the second is outright dangerous.

There is, though, a lot you can do to drastically reduce your chances of getting doxxed.

See things from a doxxer’s point of view

The best way to protect yourself against doxxing attacks is to go through the motions of doxxing yourself. This will put you in an attacker’s shoes and allow you to see which of your private information is available online.

Type your full name into a search engine and see what shows up. Repeat the process with your home address (and past addresses) and current and past phone numbers. Use Google Search (just because it’s what most people would use) and DuckDuckGo (it’ll give you some different results).

You’ll likely find your social media pages, maybe some of your old posts on online forums, and some other online accounts. You’ll probably also find a lot of people search sites offering detailed reports packed with your personal information. More on how to stop these information leaks below.

Stop doxxing yourself

The searches you performed above show how much of your personally identifying information is out there. They also show how much of that personal information you’re putting out there yourself, by having it visible on your social media pages and other profiles and posts.

This is the lowest-hanging fruit. Go through your social media accounts, online forum accounts, and any other information you’ve posted online. Remove or hide any and all personal information you come across.

Follow these guides:

• How to make your TikTok account private
• How to make your Pinterest account private
• How to make your Twitter (X) account private
• How to make Instagram private
• How to make Facebook private

Set up Google alerts for your name, past and present home addresses, and phone number. This way you’ll get a notification as soon as your most sensitive information reappears in Google’s search results.

Take away doxxers’ favorite tools

Doxxers love data brokers, especially so-called people search sites. Data brokers gather personal information on everyday Americans, package it into detailed, searchable profiles, and sell access to these profiles to anyone and everyone who’s willing to pay.

Many data brokers claim to only deal in private data obtained legally through publicly available records, like government records, voter registration logs, and credit reports. Other data brokers sell private data obtained from data breaches and leaks, including those posted on the dark web. Read this post to find out what to do if your phone number is on the dark web.

Even the best-case scenario—data broker sites that rely solely on public records—involves a lot more personal information being made available online than you might think. You probably came across several people search sites when searching for your name, number, and address.

Saying that these sites “sell personal info” fails to capture just how much and what kinds of personal information they’re happy to put into the hands of your worst enemies:

• Your full name
• Physical address
• Email address
• Phone number
• Credit reports
• Financial details
• Social media profiles
• Court and criminal records
• Bank account information
• Online search histories
• Offline buying behavior
• And much, much more.

These data brokers also have no qualms about linking your records to those of your family members and other known associates, including business associates. By getting your personal information out of these companies’ hands you can protect both yourself and your loved ones from spammers, scammers, and doxxers.

Thanks to data privacy protection laws like California’s CCPA and the EU’s GDPR, you may be able to force these companies to stop sharing and even delete your private information. Because of these laws, each data broker has an opt-out procedure you can follow to submit a data removal request.

Incogni has an extensive collection of tailored opt-out guides to help you navigate each data broker’s data removal process. The problem with this approach is that each opt-out procedure is different, and they’re not very straightforward, quick, or easy to follow by design. It would take you an average of 300+ hours to do this for all the data brokers that have your information.

If you only found a few people search sites when you typed your personal details into those search engines, and if your only goal is to stop all but the most determined doxxers, then manually opting out of those sites might be doable. But why not go the whole nine yards?

Incogni’s automated personal information removal service will get your data out of the hands of 170 data brokers, including 60+ people search sites. This will not only throw a spanner into the works of any trolls or stalkers trying to dox you, but also drastically cut back the numbers of robocalls, spam emails, scam attempts, and cold calls you receive.

Stop Google from doxxing you

Maybe you saw some other websites sharing your personally identifying information in the search results. Google is the most commonly used search engine—getting your personal details off Google would go a long way towards making it significantly more difficult to dox you.

Getting people search sites to stop posting your personal details will already thin out the Google search results. You might have some other kinds of websites in your search engine result pages, though. These sites might list your information or even include some of your private documents.

The good news is that there are circumstances under which Google (Alphabet Inc.) will remove websites from its search results pages. We have a detailed guide on how to do this on our blog, but the short of it is this: the site in question has to have your personal documents, private information, private correspondence, or other sensitive information and it usually has to be posted with malicious intent.

Practice good digital hygiene

There are some things you can do to prevent your personal data from finding its way into circulation in the first place. This will not only help protect you from doxxing attacks but also keep you significantly safer online overall.

Practicing good digital hygiene means not leaving contact details like email addresses and phone numbers sitting around on public-facing websites, like social media platforms. It means keeping your financial accounts locked down with two-factor authentication (using something like Aegis).

It also means never reusing passwords between accounts and using unique usernames wherever possible. Reusing passwords means that when (not if) the login credentials to one of your accounts are leaked, hackers can use those credentials to log into one or more of your other accounts.

