What is Doxing? Definition and Explanation

Doxing Explained?

Doxing, or doxxing, as it’s sometimes spelled, is the act of revealing identifying information about someone online. That information is then circulated to the public, all without the victim's permission.

Once typically reserved for hackers, doxing is now a widespread cybersecurity threat. It’s become insidious with the rise of social media and the information users share on these platforms. If you’ve ever wondered how doxing started, whether it’s legal, and how to protect yourself from doxing, you’ll find the answers here.

The concept of doxing as we currently know it first emerged in the online world in the 1990s, when anonymity was considered sacred. Feuds between rival hackers would sometimes lead to one deciding to "drop docs" on another, who had previously only been known as a username or alias. "Docs" became "dox" and eventually became a verb by itself.

The motivations behind doxing vary. Intentionally revealing personal information online usually comes with the intention to punish, intimidate, or humiliate the victim in question. Sometimes, doxers also see their actions to right perceived wrongs, bring someone to justice in the public eye, or reveal an agenda that has previously not been publicly disclosed.

What does it mean to dox someone?

While doxing is often wielded as a tool in online culture wars, the definition of the term has expanded. However, the application of the term to hackers has become somewhat less relevant today, with many users using their real names on social media and other online spaces. Now, doxing refers to someone’s personal information being exposed online, usually to escalate attacks on targets by moving their conflict offline and into the real world. This is done by revealing some of the target’s personal information, such as:

• Home addresses
• Workplace details
• Personal phone numbers
• Social Security numbers
• Bank account or credit card information
• Private correspondence
• Criminal history
• Personal photos
• Embarrassing personal details

Doxing attacks can range from the trivial, such as fake email sign-ups, to the far more dangerous ones, like harassing a person's family or employer, identity theft, threats, or other forms of cyberbullying, and even in-person harassment.

Social media doxing

With the widespread use of platforms like Instagram, Facebook, and TikTok, social media doxing – where personal information is shared on social media platforms - is a particular concern. Many users accidentally share sensitive data on these sites that can be later used against them. Social media doxing is especially relevant in instances of revenge porn, where someone shares embarrassing intimate photos of their current or former partner without their consent.

Numerous celebrities, politicians, journalists, and other public figures have been subject to different forms of social media doxing, resulting in their being harassed by online mobs, fearing for their safety, and – in extreme cases – receiving death threats. In particular, numerous public figures have been harassed on social media for their political opinions, relationships, and even weight.

There are even doxing examples that have targeted prominent company executives. For example, when Proctor & Gamble's Gillette released its “We Believe” ad, which claimed to target toxic masculinity, Chief Brand Officer Marc Pritchard's LinkedIn profile was shared on 4chan — with the poster calling others to send angry messages to him.

Anonymity and doxing

Doxing has been made even easier because of how easy it is for users to be anonymous online. Anyone can disguise identifying information such as name, age, location, and data use. There are many ways to do this, from setting up fake profiles and burner email addresses, using VPNs, or even using encrypted software, browsers, and platforms.

This anonymity can make attackers feel uninhibited by the usual social mores, giving them the confidence to launch doxing attacks without fear of discovery or reprisal. For the target, anonymity may prohibit reporting and cause real fear. Doxers can also impersonate other individuals or companies in their doxing attacks, giving the situation an additional layer of complexity.

How does doxing work?

In the age of big data, there’s a vast ocean of personal information available on the internet, and users often have less control over it than they believe. This means that anyone with the time, motivation, and interest to do so can turn that data into a weapon.

By following breadcrumbs — small pieces of information about someone — scattered across the internet, doxers can build up a picture that leads to uncovering the real person behind an alias. Doxers may also buy and sell personal information on the dark web.

Some of the most common methods used to dox people are outlined below:

Tracking usernames

Many people use the same username across a wide variety of digital services. This allows potential doxers to build a picture of the target's interests and how they spend their time on the internet. While many hackers use this for social engineering scams, it can also be used for doxing and swatting.

Running domain searches

All domain name owners have their information stored in a registry that’s publicly available through a WHOIS search. If the domain name owner didn’t choose to obscure their private information, their personally identifying information would be available online for anyone to find.

Phishing

If someone uses an insecure email account or falls victim to a phishing scam, a hacker can uncover sensitive emails and post them online.

Stalking social media

Social media doxing has become a growing concern as more users engage with these platforms. Users who leave their social media accounts public – or fail to secure them with the numerous privacy options available – leave their personal information vulnerable.

Accessing government records

A surprising amount of information can be uncovered from government websites. With some sleuthing, doxers and hackers can steal information from government databases of business licenses, county records, marriage licenses, DMV records, and voter registration logs.

