What Is Doxing? Leveraging Threat Intel to Protect Your Brand and Executives

The threat of doxing

In 2020, some of Brazilian President Jair Bolsonaro’s private information—including his own financial assets as well as the home addresses of his cabinet members—was posted on Twitter by the hacking group Anonymous. At the time, Antifa protests were emerging to counter pro-Bolsonaro demonstrations—a particularly vulnerable moment for political addresses to surface online.

This targeted online information exposure, known as doxing, is now a common form of online harassment. If your organization has high-profile executives or other prominent personnel, doxing increases the risk of physical threats and data security issues like identity theft. Once online, exposed information can also enable future risks like phishing, undermining your organization’s security posture and reputation.

The good news is that threat intelligence can provide a window into the illicit online communities where the seeds of doxing occur. In other words, when security and intelligence teams are armed with data into the tactics, techniques, and procedures (TTPs) of doxers, they can better identify and combat risk to brand, reputation, and executives.

What is a dox? What is doxing? 

Doxing is the act of exposing personally identifiable information (PII) without the victim’s consent. Doxes target an individual or an organization and are typically motivated by hacktivism, extortion, harassment, retribution, or ideological differences. While doxes vary in their content, they can include:

• Home addresses
• Workplace information
• Credit card information and other financial data
• Phone numbers
• Email addresses
• Passwords
• Social security numbers (SSNs)
• Family member information
• Private correspondence
• Photographs and videos
• Criminal records
• Romantic histories

When this data becomes publicly available, victims are susceptible to cyberbullying, in-person harassment, and swatting.

Doxing (which comes from the phrase “dropping docs”) originated in the 1990s. The practice started within online hacking groups as a way of punishing rivals. Doxing gained prominence in gaming communities and is becoming more widespread as adversaries target companies and high-profile individuals like celebrities, executives, and politicians.

Exposed PII can also fuel long-term consequences like phishing attacks and identity theft since it’s hard to protect sensitive information once it’s published online. While doxing is associated with high-profile individuals, lower-level personnel are also targeted. Amateur doxes can also attribute PII incorrectly, which can cause false accusations and misinformation, putting uninvolved people at risk. 

Real-world doxing examples

• In 2011, the hacking groups AntiSec and Anonymous exposed private information targeting 7,000 law enforcement officers. Data included SSNs, email logins, phone numbers, and personal addresses. This is the first cited and mainstream account of doxing.
• In 2019, Proctor & Gamble launched an anti-toxic masculinity ad campaign. Shortly after, 4chan users shared the LinkedIn profile of P&G’s Chief Brand Officer, calling for others to send threatening messages. 8chan users also shared the names of staff involved in P%G’s ad production.
• In 2022, five Supreme Court justices were doxed on the dark web in response to the controversial overturning of Roe v. Wade. Doxed information included personal addresses, IP addresses, and credit card information.

Identifying and preventing doxing

Doxers follow breadcrumbs across the internet to create targeting profiles for their victims. Vast amounts of publicly-available information often makes this task extremely easy.

For example, doxers can exploit information found on your company’s website or your executive’s social media profile. Leaked company information from data breaches also supports doxes. Skilled hackers often use advanced tools, such as Maltego and Intelius, to gather data across the internet and build a more accurate and comprehensive dox.

Threat intelligence solutions can help security teams find doxing-related intelligence that can help protect your organization and its people against doxes. For example, Flashpoint addresses doxing threats by generating intelligence from doxing-associated data sources—such as social networks, paste sites, forums, and dox-hosting sites on the deep web and dark web. These sources can give your organization early visibility into attack chains leading to a dox by identifying:

• Emerging tactics, techniques, and procedures (TTPs) that hacking communities are using to dox their targets.
• Discussions suggesting that a dox targeting your organization could be imminent.
• Leaked credit cards or other vulnerable information found on paste sites.
• Patterns of life found on an executive’s social media page.

Additionally, threat intelligence platforms can alert your organization to doxes as soon as they emerge. This allows you to take proactive security steps, such as reporting the dox to social media sites where the dox may be hosted, securing the victim’s accounts and home, and documenting evidence.

Over the last decade, doxing has emerged as a mainstream harassment tactic targeting both high and low-profile victims. If your organization has an online presence, information that adversaries could use in a dox is likely hiding in plain sight—whether it’s on your social media page or hidden in a data leak on Pastebin. Even though doxing is commonplace, protect yourself by uncovering valuable intel from doxing communities.

What are threat actors in illicit online communities saying about your organization? Sign up for a free Flashpoint trial to find out.