What Is Doxing? Leveraging Threat Intel to Protect Your Brand and Executives

The Threat of Doxing

In 2020, some of Brazilian President Jair Bolsonaro’s private information was posted on Twitter by the hacking group Anonymous. This included his own financial assets. It also included the home addresses of his cabinet members. Antifa protests were emerging to counter pro-Bolsonaro demonstrations at the time. This was a particularly vulnerable moment for political addresses to surface online.

This targeted online information exposure is known as doxing. It is now a common form of online harassment. If your organization has high-profile executives or other prominent personnel, doxing increases the risk of physical threats and data security issues like identity theft. Once online, exposed information can also enable future risks like phishing. This undermines your organization’s security posture and reputation.

The good news is that threat intelligence can provide a window into the illicit online communities where the seeds of doxing occur. In other words, security and intelligence teams can better identify and combat risk to brand, reputation, and executives. This is true when they are armed with data into the tactics, techniques, and procedures (TTPs) of doxers.

What is a Dox? What is Doxing? 

Doxing is the act of exposing personally identifiable information (PII) without the victim’s consent. Doxes target an individual or an organization. They are typically motivated by hacktivism, extortion, harassment, retribution, or ideological differences. While doxes vary in their content, they can include:

• Home addresses
• Workplace information
• Credit card information and other financial data
• Phone numbers
• Email addresses
• Passwords
• Social security numbers (SSNs)
• Family member information
• Private correspondence
• Photographs and videos
• Criminal records
• Romantic histories

When this data becomes publicly available, victims are susceptible to cyberbullying, in-person harassment, and swatting.

Doxing (which comes from the phrase “dropping docs”) originated in the 1990s. The practice started within online hacking groups as a way of punishing rivals. Doxing gained prominence in gaming communities. It is becoming more widespread as adversaries target companies and high-profile individuals like celebrities, executives, and politicians.

Exposed PII can also fuel long-term consequences like phishing attacks and identity theft. This is because it’s hard to protect sensitive information once it’s published online. Doxing is associated with high-profile individuals. However, lower-level personnel are also targeted. Amateur doxes can also attribute PII incorrectly. This can cause false accusations and misinformation. This puts uninvolved people at risk. 

Real-world Doxing Examples

• In 2011, the hacking groups AntiSec and Anonymous exposed private information targeting 7,000 law enforcement officers. Data included SSNs, email logins, phone numbers, and personal addresses. This is the first cited and mainstream account of doxing.
• In 2019, Proctor & Gamble launched an anti-toxic masculinity ad campaign. Shortly after, 4chan users shared the LinkedIn profile of P&G’s Chief Brand Officer, calling for others to send threatening messages. 8chan users also shared the names of staff involved in P%G’s ad production.
• In 2022, five Supreme Court justices were doxed on the dark web in response to the controversial overturning of Roe v. Wade. Doxed information included personal addresses, IP addresses, and credit card information.

Identifying and Preventing Doxing

Doxers follow breadcrumbs across the internet. This is done to create targeting profiles for their victims. Vast amounts of publicly-available information often make this task extremely easy.

For example, doxers can use information found on your company’s website or your executive’s social media profile. Leaked company information from data breaches also supports doxes. Skilled hackers often use advanced tools, such as Maltego and Intelius, to gather data across the internet. They build a more accurate and comprehensive dox.

Threat intelligence solutions can help security teams find doxing-related intelligence. This can help protect your organization and its people against doxes. For example, Flashpoint addresses doxing threats. It generates intelligence from doxing-associated data sources. These include social networks, paste sites, forums, and dox-hosting sites on the deep web and dark web. These sources can give your organization early visibility into attack chains leading to a dox. They do this by identifying:

• Emerging tactics, techniques, and procedures (TTPs) that hacking communities are using to dox their targets.
• Discussions suggesting that a dox targeting your organization could be imminent.
• Leaked credit cards or other vulnerable information found on paste sites.
• Patterns of life found on an executive’s social media page.

Additionally, threat intelligence platforms can alert your organization to doxes as soon as they emerge. This allows you to take proactive security steps. Examples include reporting the dox to social media sites where the dox may be hosted, securing the victim’s accounts and home, and documenting evidence.

Over the last decade, doxing has emerged as a mainstream harassment tactic. It targets both high and low-profile victims. If your organization has an online presence, information that adversaries could use in a dox is likely hiding in plain sight. This is true whether it’s on your social media page or hidden in a data leak on Pastebin. Even though doxing is commonplace, protect yourself by uncovering valuable intel from doxing communities.

What are threat actors in illicit online communities saying about your organization? Request a demo to find out.

Frequently Asked Questions (FAQ)

Q: What is doxing and how does it pose a risk to organizations?

A: Doxing is the act of exposing an individual’s personally identifiable information (PII) without consent. It increases the risk of physical threat, identity theft, and enables future phishing campaigns, ultimately undermining the organization’s security and reputation.

Q: What kind of sensitive information is typically exposed in a dox?

A: Doxes typically expose various forms of PII, including home addresses, phone numbers, email addresses, financial details (like credit card information), family member information, and sometimes passwords or private correspondence.

Q: How does Flashpoint use intelligence to prevent doxing?

A: Flashpoint addresses doxing by monitoring doxing-associated data sources (forums, paste sites, deep/dark web). This provides early visibility into the tactics, techniques, and procedures (TTPs) used by attackers, allowing security teams to act proactively, or as soon as a dox is published.