“It took twelve minutes and thirteen seconds to find your full date of birth” smiles Kristen Sotakoun who I’m speaking to over Zoom. I face palm, realising how easily I shared information about my life online that could be manipulated by hackers.

The Chicago-based TikTokker calls herself a ‘consensual doxxer’, meaning she only looks people up who – as I have – challenge her to do so. She has amassed 1.1 million followers for this work and her specialty is finding birthdays. Fans who are confident in their internet privacy will put this to the test, asking Sotakoun to dig out specific details. So far, she hasn’t failed.

Doxing is a form of hacking. It is the act of searching for and revealing private information about someone (like their address, phone number, private pictures or other identifying information) with the intention of causing harm. Typically, this is done with malicious intent to cause distress to the victim like fear, public humiliation or revenge. Information is usually found by scouring the internet for digital footprints and collecting anything incriminating or personal.

Under UK law, doxing is strictly illegal. The acts often constitute offences under harassment, blackmail, data protection, the Computer Misuse Act and more. The Online Safety Act was passed in 2023 as a way to combat tech-based offences and includes the mention of doxing.

I’ve always thought I was fairly savvy to online safety, always conscious of not posting images of identifiable life details or personal information online. I don’t have a direct email address or number online and have even signed up to DeleteMe, a website that helps remove any sensitive information about you from Google and data broker sites, like addresses and contact numbers. So, in the name of journalism, I tasked Sotakoun with seeing how much she can dig up about me.

I am curious as to how she was able to retrieve my date of birth in such a quick amount of time. Sotakoun explains that while my Facebook is pretty much locked down, this didn’t stop her. “The first thing I did was scroll on your Instagram feed to see if I could find the exact same photo on your Facebook profile picture”, she says. “You posted the photo in 2019 so it confirmed to me I'd found the right person. You have two birthday posts that you posted yourself, both of them are on July 25”. So far, so simple. But how did she find my year of birth? “Your birthdate was harder to find,” she explains, “but then I saw a post about you talking about a documentary you watched when you were twelve and seventeen years later you got the privilege to then interview that person. I did the maths, so I concluded that your full birthday is July 25th 1994”. She’s bang on.

But while Sotakoun’s speed at recovering my date of birth is impressive, I’m not particularly concerned with it being out there (which is why I’ve happily published it here), and most of us post birthday images online now, so it’s not completely unexpected for it to be an easy piece of information to find. What concerns me more is, if someone can figure out that information in twelve minutes, what can they find if given more time?

I'm able to obtain all this information yet have never worked in tech or in cyber security

A lot, as it happens. “I also found your full family” in under fifteen minutes my hacker beams, listing my cousins, aunts, uncles, parents and my sibling. My eyes widen. My parents don’t even have Facebook, but Sotakoun was still able to find out about them through tagged posts. My heart pounds as I worry about what other private information I've willingly published online without thinking. And then, Sotakoun finds it. My address. “I could see exactly what area of London you live in because of that lamp you were selling on Facebook marketplace,” she reveals. I want to kick myself.

In my eagerness to sell something that was definitely not worth risking my safety for, I’d shared where I live. Apparently, I’m far from alone in this. “Facebook marketplace is the most exposing place to find out where someone lives,” Sotakoun explains, as privacy settings and the ability to type in someone's name makes it the most convenient and quickest option in finding someone.

Sotakoun has no training in doxxing or online safety, to her it’s all about the challenge of seeking out information as if it’s a game. “I’ve worked in restaurants, on cruise ships and even at Disney World, I think it’s scarier that I'm able to obtain all this information and yet have never worked with tech or in a cyber security capacity”… “I just love puzzles, and to me this is another example of one, but an opportunity to raise awareness about internet safety too” she explains.

low angle view of a woman using a mobile while leaning on a bicycle in the citypinterest
Jordi Mora igual//Getty Images

While she only uses her skills consensually and for fun, the results are often eye-opening. “Once I was challenged by someone and I ended up finding out they’d actually been apprehended four years ago for armed robbery” she grimaces, explaining that she found Facebook posts from the police about it which deterred her in wanting to continue with their challenge.

