35

Doxing (publicly releasing private information about an individual, to make it easier to harass them) is becoming an increasingly popular tactic not just for hacktivists and Anonymous, but also for petty individual revenge.

What are actionable, best practice steps that an individual should take to regain control of their personal information after they have been doxxed? A lot of social engineering advice is predicated on not releasing such information, or controlling access to it — clearly useless to a victim in this situation.

If details are needed, assume the following are present in the document dump:

  • Name, physical address, telephone number
  • Facebook profile, email address
  • Work history including contact numbers for employers past and current
  • Family members, their relationship and address or phone number

Assume that the victim was the victim of a personal attack, rather than a corporate breach, and thus has no IT or legal resources to draw upon.

Anko
J Kimball
  • Can we also assume the victim has no back-up identity to fall back on and is not willing to burn parts of his current identity (including telephone number, Facebook profile and e-mail)? – Mast Nov 30 '15 at 22:23
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/32401/discussion-on-question-by-j-kimball-after-getting-doxxed-how-can-one-protect-pe). – Rory Alsop Dec 02 '15 at 13:26

6 Answers

38

Once your information is made public, you cannot make it private again. That is unfortunately one of the things the Internet gives us. You can make formal complaints to sites hosting the information, but assume it will be there, available in large stores of PII, for bad guys to do with as they will.

So all you can do is decide which of those things you need to change, e.g. by moving house, changing your name, job, mobile phone number, etc.

Personally, the only ones I'd want to change if I was under a personal attack would be email and phone numbers. If the attack grew to be physical, I'd get the police involved and if necessary, move and change my name.

Rory Alsop
  • 18
    This pretty much sums it up. While it's not really possible to get your information off the internet, it is possible in many countries to seek damages against someone for using your information in a malicious manner. – Mark Buffalo Nov 30 '15 at 16:16
  • 1
    // , Rory, are you sure you really see no technical efforts that could work to get control of your data back? – Nathan Basanese Nov 30 '15 at 20:50
  • 8
    It is no longer your data once published. You cannot control the Internet - you may be able to get a hosting service near you to take down info, but most of the Internet will ignore you. Much of it is unenforceable even by three letter agencies. There is nothing technical or non-technical that you can do. – Rory Alsop Nov 30 '15 at 20:56
  • 2
    While not listed in the list there, I'd also add any financial data - if account numbers were leaked, even possibly, I would ask the bank to assign a different account number, etc. – corsiKa Nov 30 '15 at 21:51
  • 4
    @NathanBasanese: Your data is published, I see it, I read it, I memorize it. What are you going to do about that? – Jörg W Mittag Dec 01 '15 at 00:26
  • DRM your brain! – Sobrique Dec 01 '15 at 12:35
10

Unfortunately there is little that can be done once the info is public, besides going after those who host it (good luck for bulletproof hosting providers and Tor Hidden Services) or those who use it maliciously (good luck if the person is from a different country). A possible way of defense would be to publish fake data in your name so as to make it harder for potential attackers to find the true info.

However, what you can do to protect yourself from such attacks before they occur is to simply "dox" yourself, aka do the same the attacker would do and try to get as much information as possible just by searching the Internet (start with your full name, email, etc.) and then delete any data that comes up. Usually the data you'll find will be on legitimate sites that you accidentally put up, so it should be quite easy to remove it either by contacting them or resetting your account's password if you registered there with your email.

André Borie
  • 2
    // , I like the tactic of false doxing. This could actually be done anonymously as part of the prevention ideas you mentioned, and would likely not count as fraud. Plus, the "false" locations could, in the case of phone numbers, workplaces, and addresses, be used in the physical world the same way that honeypots are used in the virtual world. – Nathan Basanese Nov 30 '15 at 20:47
  • // , @DanNeely, why not add your own comprehensive answer including all of this? – Nathan Basanese Nov 30 '15 at 22:21
7

If you have a landline phone, by default your address is in the phone book. If you're a registered voter, IIRC your name and address are publicly available as part of the voter rolls. Likewise if you own property. In the US, voter rolls and land registries generally are still only available in dead-tree format at the county courthouse (or equivalent) but not in a freely accessible online format. A lot of the paid internet background check sites are just search engines for private companies that have laboriously collected and digitized huge amounts of dead-tree public records.

