Dox Gangs Run Rampant, Victims Exposed for Life

2024-08-30

At this stage, we have all been the victims of a data breach in one way or another. A password gets stolen, an email address is added to some spam mailing list, and so on. Thankfully, in these instances, all is not lost. While it may be bothersome, it is easy to change things like passwords, email addresses or even phone numbers in some instances. But what about your social security number? That is a little harder to change, and having it leaked into the public domain would be terrifying, but it's still possible to fix. But what about the colour of your first car, or the name of your first pet?

In addition to your own, what about your family's social security numbers, driving licenses, addresses and previous addresses? Your ethnic background, your education, voting history, tax payments, and more. And not just what's been made available online through data breaches, through phishing, malware or other means - but even documents requested from citizen databases used by law enforcement and private investigators - credit reports, property ownership, convictions and legal history, and so on.

The point being, there are some things that are difficult or maybe even impossible to change. If you as an individual find yourself in the crosshairs of a doxxer, then you might find that they are able to dig up far more on you than just your email or password.

The rules of the game have changed. Anyone can act the amateur PI should they want to, but today it is terrifically cheap and simple to hire a doxxing group to do it for you. Thus, Doxxing-as-a-Service (DaaS) is now a real and genuine threat that people need to be aware of. DaaS enables identity fraud, spear phishing, malware deployment and even personal endangerment of its victims.

This article explores the types of DaaS offerings now available, and discusses ways to protect yourself or mitigate the damage done by a dox.

The Data Supply Chain

The crux of the issue is that as soon as institutions realised that they could profit from breaching your privacy, your privacy no longer existed. From the moment you are born, data is logged and continuously harvested from you for your entire life, secreted away by referencing agencies. At one point, before the establishment of the modern data supply chain, these companies were sitting on enormous amounts of valuable data but were unsure what else to do with it. At this stage, it really was chiefly used by banks, governments and law enforcement. They soon discovered vast profits in the vending of this data, or at least the parts which were made legal for them to sell. This is sometimes referred to as credit header information, which is simply your credit report without the financial detail. It includes a person's name, contact information, address, date of birth, and insurance number. This is what was made legal to sell off to third parties.

For example, a business whose service is to provide information for the purpose of investigation, or for the prevention of fraud may use this data to create a skiptrace database. These databases are used by private investigators, debt collectors and law enforcement in order to track down individuals, usually for legitimate purposes. It is at precisely this point where criminals have managed to infiltrate the data supply chain.

 


Figure 1: Censored information that was exposed by criminals illegitimately accessing skiptrace databases. This particular document contained sensitive data belonging to the individual, the individual's family, and even data belonging to further personal and professional relations.

 

Telegram channels exist where you can pay bitcoin in order to request a lookup from popular skiptrace databases. How they obtain access to these databases can vary - in some cases, they are able to fraudulently claim they have a legitimate interest and the data broker in question does not verify their claim. In other cases, they have been able to obtain access by stealing the credentials of registered private investigators.

It is our observation that US data is disproportionately affected, and these Telegram channels are able to offer access to services such as USInfoSearch (USIS), or TransUnion's TLOxp tool. These services are used to acquire TransUnion Locator Service (TLO) data, which includes the majority of the aforementioned credit header information. Even if the data isn't necessarily TLO data, it is sometimes termed "a TLO" colloquially by these underground groups. The Telegram channels in question offer their customers the ability to pay per search, and some even allow you to purchase an API key which allows for unfettered access to these databases and the ability to make unlimited lookup requests.

The kicker is the affordability. To uncover data that would seriously harm an individual's privacy, security and maybe even their livelihood, you need only pay around $25 in cryptocurrency to a DaaS group who will do all the dirty work for you.

Remediation

Doxxing is incredibly harmful, and the degree to which you will be able to remedy the situation is governed in large part by the laws of your country. For example, in the European Union individuals may exercise their Right to be Forgotten, which compels companies to remove your public data from a website or from their internal records. The legal systems of the United States largely do not offer individuals such rights; however, exceptions may apply to protected groups such as minors depending on their federal jurisdiction. By leveraging the law, you may achieve some success in removing your data from websites and from data brokers, but you may still be vulnerable.

It is not recommended to delete any of your online accounts or to change your phone number, despite those being knee-jerk reactions to the threat of infiltration. The reason is that by deleting them, you may inadvertently make them available to somebody who could use them to impersonate you. Instead, it is safer to create new email addresses and to obtain a new phone number, while retaining access to the old ones.

Where your personal safety is concerned, it may be advisable for you to move if you are able to do so. You should also ensure that your location does not continue to be tracked, by scanning for and removing malware on your devices and by revoking location access for apps that use it.

Regarding your identifiable data such as your insurance number or driving license, you may be able to have these changed on the basis that you are at risk of identity theft. Research the institutions where you live and pursue this outcome if possible. If it is not, then you may still be able to better protect yourself against the misuse of your data. Organisations such as the IRS offer a type of two-factor authentication called an IP PIN which may aid those whose US Social Security Number has been breached.

Naturally, if you don't already use unique passwords for every website and employ Multi-Factor Authentication (MFA) wherever possible, it is certainly time to do so. In fact, it may be good to read up on proper cyber hygiene and ensure that you browse the internet safely and securely at all times.

And unfortunately, as is often the case where a serious dox has taken place, you may need to walk your affected relatives through similar processes as their information may also have been exposed.

There will be things that you cannot change. But if you do enough to protect yourself then you can still return to a normal life, and may even be able to scrub some of your data from the internet.

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free
