What Is Doxxing—and How Does It Set You up to Be Hacked?

Doxxing—a digital attack that involves publishing personal information about someone on the Web—used to target high-profile figures like celebrities and politicians. But now, with sensitive data more widely shared and available online, the risk to ordinary Americans has soared. One in five Americans reports having been targets of doxxing (also spelled doxing), according to a new study by SafeHome.org.

“Doxxing has impacted over 40 million Americans at some point in their life, and [the consequences] can range from harmless insults to repercussions at work, with your family, in your community, and elsewhere, depending on the degree of information revealed,” says Ryan McGonagill, director of industry research at SafeHome.org.

Unfortunately, the nature of doxxing attacks means they are tough to predict. As with common online scams—including Amazon scams, online shopping scams, area code phone scams, and four-word phone scams—most doxxing victims don’t know their attackers. In fact, according to the SafeHome.org study, more than half of all attacks were linked to disputes with strangers on social media.

So, what is doxxing, exactly, and how can you avoid becoming a target? We asked cybersecurity experts to explain how doxxing works, why it increases your risk of getting hacked, and how to protect yourself. To keep your personal information safe online, you should also watch out for these red flags that someone is tracking your cell phone, signs an Amazon seller can’t be trusted, and TikTok security dangers that leave your data vulnerable.

What is doxxing?

When someone is doxxed, their personal information is released online by bad actors hoping to embarrass or threaten them. Experts call this type of attack a “dox,” meaning “documents,” because the published information is usually found in private documents such as emails, tax records, phone numbers, home addresses, or Social Security numbers. No matter what form of information is shared, doxxing can cause serious harm.

“Doxxing is usually done to get revenge,” says Jason Glassberg, cofounder of Casaba Security. “Someone is angry at you, and they decide to get even by exposing your personal information on the World Wide Web in order to embarrass you or scare you.” Revealing someone’s home address, email, or phone number can lead to harassment and abuse, while sharing someone’s Social Security number can expose them to hacking and identity theft, according to Chris Pierson, PhD, CEO of the cybersecurity company BlackCloak.

How does doxxing work?

A doxxing attack is typically sparked by a conflict between individuals online. “Let’s say you post something on social media or an online forum using an anonymous account,” McGonagill says. “If someone takes offense or just disagrees with you, they might sleuth around and find personally identifiable information and publish it online, making you the target of subsequent harassment.”

Their methods can range from searching on Google or data broker sites to requesting public records, hacking your email account, or buying your information from criminals on the Dark Web. An attacker could also send you a spam email, like these eBay email scams, that convinces you to click a link, allowing them to access and scour your computer for sensitive data that they can release online. With all of these tools at their disposal, “it is now easier than ever for someone to access private or semiprivate information about you,” Pierson says. “People need to be vigilant about their personal information and do all they can to protect it.”

Is doxxing illegal?

Finding someone’s personal information by searching through public records is not illegal, but “if you use that information to threaten, bully, harass, or intimidate them, then it may be considered a crime,” according to Glassberg. Buying stolen data on the Dark Web or hacking into a person’s email and other personal accounts are also illegal, he says. Pierson notes that several states have created laws that criminalize doxxing attacks that intentionally harass, torment, or make someone fear for their safety, giving residents some legal protection if they get doxxed.

What to do if you’ve been doxxed

First and foremost, victims of doxxing should never face their attackers alone. “It’s very important that doxxing victims do not try to confront the bad actor directly, as this can lead to other aggravations and heighten the tension,” Pierson says. He recommends keeping a record of the information released online and any communication with the offender. From there, victims should contact law enforcement to file a formal complaint against the person, as well as ask the sites that are hosting the information to take it down.

Pierson also advises enabling two-factor authentication and changing the passwords on your Wi-Fi modem, router, and any online accounts, such as email, social media, and the cloud. As you reset your passwords, avoid these password mistakes that hackers hope you’ll make.

How to avoid getting doxxed

The best way to avoid becoming a doxxing victim is to limit the amount of personal information you share on the Web. “Just adding a city to your Twitter profile makes it easy for someone to locate your home address without even subscribing to a data broker service,” Glassberg explains. He suggests setting your social media accounts to private, using strong and unique passwords, and enabling two-factor authentication when you can. If you want to take extra precautions, you can use a third-party service to remove your public information from data broker sites and sign up for a fake phone number through Google Voice that sends calls to your real number, Pierson says. You should also delete these apps that security experts would never have on their phone.

Sources:

SafeHome.org: “Doxxing in 2021: An Unexpectedly Widespread Cybersecurity Threat”
Ryan McGonagill, director of industry research at SafeHome.org
Jason Glassberg, cofounder of Casaba Security
Chris Pierson, PhD, CEO of BlackCloak