What Is Doxxing, Is Doxxing Illegal, and How Do You Prevent or Report It?

Listen to the audio version

What is doxxing?

Doxxing (also spelled  “doxing”) is the act of revealing someone’s personal information online. Doxxing is a form of online harassment that means publicly exposing someone’s real name, address, job, or other identifying info without a victim’s consent. The aim of doxxing is to humiliate, bully, harass, or otherwise harm a victim.

This Article Contains:

This Article Contains:

See all Privacy articles

This Article Contains:

Why is it called doxxing?

The term “doxxing” comes from the word “documents.” 1990s hacker culture shortened the term to “docs” then “dox,” with “dropping dox” referring to finding personal documents or information (like someone’s physical address) and publishing them online. The hacker collective Anonymous helped popularize the term.

What does doxxing mean?

Doxxing means publishing someone’s information online without their permission. Doxxing can also refer to uncovering the real person behind an anonymous username and exposing that person’s real identity online.

Some doxxing attacks are rooted in harassment or revenge, while others target people who anonymously post bigoted comments online or who are caught on camera promoting such beliefs.

While the concept of doxxing is decades old, doxxing still happens today — and it can be very dangerous. Once someone’s physical address, job location, phone number, email, or other personal information is out there, they become an easy target.

Doxxing attacks range from the relatively benign, such as fake mail sign-ups or pizza deliveries, to the far more dangerous, like harassing a person’s family or employer, physical harassment, swatting, identity theft, and other forms of cyberbullying.

How does doxxing work?

Doxxers collect breadcrumbs about people scattered across the internet, then assemble those small pieces of information to reveal the real person behind an alias. Breadcrumb data can include the target’s name, physical address, email address, phone number, and more. Doxxers may also buy and sell personal info on the dark web.

Small pieces of information can be put together to uncover the real person behind an alias.

Traditionally, doxxing started with an online argument, before escalating to one person digging up information about an adversary. More recently, doxxing has become a popular tool in the culture wars, with activists doxxing those with opposing viewpoints. Many politicians, celebrities, and journalists have been doxxed, causing them to suffer from online mobs and even death threats.

Tracking down private information is a big part of what doxxing someone is. And while many people think of the internet as anonymous, it’s very much not. There are many ways you can be identified online.

Is doxxing illegal?

Doxxing itself is not illegal, because there are no specific anti-doxxing laws in most jurisdictions. Instead, the legality of doxxing is determined on a case-by-case basis. While compiling or publishing publicly available information is rarely illegal, there are other crimes that doxxers can be charged for — such as stalking, harassment, identity theft, or incitement to violence.

Recently, governments around the world have begun to pass or propose anti-doxxing laws. The US state of Kentucky passed an anti-doxxing law in 2021, and Hong Kong passed an anti-doxxing law the same year.

In the US, the Interstate Communications Statute and the Interstate Stalking Statute may be applied to doxxing, depending on the details of a particular case. Doxxing could also violate the terms of service for certain websites. For instance, Twitter prohibits posting the private information of another person without their permission.

Can you go to jail for doxxing someone?

Yes, you can go to jail for doxxing someone. Although doxxing itself is not illegal, it could contribute to another criminal offense like harassment, stalking, intimidation, identity theft, or incitement to violence. For those sentenced to jail time, doxxing is usually part of a larger scheme involving multiple criminal offenses.

What to do if you’ve been doxxed

If you’ve been doxxed, or if you think someone may be doxxing you, act quickly to stop the spread of your personal information. Here’s what to do if you think you’ve been doxxed:

• Document the evidence.
  Take screenshots of everything in case you need to report it to the police.

• Lock down your accounts.
  Create strong and unique passwords for your accounts and store them securely in one of the best password managers. Enable multi-factor authentication to strengthen the privacy settings on all your online accounts.

• Ask a friend or family member for support.
  Doxxing can be emotionally taxing. Ask someone to help you navigate the issue so you’re not dealing with it on your own.

• Change your phone number.
  Depending on what information was exposed, you may want to change your phone number, usernames, or other personally identifying info.

• Protect your data against leaks.
  Avast BreachGuard will help alert you if any of your personal information gets exposed in a data breach or lands on the dark web. It also helps you remove your info from data brokers’ databases, reducing the amount of information doxxers can find about you online.

