Human Risk Management Institute

Doxxing: What It Is and How to Protect Yourself

Written by Hastin Lia | 24 Feb 2025

Doxxing is the act of collecting someone's private information and publishing it online without consent, usually to harass, intimidate, or punish them. The word comes from "dropping dox" (hacker slang for "documents"), and the data exposed can include a home address, phone number, workplace, financial details, or family members. Roughly 11.7 million U.S. adults, about 4% of the population, have been doxxed, according to a 2025 SafeHome survey. This guide explains how doxxing works, the legal position in Malaysia, how to lower your risk, and exactly what to do if you are targeted.

What is doxxing?

Doxxing (also spelled doxing) is the deliberate online exposure of an individual's private or identifying information without their permission, with the intent to cause harm. The information itself is often pieced together from sources that are technically public. The harm comes from compiling those scattered details into one place and weaponizing them against a target.

Exposed data typically includes full name, home address, phone number, email address, employer, photos, and sometimes financial or medical records. Fortinet describes doxxing as a form of cyberbullying that uses sensitive records for harassment, exposure, or financial harm. The distinction that matters legally is intent: sharing a public business address is not doxxing, but publishing someone's home address to invite a mob to their door is.

The threat scales with your digital footprint. Every account, post, and form you fill in leaves traces that an attacker can collect. SiberMate works with organisations precisely because most exposure starts with ordinary employee behaviour online, not sophisticated hacking.

Types of doxxing

Doxxing is not a single act. It covers several distinct patterns, and recognising which one you face shapes your response.

Identity doxxing

The attacker reveals who is behind an anonymous or pseudonymous account, linking a username to a real name, face, and location. This is common against activists, journalists, and online creators who rely on anonymity for safety.

Targeted information doxxing

Specific high-value details are published to enable real-world harm: a home address for stalking, a phone number for harassment campaigns, or banking details for fraud. This is the most physically dangerous form.

Swatting-enabled doxxing

An attacker uses a leaked home address to make a false emergency report to police, sending an armed response to the victim's home. Swatting depends entirely on doxxed address data and has caused deaths.

Workplace and reputational doxxing

The attacker contacts an employer, family, or community with information (often distorted or out of context) to trigger job loss, social exclusion, or public shaming. Nearly four in ten doxxing cases involve some form of public shaming, per SafeHome.

How do doxxers find your information?

Doxxers rarely rely on a single breach. They assemble a profile by combining many small, legal-to-access sources, then fill gaps with illegal methods. Understanding their toolkit shows you where to cut off the supply.

Open-source intelligence and social media

Public profiles, photo metadata, tagged locations, and "about" pages give away employer, routine, and address clues. A single geotagged photo or a visible friends list can anchor an entire investigation.

Data brokers and people-search sites

Data brokers compile public records, purchase histories, and online activity into searchable profiles sold for a few dollars. People-search sites surface home addresses and relatives in seconds. University security guides, including UC Berkeley's privacy resource, rank these as one of the most productive sources for doxxers.

WHOIS records and breach databases

Domain registrations can expose a registrant's name, address, and phone unless privacy protection is enabled. Leaked credentials from past breaches let attackers cross-reference reused passwords and link accounts together. Stolen records frequently surface on underground marketplaces, a supply chain we cover in how dark web black markets operate.

Social engineering and phishing

When public data runs out, attackers trick the target or a third party (a colleague, a customer-service agent) into revealing the missing piece. A convincing phishing message or a pretext phone call often unlocks the last detail needed to complete a dossier.

Why is doxxing dangerous?

Doxxing converts online conflict into physical and financial risk. Once a home address or phone number is public, the victim loses control over who can reach them and how.

The consequences fall into three layers. Physical safety comes first: exposed addresses enable stalking, unwanted visits, and swatting. Financial harm follows when leaked identifiers feed fraud and identity theft. Psychological damage runs throughout, with victims reporting sustained fear, anxiety, and disruption to work and relationships.

The risk is not evenly distributed. Women are targeted more often than men, at 5.2% versus 3.6% according to SafeHome's 2025 survey. Because doxxing is frequently a vehicle for intimidation, it overlaps heavily with cyberbullying in the digital era. For organisations, a doxxed employee can become an entry point: attackers who map one person's accounts often pivot to corporate systems, which is why human risk is now a board-level concern.

Is doxxing illegal in Malaysia?

Yes. Malaysia criminalised doxxing directly through the Penal Code (Amendment) (No. 2) Act 2024, which added a dedicated cyber-harassment regime under Sections 507B to 507G.

Section 507E is the doxxing provision: it prohibits the unauthorised publication or dissemination of a person's identity information with the intent to harass, threaten, or alarm them. Conviction carries imprisonment of up to three years, a fine, or both. Section 507F covers conduct that causes the victim to fear that harm will follow, or that facilitates actual harm. The wider sections also criminalise threatening, abusive, or insulting communications that are likely to cause distress or fear.

