Doxing and Online Harassment Campaigns: What They Are and How to Protect Yourself

A Growing Threat in the Digital Age

Doxing, derived from an older spelling of 'documents', refers to the practice of researching and publicly publishing private or identifying information about an individual without their consent. It is often used as a tool of harassment, intimidation, or retaliation. Combined with coordinated online harassment campaigns, where groups of people direct sustained abuse at a target, it can have severe consequences for the victim's safety, mental health, employment, and daily life.

What was once a tactic associated primarily with online subcultures and gaming communities has become a mainstream concern. Journalists, activists, researchers, customer service workers, public figures, and ordinary people who express opinions online have all been targeted. You do not need to be famous or controversial to become a target. Sometimes doxing is triggered by a comment, a social media post, or even just being in the wrong place at the wrong time online.

Understanding how doxing works, what information is at risk, and how to reduce your exposure is an increasingly important aspect of digital safety for everyone.

What Information Is Typically Doxed?

A doxing 'package' typically includes personal identifying information that the attacker has gathered about the target. This often includes full legal name; home address or general location; phone number; email address; employer and workplace address; social media accounts and usernames across platforms; photographs; family members' names and information; and in some cases, financial information or identification numbers.

Attackers may also include fabricated or exaggerated information designed to provoke stronger reactions from those they are trying to incite against the target.

Once published, this information is used to enable further harassment, including abusive messages and calls, swatting (making false emergency calls to send armed police to a person's address), physical intimidation, contacting the person's employer to cause professional damage, and threats of violence.

How Do Attackers Gather This Information?

One of the most important things to understand about doxing is that a significant amount of the information used is gathered from publicly available sources. Attackers are skilled at combining fragments of information from multiple places to build a detailed picture of someone's identity and location.

Common sources include social media profiles, where people often share their location, workplace, daily routines, and personal details; old forum posts and public comments, sometimes going back many years; public records, which in many countries include property ownership, electoral rolls, court records, and company director information; data broker websites, which collect and sell personal information and are accessible to anyone willing to pay a small fee; LinkedIn and professional networking sites, which often contain detailed employment information; and metadata embedded in photographs, which can reveal the location where an image was taken.

Some attackers also use social engineering, impersonating officials or acquaintances to extract information from the target or people who know them. Others use data from historical breaches that have been leaked online.

The picture that emerges from combining these sources can be remarkably detailed, even for people who believe they have been careful about their online privacy.

Reducing Your Digital Footprint

Reducing the amount of personal information that is publicly accessible is the most effective long-term defence against doxing. This does not mean disappearing from the internet entirely, but it does mean being more deliberate and cautious about what you share and where.

Start with your social media accounts. Review your privacy settings on every platform you use, including older accounts you may not actively use but have not deleted. Set personal profiles to private where possible. Remove specific location information from posts and your profile. Avoid posting your home address, workplace address, or daily routine. Be cautious about tagging locations in photographs, particularly those taken at or near your home.

Review the personal information visible on your professional profiles, such as LinkedIn. Consider whether it is necessary to display your precise location, your phone number, or your full employment history publicly. Many people share far more than is professionally necessary on these platforms.

Search for yourself online periodically. Use your name, your username, your phone number, and your email address as search terms and see what comes up. This gives you an idea of what is visible and allows you to take action to remove or restrict it.

Disable location data in your phone's camera settings or strip metadata from photographs before sharing them online. Many photo-editing applications and websites can do this automatically.

Data Brokers: The Hidden Risk

Data broker websites are companies that collect personal information from public records, social media, commercial transactions, and other sources, and make it available for purchase or free viewing. They are largely unregulated in many countries and represent a significant privacy risk, because they aggregate information in ways that make doxing much easier.

Opting out of data broker sites is time-consuming but worthwhile. Many brokers have an opt-out process, though it is often deliberately cumbersome, requires you to submit personal information (which is itself a risk), and may not be permanent. There are services and tools that can help automate the opt-out process across multiple data brokers; some are free and some charge a fee. Given the scale of the problem, these services can be a worthwhile investment.

In some regions, data protection legislation gives individuals the right to request that their personal information be removed from commercial databases. In the European Union, the General Data Protection Regulation (GDPR) includes a right to erasure in certain circumstances. Similar rights exist in various forms in Brazil, California, and other jurisdictions. If you are in a region with such laws, you can use them.

Using Separate Identities for Different Online Activities

One practical strategy, particularly if you participate in online communities where there is any risk of attracting hostile attention, is to use separate usernames and accounts for different activities. A username you use for gaming or political discussion should ideally not be traceable to your real name, employer, or physical location.

This compartmentalisation is not about deception. It is about limiting the amount of information available to a bad-faith actor who might want to compile a profile of you. If your gaming username is not connected to your real name, your professional profile, or your location, it is much harder for someone to build a dossier on you.

