In this article, we look at what doxxing is, some examples of doxxing, and what can be done to protect ourselves and our businesses from being ‘Doxxed’.
What Is Doxxing?
Doxing is a 90s hacker term meaning for dropping (personal) dox where ‘dox’ is a slang term for documents. Doxxing is a malicious act where a person/persons use a variety of methods to find previously private personal information about an individual or organisation, and then publicly reveal/expose that information to all, usually over the Internet. The type of information released could be anything from simple personal details (real name, home address, workplace), to much more personal, embarrassing, and damaging information.
Doxxing is used as a method of attack, primarily for punishment or revenge and can lead to acts of extortion.
The kind of personal details and information that doxxers may collect about a person, business, or organisation may include name, telephone number, address, personal photographs, videos, comments and quotes, email content, account numbers, and more.
Doxxers can collect different snippets of information about their targets from a number of sources including hacks, social engineering, social media accounts, getting access to a target’s email account, WHOIS lookups, using an IP logger to trace online activities, reverse mobile phone lookup, tracking usernames, using GDPR subject access requests, collecting information that has been sold across the Web by data brokers, accessing details from hacks/sold hacked details, and more.
Is It Illegal?
Although doxxing is malicious and can be very harmful, it is generally not illegal because much of the information is gathered from what is considered as the public domain. However, the legality also depends upon whether details were obtained using legal methods, and doxxing treads a fine line between what is legal and not, sometimes entering into the illegal worlds of stalking, harassment, and more. If the threat of doxxing is used to extort money then this is, of course, blackmail. In many cases, at the very least, doxxing often violates many websites’ terms of service.
Some Examples of Doxing
Just some of the many examples of doxing that have made the news include:
– December 2011 – the hacking group Anonymous exposed detailed information online about 7,000 law enforcement agents as revenge for investigations into hacking activities.
– In 2013, hackers posted Kim Kardashian’s Social Security number, credit report, address (+ six previous addresses) online.
– In 2016, while Donald Trump was campaigning for the US presidency, Anonymous posted his Social Security number and phone number, as well as the contact information for his agent and lawyer online.
– In 2017, the Russian (Moscow) hacker group Turla hacked the Instagram account of Britney Spears, and used it to post secret, cryptic comments.
How To Protect Yourself and Your Business From Being Doxxed
Some of the measures you can take to help protect yourself/your business from falling victim to doxxing include:
– Using a VPN to protect your IP address.
– Using strong passwords, avoiding password sharing, and using 2FA or multi-factor authentication where possible.
Keeping anti-virus software and patches up to date and installing antimalware to combat doxware.
Removing personal data from apps, and from gadget/device settings.
– Setting up different email addresses for different uses e.g., professional, personal, and spam.
– Maximising your social media privacy settings and being careful what is shared i.e., bearing in mind GDPR, consent, personal details and privacy matters when sharing anything relating to staff.
– Hiding domain registration information from WHOIS.
Avoiding logging into a website through Facebook or Google.
– Asking Google to remove any personal information that you are concerned about.
– Keeping up with good general online security practices and be careful what information you share via social media.
– Deleting old online accounts.
– Using the legislation available to tackle doxxers. For example, Hong Kong introduced a new anti-doxing law in October 2021 (The Personal Data (Privacy) (Amendment) Ordinance 2021), mainly to prevent details of members of the authorities from being posted online and, perhaps, to crack down on criticism. The law could, however, be used by citizens and businesses to combat malicious doxxing acts. The law amendment gives Hong Kong’s Privacy Commissioner for Personal Data the right to conduct criminal investigations and institute prosecution related to doxxing. Also, under UK GDPR, persons have the ‘right to be forgotten’ i.e., requesting that a business/organisation removes/deletes all data collected about them.
– For businesses – keeping an up-to-date record of processing activities, showing what data is being collected, where it’s stored, for how long, and who is being/has been shared with.
– Keeping levels of awareness and training about data protection, privacy, and threats like doxxing up to date among staff.
– Checking/monitoring compliance relating to contracts with third parties processing personal data on your/the company’s behalf.
– Using websites to help erase data about you stored around the Web / opting out of people searches. Examples (including U.S.), include https://www.beenverified.com/app/optout/search, https://www.instantcheckmate.com/opt-out/, https://www.gov.uk/government/publications/register-to-vote-anonymously, opting out of the top 10 data brokers – https://databrokerswatch.org/top-ten, https://joindeleteme.com/.
What Does This Mean For Your Business?
The main motives for doxxing appears to be revenge, control, or even as a way to blackmail someone. Following good general online security practices and policies is the best way to avoid giving people (e.g., disgruntled former employees/customers, hackers and others) the fuel and the openings they need to build their campaigns. Sadly, much of our data ends up being shared around the Web, perhaps to places we wouldn’t expect to go and determined doxxers may be able to find some things, despite our best efforts to maintain our privacy. That said, as highlighted in the list above there are still many proactive measures that can be taken to reduce the risk of being doxed.