Cyber Threats #doxxing#privacy#cyber harassment

Doxxing and Cyber Harassment: How to Protect Your Personal Data

How personal data gets aggregated, data broker removal steps, protecting your home address, securing social media, and what to do if you've been doxxed.

7 min read

Doxxing — the act of publicly publishing someone’s private personal information without their consent — has evolved from a niche internet threat into a widespread harassment tactic affecting journalists, activists, healthcare workers, public officials, and ordinary people caught in social media disputes. The term comes from “dropping documents” — releasing someone’s dox. The goal is almost always to expose a target to real-world harassment, threats, or harm by bridging their online identity to their physical location.

Understanding how personal data is aggregated and how to reduce your exposure is practical self-defense in the modern internet environment.

How Personal Data Gets Aggregated

Most people would be alarmed by how much information about them is publicly available and how easily it can be compiled into a detailed profile. Doxxers use a combination of:

Data broker sites: Companies like Spokeo, WhitePages, BeenVerified, Intelius, and dozens of others aggregate public records — property records, voter registration, court filings, motor vehicle records — and sell access. A search of someone’s name often returns their home address, phone number, age, known associates, and previous addresses. This information is legally obtained from public records but consolidated in a way that’s far more powerful than any individual source.

Social media OSINT: People routinely reveal more than they intend. A photo taken at home may reveal neighborhood details in the background or metadata. A post about a local coffee shop narrows down location. LinkedIn reveals employer, job title, and professional history. Connected accounts across platforms (Twitter, Instagram, LinkedIn, Reddit) can be cross-referenced to build a comprehensive profile.

Breach databases: Leaked databases from past breaches — available on dark web forums and paste sites — contain email addresses, usernames, passwords, phone numbers, and sometimes physical addresses. A target’s email address searched across breach databases can reveal usernames used on other platforms.

Voter registration and property records: In the United States, voter registration data is a public record in most states and often includes full name, address, date of birth, and party registration. Property ownership records are public in every state. These two sources alone can confirm a home address.

Username correlation: If a person uses the same username across platforms, their activity across gaming sites, forums, GitHub, Reddit, and social media can be compiled to build a detailed picture of their interests, beliefs, routine, and identity.

Data Broker Removal: Reducing Your Exposure

Removing yourself from data broker sites is time-consuming but meaningful:

Data Broker SiteOpt-Out Method
Spokeospokeo.com/optout — requires email confirmation
WhitePageswhitepages.com/suppression_requests
BeenVerifiedbeenverified.com/opt-out
Inteliusintelius.com/opt-out
PeopleFinderpeoplefinder.com/optout.php
Radarisradaris.com — requires account and identity verification
MyLifemylife.com — email request required

The challenge is that there are dozens of data broker sites, opt-outs expire, and new records can be re-ingested from public sources. Options for managing this at scale:

  • DeleteMe (joindeleteme.com): A paid service that handles opt-outs on your behalf and monitors for re-listing. Approximately $100/year.
  • Privacy Bee: Similar automated removal service with broader coverage.
  • Manual approach: Budget several hours to submit opt-out requests across the major sites, then set a calendar reminder to repeat every 6 months.

Protecting Your Home Address

Your home address is the most sensitive piece of personal information in a doxxing context — it enables physical harassment, swatting, and threats to family members.

Voter registration: Many states allow you to use a P.O. box or request a confidential listing if you can demonstrate threat of harm. Check your state’s Secretary of State website for “safe address” or “address confidentiality” programs. California, Washington, and others have formal programs for at-risk individuals.

Property records: If you own property, the deed is a public record. Options include:

  • Holding property through an LLC or trust, which places the entity name on the record rather than yours
  • Using a registered agent address for business entities

Mailing address separation: Use a P.O. box or a commercial mail receiving agency (CMRA) for any service that will publish or resell your address — package deliveries, subscriptions, contest entries.

Domain registration: If you own a domain, use WHOIS privacy protection (available free through most registrars) to mask your personal contact information from public WHOIS records.

Securing Social Media Against Data Harvesting

Review your privacy settings with the assumption that anything visible to “friends of friends” or “public” is effectively public to anyone:

  • Instagram: Set account to private; audit followers; remove location tags from photos
  • Facebook: Audit the “About” section — remove employer, hometown, phone number; set friends list to private; disable profile indexing by search engines
  • LinkedIn: Remove or generalize your location (city-level only); review what’s visible to non-connections
  • Twitter/X: Consider a pseudonym for accounts discussing sensitive topics; avoid posting from identifiable home locations
  • Google yourself periodically — use "Your Name" "Your City" search patterns to see what’s surfaced

Metadata in photos: Smartphone photos embed GPS coordinates in EXIF data by default. Most social platforms strip this metadata on upload, but not all do. Configure your phone’s camera to disable location embedding, or use a tool to strip EXIF data before sharing images.

If You Have Been Doxxed

If your personal information has been published without your consent:

  1. Document everything: Screenshot all posts before requesting removal — you’ll need this for reports. Note URLs, timestamps, and usernames of those sharing the information.

  2. Request removal: Contact the platforms hosting the content. Most major platforms have processes for removing content that facilitates harassment or reveals private personal information. Use terms like “private information,” “facilitating harassment,” and reference their specific policies.

  3. Contact your local police: File a report, especially if there are credible threats. Even if police cannot act immediately, a report creates documentation. In cases involving threats, federal statutes (18 U.S.C. § 2261A — cyberstalking) may apply and can involve FBI.

  4. Alert your workplace and family: If your home address is exposed, family members need to know. Inform your employer’s security team if you believe you may be targeted at work.

  5. Consider temporarily changing your routine: Avoid predictable patterns if you believe physical harassment is likely.

  6. Seek support: The Cyber Civil Rights Initiative (cybercivilrights.org) and the Coalition Against Online Violence provide resources and guidance specifically for doxxing victims.

The most effective protection against doxxing is reducing your pre-existing exposure before an incident occurs. Data broker opt-outs, careful social media hygiene, and separating your home address from your public identity are investments that pay dividends in privacy and safety — whether you’re ever targeted or not.

#personal security #OSINT #data brokers #cyber harassment #privacy #doxxing