Doxxing (or doxing) is the practice of uncovering someone’s sensitive personal information and publishing it online. Hackers use doxxing to harass, threaten, or get revenge on someone online. Learn how doxxing works so you can protect yourself and your private data.
Today, the definition of doxxing can refer to publishing anyone's information online, or can apply specifically to uncovering the real person behind an anonymous handle or username and exposing them online. Doxxing attacks usually involve harassment or revenge, and sometimes a sense of vigilante justice, such as doxxing people to reveal the racist or neo-Nazi comments they posted anonymously online.
While the concept is decades old, doxxing is still alive and well — and it can be very dangerous, especially as it becomes more mainstream. Once someone’s private information is out there, they can be targeted based on their physical address, job location, phone number, email, or other information. Doxxing attacks can range from the somewhat benign, such as fake mail sign-ups or pizza deliveries, to the far more dangerous, like harassing a person’s family or employer, swatting, identity theft, threats or other forms of cyberbullying, or even in-person harassment.
Doxxers can choose anyone as their victims, whether it’s someone they got into an argument with online, a journalist, or a celebrity.
One of the first doxxing campaigns began in 1997 when anti-abortion activists in the US targeted abortion providers. This particularly insidious doxxing example involved a website called the Nuremberg Files, which published abortion providers’ personal information as a hit list, encouraging harm against them. A 2002 court case found that the site constituted a threat to incite violence, and it was shut down.
After the 2013 Boston Marathon bombing, thousands of people gathered on the online community Reddit to play detective. The Redditors ended up incorrectly identifying and doxxing several suspects — none of whom turned out to be involved in the bombing in any way.
A few years later, in 2017, white supremacists marched in Charlottesville, VA, inspiring some counter-protestors to dox participants. Several neo-Nazis lost their jobs after doxxers revealed their participation in the march. But some innocent people were incorrectly suspected of participating in the march and were flooded with hate mail and threats — for something they weren’t even involved in.
While the ethics of doxxing can be murky — after all, most of the information is publicly available online — it can quickly turn nasty, especially when a mob mentality springs up.
Doxxing traditionally started with arguments online and escalated to one person sleuthing out information about an adversary. Recently, doxxing has begun to be used as a tool in culture wars, with hackers doxxing those who support opposing ideologies. Many celebrities and journalists have been doxxed, too, causing them to suffer from online mobs, death threats, and fears for their safety.
To dox someone, private information needs to be tracked down. And while many people think of the internet as anonymous, it’s important to understand that there are many ways you can be identified online.
Doxxers use various methods to collect information about their victims. By following breadcrumbs — small pieces of information about someone — scattered across the internet, a dedicated doxxer can assemble a useful puzzle that leads to uncovering the real person behind an alias, including the person’s name, physical address, email address, phone number, and more. Doxxers may also buy and sell personal info on the dark web.
Doxxers can use various methods to discover your IP address, which is linked to your physical location. Doxxers can then use social engineering tricks on your internet service provider (ISP) to discover more information about you. There are many ways to accomplish this, but here’s just one example of how an IP dox (or an ISP dox) can work:
Let’s say you post a comment on a forum or a blog. The administrator of the forum or owner of the blog can see your IP address through the comment (that’s how they’re able to block users whose comments they may not want on their site). With your IP, the doxxer can easily discover who your ISP is. They can then use a call spoofing app to make their phone number display the ISP’s own number.
The doxxer calls the ISP, pretending to be a member of the tech support team — they fabricate a convincing story of trying to help a customer, but the service is down or they lost the connection. All they have is an IP address, but they can use that to request the rest of your customer information, which may include:
Your full name
ISP account number
Date of birth
Social security number
Sure, this requires a few steps, some manipulation, and a gullible ISP worker, but it’s just one method out of many that an experienced doxxer can use to uncover all of your personal information.
An easier tactic is social media doxxing. If your social media accounts are public, anyone can discover all kinds of information about you, such as your location, place of work, your friends, your photos, your likes and dislikes, places you’ve visited, the names of your family members, the names of your pets, and more.
A doxxer can find a large body of information about you, and may even discover the answers to your security questions — which would help them break into your other online accounts, such as your online banking account. That’s why you should make all your social media accounts private.
If you’re using online forums like Reddit, 4chan, Discord, YouTube, or others, make sure you use different usernames and passwords for each service. If you use the same ones, a dedicated doxxer could search through your comments on all the different platforms and use that information to compile a detailed picture of you. Also make sure not to reveal too much personal information, such as the name of the company you work for.
Data brokers exist to collect information about people and sell that information for profit. Data brokers gather their info from publicly available records (marriage licenses, DMV records, voter registration logs), loyalty cards (your online and offline buying behavior), online search histories (everything you search, read, or download), and from other data brokers. Many data brokers sell their information to advertisers, but there are also several people-search sites that offer comprehensive records about individuals for around $20 a pop. All a doxxer has to do is pay this small fee to get more than enough info to dox someone.
Swatting, the demented cousin of doxxing, is when someone calls to report a “hostage situation” at their victim’s address. Then, when a SWAT team rushes in, people at the address are caught completely off-guard and are often hurt or even killed in the confusion. This happens often in gaming circles, when perpetrators want to interrupt other streamers as they play.
One tragic example of this involved a teenager who was upset about a $1.50 bet he made over Call of Duty. To get revenge on his opponent, he reported a hostage situation at his opponent’s home — but he had an old address where his opponent no longer lived. Then, when heavily armed police showed up at what was essentially a random person’s home, they ended up shooting and killing a 28-year-old man who was not even involved in the game.
Swatting is a recent phenomenon, but it’s becoming increasingly dangerous. Many cities don’t know how to protect against swatting — but Seattle, WA has developed a good tactic. They’ve started an anti-swatting registry to allow people who are worried about getting swatted to list their address in a database. Then, if a call comes in, police check the registry before showing up at the address. That means they can be much more cautious and avoid causing an unnecessarily dangerous situation.
Doxxing is multifaceted, and its legality is determined on a case-by-case basis. While there are no laws against finding publicly available information and compiling or publishing it — or even any specific anti-doxxing laws — there are other crimes (and cybercrimes) that doxxers can be charged with, depending on the nature of the case. These include stalking, harassment, identity theft, or incitement to violence.
In the US, the Interstate Communications Statute and the Interstate Stalking Statute may be applied to doxxing, depending on the details of a particular case. There are also no laws explicitly prohibiting swatting, although perpetrators can be charged under other laws.
Yes, you can go to jail for doxxing or swatting someone. The teenager mentioned above who reacted to losing a Call of Duty bet by falsely reporting a hostage situation was caught, charged with 52 criminal counts related to fake calls and threats (including an earlier fake bomb threat at the FBI), and is currently serving 20 years in prison.
If you’ve been doxxed, you’ll know it soon enough. Unfortunately, doxxers usually don’t publish someone’s personal information and then stay quiet about it. If you start receiving threatening messages, it’s time to lock down all of your accounts. Make sure to check if your Facebook account has been hacked and verify that your Gmail account is secure.
You should also check to see if your personal information is now for sale on the dark web — the restricted part of the internet that you need special means, like Tor, to access. It’s not easy to monitor the dark web yourself, so you may want to consider enlisting the help of a service. Avast BreachGuard scans the dark web 24/7, alerting you the moment the exposure of your personal information has been detected and helping you work quickly to secure your privacy.
If you’ve been doxxed, or if you think someone may be doxxing you, it’s time to act fast to stop the spread of your personal information. Here are a few simple steps you can take right away:
Document the evidence. Make sure to take screenshots of everything in case you need to report it to the police.
Report the harassment to whatever platform your info appears on. Sites like Facebook and Twitter have terms of service agreements that prevent doxxing, and they should respond to your request and suspend the account of the doxxer(s).
Report the cybercrime to the appropriate authorities.
Lock down your accounts. Change your passwords, use a password manager, enable multi-factor authentication where possible, and strengthen your privacy settings on every account you use.
Enlist a friend or family member for support. Doxxing can be emotionally taxing. Ask someone to help you navigate the issue so you’re not dealing with it on your own.
Consider changing your number. Depending on what information was exposed, you may want to consider changing your phone number, usernames, or other personally identifying info where possible.
Enlist a service to monitor for leaks of personal information. A service like Avast BreachGuard will monitor the dark web and alert you if any of your personal information has been exposed. It will also help you remove your info from data brokers’ databases, reducing the amount of information doxxers can find about you online. Get Avast BreachGuard today and find out if any of your personal information is at risk.
Getting doxxed can be traumatizing. Luckily, there are steps you can take to avoid leaking your personal information online, protect your private data, and prevent doxxing.
Your IP address identifies you online. It can also reveal roughly where you are: while it won’t show your exact street address, it can identify your location inside a general area. You can easily hide your IP address by using either a VPN or a proxy. With either one of those tools, you connect to a server before connecting to the public internet. That means anyone trying to discover your IP address will see only the IP of the server, while your address remains hidden and protected.
A web proxy tool can provide this service for free, but a VPN like Avast SecureLine VPN provides additional privacy benefits: it encrypts your entire internet connection. That blocks anyone from snooping on what you’re doing online, which is especially important if you’re using unsecured public Wi-Fi networks. Our VPN also allows you to change your virtual location regularly, giving you increased anonymity and robust protection. Give Avast SecureLine VPN a spin today and enjoy a safe and secure online experience.
You see it all around the web these days, on everything from games to news sites to health apps and more: “sign in with Facebook” or “sign in with Google.” The temptation to do so is understandable — who wants to create another unique login and password? But signing into a third-party site using Facebook or Google lets that website request more info about you. And the more sites you connect to with the same login credentials, the more of your personal information can be gathered and compiled in one place.
Signing into many different sites using just your Facebook or Google account can make you particularly vulnerable to a breach. If your account password is leaked, a hacker could then gain access to all the sites you’ve linked up. That makes it very easy for a hacker to get all your personal info, and much harder for you to lock down your accounts.
Our social media profiles include a wealth of information about us: our general location if not our full address, our work history, birthdate, friends, family members, photos, interests, and on and on. Having that much information publicly available would make doxxing you a breeze. Even if you don’t think you have any enemies out there, it’s still best to lock down your social media accounts. See our instructions to make your Facebook profile private and make sure to de-index your profile from search engines (#8 on our list). You should also tighten up your privacy settings on Instagram and any other social media services you use.
If you use Reddit or other online forums, make sure you aren’t using your real name as your username. It’s best to avoid your name, birthdate, city, or any other identifying information in your handle. Reddit loves funny usernames anyway, so why not embrace your inner creativity and go with something like TheEarthIsATriangle or some other randomly adorable handle?
Using a pseudonym is just one way you can stay more anonymous while browsing. You should also choose a unique username for every service you use. If you reuse the same one, a doxxer could connect these separate accounts and mine them all for clues to your identity.
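As an added example (not part of the original article), here is a small self-audit you can run over your own list of accounts to apply the advice above about unique usernames and non-identifying handles. It flags handles reused across services, including lightly disguised variants, and handles that embed personal details. The account list, personal details and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Undo simple character swaps so "j4ne" is compared as "jane".
LEET = str.maketrans("013457@$", "oieastas")

def normalize(handle: str) -> str:
    """Lowercase, drop a trailing number, undo swaps, keep letters only."""
    base = re.sub(r"\d+$", "", handle.lower())
    return re.sub(r"[^a-z]", "", base.translate(LEET))

def audit_handles(accounts: dict[str, str], personal: dict[str, str]) -> dict:
    """accounts: service -> handle; personal: label -> detail to keep private.

    Returns services that share one normalized handle ("reused") and, per
    service, the personal details found inside its handle ("leaks").
    """
    by_norm = defaultdict(list)
    for service, handle in accounts.items():
        by_norm[normalize(handle)].append(service)
    reused = {n: sorted(s) for n, s in by_norm.items() if n and len(s) > 1}

    leaks = defaultdict(list)
    for service, handle in accounts.items():
        raw, norm = handle.lower(), normalize(handle)
        for label, value in personal.items():
            if value.isdigit():
                hit = value in raw             # birth year, postcode, ...
            else:
                word = normalize(value)
                hit = len(word) >= 3 and word in norm
            if hit:
                leaks[service].append(label)
    return {"reused": reused, "leaks": dict(leaks)}

# Constructed sample data: replace with your own accounts and details.
SAMPLE_ACCOUNTS = {
    "reddit": "J4ne_D0e",
    "discord": "janedoe90",
    "youtube": "TheEarthIsATriangle",
    "forum": "quiet_otter_1990",
}
SAMPLE_PERSONAL = {"first name": "Jane", "surname": "Doe",
                   "birth year": "1990", "city": "Leeds"}

if __name__ == "__main__":
    report = audit_handles(SAMPLE_ACCOUNTS, SAMPLE_PERSONAL)
    print("Reused handles:", report["reused"])
    print("Handles embedding personal details:", report["leaks"])
```

Any service listed under "reused" or "leaks" is a candidate for a new, unrelated handle.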
As mentioned, data brokers compile and sell huge amounts of personal data on nearly everyone these days. Most people aren’t even aware that there are many different data broker companies that possess extensive files on them, including everything from their browsing history, online and offline buying habits, medical histories, financial histories, criminal histories, and much more.
And when data breaches inevitably happen, like the Equifax breach, your information can be leaked for all the world to see. If your details ever find their way to the dark web, they’ll likely remain there forever.
So what can be done? Well, if you’re able to identify each and every one of the data brokers that have your information, you can contact them individually to request they remove you from their database. But though they’re legally obligated to comply, they can make it a very time-consuming process.
That’s why you should be proactive and enlist a privacy service such as Avast BreachGuard. Avast BreachGuard will contact data brokers directly on your behalf and take care of the information removal process for you, before your personal info can be exposed. It’ll also monitor the dark web for leaks and alert you right away should one occur.
Avast BreachGuard protects your information in three distinct ways:
24/7 risk monitoring: Avast BreachGuard monitors the dark web and scans for data breaches. If your information gets leaked, we’ll alert you immediately so you can take steps to protect your information.
Personal info removal: Avast BreachGuard identifies the data brokers that have profiles on you and sends requests on your behalf to get your information removed.
Password protection: Avast BreachGuard scans your browser for weak or reused passwords to make sure you’re not using any that may have already leaked.
Doxxers won’t stand a chance if you have Avast on your side. Download Avast BreachGuard today to bolster your defenses, protect your privacy, and ensure your personal information isn’t exposed or weaponized against you.