Published by Jacob Larsen, Security Testing and Assurance on 9 August 2024
Nine years ago I was a victim of doxing.
I had an online account with a rare username that a cyber criminal wanted so that they could resell it for profit. When they couldn’t extort me, they chose to violate my privacy.
My personal information was released on a doxing website, including my full name, residential address, email, mobile numbers, previous passwords for online accounts, and a list of my family members’ names.
Thankfully nothing happened to me. But the experience made me fear for my safety. I now take a range of steps to protect myself against doxing (more on that later…).
Fundamentally this incident taught me that no matter how hard you try, you can never completely remove the link between who you are online, and who you are in real life. But you can take steps to mitigate further compromise of your privacy and personal safety.
Ever since I was doxed, I have had a fascination with the weird online subculture surrounding doxing, including the perpetrators of doxing and the platforms that publish victims’ doxes, like Doxbin.
I recently presented my research on the privacy intrusion methods used by hackers to extort doxing victims at Black Hat USA in Las Vegas.
For my presentation, I spoke to several infamous doxers to understand their tactics, techniques, motivations and, most importantly, how internet users can better protect themselves against doxing.
Here are some insights I learned that could help you protect yourself from doxing.
What is doxing?
Australia’s eSafety Commissioner defines doxing as “the intentional online exposure of an individual’s identity, private information or personal details without their consent.”
The term “doxing” is essentially slang for “dropping documents”, or publicly releasing information that links someone’s online username or persona with their private identity.
Doxing is not a new concept. But the explosion of internet use and the rise of social media over the past 15 years have meant there are more potential victims, and more techniques and tactics for doxers to uncover someone’s identity, than ever before.
While there are some notable examples of media outlets or politicians seeking to identify the individuals behind notorious TikTok or X (formerly Twitter) accounts, the reality is that most of the time doxing is a tool used by malicious actors to intimidate victims and make them fearful for their physical safety.
Doxers do this by exposing people’s personal information online. This might be their home address, their phone number, or even where their kids go to school. This can lead to intimidation, harassment and physical harm.
There’s also a thriving online black market for extortion, where doxers reveal personal information and only remove it if their victims pay.
Think of it this way – if the anonymity of the internet affords people a veil of personal secrecy, doxing threatens to strip this away and confronts victims with potentially real-life harm and consequences.
How can you protect yourself?
The Australian eSafety Commissioner provides a helpful resource for how individuals can protect themselves against doxing, including:
- Check privacy settings on social media accounts. In my view, it’s best to restrict access to your social media profiles as much as possible.
- Use a range of strong passwords for accounts. All too often it’s tempting to use the same or similar passwords for your various accounts – that’s easy. But the ever-increasing number of data breaches should come as a warning. Your details are more likely than not already out there, and if you use the same password for multiple accounts, then it only takes one breach to expose a lot of your information to savvy criminals. This includes using variations of the same passwords. Consider using a password manager tool to generate and keep track of unique passwords.
- Set unique usernames for each online account you use. Importantly, this can help distinguish and separate your online identities, making it harder for potential doxers to identify you across multiple platforms or accounts.
- Use two-factor authentication on all accounts. Always, always activate multi-factor authentication (MFA) where available. Prioritise authenticator apps, like Google or Microsoft, over SMS-based MFA, as hackers can intercept one-time passwords (OTPs) through SIM swapping attacks.
- Limit the amount of personal information shared online. Simply put – the more identifiable information you post online, the easier it is for doxers to identify you.
- Make a habit of searching yourself online to see how much of your information is accessible to others. If you turn on Incognito mode or use a new device and Google yourself, you might be shocked at just how much of your information is already out there. Try it.
What do doxers say?
As part of my research presented at Black Hat, I spoke to “ego”, a member of the wanted doxing gang “ViLE”, an experienced social engineer and hacker who claimed to make a six-figure income from doxing and extortion activities.
I asked ego what common mistakes they see that lead to people getting doxed. Here’s what ego said:
- Identical email address across all online accounts, with password re-use.
- Using consistent or similar usernames across various platforms.
- Choosing not to use VPNs.
- Sharing complete names and location on social media platforms.
- Posting personal pictures of family members, compromising privacy and security.
What about physical security?
While strengthening your online safety in line with the advice outlined above from the eSafety Commissioner could help shut down the common vectors doxers have to uncover someone’s identity, the reality is that there’s no silver bullet.
For those most at risk – like high-net-worth individuals (HNIs) or victims of abuse and domestic violence – there are a range of physical security measures that can also be taken.
These include:
- Blur your home and vehicle on Google Street View – you can do this by requesting your home or vehicle is blurred via Google’s Report Inappropriate Street View
- Use a P.O. box and mail forwarding service to avoid mail noting your physical address.
- Install physical deterrents like CCTV, intrusion alarms, and floodlights.
Most importantly, if you have immediate concerns about your safety, contact the police by calling Triple Zero (000) or your country’s equivalent.
My research into doxing
You can read blog posts that go into more detail on my research here, and interviews with the threat actors involved here.
I also spoke to WIRED about my research here: Inside the Dark World of Doxing for Profit.
If you have questions about how to protect yourself from doxing or concerns about your safety, please get in touch with CyberCX’s Security Testing and Assurance (STA) team here.