Doxing: How it works and how to defend against it

Laptop with a vault door.

The growth of the internet has seen a rise in cyberbullying, online stalking—and doxing in particular. But there are ways to protect yourself and your family.

Understanding how doxing works and identifying the most common forms of doxing will help you protect yourself from online harassment and having your private information leaked on the internet. 

[Want more tips on privacy and security? Sign up for the ExpressVPN Blog Newsletter.]

That said, unless you’ve taken the time to tighten up your online privacy and security settings, a lot of your personal information is available online. Perhaps more than you might think.

Jump to…
How does doxing work?
What are some examples of doxing?
How do doxers obtain your information?
Is doxing illegal?
How to defend against doxing

How does doxing work?

Doxing (which is sometimes written as “doxxing”) is short for “dropping documents” and the act of revealing identifying information about someone online—specifically without the victim’s permission. 

When your personal data is exposed online, it can be used against you in several ways. Someone with your mobile number or email address could harass you with messages, or if sensitive information about your past were revealed, you could suffer reputational damage among family, friends, or colleagues—or even the loss of employment or business. 

In extreme cases, it can result in identity theft, cyberbullying, harassment, online threats, or even physical threats. 

What are some examples of doxing? 

Doxing is often a malicious act to intimidate or embarrass someone—for example, a journalist who’s written a controversial piece that certain people disagree with. But you don’t have to be in a high-profile position to suffer this fate.

Common examples of personal, private information about you that can be doxed include: 

  • Your real name 
  • Your home address
  • Your workplace
  • Your contact information like phone number and email address
  • Important information like your social security or passport number
  • Your credit card numbers or bank accounts
  • Criminal records
  • Personal photos or private correspondence
  • Embarrassing personal history

How do doxers obtain your information?

You’d be surprised what you can learn about a person through public records armed with just their legal name. In many places, voting registration information is public and vehicle ownership information can be obtained through government departments or insurance companies. Court records are often easily searchable, as are professional licenses.

Be very careful about what you share online—especially your location. Think twice about posting that Starbucks selfie if your social media profile is publicly accessible and you’ve opted in to location tags; or what information you share on public forums like Reddit. Posting about local elections or your children’s school bus route (“First day of school! #proudparent”), for example, can give doxers clues about you and your family’s location. 

Doxers or online stalkers may be able to use an IP logger to trace your online activities and gain personal information. Even though your IP address is owned by your internet service provider, it can still reveal details about you (hint: use a VPN). 

Is doxing illegal? 

Whether doxing is illegal depends on what’s published and how the information was attained. Doxing often exposes information readily available in public records and obtainable through legal methods. 

So even if your previous criminal record, marriage certificate, or address is posted online without your consent, it’s not illegal in some jurisdictions—even if it’s highly immoral and a violation of your right to privacy. 

Doxing information that isn’t in the public record—such as your credit card details or bank account—however, is illegal. Beyond psychological harm and the feeling of helplessness doxing and online stalking causes, in extreme cases, it can translate to a physical threat if your real-world location is doxed.

How to defend against doxing

But there are ways to protect against online harassment and ensure doxing or stalking doesn’t become a physical threat to you or your family. 

Our guide on tech safety for survivors of domestic violence serves as help for those seeking to protect themselves using technological means. You might fear or experience harassment online because of who you are or what you write about. Perhaps you’ve been a victim of violence in the past or continually experience threats to your life and safety. If so, this directory may help you. 

Beyond technology, there are many other options to battle harassment, such as psychological help and legal action. What’s important is that you seek and receive support in a safe way. 

Legal deterrents have proven to be largely insufficient in preventing online harassment. Unfortunately, this means we have to take action to protect ourselves and those close to us. There is still hope, though, precautions against online harassment do not require advanced knowledge of technology. Solutions are cheap and easy to learn, so read on for ways to defend yourself against doxing.


Don’t use your real name online

Your best protection against harassment and being doxed by online stalkers is to separate your legal identity from your internet handle.

If your online pseudonym isn’t connected to your legal identity, it’s much harder to be doxed and therefore fewer resources are required to defend your physical space and protect those around you.

Using a pseudonym might not always be an option, however. You might, for ideological or principal reasons, choose not to “hide” behind a pseudonym. Maybe you’ve already built a brand around your legal name, or represent an institution that requires the use of your actual identity.

Using a pseudonym rarely seems like a fair solution. Why should we have to hide behind fake names while many perpetrators of doxing and harassment freely, and without repercussion, use their birth names? Keeping your physical location private is therefore tremendously important if you’re using your legal identity online.


Find out what information is out there

Knowing what information is publicly available can help you anticipate and prevent being doxed. Regularly search for your own name online, or even hire a private investigator to compile the information they find about you.

You can legally hide private records with lawyers and shell companies. Similarly, vehicle registration or homeownership can be registered to companies in privacy-friendly jurisdictions.

Stay anonymous on the internet whenever you can and be wary of de-anonymization methods. Revealing your legal name should be a conscious action and not something someone else controls. Separating your online activity between anonymous browsing, pseudonyms, and legal name is a good practice to avoid danger and frustration.


Delete your Google Activity frequently

Google Activity knows every link you’ve followed, every image you’ve clicked on, and every website you’ve visited—even if you’ve cleared your search history. Disabling or deleting your Google Activity history is therefore a good way to minimize the chances of this data being maliciously accessed and used against you. 

It’s also a smart move to turn off your phone’s GPS and delete your Google Maps Timeline, which keeps a record of routes you may have taken and places you may have visited based on your location history.


Secure your social media presence

Many social media platforms set your privacy settings to “public” by default. Changing this setting is a simple but effective way to prevent unwanted attention via social media.


Tighten up your password security

Don’t use easy to guess passwords containing common words like “password,” simple sequences like “1234,” or ones that include the names or dates of birth of your partner, children, or pets. 

Re-using passwords across different sites and apps is also a bad idea: If one account is compromised, then all your accounts are liable to be compromised. If you struggle to remember several long, complex passwords, consider using a secure password manager across your devices.

Use two-factor authentication wherever possible. This extra level of security means that once you enter your password, you’ll be sent a code to input (usually via SMS, email, or via an authenticator app on your device) before you can access your account.


Use a VPN when you’re online

Using a VPN is an excellent way to be more anonymous online as your device traffic is redirected through a secure and encrypted VPN tunnel. VPNs also make your location private by masking your real IP address, so no third parties snooping around can gain clues to your real-world location. 

If you’re connecting to public Wi-Fi networks, such as in cafes, hotels, or airports, it’s advisable to encrypt your traffic with a VPN—especially if you’re accessing your social media profiles or internet banking. 

If you’ve been affected by or are concerned about doxing, online stalking, or the potential for it to escalate into physical threats, read the full tech safety for survivors of domestic violence guide here.

Phone protected by ExpressVPN.
Mask your IP address with a VPN

30-day money-back guarantee

A phone with a padlock.
Enjoy a safer online experience with powerful privacy protection
What is a VPN?
Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.