A "better" option, if not one you can easily consciously select, could just be having the same name as someone who is apparently trying to SEO his visibility. The only top 100 Google hits for my name that are me as opposed to one or more of my doppelgangers are my profiles on Stack Exchange and another programming site. Since my most visible double runs a tech company, at a casual glance they could be mistaken for his as well. And as noted above, if someone is seriously determined to dox me, I can't stop them from getting a significant amount of my real data from public records anyway.

2

In the US, most of that information is publicly available already. The only information on there that's actually private is work history, and that's only private to the extent that all parties involved choose to keep it so.

Aaron
  • 2
    // , Can you give us an example of something we might expect to be private, but is not? For instance, a residential address or a cell phone number? – Nathan Basanese Nov 30 '15 at 20:45
  • That seems surprising to me. Perhaps because I'm from Europe, where privacy is considered a bigger issue. But how for example is a telephone number or address publicly available? This answer could be greatly improved by citing a public register for each of the items in the question that are publicly available. – Jon Bentley Dec 01 '15 at 17:23
0

Notify related people

It's important that other parties mentioned in the doxxing are aware that they might receive unwanted contact, so they can take appropriate action - family members might be threatened or scammed, and the ability for a bad actor to take advantage of them is significantly decreased if they're aware.

Notify businesses

Informing work that your details have been released and that you are being actively attacked allows them to take it into account: they can avoid releasing any further information or accepting negative claims about you at face value.

Other companies you deal with - banks, in particular - will be using parts of this personal data to identify you. Notify them and require them to ask for a password from you before making any changes to your account or revealing any information.

Online accounts and email

Review privacy settings and friends lists. Don't accept new friend requests post-doxxing without definite confirmation that it's them. Consider replacing affected accounts. Ensure your passwords are strong.

Telephone

Consider changing number; screening calls from unknown numbers. This is not a risk - they can't do anything but talk and tie up the line - but can be potentially quite scary if they choose to threaten you.

Physical address

This is the big one; people could turn up at the door. There's no particularly good approach other than deciding whether or not you can still live there.

Dragon
  • These are all good suggestions, but they don't answer the question. – Rory Alsop Dec 01 '15 at 13:33
  • 1
    @RoryAlsop I disagree. The question asks about "protecting" or "taking control of" personal information after it has been released. It's vaguely worded enough that damage limitation can be included in that. If my telephone number is made public, then I am taking control of it by screening calls or changing it (thus rendering the published information useless). If I request additional security measures from my bank, I am protecting my personal details (from being used for further attacks). – Jon Bentley Dec 01 '15 at 17:27
-3

What to Do After Search?

Imagine you found content with your info, like a picture on Flickr that got indexed in Google. All you have to do is contact the person who uploaded the content and ask them to remove it. If you don't get a response in 3 days, you could ask the website. After deleting it from the website, make a report to Google and ask them to remove the thumb as well.

What Else?

I use some methods and I'm happy with them even if they're not so pro.

Use VPN

A VPN will keep you as safe as possible. By changing your IP and transferring info through TCP or UDP, at least you know that you encrypt your data and hide your actual location from online eyes.

Turn Your GPS off

I've told my friend, "Why is your GPS on?" and she said, "It's because of Find My Phone." I had to explain to her for 3 hours that even with Find My Phone or anything else, phones could get a hard reboot through terminal, and that means you're just wasting your battery and making yourself public.

Close Your Online Dating Accounts

This is the most horrible thing that could have happened. Some of them are literally selling your info to other companies.

Use Firefox + add-ons. Make sure Adobe and Java are updated at all times.

Watch where you're going

Don't click on every website or link you see; they could possibly be infected.

Pay Companies To Delete Your Records

There are companies that use deep search for your info, and you can charge them to delete your online information. That's cool, available, very useful, but kind of expensive.

Lighty