Stop Getting Doxxed: Our Guide

Hi. We work in this space for a living and we'd like to keep it short. Doxxing in 2026 is faster, cheaper, and more automated than it used to be. The good news is the defenses are also better than they used to be — most of them existed before, but the threat finally caught up to the point where doing them is worth your time.

This guide is not a "10 surprising tricks Big Privacy doesn't want you to know." It's the same advice your friend who works in security has been giving you, organized.

Step 0: Search yourself. Right now. We'll wait.

Before you fix anything, find out what's already out there. This is the privacy equivalent of "have you tried turning it off and on again." It's annoying because it makes the problem real.

Three searches:

1. Google your full name in quotes. Plus your city. Note what comes up that you didn't expect.
2. Search your face on PimEyes and Precheck.ai. Both are free for the first peek. You will be surprised. Most people are.
3. Search your most common username on the open web. Use namechk.com or similar. If you've used the same handle on Reddit and Venmo, that's a problem and we'll get to it.

Done? Good. Now we can talk about fixes. They're roughly in order of leverage — top of the list buys you the most, bottom is polish.

Step 1: Get your face out of the consumer face-search engines.

This is the highest-leverage move in 2026 and it's the one most privacy guides written before 2024 don't mention.

Photo-first doxxing — "I have a photo, give me a name" — is genuinely new infrastructure. PimEyes turned it on in 2017. Precheck.ai followed. Then a dozen others. The pipeline is: photo → identity → data broker → home address, and it takes about five minutes if you're not removed.

Two paths:

• DIY — every major face-search service has an opt-out form. They're slow, government-ID-gated, and lapse when the service re-scrapes. We wrote a PimEyes-specific walkthrough if you want to do it yourself.
• Pay someone — that's us. FacePrivacy at $9.99/month files removal requests across PimEyes, Precheck.ai, FaceCheck.id, Clearview AI, Corsight, and more, then re-files when they re-scrape. We're somewhat biased.

Both work. The DIY route takes a weekend, the paid route takes ten minutes. Pick what fits.

Step 2: Get your name and address out of data brokers.

Data brokers — Spokeo, Whitepages, BeenVerified, Radaris, etc. — are the reason a name search returns a home address. Removing yourself from them takes a name → address chain off the table.

DIY is theoretically free; in practice it's a part-time job because there are 200+ of these things and they all have different opt-out flows. The realistic options:

• DeleteMe, Optery, Kanary, Aura, Privacy Duck, Incogni — pick whichever. They all do roughly the same job at roughly the same price ($90–$200/year). We have an opinion on which to pick but they're all real.

None of these touch the face-search engines from Step 1. Different industry, different vendors, different paperwork. You need both layers. Here's the structural reason why.

Step 3: Lock down your social media.

"Going private on Instagram" doesn't undo the damage that's already done — anything that was public when it was first posted is probably already in PimEyes. But it slows the rate at which new exposure happens.

The minimum useful changes:

• Instagram, TikTok, Twitter/X: private accounts. Photo tagging permission required. Friend-of-friend visibility off where it exists.
• Facebook: who-can-find-me-by-email/phone set to friends. "Allow search engines to link to my profile" off. Friends list hidden.
• LinkedIn: harder, because LinkedIn is supposed to be findable. Minimum: turn off "let me appear in search results from external search engines" and don't list your home town.

Step 4: Stop reusing usernames.

If your Reddit username is the same as your Venmo username is the same as your old Xbox Live tag from 2009, you've made it trivially easy to follow you across platforms. People who do OSINT for a living start with a username and unwind a life from there.

The fix is annoying but durable: use different handles in different categories. Your "for friends" handle (Instagram/Venmo/Steam) can be one thing. Your "public-facing" handle (Twitter/Mastodon/Substack) can be another. Your throwaway handle for forums can be its own.

The point isn't to be untraceable. It's to make casual cross-referencing not work.

Step 5: Use a real password manager and 2FA on everything.

Doxxing often piggybacks on account takeover. Someone gets into your email; from your email, they get into everything else. From everything else, they have your real name attached to your delivery address attached to your work email attached to that one drunken eBay listing.

Run 1Password or Bitwarden. Turn on 2FA — and use an authenticator app or hardware key, not SMS. Protecting accounts isn't quite the same problem as preventing doxxing, but the failure modes overlap.

Step 6: VPN if you need it. Probably you don't.

VPNs are good for two things — not letting your ISP and random Wi-Fi hotspots see your traffic, and bypassing geo-restrictions. They are not magic anti-doxxing tools.

If you're a journalist, activist, or person with a specific reason to hide your IP, get one. Mullvad and Proton VPN are the boring correct answers. If you're a normal person who occasionally has a stalker problem, the VPN is useful but not load-bearing.

Step 7: Don't post your real-time location.

This is the boring evergreen advice that still works. Don't geotag photos in real time. Don't post the restaurant before you've left it. Don't post the airport gate. Don't post the gym you go to every Tuesday.

Strava is a famous offender. Snapchat Maps is another. Instagram Stories show up in the location feed. None of these are doomsday vectors on their own — they're each a small edge to give up by default.

Step 8: Plan for "if it happens to me anyway."

None of the above gets you to zero. Sometimes you do everything right and somebody dedicated still figures it out. Have a plan.

• Save evidence. Screenshot the doxx, the threats, the original posts. Time-stamp everything.
• Report to the platforms first. Most major platforms have an explicit "I've been doxxed" path. They're not always great about it, but the report creates a record.
• Lock down your accounts. Change passwords. Re-check 2FA. If your email was compromised, escalate first there.
• Tell someone. A friend, a partner, a coworker. Don't keep it to yourself. If you're worried about physical safety, the local non-emergency line is a real option.
• If it's bad, get a lawyer. Civil rights attorneys, the EFF, and the Cyber Civil Rights Initiative all take cases. There's more legal recourse now than there was even three years ago.

Doxxing is exhausting. People who've been through it describe it as a full-time job for a couple of weeks. Build the support around you before you need it.

What we're not going to tell you to do

Some things popular guides recommend that we don't think are worth the friction:

• "Wear anti-recognition glasses everywhere." Most of them stopped working in 2017. We wrote about why.
• "Move." If your safety is in real danger, sure. Otherwise it's expensive overkill that doesn't fix the underlying problem (your face is still searchable from anywhere).
• "Use a fake name on every site." Too brittle, too much overhead. Use real-but-private names where you have to and pseudonyms where you can.
• "Buy a Faraday bag for your phone." No. Stop. This isn't the threat.

The TL;DR

If you only do three things from this whole guide, do these:

1. Remove your face from the consumer face-search engines. Either DIY or pay someone (us, probably).
2. Remove your name from data brokers. DeleteMe / Optery / Kanary / pick one.
3. Lock down social media and stop reusing usernames everywhere.

Each of those takes you further out of the easy-doxxing zone. None of them gets you to zero. Together they push the work it takes to doxx you from "five minutes" to "actually motivated investigation," which is enough to make most opportunistic stuff stop.

We'll be here either way.