Subscribe to the Non-Human & AI Identity Journal
Identity Beyond IAM

Doxing

← Back to Glossary
By NHI Mgmt Group Updated July 11, 2026 Domain: Identity Beyond IAM

Doxing is the collection and publication of personal information with the intent to harm, harass, or intimidate. In identity security terms, it turns exposed profile data into an attack asset and can amplify fraud, stalking, and coercion risks.

Expanded Definition

Doxing refers to the deliberate gathering and disclosure of personal information, often by combining fragments from social media, breached datasets, public records, and image metadata. The term is used across cyber abuse, identity safety, and online harassment contexts, but its security significance is broader than publicity or privacy loss alone. In practice, doxing can convert ordinary profile data into an operational threat, enabling stalking, account takeover attempts, impersonation, extortion, or targeted social engineering.

In identity security, doxing matters because it reduces the attacker’s search cost. A full date of birth, home city, employer, family member names, or routine travel patterns may be enough to bypass weak verification steps or to craft highly believable pretexting. Guidance varies across vendors on whether doxing should be treated as a privacy incident, an abuse issue, or a precursor to fraud, but the common thread is harm through exposure. The NIST Cybersecurity Framework 2.0 is useful here because it frames risk treatment, governance, and response around protect and detect outcomes rather than treating exposed information as a purely social problem.

The most common misapplication is assuming doxing only involves stolen secrets, which occurs when teams ignore public-source aggregation that can still create direct harm.

Examples and Use Cases

Implementing controls against doxing rigorously often introduces friction in content moderation, identity verification, and incident response, requiring organisations to weigh user safety against the cost of tighter review and reporting workflows.

  • A public post includes an employee’s home address and family details, then hostile actors use the information for intimidation or repeated contact.
  • An attacker correlates a person’s username across forums, professional networks, and image uploads to build a dossier that supports credential-reset fraud.
  • A leaked roster, conference badge photo, or directory entry is republished alongside commentary designed to encourage harassment or swatting.
  • A support desk receives a convincing account recovery request that relies on facts assembled from public records and social media, not from secret compromise.
  • An executive’s travel posts and location tags are combined into a pattern that helps an adversary plan surveillance or targeted coercion.

For defensive context, CISA resources and tools and the broader NIST guidance ecosystem reinforce that exposure management is part of security operations, not an afterthought. Doxing is especially dangerous when public information becomes enough to satisfy weak knowledge-based verification or to intensify a harassment campaign across multiple channels.

Why It Matters for Security Teams

Security teams need to understand doxing because it bridges privacy, identity, and operational security. Once exposed details are assembled into a profile, attackers can target real people with customized fraud, coercion, or reputational damage. That creates downstream risk for help desk verification, privileged access workflows, executive protection, and employee safety. For organisations that rely on online self-service or remote support, doxing can also undermine trust in identity proofing if staff assume public data is harmless.

From a governance perspective, doxing highlights why exposure reduction, incident handling, and people-focused response controls belong in the security program. Teams should distinguish between ordinary personal data handling and malicious publication intended to cause harm. The OWASP guidance for AI and application abuse is relevant where automated systems surface or amplify personal data, because generated content can accelerate discovery and redistribution. Organisations typically encounter the operational cost of doxing only after a harassment event, at which point information removal, threat triage, and verification hardening become operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the technical controls, and EU AI Act define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.RM-01Doxing is a risk that governance and response processes must explicitly account for.
NIST SP 800-63IAL2Publicly available data can be misused to weaken identity proofing and recovery.
OWASP Non-Human Identity Top 10Doxing can expose operational details tied to NHI administration and access paths.
NIST AI RMFGOVERNAI systems may surface or amplify personal data that enables doxing.
EU AI ActAI systems that intensify harassment or expose data can raise governance concerns.

Limit public disclosure of service identities, owners, and access-linked metadata.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org