Tracking IP addresses

Doxers can use various methods to discover IP addresses, which are linked to users’ physical location. Once they uncover an IP address, they can use social engineering tricks on the target’s internet service provider (ISP) to discover more information about them.

Reverse mobile phone lookup

Once hackers know someone’s mobile phone number, they can easily find out more about the person. Reverse phone lookup services like Whitepages let you type in a mobile phone number to identify who owns the number. Sites such as Whitepages, Who Called Me and Reverse Australia offer free or paid services to provide information about the number’s owner.

Packet sniffing

The term packet sniffing is sometimes used in relation to doxing. This refers to situations where doxers intercept a target’s internet data to look for sensitive personal information. Doxers do this by connecting to an online network, cracking its security measures, and then capturing the data flowing into and out of the network. Using a secure virtual private network (VPN) is a good way for users to protect themselves from this sort of activity.

Using data brokers

Data brokers gather personal information from publicly available records and then sell that information for a profit. Many sell their information to advertisers, but several people-search sites offer comprehensive records about individuals. All a doxer has to do is pay a small fee to obtain this information.

Famous doxing examples

The most common doxxing situations tend to fall into three categories:

1. Releasing an individual's private, personally identifying information online
2. Revealing previously unknown information of a private person online
3. Releasing information about a private person online could be damaging to their reputation and those of their personal and/or professional associates.

Some of the most famous and commonly cited examples of doxing include:

Ashley Madison

Ashley Madison is an online dating site that caters to people interested in dating outside of committed relationships and marriages. In 2015, a hacker group stole user data from the website and made demands of the management behind Ashley Madison. When those demands were not met, the group released the sensitive user data it had acquired, doxing millions of people in the process.

Cecil the Lion

In July 2015, a dentist from Minnesota illegally hunted and killed a lion named Cecil, who was living in a protected game preserve in Zimbabwe. Amid the public outcry of the killing, some of the dentist’s identifying information was released, resulting in even more personal information publicly posted online by people who were upset by his actions and wanted to see him publicly punished. 

Boston Marathon bombing

During the search for the Boston Marathon bombing perpetrators in April 2013, thousands of users in the Reddit community collectively scoured news and information about the event and subsequent investigation. They intended to provide information to law enforcement that they could then use to seek justice. Instead, innocent people who were not involved in the crimes were outed, resulting in a misguided witch hunt.

Tesla owners

In March 2025, several Tesla owners and dealerships –confirmed that an online map had published their personal details, including names, home addresses, and phone numbers. Viewers of the map were encouraged to vandalize Teslas – a Tesla service center in Las Vegas was attacked by someone wielding a gun and Molotov cocktail. The doxxing was an attempt to stir backlash against Elon Musk.

Is doxing illegal?

Doxing can ruin lives by exposing targeted individuals and their families to both online and real-world harassment or ruining their reputations. However, doxing tends not to be illegal if the information exposed exists in the public domain and it was obtained using legal methods – though it also depends on the specific information revealed. For example, disclosing someone's real name is not as serious as revealing their home address or telephone number. However, in the US, doxing a government employee falls under federal conspiracy laws and is seen as a federal offense. Regardless of the law, doxing violates many websites' terms of service and, therefore, may result in a ban.

The laws around doxing are constantly evolving and not always clear-cut. For example, in Scotland, there are no laws that explicitly ban doxing, but in cases where doxing is seen as abusive behavior, stalking, or improper use of public electronic communications networks, for example, it could be considered a criminal offense.

Australia is also introducing targeted doxing laws that may include jail time but could include exemptions for public interest journalism and other specific situations.

It's also important to distinguish between doxing and swatting. While both involve a person’s personal information, they are different. In doxing, the attacker usually takes the target’s personal information from the public domain and then exposes it online. However, in swatting, the target’s personal information may be taken from various sources and used to send emergency services to the target’s location under false pretenses. Swatting is illegal in most jurisdictions and often carries a penalty of jail time or fines.

How to protect yourself from doxing

Almost anyone can be a doxing victim. If you’ve ever posted in an online forum, used a social media site, signed an online petition, or purchased a property, your information is publicly available. These safeguards may help users wondering how to prevent doxing.

Protect your IP address with a VPN

A VPN offers excellent protection against exposing IP addresses by encrypting traffic and keeping users anonymous. Kaspersky Secure Connection protects you from public Wi-Fi risks, keeps your communications private, and ensures you’re not exposed to phishing, malware, viruses, and other cyber threats.

Practice good cybersecurity

Anti-virus and malware detection software such as Kaspersky Premium can stop doxers from stealing information through malicious applications. Just be sure to keep all software up to date.

