Threat Glossary

What is doxxing?

Doxxing (also spelled “doxing”) is the deliberate collection and public release of someone’s private, identifying information — such as their home address, phone number, employer, or family members — with the intent to harass, intimidate, or put them in physical danger.

The word comes from “dropping docs” (documents). What makes doxxing dangerous isn’t that any single fact is secret — most of it is scattered across public records, breach dumps, and social media. It’s that an attacker aggregates those scattered fragments into a single dossier and then weaponizes it. Below is how the attack actually works, and what you can do to break the chain before it reaches your front door.

How doxxing works

A doxx almost never starts with a hack. It starts with aggregation — stitching together data that is already exposed. A typical sequence looks like this:

  • Seed identifier. The attacker starts with one thing you’ve made public: a username, an email, a phone number, or a photo.
  • Correlation. Reused handles link your gaming account to your Reddit account to your LinkedIn. A single reused username can bridge an anonymous profile to your legal name.
  • Broker lookup. People-search sites (data brokers) sell your legal name, current and past home addresses, age, and relatives for a few dollars — or show them for free.
  • Public records. Voter registration, property deeds, court filings, business registrations, and domain WHOIS records fill in the gaps.
  • Breach data. Old data breaches expose the email-to-password-to-phone links that confirm identity and unlock accounts.

Put together, these turn a pseudonymous online presence into a real person at a real address with a real family — often in under an hour, using only public and for-sale data.

How attackers use a doxx

Publishing the dossier is rarely the end goal — it’s the enabler. Once your information is compiled, it fuels:

  • Harassment campaigns. Coordinated mobs flood your phone, email, and employer with threats.
  • Swatting. Attackers place a false emergency call (a hostage situation, a bomb threat) to your real address, provoking an armed police response. Swatting has caused deaths.
  • Stalking and physical intimidation. A home address turns online conflict into real-world danger for you and the people you live with.
  • Extortion and account takeover. The same data feeds SIM-swap attempts, password resets, and social-engineering of your bank or carrier.

Real-world examples

Doxxing has been used against journalists to intimidate them off a story, against streamers and content creators who are then swatted mid-broadcast, against activists and abuse survivors to expose their location, and against ordinary people caught up in a viral online dispute. In many high-profile harassment campaigns, the participants never breached a single system — they simply assembled what data brokers and old breaches were already handing out. That is what makes it so accessible, and why removing your data from those sources is the single most effective defense.

How to protect yourself

Concrete steps you can take today to reduce your exposure.

Remove yourself from data brokers

People-search sites are the backbone of most doxxes. Opting out (or using an authorized agent to file removals across hundreds of them) pulls your address and phone off the open web.

Break username correlation

Use distinct usernames and emails for pseudonymous accounts so a reused handle can’t bridge your anonymous profile to your legal identity.

Lock down social media

Set profiles to private, strip location tags and EXIF geodata from photos, and remove birthdays, hometown, and employer where you don’t need them public.

Turn on strong authentication

Enable app-based or hardware two-factor authentication so a leaked password can’t be turned into a full account takeover.

Shield high-risk records

If you’re at elevated risk, use a PO box or a registered-agent address, and check whether your state offers an address-confidentiality program.

Monitor continuously

Brokers relist you within weeks and new breaches surface constantly. Ongoing monitoring catches re-exposure before an attacker does.

Frequently asked questions

Is doxxing illegal?

Doxxing itself sits in a legal gray area because much of the data is public. But the acts it enables — stalking, harassment, threats, swatting, and identity theft — are crimes in most jurisdictions, and several states and countries have passed laws that specifically target the malicious publication of private information.

What should I do if I’ve been doxxed?

Document everything with screenshots, report the posts to the platforms hosting them, contact law enforcement if there are threats, tighten your account security immediately, and begin removing the exposed data from the data brokers and breach sources that fed the doxx so it can’t simply be reassembled.

Can I remove my information once it has been posted?

You can’t always erase a screenshot that’s already circulating, but you can cut off the supply. Removing your data from people-search sites and securing breached accounts means that when the current post fades, an attacker can’t easily rebuild the dossier from fresh sources.

See what’s exposed about you — free

Attackers start with the data that’s already public: your leaked passwords, your breached accounts, and your address on data-broker sites. Run a free scan to see exactly what’s out there about you — then remove it.

The first scan is free with no signup. Broker removals are filed as your authorized agent under CCPA and state-equivalent law. Your results are private to you — we never sell your data.