Authorities can act under the Communications and Multimedia Act 1998 and, where personal data is mishandled by organisations, the Personal Data Protection Act (PDPA). If you are doxxed in Malaysia, you can lodge a police report and a complaint with the Malaysian Communications and Multimedia Commission (MCMC). Victims and businesses preparing for these obligations can review SiberMate's overview of PDPA compliance in Malaysia.

How to protect yourself from doxxing

You cannot erase every trace you have ever left online, but you can make yourself a far harder target. The goal is to break the chain doxxers depend on at as many points as possible.

Audit and shrink your digital footprint

Search your own name, phone number, and email to see what is already exposed. Request removal from people-search sites and opt out of data-broker databases. Enable WHOIS privacy on any domain you own. The fewer public anchor points you leave, the less an attacker has to work with.

Lock down social media privacy

Set profiles to private, restrict who can see posts and friend lists, and strip location data from photos before posting. Social networking sites are the channel attackers most often use to expose information, so tightening them removes the easiest path. Our guide to the risks of oversharing on social media covers the specific habits that feed doxxers.

Strengthen account security

Use a unique, strong password for every account and store them in a password manager. Turn on two-factor authentication for email, social media, and financial services. Reused credentials let one breach unlock many accounts, which is exactly how doxxers connect a target's online identities.

Separate identities and limit oversharing

Use pseudonyms and dedicated emails for public-facing activity, and keep them isolated from accounts tied to your real name. Think before posting your workplace, real-time location, or home details. Recognising phishing attempts matters too, since social engineering is how attackers grab the data they cannot find publicly.

What to do if you are doxxed

If your information has already been exposed, act methodically. Panicking wastes the early hours that matter most.

Document everything first

Before anything is taken down, screenshot the posts, URLs, usernames, timestamps, and the specific data exposed. This evidence is essential for both platform reports and a police report, and it often disappears once you start filing complaints.

Report to the platforms

Use each platform's reporting tools to request removal under its harassment or private-information policies. Most major platforms prohibit doxxing and will remove the content, though you may need to escalate.

Contact authorities if threats are involved

If the doxxing comes with threats, blackmail, or a credible safety risk, lodge a police report immediately and, in Malaysia, file a complaint with MCMC. Provide your documented evidence to support an investigation under Section 507E.

Secure your accounts and identity

Change passwords on any account that may be compromised, confirm two-factor authentication is active, and consider changing an exposed phone number or email. Watch financial accounts for fraud and place alerts if banking data was leaked.

Get professional support

If exposure is severe or spreading, cybersecurity professionals can help contain it and guide recovery. Removal services can pressure data brokers to delete reposted information at scale.

The role of awareness in preventing doxxing

Most doxxing succeeds because of small, avoidable habits: a reused password, an oversharing post, a phishing email that lands. That makes awareness the most effective defence available, and one that scales across an organisation in a way technical controls alone cannot.

For companies, the exposure of a single employee can cascade into a wider breach. Structured security awareness training that covers privacy settings, password hygiene, and social-engineering recognition turns staff from the weakest link into a first line of defence. SiberMate builds this into a continuous human risk management programme rather than a once-a-year session, because attacker tactics shift constantly. Teams that want a foundation can start with understanding where stolen data ends up and how that data fuels doxxing.

Frequently asked questions about doxxing

What does "dox" actually mean?

"Dox" is shortened from "documents," via the hacker phrase "dropping dox." It refers to compiling and releasing identifying documents or data about a person to expose them publicly.

Is doxxing illegal in Malaysia?

Yes. Section 507E of the Penal Code, added by the Penal Code (Amendment) (No. 2) Act 2024, criminalises publishing someone's identity information to harass or alarm them, punishable by up to three years' imprisonment, a fine, or both.

Can you fully protect yourself from being doxxed?

You cannot guarantee total protection, but you can sharply reduce your risk by shrinking your digital footprint, opting out of data brokers, locking down social media, and using strong, unique passwords with two-factor authentication.

What is the difference between doxxing and a data breach?

A data breach is unauthorised access to stored data, often affecting many people at once. Doxxing is the targeted publication of one individual's information, which may use breach data but is defined by the intent to expose and harm a specific person.

What should be my first step if I am doxxed?

Document everything before content is removed: screenshot the posts, URLs, usernames, and timestamps. This evidence supports platform takedown requests and any police report under Section 507E.

Conclusion

Doxxing turns scattered public data into a real-world weapon, and the numbers show it is widespread, with millions affected and women hit hardest. The defence is layered: shrink your footprint, lock down accounts, recognise social engineering, and know your legal rights under Malaysia's Section 507E. If you are targeted, document the evidence first, report to platforms and authorities, and secure your accounts. The strongest protection, for individuals and organisations alike, is building the awareness that stops exposure before it starts.