The word “doxing” (sometimes spelled “doxxing”) comes from the term “dropping dox” or “documents. Doxing is a type of cyberbullying that uses confidential or secret information, statements, or records to harass, expose, financially harm or otherwise exploit targeted individuals.
The meaning of doxxing is that specific information about someone is taken. Then it is spread over the Internet or some other way and made public. This practice has been widespread for many years because documents contain a permanent record of the facts about people and what they did and said. This can be a powerful weapon against them. However, doxing first gained popularity in the 1990s, when hackers began publishing documents of people hiding behind fictitious names. In this way, hackers exposed other attackers with whom they were competing. In addition, removing their anonymity made them vulnerable to authorities and others trying to track them down.
Doxing has taken the place of honor in modern culture wars, in which people attack those who hold beliefs contrary to those they are trying to promote. Dockers try to move the conflict with the victim from online to the real world by revealing information, which may include:
- Home addresses
- Personal phone numbers
- Workplace details
- Personal photos
- Social Security numbers
- Bank account or credit card information
- Private correspondence
- Embarrassing personal details
- Criminal history
How Does it Work?
Almost everyone has data about them on the Internet. Protected by different levels of security, or not protected at all. Once this data is found, it becomes a weapon and is used against the target. This is what Doxing is based on.
Ways to get information
There are many ways to get information about a person on the Internet. These can be open sources, data leaks, or hacking. We will now look at the main ones:
Because people often use the same usernames on different websites and web applications, it is relatively easy for cybercriminals to use this information to identify accounts of the person of interest. Hackers can use data from these accounts to build a more detailed portfolio of documents revealing information about the victim.
WHOIS Search on a Domain Name
The information of any domain name owner is stored in a registry. This registry is often available for viewing with a simple WHOIS search. You can usually hide this information when you register a domain. However, suppose the person who bought the domain name did not hide their personal information at the time of purchase. In that case, their personal information (such as name, address, phone number, place of work, and e-mail address) is available on the Internet for anyone to see.
In a phishing scam, the victim is asked to follow a link to a fake site and enter sensitive information. Suppose a person becomes a victim of a phishing scam. In that case, the hacker can access confidential emails and publish them online. The hacker can also use the email to access other accounts where the email is used.
Stalking Social Media
Sometimes hackers do not need to hack anyone. It’s enough to log into a social media account to get all the information they need about a person. For example, suppose you have made your social media accounts public. In that case, all the information you post about yourself can be seen by others. This could be information about friends, family members, places you’ve been, where you work, favorite activities, photos, pets, and more. A doxer may even use such information to find your answers to a secret question. These questions might be: “First job location?” or “What is your pet’s name?”
Sifting through government records
Although most personal information is not available online, hackers can find a fair amount of data on government websites. These can be databases of business licenses, marriage licenses, county records, DMV records, and voter registration logs, all of which contain personal information.
Dockers can use various ways to discover your IP address related to your physical location. If they find it out, they can use social engineering to learn more about you from your Internet Service Provider (ISP). For example, they can complain about the owner of the IP address or try to hack into the network using packet sniffing. When transmitted over the Internet, data is combined into packets. When intercepted, an attacker can determine what information is contained in it. This way, hackers can get passwords, credit card numbers, bank account information, and more.
Data brokers collect data by visiting several websites that may hold public records. They collect information about potential targets and then sell it to others for profit. These can be loyalty card sites. They usually track your online habits or search history to get the data they want about you. In some cases, a data broker buys data from another data broker and then sells it to a buyer on the dark web.
What information dockers are interested
Listed below are examples of information that dockers typically look for:
- Phone numbers: Attackers can contact the victim directly, posing as another person and asking questions to get more information. The attacker can also use phone numbers to access secure user accounts.
- Social Security numbers: Usually required to verify a person’s identity on various websites and a wide range of companies that store private data.
- Home Address: A home address can be used to verify a person’s identity when trying to access a private account. Also, impersonating the victim, the scammer can use the address to apply for a new account.
- Credit card information: Credit card information may be used by an attacker for personal gain or to damage the victim’s credit rating. An attacker can also use them to gain access to other sensitive information.
- Bank account information: Bank account information is usually only available after security measures have been followed. This means they can be used to “verify” your identity by someone claiming to be you. Doxers can also use them to transfer money from your account to someone else’s or publish in a doxing attack to make the victim more vulnerable.
Is Doxing Illegal?
In many cases, doxing is not illegal. That’s because the disclosed information is in the public domain and was obtained legally. This means that the subject has been granted the legal right to publish it at some point. However, how the information is used can make the entire act illegal. For example, if it involves stalking, threatening, or harassing the subject. Doxing can also be unlawful if certain information is disclosed. For instance, in the U.S., it is a federal crime to dock a government employee. Although revealing a person’s real name is not as serious as revealing their phone number or home address, doxing is considered at least unethical because the information is disclosed without the victim’s permission.
How To Protect Yourself from Doxing
As more and more people place vast amounts of personal information on the Internet without thinking twice, it is almost impossible to avoid doxing. However, with a few actions, you can keep the risk of being doxed to a minimum. After all, the most sensitive information – the one that can cause the most damage – will not fall into the hands of a doxer.
