Doxing: When your personal data is published online

Doxing can have devastating consequences to victims, from damaged reputations to financial harm and even threats to personal safety. What is doxing and what can you do to protect yourself?

by Alyssa Schmitt

Today, we answer your questions about the practice of doxing:

What does doxing mean?

“Dox” comes from the phrase “dropping docs,” i.e., “documents.” “Doxing” (also spelled “doxxing”) means publishing private information about a person on the internet without their permission. This information might include the individual’s home address, phone numbers, financial information, criminal record, personal photographs, or other personal details. Doxing is meant to harm the victim by causing them embarrassment and humiliation and exposing them to harassment. Sometimes the attacker is doxing someone they know personally, like an ex-spouse, but often doxing attacks are aimed at people like celebrities, politicians, or corporate executives. Doxing is now unfortunately a common occurrence, with a 2022 study revealing that more than 43 million Americans have personal experience of doxing.

Why dox someone?

At the heart of doxing, you’ll usually find conflict and a desire for revenge. Disputes between strangers on social media, for example, can escalate to the point in which one of the parties will dox the other. Public figures can be targeted when someone strongly disagrees with their words or actions and decides to engage in character assassination through doxing. Or a romantic partner may take revenge through doxing after a messy breakup.

In some cases doxing has its roots in online vigilantism, with the doxer aiming to expose the identities or actions of someone they believe has committed a wrongdoing. It can also take the form of extortion, with the doxer releasing only some information and threatening to go public with the rest unless their demands are met. In addition, doxing is sometimes simply the result of a hacker’s thirst for notoriety – they are trying to attract attention and admirers by doxing a well-known public figure.

How does doxing work?

Armed with a person’s full name and perhaps a few other nuggets of information like the names of family members or places they have lived, collecting information on a potential victim is not all that hard – if the doxer is willing to put in the time and effort. That’s because it’s easy to find lots of seemingly innocuous information online, since people post freely on social media, tag each other in photos, and are active in professional networks. Other information, like property transactions, is a matter of public record.

Gathering publicly available data might be the first step. However, doxers often go beyond legal means to grab data. For example, they might use phishing emails to trick someone into revealing passwords or to install spyware on a device, or hack into their private cloud storage. Cybercriminals also purchase stolen data on the dark net.

What does a doxing attack look like?

The doxer gathers a large amount of private data about their victim with the goal making all these details public – and the vast nature of the internet gives them plenty of options. This can include publishing home addresses, phone numbers, email addresses, financial records, or intimate personal details (including photos) on:

• Social media platforms like Twitter, Facebook, Instagram, and LinkedIn
• Online forums and messaging boards, especially ones related to the victim’s profession or personal interests
• Websites and blogs, including ones created specifically for doxing and exposing information about individuals

What happens next will depend on the nature of the details released. At a minimum, the victim is vulnerable to cyberstalking and bullying. They may receive threatening messages, abusive phone calls, or be harassed at their homes – sometimes even including death threats. In other cases, the publication of private financial details, social security number, or passwords and logins can open the door to hacking, credit fraud, or identity theft.

How can you protect yourself from doxing?

The most effective way to protect yourself from doxing is to limit the amount of personal information you disclose publicly online. This includes your social media use: don’t post information like your home address or phone number, make sure to use your privacy settings to make your personal profile, posts and photos visible only to your trusted connections, and don’t accept friend requests from unknown individuals.
Here are five more steps you can take to avoid getting doxed:

1. Use strong and unique passwords for all your online accounts and enable two-factor authentication. This is one of the most effective ways to keep your emails, photos, financial data, etc. out of the hands of doxers.
2. Create and use separate email accounts for different purposes. This can help you draw a line between private correspondence, sensitive accounts, and other email traffic. For more details, see our explainer: How multiple email addresses boost your security
3. Use separate usernames on different online platforms. If you like to post on sites like Reddit, Discord, YouTube, etc., have a different username (and password!) for each service. Using the same username everywhere makes it easy for doxers to track you across multiple sites and put together a detailed profile.
4. Beware of phishing emails and texts and only enter your personal information on official, trusted sites. Doxers often use phishing scams to trick you into revealing your banking password, social security number, or other sensitive data. For more information on phishing scams, see our explainer: Phishing emails: How to protect yourself
5. Search for yourself regularly and request the removal of sensitive information. Perform an online search for your name and email address on search engines such as Google and Bing to see what information about you is easily and publicly available. If you turn up personal information in the Google search results, for example, there is a simple online form you can use to request its removal.

What to do if you’ve been doxed

It’s natural to feel vulnerable if you’ve been doxed – after all, the purpose of doxing is to cause panic and spread fear to the victims. But you are not completely helpless – here are some steps you can take if you’ve been doxed:

1. Protect your accounts, especially financial accounts. If your banking details or credit card information has been published, contact the financial institution(s) immediately. Change your passwords on your other online accounts and activate multi-factor authentication.
2. Document the attack by taking screenshots or downloading the pages where the information is posted. (Make sure to record the URL and the date!)
3. If your personal data has been posted to an online platform (e.g., Facebook), report it to the company. Check the platforms community guidelines or terms of service to find out the reporting and removal process.
4. Consider contacting law enforcement. This especially applies if you have experienced significant harassment or credible personal threats as a result of the doxing incident.

mail.com cares about your safety online! That’s why we regularly post explainers on different aspects of cybersecurity and ways you can reduce your risks. Tune in next month for our post on catfishing.

And if you still don’t have a free mail.com email address, why not sign up now?