What is Doxxing?

Digital literacy and online safety work hand in hand – they are educational tools to navigate the online world safely and confidently.

In school we teach children to be considerate about what they are posting online, particularly personal and private information, and that’s mainly from the perspective of safeguarding. However, there’s much more to to it than that, although safeguarding should always be a primary consideration.

Doxxing is where someone has deliberately looked for information about you and is using that information against you online, perhaps to cause embarrassment, to intimidate, to victimise, extort and a relatively new phenomena, to identify people who outrage the public. For example people who have attended rallies and their pictures are on social media, then people try to identify them and their personal/private information.

There have been some pretty serious consequences in the past where people have been wrongly identified and accused of things such as being a sexual predator, a racist etc. For most purposes, the person being doxxed hasn’t done anything wrong, perhaps they’ve made an opinion online and someone disagrees then goes to extraordinary lengths to ‘out’ them online.

So why talk to students about doxxing?

Telling children, “Don’t share personal information,” is a pretty weak, but well-intentioned message. It’s impossible not to share personal information, particularly when you understand that personal information in the digital age relates to much more than age, school, date of birth etc., and whilst messages such as this might work with younger children we’ve got to go a lot deeper for older children, particularly through their teen years.

Whilst not strictly doxxing, I would like to give you an example of something that happened to me a couple of years ago (and still happening now) which goes to show how difficult it is when considering what we are sharing online because, for the most part we have control over what we share (we choose whether we share or not), but sometimes there’s nothing whatsoever we can do.

I have a couple of websites for different purposes; the site you are on now, and my Online Academy where I deliver online safety training via video modules.On each of those sites I have security software installed. One function of that software is to prevent unauthorised access to the administrative tools on the website. In practice this means that if someone uses the wrong username or password twice in the space of a few minutes, their computer address (IP address) is automatically blocked for a few hours. If this happens I am notified by email what has happened and the username they have tried. This is all fairly standard and is mostly used to prevent a ‘brute force attack’ where someone can use a huge dictionary containing tens of thousands of words to attempt to guess the password.

Every now and again I get scores and scores of emails every hour from the security software which is someone trying to hack my website using automatic software (bots) from all over the world, but what struck me as odd on this occasion was one of the usernames they were trying to use. This was odd because the username being used was correct for the admin login, yet you would not be able to guess this username from the website or from me, it was a random username and not even a proper word, so how did they know?

I have used this particular username a few times in the past (yes I know, lesson learned!), but I have never ever made it public. Now I’m no IT security expert, but I do know a few things, and the only way I can think for that username to be somewhere online is that a site I have used in the past had been hacked, and the username (plus email address and sometimes other information such as passwords) had been posted online.

So using the advice I always give to others, I went to the site www.haveibeenpwned.com and entered the username, and there it was. That username had been hacked from a web service I used a few years ago.

Coincidence? I don’t know. Whether I had been targeted deliberately or by chance I’ll never know, but it just goes to show that the longer we spend online, the bigger digital trail we leave behind us, and unfortunately we cannot always be in control of that data. Once the information is out there, either posted by us or by others, it’s extraordinarily difficult to remove it and in a lot of cases it’s impossible. The number of big hacks we are seeing reported is extraordinary and it just goes to show that it can potentially affect every single one of us, not just celebrities that get the media attention.

I always give young people the advice to check their credentials on sites such as HaveIBeenPwned every so often, although I do wish the site owners could change the name as it’s always met with much hilarity when I say the name out loud! It’s a good way of checking if their username or email address has been hacked from an online service because this sort of thing is happening all too often now. The difficulty lies in convincing young people that it may sound completely meaningless now, but not necessarily in 2, 5, 10 years time which is why using real examples is so important, not to scare the living daylights out of them, but just let them know it can happen to anyone and give them support and guidance what to do.

I always advocate giving them examples of the real services they are using so that this will hopefully have a greater impact, for example the hack of 4.6 million Snapchat user credentials HERE or the more recent Instagram hack HERE. There’s plenty more, Google is your friend here.

Here’s some advice for to give to the students:

  • If you’re able, change the password to something unique and complicated (the length of the password is important).
  • If you’re going to continue using the service, enable two-factor authentication (in the Settings).
  • If you don’t use that service anymore, delete or suspend it.

Snapchat support page – HERE
Instagram support page – HERE

Online Safety Pro

Keeping up with the ever-changing world of online safety. A unique 1-day course for your online safety lead, including training for all your teaching and support staff, and your governors plus a new video every half term to keep everyone up to date.

Upcoming courses:
Lincoln 29th Nov 2018
London 3rd Dec 2018
Manchester 10th Dec 2018

Keep up to date with the latest online safety trends and advice.

FREE half-termly magazine for school staff and for parents.