Doxing — also spelled doxxing — is the act of publicly revealing or publishing someone’s private or personal information online without their consent, almost always with malicious intent.
In this article, we look at what doxing is, who does it (and why), and how to protect yourself, as well as how Proton VPN, Proton Mail, Proton Pass, and Proton Drive can help.
- What is doxing?
- Motivations for doxing
- Is doxing illegal?
- How to protect yourself from doxing
- Examples of famous doxing incidents
- Famous people who have been doxed
- Doxing is harassment
What is doxing?
The word doxing originated in 1990s hacker slang, meaning to “drop dox (documents)” to identify rivals in the fiercely competitive hacking scene. Since much of the hacking activity was illegal, this often left the victims exposed to criminal prosecution.
The goal of doxing is usually to harass, intimidate, embarrass, or harm the targeted person, and it can lead to real-world consequences — like unwanted attention, stalking, threats, or worse.
These days, disclosing personal information about people with views that differ from the views of the doxer has become a signature feature of the increasingly ugly culture wars.
Doxing attacks can be used to:
- De-anonymize individuals: The most common form of doxing, this approach involves publishing personally identifiable information, usually on the internet. Details published typically include things like the target’s real name, home address, phone number, email address, and social security number.
- Link individuals to certain internet activity: Doxing can involve linking individuals to posts on private forums, historical social media, photos, and other evidence that wasn’t made anonymously, as such, but that the targets would rather not be made known to the general public. Early examples of this form of doxing are publishing the names of suspected neo-Nazis on Usenet forums, and exposing the names and addresses of abortion providers on a website encouraging violence against them.
Motivations for doxing
Motivations for doxing might include:
- Revenge or retaliation: Some people dox as an act of personal revenge, possibly after an online disagreement, breakup, or perceived insult.
- Intimidation or harassment: Doxing can be used to scare or harass someone by exposing their private information to a large audience, leading to threats or physical harm.
- Shaming or public exposure: People sometimes dox others to publicly shame them, often in the context of behavior or statements that the doxer disagrees with.
- Financial gain: Some doxers may be motivated by financial reasons, such as blackmail or extortion, threatening to release certain information unless a payment is made.
- Activism or hacktivism: Sometimes doxing is used as a tool by activists who believe that exposing someone’s personal details is justified, especially when they see the person as having engaged in harmful or unethical activities.
Most cases of doxing are highly malicious, but in some cases it’s clear the doxer feels moral justification for their actions. Regardless of the motivation, however, doxing is a serious violation of privacy and can lead to real-world consequences for the victim, including emotional distress, physical danger, or harm.
Is doxing illegal?
Because doxing often involves publishing information that is publicly available (if you look hard enough), it often doesn’t break the law. However, doxing is almost always illegal if the means of obtaining the information is illegal (such as performing computer fraud or hacking into a server’s database).
Depending on the country where it occurs, doxing can also often break privacy laws, harassment and stalking laws, and defamation laws.
In the US, for example, there are no federal laws that specifically mention doxing, but there are many state laws related to online harassment, cyberstalking, and threatening behavior that can be used to prosecute those who carry out doxing attacks. Releasing personally identifiable information with malicious intent may also be deemed illegal under federal laws such as the Computer Fraud and Abuse Act (CFAA).
In the UK, the Malicious Communications Act can be used to prosecute doxing if it involves the release of private information or leads to harm or distress. As a general rule (although this varies considerably by jurisdiction), if doxing results in harm, threats, or privacy violations, it will break a criminal law.
How to protect yourself from doxing
The key to protecting yourself from doxing is to limit the amount of personal information about yourself online. Naturally, this includes limiting the personal information you make publicly available, but it also includes limiting the information you give to online services and other third parties that are supposed to keep your information confidential.
Unfortunately, data gleaned from hacked servers and databases is a major source of information exploited for the purpose of doxing.
Important strategies for limiting the information that can be abused for doxing include:
1. Don’t overshare
Limit the amount of personal information you share online that can be accessed by the public. Don’t overshare, and where possible, use a pseudonym. If you must share personal details, limit the number of people who can see them. For example, be sure to lock down your Facebook profile so that only trusted friends and family can access it.
2. Hide your IP address
Every server you connect to logs your IP address and a timestamp of when you connected to it. If the server is hacked, it’s easy to match your activity on that server to your real IP address. When you use a VPN service such as Proton VPN, all the server can log is the IP address of the VPN server — not your real one.
3. Use a disposable email address
Most online services these days require you to verify your email address (which is then kept on file, where it can potentially be hacked and used for doxing). You can protect your privacy by using a disposable email address. With Proton Mail, you can create a hide-my-email alias every time you sign up for a new service, and then disable the alias at any time.
4. Secure your documents and photos
No matter where you store your sensitive documents and embarrassing photos online, they can be hacked. This includes most online storage services — if the cloud provider can access your files (and most can), then so can hackers. The solution is to store your documents and photos using end-to-end encryption, so only you can decrypt them. This means that if your cloud service provider is ever compromised, the hacker won’t be able to access your data. Proton Drive is an end-to-end encrypted cloud storage solution with automatic photo backup from your mobile device.
5. Use strong unique passwords and 2FA
The single best thing you can do to secure any account is use a strong password that is unique to that account. Recalling every password can be difficult, but password managers do the heavy lifting for you – creating strong unique passwords for all your accounts, remembering them, and autofilling them for you when needed.
One-factor authentication allows you to verify your identity when signing in to your Proton account using something you know — your login details. Two-factor authentication (2FA) greatly improves the security of your account by requiring something you have (your phone or security key) or something you are (your faceprint or fingerprint). Unless an adversary knows your login details and also has physical access to this second factor, they cannot access your account.
Proton Pass is an end-to-end encrypted password manager that can conveniently generate 2FA codes (like a 2FA authenticator app) to secure your accounts. It also scans the dark web to alert you if your details have been exposed (doxed) there.
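To show why a 2FA code counts as "something you have", here is an added example (not code from Proton or from this article) of how a standard authenticator app derives a time-based code under RFC 6238 and how a server would check it. The secret is the RFC's published test value, and the function names totp and verify are chosen for this illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test secret, NOT a real account secret.
# In practice this value lives only on your device and on the server.
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code for the time step containing `at`."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, at: float,
           step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps
    to tolerate clock drift; anything older has expired."""
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    ok = False
    for drift in range(-window, window + 1):
        t = at + drift * step
        if t < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        ok |= hmac.compare_digest(totp(secret, t, step), submitted)
    return ok


if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_SECRET, now)
    print("current code:", code)
    print("accepted now:", verify(SAMPLE_SECRET, code, now))
    print("accepted in 5 minutes:", verify(SAMPLE_SECRET, code, now + 300))
```

A leaked password alone does not let anyone compute the code, and a code that is intercepted stops working once its time window has passed.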
6. Use more privacy-friendly platforms
Most commercial platforms — including social media platforms, messenger apps, and forums — require you to verify your identity and will log your activity to prevent abuse. If these platforms are hacked, however, data stored on them about you can be stolen and doxed.
Using a VPN and an email alias can help protect against this, but so can using open-source, community-based and peer-to-peer (P2P) platforms or distributed services that don’t ask for your email address or log your IP address in the first place (at least in any centralized way — if using a P2P-based service, always remember that peers can see your real IP address unless you hide it with a VPN).
For example, Mastodon is a decentralized, open-source social network that allows you to create or join independent servers. Mastodon makes a great alternative to the likes of Facebook, Instagram, and X (Twitter). We have a guide to privacy-friendly WhatsApp alternatives.
Examples of famous doxing incidents
Below are some of the most notorious (and damaging) doxing incidents in recent memory:
1. Project Chanology
In 2008, the Church of Scientology attempted to remove an online video of Tom Cruise promoting the church. The hacktivist group Anonymous responded by launching Project Chanology (a combination of 4Chan and Scientology), in which it doxed high-ranking members of Scientology, revealing private information with the aim of intimidating and disrupting the organization. This campaign was one of the earliest large-scale doxing incidents and set a precedent for internet-based activism and doxing.
2. Gamergate
Infamous for its sheer nastiness, Gamergate (2014) was a highly misogynistic online harassment campaign against a number of women prominent in the gaming industry, including game developer Zoe Quinn, media critic Anita Sarkeesian, and game developer Brianna Wu. These women were doxed, leading to threats of violence and harassment. Gamergate brought widespread attention to the issue of online harassment and doxing in the digital age.
3. Ashley Madison hack
Ashley Madison is a popular dating website that caters to people seeking extramarital affairs. In 2015, the otherwise unknown hacking group (possibly just an individual) known as “Impact Team” leaked the personal information of around 32 million Ashley Madison customers.
The leak exposed names, email addresses, and even credit card transactions, leading to public embarrassment and, in some cases, serious personal and legal consequences for users.
4. CIA Director John Brennan
In 2015, teen hackers gained access to CIA Director John Brennan’s personal email account and leaked sensitive information, including contact lists and personal documents. This breach showcased the vulnerabilities even high-ranking government officials face online and raised questions about cybersecurity measures for public figures.
Famous people who have been doxed
The following famous people have been victims of doxing:
1. Elon Musk
In 2022, some Twitter (as it was known then) users shared the real-time location of Elon Musk’s private jet on the social media platform. This raised concerns about his safety, especially after Musk publicly stated that his family had been followed by a “crazy stalker” following the incident. He responded by suspending several accounts from Twitter that were involved in sharing his location.
2. Taylor Swift
The pop superstar has had to endure a torrent of abuse, including death threats and doxing by both overzealous fans and critics. In one instance, her private home address was leaked online. Taylor Swift has been a vocal advocate for stronger privacy protections for public figures.
3. J.K. Rowling
Harry Potter author J.K. Rowling has become a highly controversial figure thanks to her outspoken views on trans rights. In 2019, some pro-trans activists tweeted a photo of themselves outside Rowling’s house in Edinburgh that showed her address. The photo was removed following an angry backlash from Rowling’s supporters (and later re-posted with the address removed).
4. Kyle Giersdorf (Bugha)
Teenage Fortnite champion Kyle Giersdorf, better known as Bugha, experienced a serious doxing incident in 2019 that led to him being “swatted” by a heavily-armed police SWAT team at his home. This highlights the dangerous consequences of doxing for public figures.
5. Kim Kardashian, Scarlett Johansson, Jay-Z, Beyoncé, Donald Trump, Lady Gaga, and more
In 2013, sensitive information relating to at least 17 celebrities and politicians was posted online, including social security numbers, credit card records and mortgage payments. In addition to those listed above, victims included Mel Gibson, Joe Biden (then vice president), Hillary Clinton, Britney Spears, Sarah Palin, and Arnold Schwarzenegger. The perpetrator(s) was never identified.
Doxing is harassment
The bottom line is that doxing is a form of harassment that can have very serious consequences, including online abuse, stalking (online and real life), death threats, physical assault, and swatting attacks against the victim (which have the potential to be deadly).
Celebrities and politicians are particularly vulnerable to doxing attacks, simply because they are in the public eye. However, anyone can become a victim of this kind of attack, so it pays to take sensible precautions against it. Proton can help with this, as all our products are specifically designed to protect your privacy online.