Doxxing is a cyber threat without boundaries — anyone can be a victim of doxxing regardless of their age, race, nationality, gender, or religion
The internet is a double-edged sword: It’s a great place for people to interact and share information on the global scale, but it’s also used to troll, offend and bully others. Some of the most serious cybercrimes include hacking, phishing, spamming, email spoofing, session hijacking, man-in-the-middle attacks, and doxxing.
You might have heard of high-profile celebrities getting doxxed. So, what is doxxing and what does such an act entail? Can it happen to you too? And, most importantly, how can you prevent it? In this article, we’ll answer your questions as we explore everything about doxxing — how and why it’s used, as well as some precautionary steps you can take to avoid being doxxed.
What is Doxxing and Why Should I Care?
Doxxing, which stands for “docs” and is also sometimes spelled “doxing” (we’ll alternate spelling throughout the article so people can find it regardless of which spelling they use), is a type of cybercrime that involves a person’s financial and/or personally identifiable information (PII) being released online without their consent. For example, this sensitive information could include:
- your social security number (SSN),
- physical address,
- payment card information,
- phone number,
- mortgage details,
- credit reports, etc.
Sometimes, the doxxer (person who executes doxxing) simply releases the identity of the victim online, eliminating their anonymity. In doxing, personal information is used to identify someone or as a weapon to harm or harass them. Either way, it’s bad news.
How Doxxing Occurs
The doxers get access to your personal and sensitive information from yours and your friends/relatives’ social media profiles, physical stalking, online directories and public databases, etc. They might also pull your data from a leaky database, too. In some cases, the cybercriminals can execute sophisticated phishing and spoofing attacks to manipulate you into sharing your information or hack the system to gain unauthorized access to information/media stored on your PC or mobile device.
However, sometimes the doxxer doesn’t need to hunt for your information online. In cases of personal revenge, the doxer might be someone you personally know, like a friend, colleague, neighbor, etc., who already know your phone number, home address, email address, etc.
Why Malicious Actors Use Doxxing as a Tactic
Unlike other cybercrimes, which are committed to get financial gains, doxxing is typically committed for the express purpose of victim shaming, personal revenge, publicity, demonstrating anger or disagreement with a particular community/cause, or for scaring or intimidating victims. Sometimes people use doxing just for fun or to get sadistic pleasure from harming others!
Doxxing can permanently tarnish the victim’s reputation, cause employment loss or embarrassment in front of friends and family members. The victims will be vulnerable to various cyber-attacks once their financial details or PII are available online, even after the platform used for doxing removes such information. As you’ll read later, the consequences of doxing can not only be harmful to victims, but it can also be lethal.
5 Examples of Doxxing
To further understand and answer your question about “what doxxing?” and the motives behind this type of cybercrime, let’s explore some real-world examples:
1. Celebrity Doxxing
It’s not uncommon for journalists to find out a celebrity’s personal life information and to publish such gossip on their media platforms. However, doxxing isn’t your regular entertainment news. Here, the hacker publishes the celebrity’s sensitive information such as their payment card info, email address, social security number or phone numbers.
Celebrities like Paris Hilton, Kim Kardashian, Joe Biden, Hillary Clinton, and President Donald Trump — as well as many others — have been victims of doxxing.
Example: In 2013, TMZ, reported that a group of Russian hackers doxed 12 high-profile celebrities and politicians by releasing their SSNs, mortgage amounts, credit card info, car loans, banking and other information on a website.
2. Faulty Doxxing
Sometimes, doxxing is done by internet vigilantes who can’t be bothered to properly research or investigate their victims to ensure they have the right person. Instead, they wrongly link people to activities or situations that are unrelated to them. Due to such “faulty” doxing, hence the name, innocent people face:
- reputation loss,
- employment loss,
- physical harm, or
- loss of life.
Let’s better understand faulty doxing with the following real-life examples.
Example 1: In August 2017, a march was held by neo-Nazi white nationalists on the campus of the University of Virginia. Someone on social media incorrectly identified one of the participants as Kyle Quinn, a professor running an engineering laboratory in Arkansas. Throughout the night, thousands of people shared his image — and even his address — on social media. They also sent him hate messages and demanded his resignation from his job at the university. Later, it was discovered that Quinn has nothing to do with the Virginia rally, and that he was just a victim of such faulty doxxing.
