Your life can turn upside down with one wrathful click of a “send” button: perhaps after a heated tussle with someone on Twitter, or leaving an opinionated comment on a shared newspaper article—or inadvertently provoking someone in real life at work or in a store. Whatever the case may be, someone has managed to collect your personal information and post it online, unleashing a cyber-mob of hate and fury, an in-box exploding with venomous messages and lewd phone calls and texts that don’t stop. You’ve been doxxed.
What is doxxing?
Doxxing (also known as “doxing”) is a form of online harassment in which the perpetrator posts someone’s personal identifying information online with malicious intent. Typically, these bits of information (emails, phone numbers, home or business addresses, family photos) are already available on the Internet but a person needs to look for them. With doxxing, they’re bundled together in a way that’s threatening or humiliating and painfully public.
Doxxing is thought to come from the word “documents,” and traces back to the term “dropping docs,” a practice originating in the 1990s, when someone shames another person by exposing sensitive personal information online.
Experts say the threat of doxxing is growing. “People have a lot more information on the Internet, and if people want to engage in doxxing, it’s relatively easy to do,” said Ryan Mehm, an attorney at the Federal Trade Commission’s division of privacy and identity protection. Younger communities—people who are more prone to sharing online—are especially vulnerable to being victims of doxxing, he said.
Many popular social media spots, such as Facebook and Twitter have policies against threatening material, though that hasn’t stopped perpetrators from posting. Doxxing also often gains traction on message boards such as 4Chan, Voat, and Reddit. People engage in doxxing often to wreak revenge or because they feel it’s justified.
Doxxing moves cyber-harassment from the virtual space into the physical world. In 2017, New York University and University of Illinois researchers examined 5,500 doxxed files over the course of 13 weeks, and found that many contained the victim’s physical address (90%), phone number (61%) and email address (53%). Forty percent reveal an IP address or the online user’s real name. But on rare occasions, they also expose the victim’s credit card (4.3%) or social security (2.6%) numbers or other financial information (8.8%).
“Doxxing is one of a few cyberattacks that can cause direct, serious, and lasting harm to its victims,” researchers said.
What is an example of doxxing?
Examples of doxxing abound, and the scenarios are as varied as the high jinks that take place on the Internet.
In 2013, as Gawker reported, hackers published online the personal records of celebrities and political figures, including former First Lady Michelle Obama, whose credit report, social security number, and Banana Republic credit card information were exposed. Another reveal targeted Jay-Z and his American Express bill. The man responsible eventually plead guilty to identity theft, access device fraud, and computer fraud.
In June 2019, a 27-year-old former aide to Senator Maggie Hassan was sentenced to four years in prison after pleading guilty to five felony charges for publishing the home addresses and phone numbers of five Republican senators because he was angry about the Brett Kavanaugh hearings. According to Politico, he had already been fired, but he used the key of an ex-colleague to sneak into Hassan’s office.
In another notorious incident, software engineer Brianna Wu (who is now running for Congress in Massachusetts) had tweeted criticism about Gamergate advocates. As she wrote in the journal Index on Censorship, people then sent her death threats. When her address was published online, she felt she needed to flee for safety.
People have also used doxxing to expose members of white-supremacy groups. While this may seem like a well meaning idea, it’s not necessarily right. Mistaken identities are particularly risky when it comes to doxxing. In 2017, as the San Francisco Chronicle reported, a Twitter account, @yesyourracist, exposed the personal information of a man claiming he was at the march in Charlottesville when in fact he was in Jamaica. He received death threats; people called him “disgusting.”
How can I protect myself from doxxing?
While celebrities and politicians make the news when they’re doxxed, everyone is susceptible. “Everyone should be concerned,” said Mehm. “People need to understand how much information about themselves is out there.”
How to avoid being doxxed
The less information you put out there, the less material potential doxxers can use to harass, shame, and intimidate you. So try to clean up what’s already shared and minimize what you share going forward.
Be smart about logging in. Use 2-step authentication for online banking and any site that has your credit card information. Don’t use the same log-in name for any website where you have an account.
Create strong passwords. Make passwords long and random because hackers can figure out words people commonly use. Your best bet is to use a password manager (such as 1Password and LastPass) which will create a strong password and remember it for you.
Keep a separate email. Use this when you’re asked to sign up for a new account, for example at retail sites, subscriptions, and so on.
Check your privacy settings on social media. Take down your profile picture or keep it super professional. Reveal as little as possible, such as avoiding publishing your email, birthday, and location. Be careful what you post—for instance, the names of your kids, the neighborhood you live in, and other personal information.
Protect your privacy when applying for a domain. When you apply for a domain, you will typically be asked to provide some personal information. Be mindful. For instance, provide a P.O. Box instead of a physical address.
Search for yourself online. If you see information that makes you feel uncomfortable, get in touch with the relevant platform to take it down and be careful going forward. “Especially on social media, there are ways to restrict information, and people should take a closer look,” said Mehm. Do a search on yourself on a public people search tool to see what’s out there.
What to do if you’re doxxed
Don’t panic—that’s exactly what harassers want you to feel. Instead, enhance your privacy settings on social networks (see previous section), try to remain calm, and proceed with the following:
Call the police if you feel threatened. “While there’s no federal statute that specifically prohibits doxxing,” said Mehm, “there are federal, state, and local crimes that are connected, such as harassment and cyber-stalking.”
Ask for help. Being a victim of doxxing is emotionally exhausting, but logging off does not make the problem go away and will not help you track down the perpetrator. So enlist a close friend or family member to monitor the situation, report violations to social platforms, and shut the operation down.
Document the situation. Take a screenshot of the doxx, making sure there a correct time stamp and URL are visible. This will be helpful when you report the incident (see below).
Report the people responsible for doxxing. Doxxing violates the terms of service for most the popular media platforms, so once reported, the account may be suspended or, at the very least, the offending post will be taken down.
Let relevant companies know about the situation. If your financial or social security information is posted, get in touch with the relevant companies or organizations to let them know. If a credit card or bank account is linked to other accounts (such as Amazon or Netflix), change your password and opt for two-step authentication.
Change your IP address. Harassers use this to find your physical address. If this is something that’s been compromised, you can call your internet service provider and get another one.