Check your email addresses with the Have I Been Pwned? website. It’ll show you which of your accounts have been breached and the data leaked on the dark web or elsewhere. There may be other breaches that the HIBP site hasn’t detected yet. Using the same password for multiple accounts is like storing your valuables in a house of cards.

The solution? Use a trusted password manager like NordPass or Bitwarden to generate a strong new password for every new account you create. Consider also using randomly generated usernames to prevent hackers from brute-forcing your accounts: they can’t attack what they can’t find.

Keep your IP address private

Your IP address can be used to identify you and even pinpoint your location. Having it broadcast and registered all over the internet can only increase the risk to which you’re exposed. Use a trusted VPN (Virtual Private Network) to hide your IP from prying eyes.

The emphasis is on trusted here because going with an untrustworthy VPN provider is much worse than having no VPN at all. Your VPN provider could potentially monitor and log your online activity, just as your ISP (Internet Service Provider) can. In most countries, a solid ISP is safer than a free, fly-by-night VPN provider.

A trustworthy VPN provider, on the other hand, leaves your traffic encrypted as it passes through its servers and doesn’t keep any logs of your online activity. Free VPNs have to generate revenue somehow, and too often it’s by monetizing user data and online activity.

Use a reputable VPN like Surfshark to hide your IP from other users on online platforms and in torrent swarms. A good VPN is also indispensable when connecting to public WiFi, like in a café, hotel, or airport. Public hotspots are easily spoofed by hackers who would perform man-in-the-middle attacks on unsuspecting users.

Split your personalities

What is doxxing if not the act of making public that which was intended to be kept private. One way to limit or even avoid the damage that comes from this is to split up and isolate your different online personas. Keeping them separate will make it so that someone trying to dox you on one platform won’t find your other accounts.

Having multiple accounts under the same username makes connecting the dots all too easy for an attacker looking for digital breadcrumbs. The greater your threat model, the greater the lengths you’ll have to go to in order to containerize your different online identities.

Pick your battles when voicing controversial opinions

Self-censorship can be a bad thing when it shuts down critical thinking and self-expression, but a complete lack of self-censorship is also not a good thing. Think twice before sharing a controversial opinion or verbally attacking or challenging other users on whatever third-party service you’re on.

Check the community guidelines when joining a new forum or social media platform or when leaving a comment on a website. Following these guidelines isn’t a guarantee that someone won’t take offense and try to dox you, but it will certainly help you manage the risk of that happening.

What to do if you do get doxxed?

Doxxing is one of those things against which, unfortunately, there’s no guaranteed protection. If you’re a high-profile target or just plain unlucky, the sad fact is that it could happen to you. Here’s how you can get into damage-control mode as quickly as possible when it does:

Lock down your online accounts

If you’ve been doxxed, it means that someone has likely done quite a bit of homework on you. You’re prepared enough not to waste time wondering what is doxxing, you’re ready to act. Start by locking down your accounts—the doxxer may have learned enough about you to compromise them.

Change your banking passwords first and foremost. Then move on to securing your email (especially the account that receives password-reset emails), social media platforms, and anything else your attacker or some random troll might try to break into. Because once you’re doxxed, it’s not just the initial attacker you have to worry about.

Turn on two-factor authentication wherever it’s offered. Use a trusted authentication app like Aegis to generate your 2FA codes and OTPs. Hackers might be able to clone your SIM card and gain access to SMS 2FA codes.

Gather evidence

Take screenshots, note down relevant URLs, and document anything that could be used to prove malicious intent. Malicious intent—the fact that someone meant to do you harm—is often needed to have websites delisted from Google’s search results and, in some cases, for a successful prosecution.

Report the incident

Most social media platforms will have a way for you to report inappropriate content, including doxxing and other forms of harassment. If someone is posting your information on personal websites, you can report them to their hosting providers.

Inform local law enforcement

Even if doxxing is not considered a crime in your area, it can facilitate other forms of criminal behavior like stalking, harassment, threat-making, and inciting violence. Inform your local police or sheriff’s department of the situation. At the very least you’ll be documenting what might be an escalating situation.

Consider changing your phone number

Changing your phone number is a hassle, but it might be the way to go if you’re receiving harassing phone calls and texts as a result of getting doxxed.

Prevent identity theft

Identity theft is a real concern once you’ve been doxxed. An attack like this is likely to put enough of your private information and internet data out there to paint a very detailed picture of your identity. Visit the FTC’s identity theft portal to start work on a recovery plan.

Related online privacy terms

• What is cyber extortion?
• What is cyberbullying? 
• What is cyberstalking?
• What is online harassment?

Updated on: May 26, 2023