Use a unique username that does not incorporate your name, initials, or other identifying information. Avoid using the same username across multiple platforms, as this makes it easy to connect your different online identities.

Securing Your Accounts and Personal Data

Account security is closely related to doxing protection. If an attacker can access your email, social media, or other accounts, they gain access to a wealth of personal information that they can then publish or use for targeted harassment.

Use strong, unique passwords for every account. A password manager makes this practical. Enable two-factor authentication (2FA) on all accounts that support it, particularly email, social media, and financial accounts. Be cautious about phishing attempts, which are messages designed to trick you into providing your login credentials.

Consider using a separate email address for public-facing activities such as forum registration, online shopping, and mailing list subscriptions, keeping your primary email address as private as possible. Virtual phone numbers, available through various apps and services, can serve a similar purpose for providing a contact number without exposing your real mobile number.

If You Are Doxed: Immediate Steps

If you discover that your personal information has been posted online without your consent, act quickly. The aim in the immediate term is to document what has happened, limit the spread, and protect your physical safety if necessary.

First, take screenshots or otherwise document the doxing post before it is taken down, as you will need this evidence for any reports or legal action. Note the URL, the platform, and the date and time.

Report the content to the platform where it has been posted. Most major platforms have policies against doxing and will remove such content when reported. Use the platform's reporting tools and, where possible, escalate to trust and safety teams. Be persistent; reports sometimes require follow-up.

If your home address has been posted and you are concerned about your physical safety, consider whether you need to take precautions. In some situations, this might mean staying with a friend or family member temporarily, alerting trusted neighbours to be watchful, or contacting police. In situations where there are credible threats of violence, contact the police immediately.

Consider contacting your employer if your workplace has been exposed, so that they are aware and can take appropriate precautions. Similarly, alert family members whose information may have been shared, so they are not caught off guard by contact from strangers.

Dealing With a Coordinated Harassment Campaign

Coordinated harassment campaigns, sometimes called pile-ons or mob harassment, typically involve large numbers of people sending abusive messages, death or rape threats, calls for the person to be fired, and other targeted abuse, often orchestrated through shared forums or social media groups.

These campaigns are deeply distressing, even when you know intellectually that most of the messages come from strangers with no real knowledge of you. The volume and persistence of abuse can make it feel inescapable.

Practical steps include temporarily making your social media accounts private or restricting who can contact you; using platform tools to mute, block, or filter out abusive content; stepping away from the platform entirely for a period if the campaign is overwhelming; and leaning on trusted friends, colleagues, or support organisations.

Do not engage with or respond to abusive messages. Responses, even defiant ones, typically provide fuel for further escalation. The goal of many harassment campaigns is to provoke a reaction; withholding that reaction removes some of the satisfaction for those involved.

Document everything. Save evidence of the harassment, including usernames, messages, and dates. This is important both for any reports you make to platforms and for any potential legal action.

Legal Options and Reporting

The legality of doxing and online harassment varies by jurisdiction, but many countries do have laws that apply to these behaviours. Depending on where you are, relevant offences might include harassment, stalking, making threats, malicious communications, and in some cases, specific laws around the non-consensual sharing of personal information.

In the UK, the Protection from Harassment Act 1997, the Malicious Communications Act 1988, and the Online Safety Act 2023 are among the laws that may apply. The police can investigate harassment and threats, though resources and willingness to pursue online cases vary. In many other countries, similar legislative frameworks exist.

Report to police if you have received credible threats, if someone has turned up at your home or workplace, or if the harassment is severe and sustained. Having documented evidence significantly supports any report you make.

Some organisations provide legal support or advocacy for victims of online harassment, including referrals to lawyers who specialise in this area. These organisations vary by country but are worth researching if you are in a serious situation.

Looking After Your Mental Health

Being doxed or targeted by a harassment campaign is a traumatic experience. The feelings of violation, fear, anger, and helplessness that result are entirely understandable. Do not minimise the impact on your wellbeing or tell yourself you should simply be tougher about it.

Reach out to people you trust. Isolation makes the experience harder to bear, and talking to friends, family, or a mental health professional can be enormously helpful. If the experience is significantly affecting your daily functioning, speaking to a doctor or counsellor is a sensible step.

Online communities for people who have experienced doxing and harassment exist, and connecting with others who understand the experience can reduce the sense of being alone with it. Organisations that support victims of online abuse can also provide practical and emotional support.

Prevention Is the Best Defence

While no level of preparation can guarantee that you will never be targeted, taking proactive steps to reduce your digital footprint, secure your accounts, and use separate identities for different online activities significantly reduces your risk. The time invested in these precautions is modest compared to the potential cost of being targeted.

Digital safety awareness is increasingly a core life skill. Understanding the landscape of threats, including doxing and harassment campaigns, and knowing how to navigate them gives you a meaningful degree of agency in an environment where these threats are real and growing.