Thankfully, Sotakoun will now disregard my personal information, but a real hacker, now in possession of my date of birth, address and the details of my extended family, could use this information for a number of nefarious reasons. This is what Sotakoun is keen to highlight. “No one is really safe on the internet,” she says. “People can use things against you, it’s really scary. A funny caption you put next to a photo a few years ago might not be something you think about, but people should.”

I speak to Michelle Kradolfer who works in Police Crime Prevention for Secured by Design, an official police security initiative for further advice. She explains that doxxing can be used for anything from ‘pranks’ to cause stress to a victim (such as “fake email sign ups or pizza deliveries sent to someone’s house or filling someone’s mailbox with junk mail”); for theft and fraud or, at the most serious end, “acts of vigilantism or stalking”.

Kradolfer explains that doxing is often used for blackmail. “While some do it for their own twisted entertainment, we’ve also seen cases where doxxing has become a way for criminals to extort their victims into publishing private photos or stealing their identity, especially with high-profile figures and celebrities. It’s become common practice to now reveal real names and addresses of influencers, YouTubers and Discord users as an act of revenge”, she tells me.

Women are more likely to be the targets of such attacks and having their private information leaked

According to Kradolfer’s research, women are more likely to be the targets of such attacks and having their private information shared online without their consent. “Women are more likely to experience gender-based violence in the real world and it has now extended into the cyberspace. It is another tool that has the capability to amplify that violence in harassing, silencing and making women feel unsafe in any space they exist.” Most often she also explains, the main culprits of giving details away are loving parents and grandparents who aren’t very tech savvy and might be unknowingly sharing these details to a wider audience than they realise.

It has become so normalised to post details of our lives online, but while we might think that a “new homeowner!” post taken by the front door of our house or a family photo with your street name accidentally in the background or a snap of you near your car number plate might be harmless, it can all make you extremely vulnerable online. We’ve seen news stories about influencers being burgled after opportunists found their address, then saw a post from their holiday, put two and two together and took their shot, or dognappers tracking down expensive-looking pets after seeing them on social media.

closeup hand of developer programmer, software engineer, it support, typing on computer keyboardpinterest
Nattakorn Maneerat//Getty Images

Kradolfer says we all have an online presence and it’s unrealistic to suggest to anyone to remove themselves from the internet entirely, but there are numerous measures individuals can take to reduce their personal risk online, including doing frequent Google searches for your personal information to see what others may be able to find about you; checking your privacy settings and being extremely conscious of what you post online [Kradolfer has shared some further tips below].

I’ll be following her advice to the letter. I’m alarmed that I’ve unwittingly opened myself up to serious risk and it’s given me a real wake up call to what I'm posting and how I need to think harder before I do. I'm going to make sure my family is aware of their privacy settings and posts too (or maybe a lesson to my uncle on how Facebook works)! I'm just lucky I found out in a controlled environment.

Crime Prevention expert Michelle Kradolfer shares advice for staying safe online:

How to protect your information online

  • Do frequent Google searches for your personal information to see what others may be able to find about you. Use quotation marks around search terms, such as “Jane Doe”, to make your searches more specific
  • Contact websites where your information is publicly available and request removal. With the implementation of GDPR, EU & UK users have the ‘right to be forgotten’ and such requests need to be followed through
  • Check privacy settings on all devices and apps to ensure all your accounts are protected and use strong passwords (use three random words) and Multi-Factor Authentication (MFA)
  • Create a personal email account for yourself and close friends and create a separate email to register on forums and websites, as these sites usually have poor security measures
  • Try not to put your personal phone number or home address online and remove them wherever possible
  • Opt-out of the Open Register

If you have been doxxed - what can you do about it?

  • Contact the police if you feel that you are in danger and/or have received threats
  • Change passwords on any potentially compromised accounts immediately
  • Take screenshots of the shared information, including dates and URLs where possible. If you need to delete posts/images/etc, take screenshots before removal, as this may be necessary information for any police investigations
  • Request removal of personal information from websites – you have a legal ‘right to erasure’ in the UK. Contact the website via any means - the onus is on them to get your query to the correct person
  • Doxxing goes against Terms of Service on most websites and social media platforms, so report any instances immediately, giving as much information as possible. Copy and paste the first report you make to save time and stress
  • If your physical location has been shared and you feel unsafe, let the police know and go somewhere safe temporarily as a precaution

Visit the Secured by Design Cyber Security Advice hub for further advice about staying safe online.