Use a VPN
VPNs (virtual private networks) offer strong protection against IP address disclosure. A VPN encrypts a user’s Internet traffic by sending it through one of its servers before sending it to the public Internet. This makes your Internet surfing anonymous. The VPN also protects you on public Wi-Fi networks and ensures the privacy of your communications.
Use Strong Passwords
A weak password is a pressing problem that causes most break-ins. For example, passwords that are a predictable series of numbers or words and a derivation of your name are easy to guess. However, you can take steps to make life harder for doxers. As trite as it sounds, these include:
- Using different passwords for each account
- Using complex combinations involving letters, numbers, and symbols
- Using a third-party password manager that generates and stores passwords that are very difficult to guess
Change your privacy settings periodically
Suppose you post potentially sensitive or private information on social networking sites. In that case, you should review your privacy settings and modify them as needed. For example, if you use social networking sites for professional purposes, it is sometimes necessary to keep some information public. However, in this case, avoid including sensitive personal information and images.
Avoid phishing emails
Be vigilant when you receive an email that seems to come from a bank or credit card financial institution, especially if they ask for confidential information. It’s important to know that bank employees never ask you to tell them your password or any login information.
Don’t click on any links that may contain in the email. If you are asked to enter your information after you click on the site, you are most likely trying to get hacked.
Create Separate Email for Separate Purposes
Create a separate email account for different purposes. Do not use the same email account for personal and work purposes. Your personal email address can only be used for personal correspondence with close friends, family, and other trusted contacts; you should not publish or list this address anywhere. You can use a separate email for all subscriptions, services, or promotions. Finally, your professional email address, whether you are affiliated with a particular organization or are a freelancer, can be listed publicly. As with public social media accounts, avoid including too much-identifying information in your email address (for example, don’t use addresses like first name.last email@example.com).
Watch what you post on social media
When you post content on social media, it automatically becomes public. The Internet remembers everything; sometimes, information can be saved before you delete it. Even if you use an alias, doxers can easily find your real identity by checking one social media account against another. They can also use your list of friends and how they mention you. Friends may accidentally call you by your real name instead of an alias, thus revealing your identity. Also, if one social media account has your real name and others have a fake name, a doxer can quickly figure out who you are.
Hide domain registration information from WHOIS
WHOIS is a public registry that can be used to identify the person or organization that owns a given domain. Sometimes it allows you to find their physical address and other contact information. If you plan to moderate a website anonymously, ensure your personal information is hidden from the WHOIS database. Domain registrars control these privacy settings, so you should check with your domain registration company about how to do this.
Be careful with application permissions
At first glance, online quizzes may seem harmless. However, they are often collectors of personal information, which you are happy to provide without even thinking about it. Some parts of the quiz may even be secret questions to your passwords. Likewise, many quizzes ask permission to read your social media information or email address before showing you the quiz results. This way, they can easily link this information to your real identity.
Mobile apps can also be collectors of personal data. Many apps ask permission to access data or a device that is not for their work. For example, an image-editing app doesn’t need access to your contacts. If it’s requesting access to your photos, that makes sense. But suppose a text editor wants to view your GPS location, contacts, and social media profiles. In that case, there’s every reason to believe this app could be potentially dangerous.
Protect Your Financial Accounts
Make sure your financial information is secure because a doxer could release it. If this has already happened, contact your bank or credit card provider immediately and ensure your accounts are closed or protected against unauthorized transactions.
Use two-factor authentication
This helps protect you from unauthorized access to your accounts. That way, anyone who tries to access your account will need two steps to log in to the site. Usually, your password and a confirmation code are sent to your phone number. However, since knowing the password alone is not enough, hackers will not be able to gain access to a person’s devices or accounts without access to the PIN code.
Check out how easy to make a dox yourself
The best defense is to prevent the spread of unwanted information. You can find out how easy it is to doxx yourself. To do this, type in some information you can find about yourself. For example:
- Do a reverse image search on your photo.
- Check your privacy settings of social media profiles.
- Check any data from your email accounts for leaks.
- Check your resume, bio, and personal websites to see what personal information your professional presence conveys. If you have a resume online, exclude details such as your home address, personal email, and cell phone number. Replace them with publicly available versions of this information if possible.
Set up Google alerts
You can set Google to notify you when your full name, phone number, home address, or other personal information that bothers you appears online. That way, you’ll know that if they suddenly appear online, you may have been hacked.
What To Do if You Are Doxed
If you discover you have been doxed, take the following steps:
- Report it: Immediately report the incident to all relevant organizations, such as financial institutions.
- Involve law enforcement: If the attack involved threats or if the information was not obtained from public sources, you should contact the police and inform them.
- Document what happened: Use screenshots and upload web pages. This information will help you track what information has been shared. It will also help the authorities and others deal with the attack.
- Protect financial accounts: Contact your bank immediately to prevent financial information from being used for theft.
- Secure your accounts: Change passwords for all your accounts, especially those containing information that the doxer could use.
- Enlist the support of family or friends: Doxing can be emotionally challenging. You can seek help and emotional support from someone you trust so you don’t have to deal with it alone.