Security Hygiene

A Practical Doxxing Protection Checklist

July 3, 2026 · 10 min read · Haven Team

Doxxing rarely starts with a hack. It starts with someone patiently assembling public records, old posts, and data-broker listings that were already sitting there, waiting to be connected to a name. Most of the exposure is closeable, and the work is specific, not vague.


"Doxxing" (from "dropping docs") means compiling and publishing someone's private information, usually a home address, phone number, workplace, or family members' names, with the intent to enable harassment or intimidation. It's distinct from a data breach: the information is almost always gathered from sources that are individually legal to access. The harm comes from aggregation, not from any single leak.

That means defense is also about aggregation. You cannot make yourself invisible, but you can close the specific, named sources that doxxers actually use, and closing enough of them makes the compilation take real effort instead of twenty minutes.

Where the Information Actually Comes From

In order of how often they show up in real doxxing incidents documented by outlets like the Coalition Against Stalkerware and digital-rights researchers:

The pattern worth noticing

Almost none of these sources require breaking into anything. A patient person with a few hours and free tools can build a surprisingly complete profile using only sources that are, individually, perfectly legal. That's what makes this different from a security breach and why "I have nothing to hide" isn't the right frame. It's about aggregation surface, not secrets.

Closing the Data Broker Surface

This is the highest-value, most tedious item on the list. Data broker opt-outs are individually free but there are dozens of sites, each with its own process, and most re-list you periodically from fresh public-record scrapes. Services like DeleteMe, Optery, and Kanary automate the opt-out and re-check cycle for a subscription fee. If you'd rather do it manually, the nonprofit Privacy Rights Clearinghouse maintains a list of major broker opt-out links, and doing the top fifteen or so covers a large share of what shows up in a basic people-search.

Locking Down What You Control Directly

| Source | Action |
| --- | --- |
| Domain WHOIS | Enable WHOIS privacy/proxy through your registrar. Most now include it free; some older registrations predate this and need a manual toggle. |
| Photo uploads | Strip EXIF/GPS metadata before posting (most phone OSes offer a "remove location" share option; desktop tools like ExifTool handle bulk stripping). |
| Voter registration | Some U.S. states let you request your address be withheld from public voter files, typically for survivors of domestic violence, journalists, or law enforcement. Check your state's Address Confidentiality Program. |
| Reused usernames | Use distinct handles per context (professional, gaming, activism) so accounts can't be linked by username alone. A password manager makes this painless. |
| Property records | Some jurisdictions let you route mail through a P.O. box or registered agent for property tax purposes. Rules vary heavily by county; check local assessor's office options. |

Account Takeover Is the Doxxing Multiplier

A doxxer who gets into one of your accounts, especially email, doesn't just read your messages. They can reset passwords on connected services, pull address history from shipping confirmations, and pivot into your contacts. This is why strong two-factor authentication and a password manager with unique passwords per site matter directly for doxxing resistance, not just generic account security. Hardware security keys (FIDO2/WebAuthn) are the strongest option because they resist the phishing pages that SMS and app-based codes can still fall for.

Every account that reuses a password, or accepts SMS as its only second factor, is a door a doxxer's account-takeover attempt can walk through without ever touching the target directly.

If It Already Happened

Document everything before it gets taken down: screenshots with visible timestamps and URLs, since posts get deleted or edited once a platform is notified. Report to the platform under its harassment or doxxing policy specifically (most major platforms, including Reddit, X, and Discord, have dedicated doxxing report categories that get faster review than generic abuse reports). If the exposed information includes a home address and there's any credible threat attached, that crosses into a police matter, and having the documentation ready makes that report far more actionable. Organizations like the Cyber Civil Rights Initiative and, for journalists specifically, the Committee to Protect Journalists' Digital Safety team, provide direct incident support beyond generic advice.

What This Doesn't Solve

None of this closes every avenue. Someone determined enough can still find things through social engineering, mutual contacts, or records this list doesn't cover. The goal isn't zero exposure, which isn't achievable for anyone who exists in public life at all. The goal is raising the cost from "a search engine and twenty minutes" to "sustained, deliberate effort," which is where most casual harassment campaigns stop.
