Doxxed: How It’s Done and How to Combat It

To be doxxed is to have private information about you published publicly on the internet, usually for intimidation or humiliation. Doxxing is extremely scary to the average person because, without understanding the doxxer's process, it seems like they have access to some confidential computer system or have hacked you in some form. The reality is they likely used tidbits of information about your online persona and filled in the full picture of your life from that. Doxxers gain information exponentially as they find more, since each find gives them new hints about other online profiles, usernames, friends, family, etc.

Below is an example scenario of how a more straightforward dox could unfold:


The scenario: Jason Bourne irritates someone while playing on his Xbox account. The doxxer goes to Google and searches for his Xbox Live gamertag, which turns up a Twitter account that shares the same username. While searching through Jason’s tweets, the doxxer finds his cell number. With this number he goes to Facebook, imports the phone number as a contact, and gets a link to Jason’s Facebook profile. From there he can build out a full dox to send to Jason as a show of intimidation.

The process of doxxing is almost never as straightforward as this example, but the principles remain the same:

  1. Find usernames that have been reused
  2. Many people don’t have unique full names; use critical thinking and personality hints to know when you have found the right profile. Example: knowing their favorite band and seeing posts about the band on their Twitter
  3. Find links to other social media, then grab those usernames and repeat the process until search engines return no information that hasn’t already been discovered
  4. When a person has locked social media profiles, start looking for family members with public profiles and build a dox around that

Resources:

Google

Google has more indexed pages than any other search engine. It also keeps cached pages, which helps if a page no longer exists but the cached page is still available on Google. For example:

Here is a listing of my site’s About page. If you click the green arrow, you can see whether a cached version of the page is available.

Other Google tips:

You can search for the exact username, and not just what Google thinks is relevant, by enclosing the search string in double quotes:

Without the double quotes we get less relevant results unrelated to the actual username:

If you want to search for results just for a certain site you can do: site:websitename.com search string

Twitter

Twitter users tend to be younger (18-29), while Facebook users tend to be older.

Like many other social media platforms, Twitter lets you find the owner of an account with either their phone number or email address. To do this, you create a contact in your phone with a found email or phone number, then import your contacts through the Twitter app. If an account with the given phone number or email is found, Twitter will show you a link to their full profile.

To combat this, you can change your Twitter Privacy and Security settings to turn off discovery.

Facebook

Similar to Twitter, you can make a contact in your phone for a given email or phone number, then sync it to Facebook, and it will give you a link to the profile if an account exists with one of them.

You can protect yourself from this by going to Settings -> Privacy and changing the settings to:

Setting your friends list to private also protects you from doxxers who look through your friends list. This still isn’t fully effective: things like Cover Photos and Profile Pictures will show likes by friends even when the list is private, and a doxxer can take those names and build around them.

Snapchat

Yet again the import contacts option can be used maliciously. That’s why having a throwaway email account for each online account is so important.

To turn off discovery you can do the following:


Radaris and Spokeo

https://radaris.com/

https://spokeo.com/

With a name and a general location, you can use Radaris or Spokeo to get a physical address. These are paid services, but the sample information they give you is usually enough to narrow down a location to a street name.

You can opt out of these through their opt-out pages/process. Unfortunately they use multiple data sources, so you’ll likely have to keep removing your data once or twice a year.

https://www.spokeo.com/optout

https://radaris.com/page/how-to-remove

Final Notes:

The benefits vs. consequences of social media should always be considered when making an account under your real name with details about your personal life. At the very least you should always lock down your accounts to be as private as possible and remove any accounts that are inactive.

Even an account that is private can give enough data for a doxxer to gain insight into your personal information.
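
A self-audit built on the scenario above and on the throwaway-email advice: list your own accounts, then see which ones can be tied together through a reused username, email or phone number. This is an added example, not part of the original post; the inventory, account names and all values in it are constructed, and the script only reads that local list.

```python
from collections import defaultdict, deque

# Constructed inventory of one person's own accounts (every value is made up).
ACCOUNTS = {
    "xbox":     {"username": "gamer_tag77", "email": "games.only@example.com", "phone": None},
    "twitter":  {"username": "gamer_tag77", "email": "main@example.com", "phone": "+1-555-0100"},
    "facebook": {"username": "first.last", "email": "main@example.com", "phone": "+1-555-0100"},
    "snapchat": {"username": "snap_alias", "email": "snap.only@example.com", "phone": None},
}

def shared_identifiers(accounts):
    """Map each (field, value) pair to the set of accounts that reuse it."""
    seen = defaultdict(set)
    for name, fields in accounts.items():
        for field, value in fields.items():
            if value:
                seen[(field, value.strip().lower())].add(name)
    return {key: names for key, names in seen.items() if len(names) > 1}

def linkable_from(accounts, start):
    """Breadth-first walk over reused identifiers starting at one account.

    Returns {account: [(from_account, field, to_account), ...]}, i.e. the
    chain of reused identifiers that ties each reachable account to `start`.
    """
    shared = shared_identifiers(accounts)
    paths = {start: []}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for (field, _value), members in sorted(shared.items()):
            if current not in members:
                continue
            for other in sorted(members - set(paths)):
                paths[other] = paths[current] + [(current, field, other)]
                queue.append(other)
    return paths

if __name__ == "__main__":
    for account, chain in linkable_from(ACCOUNTS, "xbox").items():
        hops = " -> ".join(f"{a} [{field}] {b}" for a, field, b in chain)
        print(f"{account}: {hops or 'starting point'}")
    isolated = set(ACCOUNTS) - set(linkable_from(ACCOUNTS, "xbox"))
    print("not linkable from xbox:", sorted(isolated))
```

Every hop in the output is an identifier worth replacing with a unique one; an account that stays isolated, like the constructed snapchat entry here, is what a per-account username and throwaway email buy you.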