How and where can you report doxxing?

To further limit the impact of the doxxing incident, report it to the relevant authorities. The perpetrator may be suspended, banned, or even prosecuted for doxxing, meaning they won’t be able to leak any more of your information, or target other victims.

Here’s where to report a doxxing incident:

1. First, report the doxxing attack to the platforms hosting your info. Sites like Facebook and Twitter have terms of service agreements that prohibit doxxing, and they should respond to your request and suspend the account of the doxxer(s).

2. Then, report potential cybercrimes. In many cases, doxxing can constitute a criminal offense. If you’ve been threatened or subject to other criminal harassment, file a complaint with your local law enforcement department. Collecting documentary evidence through screenshots or webpage downloads will also help police take timely and appropriate action.

How to prevent doxxing

Getting doxxed can be traumatizing. The key to preventing doxxing is to minimize the information available about you online. Learn how to hide your IP address, secure your social media accounts, and stay anonymous online.

Protect your IP address

You can easily hide your IP address by using either a VPN or a proxy to access the web. These tools let you connect to a protected server before you connect to the public internet. That means anyone trying to discover your IP address will see only the IP address of the VPN or proxy server, while your IP remains hidden.

Browser-based web proxies are often free, but only protect your browser traffic. A VPN like Avast SecureLine VPN encrypts your entire internet connection. That blocks anyone from seeing your online activity, which is especially important if you’re using unsecured public Wi-Fi.

Avast SecureLine VPN also allows you to change your virtual location at any time, giving you increased anonymity and robust online privacy.

Avoid third-party login options

Many sites and apps encourage you to sign in with Facebook, Google, LinkedIn, or another third-party service. If you do, those websites can request more info about you. And the more sites you connect with other online accounts, the easier it is for someone to compile your personal info.

Signing into many different sites using just your Facebook or Google account can make you vulnerable to a data breach. If your account password is leaked, a hacker could then gain access to all the sites you’ve linked together. That makes it very easy for a hacker to get all your personal info, and much harder for you to lock down your accounts.

Keep social media profiles private

Our social media profiles include a wealth of information about us: where we live (sometimes even our full address), our work history, birthday, friends, family members, photos, interests, and so on. Having that much information publicly available can make doxxing a breeze.

Even if you don’t think you have any enemies, you should lock down your social media accounts. Learn how to make your Facebook profile private and think about de-indexing your profile from search engines. You should also tighten up your privacy settings on Instagram and any other social media services you use.

Use pseudonyms on online forums

If you use Reddit or other online forums, use a pseudonym to stay anonymous while browsing. Never use your real name as your username, and don’t use any personally identifying information in your handle.

When creating new accounts, choose a unique username for every service you use. If you reuse handles between sites, a doxxer could connect your accounts and mine them for clues to your identity. You can mask your digital identity further with Avast's private browser.

Request removal of your information online

Data brokers compile and sell huge amounts of personal data. Data broker companies hold extensive files that can include your browsing history, online and offline buying habits, medical histories, financial histories, criminal histories, and more.

And when data breaches inevitably happen, like the Equifax breach, your information can be leaked for anyone to see. If your details ever find their way to the dark web, they’ll likely remain there forever.

You can contact data brokers individually to request they remove you from their database — but though they’re legally obligated to comply, they can make it a very time-consuming process. And it’s nearly impossible to identify every data broker who has your data.

Avast BreachGuard contacts data brokers directly on your behalf and handles the information removal process for you, before your personal info can be exposed. It also monitors the dark web for leaks and alerts you right away should one occur.

Set Up Multi-Factor Authentication

If you’re only using passwords to secure your social media profiles and websites, you’re putting yourself at risk of doxxing and other cyberattacks. Multi-factor authentication (MFA) boosts security by requiring other factors to verify your identity, like an SMS confirmation or a code created in an authentication app.

Even if your accounts have never been hacked, a single password won’t cut it anymore. Hackers are getting increasingly better at cracking passwords using methods like keylogging and password spraying. Without MFA, your profiles and private data are more vulnerable to identity theft, doxxing, and other threats.

Dox yourself

To better defend against doxxers, put yourself in their shoes. By doxxing yourself, you’ll get an idea of all your personal data that’s available online — and how easily it can be obtained. From there, you can develop strategies to minimize or eliminate your exposure.

