Doxxing: What It Is and How to Protect Yourself
Doxxing is the act of researching and publicly exposing someone's private information without their consent — their home address, phone number, workplace, full name, family members, or anything else that can be used to identify, harass, or harm them.
The word comes from "docs" — dropping documents on someone. It started in hacker culture in the 90s as a way to expose rivals. It's since become a mainstream harassment tactic used against journalists, activists, streamers, public figures, and increasingly ordinary people who attract the wrong kind of attention online.
How doxxers find information
The uncomfortable reality is that most of the information used in a doxxing attack is technically public. Doxxers aren't usually hacking databases — they're aggregating information that already exists across dozens of sources and connecting the dots.
Data broker sites. Spokeo, Whitepages, BeenVerified, Intelius, and dozens of similar sites compile public records — property records, court filings, voter registrations, business filings — and sell access to anyone who pays. A name and city is often enough to pull a home address, phone number, relatives, and previous addresses.
Social media. People give away more than they realize. A photo with location data, a post mentioning your workplace, a check-in at a gym, a comment using your real name on an account you thought was anonymous — each piece is small, but they add up. Cross-referencing multiple platforms is often enough to build a complete picture.
Old accounts and forum posts. Usernames get reused. An email address or username from a forum post years ago can be connected to a current identity through search. Old profiles, comments, and registrations leave trails that don't expire.
WHOIS records. If you've ever registered a domain name without using a privacy service, your name, address, and contact information were historically required to be publicly listed in WHOIS records. Many older registrations still have this data accessible.
Reverse image search. A photo used as a profile picture on one platform can be searched across the internet to find where else it appears — connecting anonymous accounts to real identities.
IP address exposure. Clicking a link, loading an image, or joining certain online services can expose your IP address, which reveals your approximate location and ISP. In some cases this is enough to narrow down a city or neighborhood.
What happens after a doxx
The information itself is only part of the damage. What people do with it is the rest.
Harassment campaigns. Swatting — calling in false emergency reports to send armed police to someone's home. Showing up in person. Contacting employers. Sending threats to family members. Flooding someone's phone with calls. The intent is to make someone feel unsafe, to silence them, or to punish them for something they said or did online.
Doxxing has led to people losing jobs, being forced to move, and in documented cases, physical violence. It's not a technical problem with a technical solution — but reducing your digital footprint makes you a harder target.
How to reduce your exposure
Remove yourself from data broker sites. This is tedious and never fully permanent, but it's worth doing. The major sites — Spokeo, Whitepages, BeenVerified, Intelius, MyLife, Radaris — all have opt-out processes. You submit a removal request, they take you down, and you periodically repeat the process as your information gets re-added. Services like DeleteMe automate this for a fee if you don't want to do it manually.
Lock down your social media. Private accounts, no location data on posts, no geotagged photos. Be deliberate about what information you're making publicly visible — your employer, your city, your daily routine. Most people are more exposed than they realize when they actually look at their profiles from the outside.
Use a separate email for public-facing activity. If you're active in communities where you might attract hostile attention — streaming, writing, public commentary — use an email address that isn't connected to your real name or primary accounts.
Register domains with privacy protection. If you own any domain names, check whether your registration information is publicly listed in WHOIS. Most registrars offer privacy protection that substitutes their information for yours. Enable it.
Be careful with usernames. Reusing the same username across platforms makes it trivial to connect your accounts. An investigative search for a username will turn up every platform it appears on. Different usernames for different contexts, especially between anonymous and real-identity accounts, limits this.
Keep your phone number private. Your phone number is one of the most useful pieces of information for someone trying to find you — it connects to your carrier, your identity verification on most platforms, and often your address. Use a Google Voice number or similar for situations where you need to provide a number publicly.
The role of your IP address
Your IP address can contribute to a doxx in ways people don't always think about. Clicking a link sent by someone hostile — even just an image link — can log your IP. Some platforms expose user IPs to other users under certain conditions. Discord, before policy changes, had this problem. Direct connections in some games and voice services also expose IPs.
Your IP reveals your ISP and approximate location. Combined with other information, it can narrow someone's search considerably.
A VPN prevents this by replacing your real IP with the VPN server's IP. If someone logs your IP from a link you clicked, they get the VPN's IP — a server in another country, traceable to a VPN provider rather than to you.
How Veilock helps
Veilock masks your IP address across everything you do online. Every connection you make goes through Veilock's servers — websites, apps, services, and anyone trying to log your IP see the server's address, not yours.
The no-logs policy means Veilock doesn't retain records of your activity. DoH encryption prevents DNS queries from leaking your browsing to your ISP. And Vortex, Veilock's obfuscation layer, makes the VPN connection itself harder to detect on networks that try to identify and block VPN traffic.
It's one layer of protection among several, but it's the one that closes the IP exposure gap that most people leave open.
Common questions
Is doxxing illegal?
It depends on the jurisdiction and what's done with the information. Publishing publicly available information is generally not illegal on its own in most countries. What often is illegal is what follows — harassment, threats, swatting, stalking. Some jurisdictions have passed laws specifically targeting doxxing, but enforcement is inconsistent and prosecution is rare.
Can I find out if I've been doxxed?
Search your own name, phone number, and email address regularly. Check the major data broker sites to see what they have on you. Set up Google Alerts for your name. If your information is being circulated in hostile communities, it sometimes appears in search results or gets reported by people who see it.
What do I do if I'm being doxxed?
Document everything — screenshots with timestamps. Report to the platform where the information is being shared. File a police report even if you're skeptical of the outcome — it creates a paper trail. Contact your employer if your workplace information is being shared. If you feel physically threatened, take it seriously and contact local law enforcement.
Does a VPN stop doxxing completely?
No. A VPN closes the IP exposure gap but doesn't address the information already in data broker databases, on your social media, or in public records. Protection from doxxing requires reducing your overall digital footprint — a VPN is one part of that, not the whole answer.
What is swatting?
Swatting is the act of making a false emergency report — typically a bomb threat or hostage situation — to send armed police to someone's location. It's been used as a doxxing escalation tactic, particularly against streamers and public figures. It's illegal and has resulted in deaths. It requires knowing someone's physical address, which is why keeping that information out of public databases matters.