Use strong passwords

A strong password normally includes a combination of uppercase and lowercase letters, plus numbers and symbols. Avoid using the same password for multiple accounts, and make sure to change them regularly. A password manager can help.

Use separate usernames for different platforms

If you’re using online forums like Reddit, 4Chan, and Discord, make sure you use different usernames and passwords for each service. By using the same ones, doxers could search through your comments on different platforms and use that information to compile a detailed picture of you.

Create separate email accounts for separate purposes

Consider maintaining separate email accounts for different purposes - professional, personal, and spam. Your personal email address can be reserved for private correspondence with close friends, family, and other trusted contacts and should not be publicly listed. Your spam email can be used to sign up for accounts, services, and promotions. This may appear publicly in some situations but try to limit this as much as possible. Finally, your professional email address can be listed publicly.

Review and maximize your privacy settings on social media

Review the privacy settings on your social media profiles and make sure you are comfortable with the amount of information being shared and with whom. For example, on Instagram, it’s possible to make your profile completely private so that only people you allow to follow you can see your grid posts, stories, and followers. Facebook’s privacy settings are even more nuanced. For example, you can choose specific settings for email addresses, phone numbers, locations, photos, posts, and friends. It is possible to completely hide email addresses and phone numbers and set different levels of settings – visible to friends, friends of friends, or the public – for the other details. To activate and review privacy settings, simply navigate to the account settings section of each social media platform.

Use multi-factor authentication

Enabling multi-factor or biometric authentications where possible is another expert-recommended way to prevent doxing. Activating these security features means that you — and anyone else trying to access your account — will need at least two pieces of identification to log onto your site.

Delete obsolete profiles

While sites like MySpace and Xanga may now be out of fashion, profiles that were created over a decade ago are still visible and publicly accessible. Try to delete obsolete profiles.

Stay alert for phishing emails

Doxers may use phishing scams to trick potential targets into disclosing personal details. They often impersonate legitimate organizations, so be wary whenever you receive a message that supposedly comes from a bank or credit card company, or even a popular e-commerce company, and requests your personal information.

Hide domain registration information from WHOIS

WHOIS is a public database of all registered domain names on the web that includes personal details of the domain’s owners. Make sure to hide your details so doxers can’t find this on the database.

Ask Google to remove information

If their personal information appears in Google search results, individuals can request its removal from the search engine. Google makes this a straightforward process through an online form.

Scrub your data

Removing your information from data broker sites is another useful method for how to prevent doxing. However, it can be labor-intensive if you want to do it yourself without incurring costs. If you have limited time, start with the three major wholesalers: Epsilon, Oracle, and Acxiom. You’ll need to regularly check these databases because your information can be republished even after being removed. You can also pay for a service like DeleteMe, PrivacyDuck, or  Reputation Defender to do this for you.

Be wary of online quizzes and app permissions

Online quizzes may seem harmless, but they’re often rich sources of personal information. Since many quizzes ask for permission to see your social media information or your email address before showing you the quiz results, they can easily associate this information with your real identity. It’s best to avoid these. Mobile apps are also sources of personal data, and many ask for access permissions that are not required for their operations. Always verify an app’s legitimacy before using it and download it from official stores.

Avoid disclosing certain types of information

Wherever possible, avoid disclosing certain pieces of information in public, such as your Social Security number, home address, driver's license number, and any information regarding bank accounts or credit card numbers.

Check how easy it is to dox yourself

The best defense is to make it harder for abusers to track down your private information. You can find out how easy it is to dox yourself by:

• Googling yourself
• Carrying out a reverse image search
• Auditing your social media profiles, including privacy settings
• Checking to see if any of your email accounts were part of a significant data breach by using a site such as Haveibeenpwned.com
• Checking CVs, bios, and personal websites to see what personal information your professional presence conveys

Set up Google alerts

Set up Google alerts for your full name, phone number, home address, or other private data you’re concerned about, so you know if it suddenly appears online. It may mean you have been doxed.

Avoid giving hackers a reason to dox you

Be careful what you post online, and never share confidential information on forums, message boards, or social media sites. People may believe that creating anonymous identities gives them the chance to express whatever opinions they want, no matter how controversial, with no chance of being traced.

What to do if you have been doxed

Understanding what is doxing and how to prevent doxing is easy, but what should you do if it happens to you? The most common response to being doxxed is fear if not outright panic. Doxing is intentionally designed to violate your sense of security and cause you to panic, lash out, or shut down. If you become a doxing victim, here are some steps you can take:

Report it

It’s important to report doxing to the platform on which personal information has been posted. For those wondering how to report doxing, here’s how it works. Search the relevant platform's terms of service or community guidelines to determine their reporting process and follow it. While filling a form out, save it for the future. You’ll often need to fill out details such as your account information, contact details, the doxer’s account, and details of the doxing.

