How to Dox Yourself

Print More

বাংলা

Photo: Pixabay

Editor’s Note: If you’re like most people, there are bits of information about you scattered around the internet. These breadcrumbs can be used to “dox” journalists — that’s when malicious actors track down and share private information, including phone numbers and home addresses. At the recent NICAR 2019 conference, New York Times security experts Kristen Kozinski and Neena Kapur shared the following tip sheet outlining how to dox yourself and safeguard your information before someone else can make trouble for you.

Search Engines

Google and Bing Search Operators
Operator:What it searches:Example:
SiteProvides results of pages located on a specific domain.site:facebook.com
AND/ORUse the AND operator to return results containing two results. Use the OR operator to return results that contain one result or the other result.“John Smith” AND (Portland OR Salem)
AsteriskGoogle treats the asterisk as a placeholder for a word or words in a search string.“John * Smith”
HyphenThis operator allows you to exclude the text immediately following it.“JohnSmith” -site:personalwebsite.com
FiletypeFilter search results by a single file type extension.

Common File Types:
●DOC/DOCX
●XLS/XLXS
●PPT/PPTX
●TXT
●JPG/JPEG/PNG (image files)
●PDF
filetype:xls intext:youremail@gmail.com
Bing Search Operators
Operator:What it searches:Example:
LinkFromDomainCreates results that link to every website within a website.LinkFromDomain:website.com
ContainsAllows you to filter search results by a single file type extension on a specific website. Contains:csv site:website.com

Google Alerts

Once you’re signed in to your Google account, you can set up Google Alerts here.

Tip: We recommend you use Google alerts with your personal Gmail account. This way, if you leave your company you still have the alerts.

Tip: Please note that any alerts you set up are saved in your Google account — while we recommend setting up alerts for information such as your phone number or physical address, we do not recommend setting up alerts for particularly sensitive information, such as your Social Security number.

Public Record/People Aggregator

There are hundreds of people aggregator sites out there — many large sites “feed” smaller sites, making them a good starting point for significantly decreasing your online footprint. Below is a short list of sites that we recommend starting with. (Note that these sites tend to apply to people who are currently US-based or have previously lived in the United States.) Once you’ve tackled those sites, within a few weeks, the amount of your personal data across people aggregator sites will significantly decrease.

See if you can find profiles of yourself on these sites and consider taking steps to opt out. Please note that some of these sites will request you provide some personal data to opt out, such as an email address, phone number and address. Here are some tips for this:

●  Create a separate, “burner” email address to use for opting out. If you already have one, just use that.

●  Set up a virtual phone number, like Google Voice or Sudo.

●  Only provide sites with data they already have about you. If you see that they have an old home address, do not provide them with a current address, just provide them with the address they already have listed for verification.

●  Don’t EVER provide a copy of any documents, such as driver’s license or passport.

Site name:Website:Opt-out link: Notes:
CheckThemhttps://checkthem.comhttps://www.checkthem.com/optout/
Radarishttps://radaris.comhttps://www.safeshepherd.com/handbook/radaris.comYou are required to create an account when removing data.
Inteliushttps://www.intelius.comhttps://www.intelius.com/optout
Fast People Searchhttps://www.fastpeoplesearch.comhttps://www.fastpeoplesearch.com/removal
White Pageshttps://whitepages.comhttps://www.wikihow.com/Remove-Your-Listing-on-WhitePages
Family Tree Nowhttps://www.familytreenow.comhttps://www.familytreenow.com/optout
Spokeohttps://www.spokeo.comhttps://www.spokeo.com/optout
Instant Checkmatehttps://www.instantcheckmate.comhttps://www.instantcheckmate.com/opt-out
Peoplefindershttps://www.peoplefinders.com https://www.peoplefinders.com/manage
MyLifehttps://mylife.comhttps://www.privacyduck.com/mylife-com-opt-out-deletion-instructions-from-privacyduck/The instructions will say to send a copy of your driver’s license to remove your data —please do not do this! Instead state that you are concerned for your safety in the email.
Been Verifiedhttps://www.beenverified.comhttps://www.beenverified.com/f/optout/search
People Search Nowhttps://www.peoplesearchnow.comhttps://www.peoplesearchnow.com/opt-out
TruthFinderhttps://www.truthfinder.comhttps://www.truthfinder.help/remove/
Advanced Background Checkhttps://www.advancedbackgroundchecks.comhttps://www.advancedbackgroundchecks.com/removal

If you’d like to go further, take a look at IntelTechniques’ complete list of people aggregator sites with associated opt-out steps — but please note that The New York Times has not fully vetted all of these sites.

