Doxing (alternately spelled “Doxxing”) is the research and broadcasting of personally identifiable information about an individual or individuals. It is done for a variety of reasons.
Doxing (Doxxing) can be considered the “sucker punch” of cyber warfare, in the sense that people with limited skills can pull it off and be successful at it.
A Doxing (Doxxing) attack can be considered a success when the information sought is captured and then publicly posted.
What is the purpose of doxing (doxxing) ?
Doxing is done for purposes of intimidation, coercion, extortion, blackmail, or just an overall reduction of the intended target’s personal security.
Why is doxing/doxxing dangerous?
Grant Cunningham describes the problem posed with regards to defending a known (to the enemy) fixed position (your home).
The reality is that it’s relatively easy to mount a strong defense when you don’t have to do it for very long. You don’t get tired, you don’t get complacent, and you don’t spend every last dime keeping that strong defense active.
- Doxing (Doxxing) can be a springboard for
- Targeted Hacking of home networks, email, websites, blogs, social media accounts, etc.
- Spear Phishing
- War Driving
- Unwanted solicitations by mail and email
- Sabotaging of promotional efforts
- Identity Theft
- Online Impersonation
- Harassing phone calls or text messages
- Sabotage and any other threats facing a known fixed position
Historical Examples of Doxing (Doxxing) and the Usage of Dox
- 1996: Neal Horsley publishes the Nuremberg Files containing the personal information of abortion clinic doctors and nurses. The site is linked to the murder of Dr. Barnett Slepian by James Charles Kopp.
- 2004: The Cleveland Plain Dealer publishes the names and addresses of Ohio concealed carry permit holders.
- 2007: The names and addresses of Virginia concealed handgun permit holders are released by a Roanoke newspaper. Virginia public records law is subsequently updated to prevent media access to such records.
- 2011: CSGV’s Twitter account gets suspended for doxing a gun blogger.
- 2012: Film director Spike Lee posts a home address wrongly linked to George Zimmerman on his Twitter account. He was subsequently sued by the elderly couple who lived at the address in question and settles out of court for $10,000.
- 2013: Livestreaming gamer Jordan Mathewson is SWATted.
- 2013: John Cook of Gawker publishes the names of gun permit holders in New York City and his personal information is posted in retaliation.
- 2013: The Journal News of Westchester County, New York publishes the names and addresses of pistol permit holders. In retaliation, Journal News staff members’ personal information gets released by gun rights activists.
- 2013: An undercover Riverside County Sheriff’s deputy named Daniel Zipperstein befriends and then tricks an autistic teenager named Jesse Snodgrass into buying marijuana and then arrests him. Hacker collective Anonymous launches #OpZipperstein and posts the personal information of the deputy, his family, and the school officials that authorized the undercover operation in their school.
- 2013: The personal information of the Vice President Joe Biden, the Attorney General Eric Holder, and the First Lady Michelle Obama are released by hackers
- 2014: Anita Sarkeesian and the GamerGate controversy
- Her experiences detail some of the more sophisticated reputational attacks that can be done with access to personal information.
- 2014: After the shooting incident involving Mike Brown, Officer Darren Wilson’s personal information is published online
- 2014: The personal information of the NYPD Officers involved in the death of Eric Garner is released by various parties.
- Whois Information
- County and State Property Tax Offices
- County Clerk’s Offices
- University pages and alumni records
- email and phone number
- Targeted hacking of professional organizations
- Look at JustDeleteMe
- Intelius.com* – Opt-out
- Acxiom.com – Opt-out
- MyLife.com – To request that a Member Profile or Public Profile be deleted, please contact Customer Care at 1-888-704-1900 or contact us by email at firstname.lastname@example.org. Upon receipt of these requests, and confirmation that you are requesting that your own profile be removed, please allow MyLife 10 business days to complete this removal. It may be necessary to contact you to validate that you are the profile owner requesting the removal. This is to ensure the correct identity and profile ownership before completing these requests, and is for the protection of our users and their privacy.Zabasearch.com* – Opt-outSpokeo.com – Opt-outBeenVerified.com – LawyerCT’s guide Peekyou.com – Opt-Out USSearch.com* – Opt-Out PeopleFinders.com – Opt-Out: Annoying form you have to mail in PeopleLookup.com* – In order for PeopleLookup to suppress or opt out your personal information from appearing on our Website, we need to verify your identity. To do this, we require faxed proof of identity. Proof of identity can be a state issued ID card or driver’s license. If you are faxing a copy of your driver’s license, we require that you cross out the photo and the driver’s license number. We only need to see the name, address and date of birth. We will only use this information to process your opt out request. Please fax to 425-974-6194 and allow 4 to 6 weeks to process your request. PeopleSmart.com – Opt-Out PrivateEye.com – Opt-Out Whitepages.com – Opt-Out USA-People-Search.com – Opt-Out: Yet another form to mail in Spoke.com – Scroll Down to Access and Correction Section for more info PublicRecordsNow.com DOBSearch.com* – In order for us to “opt out” your public information from being viewable on the public DOBsearch People Finder search results, we need to verify your identity and require faxed proof of identity. Proof of identity can be a state issued ID card or driver’s license, or notarized letter. If you are faxing a copy of your driver’s license, you may cross out the photo and the driver’s license number. We only need to see the name, address and date of birth. Please fax to 516-717-3017 and allow 4 to 6 weeks to completely process your request. It is your responsibility to ensure legibility of your document Radaris.com – Opt-Out;
- Google yourself!
- Don’t let your phone applications access your GPS data
- Submit requests to directory sites to take down your information
- Segregate work and personal accounts
- Don’t use the same username and profile for every forum and site
- Lock down your Facebook profile
- Lock down your LinkedIn profile
- Create multiple user accounts on your home PC
- Make the passwords difficult to guess
- Use a LiveCD operating system for online banking.
- Do all of the above for your parents and relatives.
- Make sure your home WiFi is WPA2
- Make your home WiFi password VERY difficult to guess
- Make your email passwords very difficult to guess
- Use two-factor authentication whenever you can.