What is doxing and how to protect yourself from it

There are many dangers lurking on the Internet, both obvious and hidden. One of them is called doxing. This is the publication of a person's personal data without their consent. How do attackers obtain confidential information, why do they post it in the public domain, and how can you protect yourself and your loved ones in such a case?

While surfing the Internet, every fifth user comes across information about themselves or their family that they would prefer not to see in the public domain. Moreover, 64 percent of people using the Internet take measures to hide data about themselves. And they are absolutely right: such information, if it falls into the hands of intruders, can turn into a formidable weapon.

Doxing (from the English word "doxing", which comes from "docs" - documents) is the collection and public disclosure of personal information about a person without their consent. Such actions may be for profit, blackmail or simply bullying. The consequences of doxing can seriously affect a person's life, up to and including its complete destruction. This is a threat to reputation, family well-being, career and even physical safety.

Information that ends up secretly online can include a name, address, phone number, email, scanned documents, personal photos, and more. Doxxing, sometimes called deanonymization, dates back to the early days of the internet in the 1990s. The term comes from the word “docs,” which emphasizes the connection to finding and publishing sensitive data.

When the Internet was just starting to develop and did not provide such broad opportunities as today, there were already people who were engaged in sabotage. They obtained scanned copies of documents in various ways, and then collected them into files and posted them in the public domain, for example, on file sharing services. This approach was often used for revenge or simply to harm a person. Doxing became especially painful for hackers, for whom anonymity was a key element of security.

Doxing has often been used for noble purposes. For example, in the late 1990s, Usenet forum members gained access to data on people suspected of having ties to neo-Nazi organizations. There have been cases where anonymous activists have posted information about drug dealers or doctors who perform illegal abortions. In the US, a website called the Nuremberg Files even appeared, where information about such doctors was posted.

In the 2010s, doxing received a new boost due to the growing popularity of social networks. Gradually, the purposes of its use began to change. If earlier these were revelations or attempts to achieve justice, now doxing has increasingly become a tool of extortion or political pressure. Journalists, politicians, businessmen and public figures increasingly became victims of online attackers.

There are many methods to obtain data from an active Internet user. Social networks remain one of the main sources of information. People post photos from home, work or leisure, add geolocation, tag friends and relatives. In the right hands, all this information can turn into a formidable weapon.

Photos often contain small details that an inexperienced viewer might not notice: car numbers, landscapes, interiors, views from the window, random links on the monitor, and much more. For doxxers, such little things are of great value. And this is despite the fact that in 2022, according to social surveys, 30 percent of people admitted that they themselves posted their real phone numbers, addresses, places of work, and other personal data on social networks.

The most convenient platform for trading confidential information is the darknet. In the shadow segment of the Internet, you can buy almost anything: credit card numbers, insurance numbers, logins and passwords, intimate photos or personal correspondence. Information is even sold wholesale, in whole databases.

Personal information is obtained in many clever ways. One of them is searching by IP address. Each device, be it a computer, smartphone or tablet, receives a unique address when connected to the network. For an ordinary person, this is just a set of numbers separated by dots. But for a specialist, these numbers hide the user's location.

To obtain an IP address, doxxers use an IP logger, a special code that helps track the victim's online activity and determine their geolocation. This code is attached to an email, and the victim activates the mini-program by simply opening the message. The location data is then sent to the attacker.

Another common method is phishing. In this case, doxxers create websites that at first glance look harmless and useful. Sometimes these are exact copies of existing resources: marketplaces, online stores or institutional websites.

After receiving the link, the victim is taken to a page that is outwardly indistinguishable from the official one, where they are asked to enter personal data: name, phone number, address, or bank card information. Phishing is considered one of the most popular doxxer tools. In 2023 alone, the number of phishing links blocked based on user complaints in Russia increased fivefold.

There are people for whom trading other people's data has become a business. They are called data brokers. They buy information from hackers or even random users. This data is obtained in various ways: through leaks, hacker attacks, website scraping or social engineering methods. Your address, phone number and card number can fall into unscrupulous hands even through such popular services as Yandex.Food. This service is periodically subject to attacks, as a result of which customer bases are stolen.

Unfortunately, the Criminal Code of the Russian Federation does not have a separate article punishing the publication of someone else's personal information. Such actions can be classified as an offense only in the context of other crimes. Doxxers are often prosecuted under Article 137 of the Criminal Code of the Russian Federation, which provides for liability for violating the privacy of private life. If we are talking about extortion, their actions may fall under Article 163 of the Criminal Code of the Russian Federation.

In many other countries, doxxing is already considered a separate crime. Publishing or transmitting someone else's confidential data is punishable by law in Hong Kong, the United States, Spain, and the Netherlands. Punishment includes large fines, reaching five-digit dollar amounts, and even imprisonment.

In our reality, we have to rely on ourselves, not on the law. Surprisingly, it is not that difficult to fight doxing. Even users with minimal experience can handle it. The first thing to pay attention to is passwords. Using complex combinations of random numbers, letters in different registers and symbols will help protect accounts from being hacked by brute force or using popular programs.

Two-factor authentication is a great way to protect your accounts from intruders. Even if someone finds out your password, they won’t be able to access your account: they’ll need additional confirmation from your phone to log in. It wouldn’t hurt to be as cautious as usual. Try not to share details of your life on social networks. It’s best to make your pages private so that only friends can see them.

Be careful with emails and instant messages, especially if they contain links or images. Often, clicking on an image or link launches malicious code that sends your data to criminals. Regularly updating applications and operating systems helps improve the level of protection. Developers quickly respond to new hacker tricks and release patches.

Try to avoid using public Wi-Fi networks. These hotspots are especially vulnerable to cybercriminal attacks. Some are created specifically to steal personal data. If you download a program or mobile application, give preference to official versions from trusted sources, such as Google Play and App Store.

Doxing is a serious threat that can affect anyone. In a world where information is becoming increasingly accessible, the issue of personal data security is of particular importance. Have you ever wondered how much information about you can be found in the public domain? What precautions do you already take, and which do you consider excessive? Share your thoughts in the comments!