The threat of doxing
In 2020, some of Brazilian President Jair Bolsonaro’s private information—including his own financial assets as well as the home addresses of his cabinet members—was posted on Twitter by the hacking group Anonymous. At the time, Antifa protests were emerging to counter pro-Bolsonaro demonstrations—a particularly vulnerable moment for political addresses to surface online.
This targeted online information exposure, known as doxing, is now a common form of online harassment. If your organization has high-profile executives or other prominent personnel, doxing increases the risk of physical threats and data security issues like identity theft. Once online, exposed information can also enable future risks like phishing, undermining your organization’s security posture and reputation.
The good news is that threat intelligence can provide a window into the illicit online communities where the seeds of doxing occur. In other words, when security and intelligence teams are armed with data on the tactics, techniques, and procedures (TTPs) of doxers, they can better identify and combat risk to brand, reputation, and executives.
What is a dox? What is doxing?
What does it mean to be doxed? Doxing is the act of exposing personally identifiable information (PII) without the victim’s consent. Doxes target an individual or an organization and are typically motivated by hacktivism, extortion, harassment, retribution, or ideological differences. While doxes vary in their content, they can include:
When this data becomes publicly available, victims are susceptible to cyberbullying, in-person harassment, and swatting—a criminal hoax, such as a fake 911 call, with the goal of diverting emergency resources that are typically reserved for real-life public safety needs to a person’s home.
Doxing (which comes from the phrase “dropping docs”) originated in the 1990s within online hacking groups as a way of punishing rivals. The practice gained prominence in gaming communities and is becoming more widespread as adversaries target companies and high-profile individuals like celebrities, executives, and politicians.
Exposed PII can also fuel long-term consequences like phishing attacks and identity theft since it’s hard to protect sensitive information once it’s published online. While doxing is associated with high-profile individuals, lower-level personnel are also targeted. Amateur doxes can also attribute PII incorrectly, which can cause false accusations and misinformation, putting uninvolved people at risk.
Real-world doxing examples
- In 2011, the hacking groups AntiSec and Anonymous exposed private information targeting 7,000 law enforcement officers. Data included SSNs, email logins, phone numbers, and personal addresses. The dox was in response to law enforcement investigations into hacking activities and is often cited as the first mainstream account of doxing.
- In 2019, Procter & Gamble launched an anti-toxic masculinity ad campaign. Shortly after, 4chan users shared the LinkedIn profile of P&G’s Chief Brand Officer, calling for others to send threatening messages. On 8chan, another imageboard site, users shared the names of staff who may have been involved in P&G’s ad production.
- In 2022, five Supreme Court justices were doxed on the dark web in response to the controversial overturning of Roe v. Wade. Doxed information included personal addresses, IP addresses, and credit card information.
Identifying and preventing doxing
Doxers follow breadcrumbs across the internet to create targeting profiles for their victims. There is plenty of publicly available information across the web that can be aggregated for this purpose. For example, doxers can exploit information found on your company’s website or your executive’s social media profile. Company information that has been leaked in past data breaches can also support doxes. Skilled hackers often use advanced tools, such as Maltego and Intelius, to gather data across the internet and build a more accurate and comprehensive dox.
Threat intelligence solutions can help security teams find doxing-related intelligence to protect your organization and its people against doxes. For example, Flashpoint addresses doxing threats by generating intelligence from doxing-associated data sources—such as social networks, paste sites, forums, and dox-hosting sites on the deep web and dark web. These sources can give your organization early visibility into attack chains leading to a dox by identifying:
- Emerging tactics, techniques, and procedures (TTPs) that hacking communities are using to dox their targets.
- Discussions suggesting that a dox targeting your organization could be imminent.
- Vulnerable information—such as leaked credit card information on a paste site or patterns of life on an executive’s social media page—that could be used to build a dox.
Additionally, threat intelligence platforms can alert your organization to doxes as soon as they emerge. This allows you to take proactive security steps, such as reporting the dox to social media sites where the dox may be hosted, securing the victim’s accounts and home, and documenting evidence.
Over the last decade, doxing has emerged as a mainstream harassment tactic targeting both high- and low-profile victims. If your organization has an online presence, information that adversaries could use in a dox is likely hiding in plain sight—whether it’s on your social media page or hidden in a data leak on Pastebin. While doxing is commonplace, your organization can stay protected by uncovering valuable intel from doxing communities and identifying vulnerable data before it gets leveraged.