Social Media

Identify your social media accounts.

●  Enter your commonly used handles into NameCheckr to see where that handle is being used. This can help you discover old accounts you may have set up, as well as keep an eye for impersonation accounts.

●  Set up two-factor authentication on your social media sites. Check out Two Factor Auth for instructions on how to set up two-factor authentication for popular websites. We recommend using an authenticator application (aka a mobile security app or software token) rather than SMS text messages as your second form of authentication. This is a more secure method and prevents from attacks such as SIM hijacking.

Facebook

Tip: You must have a Facebook account and be logged in to search for other Facebook users. The tool below will not show any results if you are not logged in.

●  Visit Intel Techniques, and click on the “Tools” menu item on the top. From there, click the “Facebook Profile” menu item on the left, and select “Facebook Tool” from the drop down menu.

    • Enter a Facebook username into the first field that says “FB User Name” (it’s the small box ABOVE the bigger white box), and press “Go.” You can find your Facebook username by visiting your Facebook profile. It will show up in the URL after the “/”.
    • Once the user number is generated, copy and paste that number into the “Facebook User Number” field and press “Go.” This will populate the additional fields with your user number.
    • You must have a Facebook account to see what is publicly available. Remember, you can’t do this for your own account — find someone to help with that.

●  Select the View As option on your Facebook profile to see what personal information on your Facebook profile a user who is not friends with you can see.

● Consider modifying your privacy settings:

    • Hide your Friends list (Settings → Privacy)
    • Set approval request on picture tagging (Settings → Timeline & Tagging)
    • Remove option for search engines to link to your profile (Settings → Privacy)

●  Turn on two-factor authentication.

●  Enable alerts for unrecognized logins.

Twitter

●  Twitter simple search

Twitter advanced search

●  Turn on two-factor authentication.

Twitter Search Operators
fromMessages username is sending outfrom:yourhandle
toMessages being sent to usernameFrom:yourhandle to:friendhandle
geocodeTweets occurring within range of specific GPS coordinatesgeocode:40.753830318,-73.9 87329384,1km "mcdonalds"
AND/ORUse the AND operator to return results containing two results. Use the OR operator to return results that contain one result or the other result.from:yourhandle OR from:friendshandle
since:YYYY-MM-DD until:YYYY-MM-DDTweets occurring within a specific date rangeFrom:yourhandle since:2005-01-01 until:2005-01-31
Instagram

The in-app search field only shows users and hashtags related to search terms. However, you can search Instagram by “Google Dorking”:

● Site:instagram.com “username”

● Site:instagram.com “username” -site:instagram.com/username”

Turn on two-factor authentication.

LinkedIn

Google Dorking for Linkedin:

●  Site:linkedin.com “Google”

●  Site:linkedin.com “Software Developer at Google”

LinkedIn Privacy Settings:

●  To limit and protect your information navigate to: Me → Settings & Privacy → Privacy

●  Turn on two-factor authentication.

Additional Resources

Check to see if your email or username has been associated with a data breach at haveibeenpwned.com.

To search the Internet Archive for personal information, use the Way Back Machine.


This tip sheet was originally shared as a handout at NICAR 2019 and is reproduced here with the authors’ permission.

Kristen Kozinski is an information security trainer at The New York Times. She is the founder of Don’t Click on That, a business that teaches small companies how to secure and protect their information online. She has also worked at Mailchimp as an application security engineer.

Neena Kapur is a senior information security analyst at The New York Times. She previously worked as a cyber threat intelligence analyst at Booz Allen Hamilton, where she developed deep and dark web reporting capabilities as well as cybercriminal tracking processes.

Leave a Reply

Your email address will not be published. Required fields are marked *