Doxxing: It’s Like Hacking, But Legal

Michelle Obama’s supposed social security number was posted. So was Beyoncé’s purported address. And Ashton Kutcher’s phone number, too. The list goes on: Joe Biden, Donald Trump, Hillary Rodham, Britney Spears, Mel Gibson, and Attorney General Eric Holder were all targeted in the information dump.

In what must have been a particularly galling note for law-enforcement officials, the cyberattack also sussed out the alleged credit report of LAPD chief Charlie Beck. All of these details and more were posted to the mysterious website The Secret Files, which as of Wednesday afternoon was back online after going dark the day before. 

But this wasn’t a hack attack, police and cybersecurity experts say. It was a classic case of “doxxing,” the act of obtaining and posting private information about a person by scouring the Internet. And it’s surprisingly easy to do. In many cases, it’s not even illegal.

“You can post it as long as there is nothing nefarious about it,”  says LAPD cyber crimes detective Andrew Kleinick. “They are public figures and that kind of thing happens. It’s not right, [but] I know of no crime.”

The exception, says Kleinick, occurs when information obtained through doxxing is used to threaten someone, steal someone’s identity, or infiltrate private emails. That was the case with 36-year-old Christopher Chaney, who three months ago was sentenced to 10 years in prison after hacking into the email accounts of actresses Scarlett Johansson and Mila Kunis.

It’s still unclear who’s accountable for the The Secret Files stunt. LAPD officer Bruce Borihanh says the department is partnering with the FBI to find out more information and determine whether criminal charges apply. “They are looking at the sourcing of it,” Borihanh says, “and if it was obtained through illegal means. Otherwise, it is information that was put out there before.”

This isn’t the first time the LAPD has been doxxed. In 2011, a group affiliated with the online hackers Anonymous claimed responsibility for posting personal information of more than 40 officers, including their home addresses, campaign contributions, property records, and names of family members after they claimed the LAPD oppressed them by shutting down the Occupy L.A. Movement.

But it doesn’t take a master hacker to pull off such a feat. Experts say that doxxing has become almost commonplace when it comes to major celebrities. After all, finding a person’s address or phone number is easy to do by searching the web or paying small fees to online search providers. For an extra fee, plenty of search engines will also hand out phone numbers and addresses of next-door neighbors as well as some criminal background information.

Credit reports and social security numbers are also obtainable on the Web, though they are harder to track down—and this is where the case of The Secret Files may have veered into criminal hacking territory. On Tuesday, the nation’s three biggest credit-report agencies said that the perpetrator had input “considerable amounts” of information, including social security numbers, to impersonate the famous victims and come away with their credit reports, which would be illegal. Due to the connection to Obama and Clinton, the Secret Service is reportedly looking into the mess.

Chaney impersonated his victims, too, scouring celebrity magazines and websites for clues to stars’ email passwords. After clearing common security hurdles—mother’s maiden name, favorite pet’s name—he was able to infiltrate the Google, Apple, and Yahoo email accounts of Johansson and Kunis, leaking several nude photos. In fact, during a four-month period, he cracked the passwords of close to 50 celebrities’ accounts.

He pled guilty to nine felony counts including identity theft, wiretapping, and unauthorized access and damage to a protected computer.

"There is no such thing as complete cybersecurity," says John Villasenor, a UCLA professor and nonresident senior fellow at the Brookings Institution. "As the number of devices and services continues to increase, personal information is stored on more and more systems. Not all of those systems are sufficiently secure, which means that we're likely to see more of these sorts of data compromises in the coming years."

The Secret Files bore the Internet suffix .su, originally assigned to the Soviet Union. The front page of the site featured a creepy picture of a zombie-like girl who looks like she is asking viewers to be quiet. Music from the Showtime series Dexter plays in the background; near the girl’s picture is written: “If you believe that God makes miracles, you have to wonder if Satan has a few up his sleeve.”

Before it went offline, the website had more than 147,000 visitors.

Kleinick, the cyber crimes expert, says the line between legal doxxing and criminal activity is fairly clear. “You cannot use it to make financial gains,” he said. “You can’t say, ‘I am Tom Cruise send me money for this or that.’ You can’t impersonate someone. I can post Tom Cruise’s birth date because it is public information. If the information was taken illegally or if it was stolen, then it would be something we would handle.”

Kleinick himself says he became a victim of cyber intrusion after a person he was investigating posted some of his private information on the Web. Still, he says that while plenty of people have incurred the wrath of these pesky cyber seekers, it is “technically not a reportable crime.”

“If it is just posting personal information we don’t take a report, because it is not illegal.”

Sorry, Ashton.