Here are some ways to dox yourself:

• Google yourself.

• Perform a reverse image search.

• Audit your social media profiles.

• Search data brokers.

• Check your resumes, website bios, and your personal websites.

Browsing online for any information you’ve revealed about yourself can give you an idea of what information someone could use to dox you.

Set up Google Alerts

If your data suddenly appears online, it could mean you’ve been doxxed. Google Alerts helps notify you if Google finds new results with your data. Set up Google Alerts with your full name, address, phone number, and other data. Though Google Alerts is not totally comprehensive, it’s still quite effective.

How do you know if you’ve been doxxed?

If you’ve been doxxed, you’ll find out as soon as your information is made public. If you don’t see the data dump yourself, people you know will likely inform you of the doxxing. In the meantime, you may be harassed via social media, email, phone calls, or even in person, depending on the information that was released.

If you start receiving threatening messages, lock down all of your accounts. Check if your Facebook account has been hacked and verify that your Gmail account is secure. And though it’s also good to know if your personal information is for sale on the dark web, it’s not easy to get there without special software, like Tor Browser. And even then, where do you look?

That’s where dark web monitoring software comes in. Avast BreachGuard can do a dark web scan and alert you if your personal information has been exposed. Then, it will help you work quickly to secure your privacy.

Avast BreachGuard will scan the web to see if your personal info has been exposed.

How doxxers find personal information

Doxxers use a range of methods to collect information about their targets. They can find your IP address, comb through your social media profiles, buy data from data brokers, use phishing campaigns, and even intercept internet traffic.

Here are the most common techniques used by doxxers to uncover your details:

• IP/ISP doxxing (or ISP doxxing) happens when doxxers obtain your IP address, which is linked to your physical location. Then, the doxxer uses call spoofing apps and social engineering techniques to perform a tech support scam and trick your internet service provider (ISP) into divulging information such as your phone number, email address, date of birth, and social security number.

• Social media doxxing involves collecting the personal information you share on your social media accounts. This can include answers to trivia questions, which doxxers can use as potential answers to security questions that can help them break into your other online accounts. That’s why you should make all your social media accounts private, and create different usernames and passwords for online social platforms like Facebook, Twitter, TikTok, Reddit, 4Chan, Discord, YouTube, etc.

• Data broker doxxing is when doxxers purchase victims’ personal information from data brokers, which gather info from publicly available records, customer loyalty cards, online search histories, and other sources. Many data brokers sell their information to advertisers, but there are also several people-search sites that sell comprehensive personal info to anyone.

  There's a lot of publicly available data that a doxxer can use against you.

• Phishing is the use of fraudulent communications to trick victims into disclosing sensitive personal information. Learning how to recognize and prevent Apple ID phishing scams and other spear phishing attacks can prevent doxxers from fooling you. But for stronger protection, use top-rated antivirus software such as Avast Free Antivirus to block phishing attacks, spyware, and other threats that can expose your identity.

• Sniffing is when someone intercepts internet traffic on its way from the sender to the receiver. A doxxer can use sniffing tools to collect someone’s internet traffic and comb through it for personal details. The easiest way to protect against sniffing is to download a VPN, which encrypts your online connection.

• WHOIS lookups allow doxxers to leverage the WHOIS service that anyone can use to learn information about the person who owns a domain on the internet. You can set your WHOIS information to be private; but if you forget, your name, address, phone number, and email address will be available to anyone who looks up your domain name.

• Hacking is always an option that doxxers can use to get your personal information, if efforts to obtain data from public sources are thwarted. Common hacking techniques associated with doxxing include using intrusive code to execute zero-day exploits, spreading viruses and malware, and launching brute-force attacks or carrying out other forms of password cracking.

Types of doxxing

All types of doxxing involve leaking an individual’s private information, but the specific purpose and nature differs from case to case. Here are the main categories of doxxing:

Celebrity harassment

Celebrities and other high-profile public figures are often targeted by doxxing campaigns, due to real or perceived grievances against them or just straightforward harassment. They make particularly tempting targets given the level of public interest in celebrity lives. And, the consequences of revealing celebrity home addresses or leaking their compromising or sensitive personal information can be catastrophic.