Example 2: In 2013, some vigilantes on Reddit misidentified an innocent student, Sunil Tripathi, as a suspect of the Boston Marathon bombing. Tripathi went missing and, according to his family’s social media page, his body was found in the water near a park in Rhode Island. His cause of death was ruled a suicide, which was believed to be the result of public shaming caused by faulty doxxing.
3. Revenge Doxxing
Sometimes, people use doxing as a means of taking revenge. They publish their enemy’s some publicly identifying information online to cause them shame.
Example: In March 2015, Curt Schilling, a former Major League Baseball player, took revenge against the people who posted sexually offensive comments about his daughter on Twitter. Schilling investigated the real faces behind the troll Twitter profiles and doxxed them by posting their real identities online. As a result, one bully got fired from his job, and another was suspended from his community college. Other bullies, whose identities were not published, got scared from this doxing, and posted apologizing messages. In this case, Schilling used doxing for online vigilante justice.
4. Swatting Doxxing
Another method of doxing is known as “swatting.” This occurs when a person wrongly accuses someone of a crime and sends police (or a SWAT team, hence “swatting”) to the victim’s address to cause them harassment. However, often such doxxing can prove fatal for the victim.
Example: In December 2017, while playing an online video game, Tyler Barriss was involved in a conflict between two other gamers, Casey Viner and Shane Gaskill. According to NBC News, Viner asked Barriss to swat Gaskill, and Gaskill challenged him to do it, providing his previous home address — one that was now occupied by the family of a man named Andrew Finch.
Barriss doxxed Gaskill by making a prank call to police. Pretending to be him, Barriss told the police he’d killed his father and was holding the rest of his family hostage. Finch was killed by one of the responding police officers after being called outside. Barriss has since been sentenced to 20 years in prison for the phony call.
5. Crime Doxxing
While the swatting is done for fun, there are some people that use doxxing to execute serious crimes like murder. They reveal their enemies’ personal information online and provoke others to harm them. The motive can be personal revenge or showing disagreement or hatred towards any specific cause, religion, activity or race.
Example: In the late 90s and early 2000s, anti-abortion activist Neal Horsley collected names, pictures, and home addresses of abortion providers and published them on a website called the Nuremberg Files. He labeled that list as a “hit list.” Eight doctors from the Nuremberg’s listings have been killed so far. The website celebrated the death of such murders and encouraged pro-life activists to continue killing other doctors from the hit list.
How to Prevent Doxxing
As you can see, no one is immune to a doxxing attack. Whether it’s an ordinary person like you and me or a big celebrity, we’re all at risk. This is why we have to take steps to protect ourselves.
Most of the time, attackers research on the internet to gain sensitive information about their victim. So, the best way to prevent doxxing is to limit what you share online.
How to Prevent Doxxing: A User’s Guide
Here are a few tips to help individuals protect their personal information while using the internet:
- Social media: Don’t overshare details about yourself on social media and online forums like Reddit, Quora, etc.
- Microsoft Office: If you are sharing Microsoft word files, excel spreadsheets, PowerPoint slides, etc. online, restrict the files’ metadata, which contains information such as author’s name, contributor’s name, date of starting the document, revisions, etc.
- Passwords: Don’t use easily guessable passwords, which contain your names or date of birth of your pet, spouse, parents, partner, children, etc. Such details can be readily available online, and anyone can guess them. Once the doxxer gets into your email account or social media profile, your other PII, personal conversations, or even financial details are accessible to them.
- Registration: When you want to access a new app or website, don’t take the option of “Register using Gmail” or “Register using Facebook.” It will give app/website access to your contact information, phone number, location, friends list, etc.
- Online directories: You might not be aware of it, but websites like peoplefinder.com, whitepages.com, etc. will be containing a lot of sensitive information about you. Anyone on the internet can access that information for free or just by paying a small fee. You can request such sites remove your information from their platform, and they are legally obliged to follow your request for privacy.
- Search engines: Frequently delete your activity history from google and other browsers. Also, remove your data from the Google Maps Timeline.