Most social media platforms and community sites have their own online forms and reporting procedures. In many cases, it’s a straightforward process. However, Facebook and Instagram have different ways to report specific forms of harassment or doxing. On most of these platforms, doxing goes against their Terms and Services, so they’ll usually act, like suspending the doxer’s account or making them remove the post. To learn more or file a report, here are links to some of the most common sites:

• Facebook
• Instagram
• TikTok
• Snapchat
• YouTube
• Substack
• Reddit

Request information removal

You may also want to remove the information that was used in the doxing attack from the public domain. For example, if your details were taken from a government database, many countries allow you to request that your personal details be removed. Similarly, most website hosting services allow domain owners to keep their details private.

In the UK and Europe, the General Data Protection Regulation (GDPR) empowers citizens to request the removal of their personal data from government systems. The specific clause is defined in Article 17 and referred to as the right to be forgotten. The EU has an online form that you can fill out to request data removal – you will also need to supply documentation such as proof of identity. In the UK, you can use the government’s contact form to make the request. In some cases, you may need to go to the specific government agency you want your data removed from. Bear in mind that some countries do not have governmental data protection. For example, Australia does not currently have the right to be forgotten.

In many countries, including Hong Kong and Australia, consumer protection laws also allow individuals to request the removal of their data from company and business databases. In these cases, you would need to contact the organization directly and follow their specific reporting process. You can find more information about this for the UK on the Information Commissioner’s Office website. In the US, the right to delete for consumers varies by state, not federal, law. For example, the California Consumer Privacy Act allows consumers to request that businesses delete their data.

Involve law enforcement

In some situations, it’s not enough to report a doxing attack to the platform it occurred on. If the attack is severe or becomes physically threatening, it is best to go to the local law enforcement. Any information pointing to your home address or financial information should be treated as a top priority, especially if there are credible threats attached.

Each jurisdiction will treat this differently, depending on exactly what the attack involves. Most jurisdictions will have their own ways of dealing with doxing, depending on whether it constitutes harassment, abuse, violence, or some other legal violation.

To make a report, you can simply walk into or call your nearest police station. In the case of immediate danger, you could call the local emergency number. Some are listed below.

• Mexico/Canada – 911
• UK/UAE/Singapore - 999
• EU/Turkey/South Africa – 112
• Australia – 000
• New Zealand - 111
• Japan – 119

You can also choose to report the doxing attack to the appropriate government channels, depending on the exact situation. Some examples are outlined below. In each case, you will need to give your information and details of the attack, along with documentation.

• UK Police
• EU Cybercrime
• Australia Esafety Commissioner
• Hong Kong Office of the Privacy Commissioner for Personal Data

Seek legal advice

To understand what legal avenues might be available in your situation, it’s best to seek advice from a lawyer. If you do not already have legal counsel, you can ask your network for a good recommendation or find a free local legal aid offer. Many schools, universities, and big companies will also have legal services that can help. You will need to be able to outline and prove the full context of the doxing attack, including who the attacker is and what the doxing entailed – this is where documentation will be useful.

Document it

Take steps to ensure that you can prove various aspects of a doxing attack. This might include taking screenshots or downloading pages on which your information has been posted or shows the attacker’s handle, but it may include preserving any emails, voicemails, texts, or social media posts that relate to the attack. As far as possible, try to ensure that dates, times, and URLs are visible in any communication. All this evidence is essential for your own reference, but it can also help law enforcement investigate the incident or be used as evidence for legal action.

Protect your financial accounts

If doxers have published your bank account or credit card numbers, report this immediately to your financial institutions(s). Your credit card provider will likely cancel your card and send you a new one. You will also need to change the passwords for your online bank and credit card accounts.

Lock down your accounts

Change your passwords, use a password manager, enable multi-factor authentication where possible, and strengthen your privacy settings on every account you use.

Ask for support

Doxxing can be emotionally taxing. Ask someone you trust to help you navigate the issue, so you don't have to deal with it alone. You can also seek professional help, such as local support lines or therapists. Many universities and organizations also offer mental health support or referrals.

Doxxing is a serious issue made possible by easy access to personal information online. Staying safe online is not always easy, but following cybersecurity best practices can help. We recommend using Kaspersky Premium, which guards against viruses on your PC, secures and stores your passwords and private documents, and encrypts the data you send and receive online with a VPN.

Related Articles and Links:

How parents can address the dangers of doxxing

Staying safe on social media

A comprehensive guide to cybersecurity training

What is Doxing (Video) Open in new window

Related Products and Services:

Kaspersky Plus

Kaspersky Standard

Kaspersky Endpoint Security Solution Kaspersky Security Awareness