What’s Doxing?
Depending on the source, the term doxing (doxxing) either comes from an abbreviation of the word documents, or docs, that has been turned into a verb; or it’s derived from the term “document tracing”; or it comes from the slang “dropping dox.”
What does the term doxing mean?
Doxing is the act of gathering and publishing information about someone that was previously private and sometimes hard to obtain. When sensitive private documents are exposed publicly, they can damage the reputation of any person or business. Understanding what constitutes reputational harm is an important first step in recognizing why doxing is so damaging.
What do hackers look for when doxing?
Hackers look for full names, email addresses, phone numbers, addresses, photos, social security numbers, account numbers, and more. Doxing carries a negative connotation, as it is typically used as a means of coercion, revenge, or stalking.
What are some common doxing techniques?
With so many people placing their personal information online, hackers have more opportunities than ever to access it. Several techniques are commonly used to achieve this.
- Email hacking is perhaps the most common method for obtaining private information. Once an email address is obtained, a hacker can attempt to access the owner’s account and retrieve more sensitive data.
- Google indexing makes finding information straightforward. When Google indexes a web page, it stores a copy of all content on that page. A targeted search using the right keywords can surface personal details quickly.
- Social networking sites are a treasure trove of personal information. Facebook, X (formerly Twitter), LinkedIn, TikTok, Pinterest, Instagram, and others hold details on hundreds of millions of people. Users who have not reviewed their privacy settings may be exposing far more than they realize.
- Reverse phone lookup gives hackers easy access to personal records. A Google search of a phone number often surfaces investigative services such as PeopleFinders.com and WhitePages.com, which scrape the internet for addresses, relatives, email addresses, and more.
- Website domain information can be queried through a Whois search, which can reveal domain ownership, registration dates, and contact details. Since GDPR took effect in 2018, much of this data is redacted for individual registrants in many jurisdictions. However, older registrations or those without privacy protection can still expose names, addresses, and phone numbers.
- Social engineering is among the most insidious methods. It involves a hacker contacting someone — usually through social networking sites — with the express purpose of extracting sensitive information through manipulation or deception.
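The Whois point above can be turned into a self-audit of your own domain. The sketch below is an added example, not part of the original article: it scans Whois output you have already saved for contact fields that are not redacted. The field labels, the redaction markers and both sample records are assumptions constructed for illustration, since registrars format their output differently.

```python
import re

# Markers registrars commonly use for withheld fields (assumed list, not exhaustive).
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "withheld", "not disclosed")

# Contact fields that can carry personal data (assumed labels; formats vary).
FIELD_RE = re.compile(
    r"^\s*((?:Registrant|Admin|Tech)\s+"
    r"(?:Name|Organization|Street|City|Phone|Email))\s*:\s*(.*)$",
    re.IGNORECASE,
)

def exposed_fields(whois_text):
    """Return {field: value} for contact fields that are present and not redacted."""
    exposed = {}
    for line in whois_text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        field, value = m.group(1).strip(), m.group(2).strip()
        if not value:
            continue  # an empty field exposes nothing
        if any(marker in value.lower() for marker in REDACTION_MARKERS):
            continue  # withheld by the registrar or a privacy service
        exposed[field] = value
    return exposed

# Constructed sample records (not real registrations).
OLD_RECORD = """\
Domain Name: example.org
Creation Date: 2009-03-14T00:00:00Z
Registrant Name: Jane Example
Registrant Street: 1 Sample Road
Registrant Phone: +1.5555550100
Registrant Email: jane@example.org
"""
REDACTED_RECORD = """\
Domain Name: example.net
Creation Date: 2021-06-01T00:00:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
Registrant Email: contact@privacy-proxy.example
"""

if __name__ == "__main__":
    for name, record in (("old", OLD_RECORD), ("redacted", REDACTED_RECORD)):
        print(name, exposed_fields(record))
```

Any field this reports for your own domain is a candidate for your registrar's privacy protection option.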
How to protect yourself from doxing
Taking proactive steps can significantly reduce your exposure to hackers and online predators. The time invested in these precautions is well worth the peace of mind they provide.
1. Configure privacy settings to hide personal details and photos from search engines. If a site does not offer adequate privacy controls, consider not sharing information there at all.
2. Use different email accounts for different activities. For example, use one email for gaming, another for banking, and a third for forums. This limits the damage if any single account is compromised.
One approach used by some security-conscious individuals is to create a unique email address for every site they register on using a catch-all address. This makes it easy to identify when personal data has been sold to a third party.
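One way to implement the per-site address scheme described above, as an added example that is not part of the original article. It assumes you own a domain with catch-all delivery (`example.com` here) and hold a private key. The alias format, the function names and the sample domains are hypothetical.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: a private key only you hold
CATCH_ALL_DOMAIN = "example.com"   # assumption: a domain you own with catch-all delivery

def _tag(site):
    """Short keyed tag so outsiders cannot mint valid-looking aliases."""
    return hmac.new(SECRET, site.encode(), hashlib.sha256).hexdigest()[:8]

def alias_for(site):
    """Address to hand to exactly one site: <site>.<tag>@<your domain>."""
    site = site.lower().strip()
    return f"{site}.{_tag(site)}@{CATCH_ALL_DOMAIN}"

def site_from_alias(address):
    """Return the site an alias was issued to, or None if the tag does not verify."""
    local, _, domain = address.lower().partition("@")
    if domain != CATCH_ALL_DOMAIN or "." not in local:
        return None
    site, _, tag = local.rpartition(".")
    ok = hmac.compare_digest(tag.encode(), _tag(site).encode())
    return site if ok else None

def check_message(recipient, sender_domain):
    """Compare who an alias was issued to with who is actually using it."""
    site = site_from_alias(recipient)
    if site is None:
        return "unknown-alias"      # guessed or forged address, never issued
    sender = sender_domain.lower()
    if sender == site or sender.endswith("." + site):
        return "expected"           # mail from the site the alias was given to
    return f"leaked-by:{site}"      # alias issued to `site` reached a third party

if __name__ == "__main__":
    a = alias_for("shop.example")
    print(a)
    print(check_message(a, "mail.shop.example"))
    print(check_message(a, "ads.example"))
```

A `leaked-by` result shows that the address left the site it was issued to; it does not distinguish a sale from a breach.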
3. Avoid uploading photo albums to social media sites or blogs. If you must share photos, configure your privacy settings so that only trusted contacts can view them and search engines cannot index them.
4. Remove your information from data broker sites like Intelius. You can submit a request through their removal form. The legal landscape around data privacy has expanded considerably in recent years. California’s Privacy Rights Act (effective January 1, 2023), along with laws in Virginia, Colorado, Connecticut, Texas, and other states, may give you more control over your personal data than you realize. You can also learn more about how to remove personal information from search results as part of a broader cleanup strategy.
5. Be thoughtful about what you share online. The more selective you are, the less likely you are to find yourself in a compromised position. Some information simply does not need to exist anywhere on the internet.
6. Keep your important accounts secure. Use a different password for every important account to prevent a single breach from cascading. A password manager like 1Password can help. Current cybersecurity guidance from NIST strongly recommends pairing a password manager with multi-factor authentication (MFA) or passkeys for an additional layer of protection.
7. Change passwords when it matters. NIST no longer recommends routine password changes on a fixed schedule. Rotating passwords every 60 to 90 days often leads people to choose weaker, more predictable credentials. Instead, use strong, unique passwords for every account, enable multi-factor authentication, and change a password only when there is evidence it may have been compromised.
Are professional hackers after you?
Politicians, journalists, high-net-worth individuals, and other high-priority targets may need to take additional precautions. Tor Browser encrypts traffic and routes data across multiple servers for added anonymity. Google Advanced Protection locks down your Google account and now supports passkeys in addition to physical security keys, making enrollment more accessible than it once was. For iPhone users, Apple’s Lockdown Mode (available since iOS 16) offers a hardened security posture designed specifically for high-risk individuals.
None of these tools are a complete solution on their own, but for those operating in sensitive industries, they can make a meaningful difference. High-profile individuals should also consider proactively protecting their online reputation as part of a broader personal security strategy — controlling what appears in search results is just as important as securing your accounts.
Happy scrubbing!