- IP address: Use a virtual private network (VPN) to hide your IP address. Just by knowing an IP address, a person can find out a device’s geographical location, internet provider’s name, local time, and even the users’ web browsing behaviors.
- WebRTC: If you use WebRTC, it’s important to note that it does have a vulnerability that can reveal your true IP address. To mitigate this vulnerability, you can install an add-on or extension for your browser. Of course, the steps involved are different from one browser to the next. So, we’ll cover how to install these components in the two leading browsers, Mozilla Firefox and Google Chrome:
How to Install a WebRTC Extension or Add-on in Mozilla Firefox
- Type about:addons in the Firefox address bar.
- Type WebRTC into the search bar at the top and hit Enter.
- A new tab will pop up with a variety of results. Select one of the suitable add-ons to bring up its individual page, then add it to your Firefox browser by clicking on + Add to Firefox.
- Enable the add-on after it has successfully installed.
How to Install a WebRTC Extension or Add-on in Google Chrome
- In the Chrome browser, visit the Chrome Web Store.
- Search for WebRTC.
- Choose the extension you wish to install on your browser. After that, simply press the Add to Chrome button and activate it.
How to Prevent Doxxing: Website Owner’s Guide
Here are a few tips for individuals who own websites and want to protect their and their users’ personal information:
- Hide your WHOIS records: WHOIS records store the domain owner’s PII which is publicly available to all. If you buy the “domain privacy” service by paying a small fee, your domain provider will hide that information from WHOIS records.
- Use encryption. Always use SSL/TLS certificates and email signing certificates to protect your organization from the eavesdropping and data breach incidents via your website or email accounts. If your users’ or employees’ financial information, PII or sensitive internal communications get leaked, they become vulnerable for doxxing attacks.
- Train your employees. Provide cyber awareness training to your employee so that they don’t fall for social engineering and phishing scams, etc.
Vulnerability in Doxxing
Even though there are a handful of steps you can take to hide your private information online, you’re still vulnerable to doxxing attacks through one major source: data breaches.
Your information is stored on the third-party platforms like government agencies, universities, health-care organizations, or ecommerce site where you engage in transactions. Unfortunately, not all of these platforms are serious about protecting your personal data.
There are numerous examples, such as the Capital One breach, Honda breach, First American Financial Corporation breach and many other incidents where customers’ sensitive information got leaked by organizations. Even the government organizations play carelessly while protecting their citizen’s information. Notable examples of such data breaches disclosed the personal information of
- 20 million Russian citizens
- 275 Indian citizens
- 14 million Chilean citizens
- 20 million Ecuador citizens
So, at the end of the day, if a doxer is tech-savvy, they can get your information from such data leaks or even by buying it on the dark web.
Legal Protections Against Doxxing
Do you have the right to protect yourself against doxxing? Absolutely, depending on where you live! The European Union’s General Data Protection Regulation (GDPR) can help you limit what personal information companies have about you, and the U.S. federal laws against stalking (18 U.S. Code § 2261A) and protections against making restricted personal information public (18 U.S. Code § 119) are useful in helping you fight back against doxxers.
Each state has its own laws for citizens’ security, in which doxxing might be categorized under cyber stalking, harassment or threats. You can also file complaint for extortion if doxxer is threating you to leak your sensitive information if money is not paid. You can also file a civil suit against doxxer.
Still, it will take a lengthy legal battle, probably long enough to spread your information to a large population and cause the damage.
A Final Word
As we have learned that even though there are many things you can try to hide your personal information online, you’re still vulnerable to doxxing. For doxxing, sometimes, prevention is better than cure.
Don’t use the internet and anonymity as a means to bully, offend, or spread hate. You have all the right to hold your beliefs and opinions on different subjects. But if possible, don’t indulge yourself in unnecessary arguments on sensitive topics such as religion, gender, politics, or race.
When you post something controversial online, it can spread on the internet like a wildfire. You might think it’s just a tweet or “funny comment,” and the just minutes later, you may see thousands of people getting offended by the same message. Such incidents motivate people to execute doxxing against you to take revenge or “win the argument.” Thus, one of the best ways to protect yourself from doxxing is to not to provoke someone and to protect your information as much as possible.