Targeted doxxing

Targeted doxxing is when a specific individual is singled out as a victim — either for who they are, or things they’ve (supposedly) done. Targeted doxxing may be part of a coordinated cyberbullying campaign, the result of personal vendettas, or as retribution for apparent transgressions. Sometimes doxxers are themselves doxxed in acts of tit-for-tat revenge.

Faulty doxxing

Doxxing is often used by online vigilantes to unmask wrongdoers or by political activists to target their opponents. But this puts victims’ reputations, jobs, and even lives at risk — and, all too often, mistakes are made that end up linking innocent people with situations they had nothing to do with. The tragic consequences of “faulty doxxing” are evidenced by the suicide of Sunil Tripathi after he was wrongly doxxed as the Boston Bomber.

Swatting

Swatting is a particularly extreme form of doxxing where the doxxer uses knowledge of the victim’s location to make a hoax call to emergency services, with the aim of causing armed police to swoop in on their address. Not only is swatting illegal, it’s potentially fatal — as was the case for an unarmed 28-year-old shot dead by police responding to false reports of a hostage situation at his home.

Real-world doxxing examples

Anyone can end up a victim of doxxing — all it takes is someone who dislikes or disagrees with you enough to go through the trouble of compiling and releasing your info. Doxxing victims have included abortion providers, innocent people wrongly accused of crimes, members of racist groups, and law enforcement officials.

1997: anti-abortion doxxing

One of the first doxxing campaigns began in 1997 when anti-abortion activists in the US targeted abortion providers. This insidious doxxing example involved a website called the Nuremberg Files, which published abortion providers’ personal information as a hit list. A 2002 court case found that the site constituted a threat to incite violence, and it was shut down.

2013: Boston Marathon bombing dox

After the 2013 Boston Marathon bombing, thousands of people gathered on the social media site Reddit and attempted to identify the perpetrator. The Redditors ended up incorrectly identifying and doxxing several suspects — none of whom turned out to be involved in the bombing.

2017: Antifascist doxxing

In 2017, white supremacists marched in Charlottesville, VA, inspiring some counter-protestors to dox participants. Several neo-Nazis lost their jobs after doxxers revealed their participation in the march. But some innocent people were incorrectly suspected of participating in the march and were flooded with hate mail and threats.

2019: Hong Kong anti-police doxxing

During Hong Kong’s prolonged protests throughout 2019 and 2020, protestors doxxed thousands of Hong Kong police officers as well as supporters of the city’s law enforcement agencies. Journalists and protesters themselves were also doxxed as the city’s unrest continued.

2022: Keffals’ doxxing

Recently, Keffals, a Canadian Trans activist and content creator, fell victim to a high-profile, months-long doxxing and swatting campaign. After an initial swatting ploy falsely accused Keffals of plotting to kill her mother and members of the London, Ontario city council, she was arrested. Once released, the harassment by her detractors continued.

Keffals relocated to a series of residences — all of which were doxxed. Trolls regularly swatted her exposed addresses, bombarding her with prank food delivery orders made under her deadname. Even after moving from Canada to Northern Ireland, the doxxing and swatting continued.

While the ethics of doxxing can be murky — after all, most of the information is publicly available online — it can quickly turn nasty when innocent people are caught in the crossfire.

Can doxxing lead to identity theft?

Doxxing can easily lead to identity theft — particularly if the leaked data finds its way onto the dark web. Although fraud is not the primary aim of doxxers, by publicizing victims’ private information, doxxers make life easy for cybercriminals who use personal details and stolen credentials for bogus loan applications, credit card fraud, and other scams.

Threats to your identity can come from all kinds of unexpected directions. That’s why it’s so important to protect your online banking and other accounts by preventing your data from falling into the wrong hands in the first place.

Protect your personal data with Avast BreachGuard

Avast BreachGuard protects your information in three distinct ways:

1. 24/7 risk monitoring
   BreachGuard monitors the dark web and scans for data breaches. If your information gets leaked, we’ll alert you immediately so you can take steps to protect your information.

2. Personal info removal
   BreachGuard identifies the data brokers that have profiles on you and sends requests on your behalf to get your information removed.

3. Password protection
   BreachGuard scans your browser for weak or reused passwords to make sure you’re not using any that may have already leaked.

Get Avast BreachGuard today to help strengthen your defenses, protect your privacy and identity, and ensure your personal information isn’t weaponized against you.