On March 15, 2019, a white supremacist shot and killed 50 Muslim worshippers at two mosques in Christchurch, New Zealand. Six weeks later, another white supremacist shot and killed one Jewish worshipper and injured three others at a synagogue in Poway, California. Although the men who committed the attacks had never met or spoken, they had both spent countless hours lurking on 8chan, a surface web forum dedicated to “radical free speech” that proudly refers to itself as “The Darkest Reaches of the Internet.”
In 8chan’s largely anonymous and unconstrained culture, users often advocate violence and trolling campaigns meant to intimidate critics or public figures. This has led to a rise in doxxing—the practice of posting personally identifiable information about a person or organization on the internet. Information revealed in these attacks can range from addresses and phone numbers to much more sensitive information, such as social security numbers, social media and email passwords, and information about a target’s family members. People who have been doxxed may receive thousands of unsolicited phone calls, letters, or threats. More concerningly, personally identifiable information gives an adversary the tools to confront a target at their home or office, or send harmful substances or explosives in the mail. These tactics have become an increasingly popular way to intimidate, punish, or retaliate against people, groups, or organizations with divergent views or interests.
The idea of doxxing is not new; Major League Baseball umpire Don Denkinger famously had his home phone number and address published in retaliation for his alleged “bad calls” during the 1985 World Series. A more recent case involved a Congressional intern posting the personal information of three Republican Senators from the Senate Judiciary Committee—Mike Lee, Orrin Hatch, and Lindsey Graham—on the website Wikipedia prior to the congressional hearing to appoint Brett Kavanaugh to the U.S. Supreme Court. Even President Donald Trump used doxxing to undermine a political opponent prior to the 2016 election when he read out Lindsey Graham’s cell phone number during a televised speech in 2015.
Doxxing has also been used with more deadly aims in mind. In 2015, the Islamic State published a “hit list” with names and information about 1,400 U.S. military and government personnel that it wanted assassinated.
Other more recent cases of doxxing highlight a concerning confluence of internet trolling, the proliferation of online hate groups, and a toxic, permissive culture in forums like 8chan where users encourage each other to act out their violent fantasies in the real world. One example of 8chan-inspired harassment is the reaction by forum users after Robert Evans appeared on an ABC Australia documentary about the Christchurch attack to discuss the neo-Nazi rhetoric that pervades 8chan. Evans’ comments quickly spread across the forum’s “politically incorrect” (/pol/) board after the documentary aired, inspiring one user to post a “Wanted” poster, featuring a photograph of Evans with a bullet in his head. The poster offered 15 bitcoin (approximately $60,000) for his murder. Moments later, another user wrote “for that much it can be done.” This example serves as a chilling reminder of the vitriolic chatter that thrives on unmoderated web forums, and it was not the first—or the last—time 8chan users have attempted to intimidate critics.
Screenshot taken from 8chan
Some 8channers have also directly threatened the executives of companies. Shortly after the Christchurch attack, /pol/ users began dissecting the shooter’s manifesto. As his call to “KILL YOUR LOCAL ANTI-WHITE CEO” spread across the forum, many of its users began suggesting ways to find and kill high-profile CEOs. Another user suggested that someone could easily “kill them coming or going” by posing “as a delivery person and say they need to personally sign, [then] shoot them dead.” According to the user, CEOs’ home addresses “should not be hard to find.”
Doxxing presents a unique challenge for security professionals. Once personally identifiable information is posted, it is impossible to remove from online forums, making it a persistent threat. While the vast majority of 8chan users never go beyond cyber harassment, the normalization of violent rhetoric serves to encourage a small percentage who are eager to carry out violence in real life. Recent attacks on mosques, synagogues, and journalists have taught us that we cannot ignore the threat posed by 8chan and other forums that encourage this type of behavior.
Protecting yourself from being doxxed
Targets of doxxing are often journalists, celebrities, politicians, or high-profile individuals. However, increasingly we have seen doxxing used as an expression of grievance against ordinary individuals, company employees, or members of groups. As a result, this is a threat that everyone should take seriously and should protect themselves against. Tips for prevention:
Do a search of yourself to determine if your phone number, email address, or home address are easily found. Sites such as Spokeo and Whitepages are good places to start.
Scrub any personally identifiable information off of the sites that you find. Most sites have the option to remove your own listing. Check periodically to ensure that they have not reacquired your data and started sharing it again.
Check your social media accounts to determine what information is visible to the public. In particular, make sure that your email address and phone numbers are not posted. Check privacy settings on sites such as Facebook periodically, as they change their settings frequently. Disable geotagging on all social media sites. Consider automatically deleting old posts on forums such as Twitter. Make photo sharing sites, such as Instagram and Flickr, private since photos can inadvertently disclose personally identifiable information.
Be mindful when sharing information. Some apps and websites share or sell your data once you provide it to them. Be cautious about giving your information to third parties, particularly if they are not reputable or well known, or if they have a history of poor cyber security practices.
What to do if you have been doxxed
If you feel that you are in immediate danger, call your local law enforcement. While most doxxing attempts are focused on harassment, take any threats seriously.
Do not publicly address being doxxed. Bringing attention to it will likely encourage the perpetrators to continue their harassment and bring further attention to the disclosed information. Likewise, do not confirm or deny the accuracy of the information that has been disclosed.
Credit card numbers, banking information, and social security numbers should be reported immediately to the relevant institutions. Your bank will recommend actions you should take to protect yourself from further fraud and identity theft. Also consider whether your security questions could be answered by the information that has been disclosed (such as a mother’s maiden name) and change them with your financial institution.
If your home address is included in the doxxing, it is recommended that you call your local police department and let them know that you’ve been doxxed. They can flag your address, in case there is a swatting attempt.
If account passwords have been disclosed, securing any compromised accounts should be a top priority. Consider adding two-factor authentication to any account that supports it, including social media. If you suspect one of your accounts has been compromised, immediately attempt to recover it, change passwords, sign out all other sessions, and notify anyone who may have been contacted from it.
Go through the steps listed above to make sure your personal information is removed from online sites and social media accounts.