What Is Doxing? What Does It Mean to Dox Someone? | Fortinet (2024)

The word “doxing” (also spelled "doxxing") is derived from the term “dropping dox,” or “documents.” Doxing is a form of cyberbullying that uses sensitive or secret information, statements, or records for the harassment, exposure, financial harm, or other exploitation of targeted individuals.

This doxing meaning involves taking specific information about someone and then spreading it around the internet or via some other means of getting it out to the public. This practice has been fervent for many years, simply because documents contain permanent records of facts about people and things they have done and said, which can be powerful weapons against them. However, the term “doxing” first gained popularity in the 1990s when hackers began dropping docs on people who had been hiding behind fake names. In this way, hackers could expose other attackers with whom they had been in competition. Removing their anonymity left them exposed to authorities and others trying to track them down.

Doxing has taken a prominent role in modern culture wars, which involve people targeting those who support a cause or hold a belief that is in opposition to one they are trying to push forward.

If you make your social media accounts available to the public, any information you post about yourself or have in your profile can be seen by others. This may include where you work, your friends, photos, family members, things you like to do, places you have been, pets, and more.

A doxer may even be able to use this kind of information to deduce your answers to common security questions, such as “What is the name of my best man?” or “What is the name of your favorite pet?”

When doxing someone, attackers can use packet sniffing to their advantage. Data is organized in packets as it travels across the internet. When a packet is sniffed, the attacker is able to tell what kind of information is within it. In this way, they can grab passwords, bank account information, credit card numbers, and more.

To do this, doxers will connect to a network, get past its security, and then capture the data being transmitted through the network.

As the name suggests, data brokers collect information and then sell it to others for a profit. A data broker will gather information about potential targets by going to several websites that house public records. This may include loyalty card websites, which keep track of your online habits or your search history, to obtain the data they need about you.

In some cases, a data broker will purchase data from another data broker and then sell it to a buyer on the dark web.

Examples of information doxers typically search for include:

1. Phone numbers: These can be used to contact the victim directly while pretending to be someone else and then asking questions to get more information. They can also be used to gain access to secure user accounts.
2. Social security numbers: A social security number is required to validate the identity of a person on a variety of websites and with a wide array of companies that hold private data.
3. Home address: Not only can a home address be used to verify someone’s identity while trying to gain access to a private account, but it can also be used by an attacker to apply for new accounts while pretending to be the victim.
4. Credit card details: Credit card information can be weaponized for profit or to harm a victim’s credit rating, as well as gain access to other sensitive information.
5. Bank account details: Because bank account details are typically only available after someone has satisfied security measures, they can be used to “verify” your identity for someone pretending to be you. They can also be levied to transfer money from your account to someone else’s or published in a doxing attack to make the target more vulnerable.

In many cases, doxing is not illegal, particularly because the information that is being exposed is already publicly available online. This means that, at some point, the target granted an entity the legal right to publish it. However, the way the information is used may make the overall act illegal, particularly if it involves stalking, threatening, or harassing the target.

Doxing may also be illegal if certain information is revealed. It is illegal to dox a government employee in the United States, for example. This is a federal offense. And while it is not “illegal,” doxing is considered unethical because information is revealed without the permission of the victim.

If you use social media and post potentially sensitive or private information, you should, from time to time, review your privacy settings and change them. When you use social media for professional purposes, it can sometimes be useful to keep some of your account information public.

Changing privacy settings every now and then can help keep information you do not want abused from being accessed by anyone who can see your profile information, pictures, posts, or likes and dislikes.

You may want to consider using different email addresses for social interactions, work, and spam. Your work email, particularly if you are self-employed, would be used for professional interchanges. However, whenever you sign up for an offer or subscribe to something, you can use your spam email address. Personal, casual interactions can be handled on your social email address. Using different logins and passwords for each one makes it harder for a doxer to crack your email address, and if they do, they may not be able to gain access to everything they need.

Keep in mind that a spam email can often be used to go straight to a user account with details in the account profile. It is important, therefore, to make your spam email particularly difficult to hack into.

When you post something on social media, it is put out there for the public to see, and in some cases, it could be grabbed before you have the chance to take it down.

Even if you use a pseudonym, it is easy for doxers to figure out your real identity by cross-checking one social media account with another, particularly using your friends and how they mention you. They may refer to you by your real name instead of your pseudonym, thereby exposing your identity. Also, when one social media account has your real name but others have fake ones, a doxer can easily deduce who you are.

If it is easy for you to dox yourself, it is just as easy—or easier—for an experienced doxer. You can try doing a Google search, reverse image searching using your picture, going through your social media profiles, or checking to make sure your email account information has not been compromised in a published data breach.

You can also check your professional profile information, including resumes and curriculum vitae (CV), to see if you're comfortable with that information being available to the public.

If you discover you have been doxed, you should take the following steps:

1. Report it: Inform any pertinent parties, such as financial institutions, about what has happened right away.
2. Involve law enforcement: If the attack involves threats or if the information was gleaned in a potentially illegal manner, you should contact the police and let them know.
3. Document what happened: Use screenshots, download web pages, and take the time to write out what happened. This information can help you keep track of what information was shared as well as help the authorities and others address the attack.
4. Protect financial accounts: Immediately contact your credit card company or bank to prevent financial information from being used to steal from you.
5. Secure your accounts: Bolster your privacy settings and change passwords for all your accounts, especially those containing information that could be used by a doxer.
6. Get support from family or friends: You can reach out to someone you trust for assistance and emotional support so you do not have to deal with it on your own.