Topic: PSA: Resources for Artists At Risk Of Being Doxxed

Posted under Off Topic

There's been a recent spike in artists being doxxed over their content, so I thought I'd make a thread of info about what you can do to prevent or hamper the progress of doxxers, and what you can do in the event you've already been doxxed. Now, a little background...

How Doxxers Get Your Info

Doxxers typically start from a piece of info they already have (often an email address, like one given out publicly for commissions or leaked by a disgruntled commissioner) and use it to look up more about you on people search sites. These are websites run by data brokers that sell public records about individuals for various purposes, searchable by name, phone number, and/or email- think of the phone books you used to look up your friends' numbers in (if you were alive back then). They often combine data from public government records with data from advertisers to build a more complete personal profile of you. This data often includes who is likely related to you and sometimes employment records, which is how doxxers get the information they threaten you with (and then look up those people's info too). These records are inexpensive to purchase and won't put a dent in a doxxer's wallet. I purchased my own for under $1.

This publicly available data is also referred to as open-source intelligence, commonly called OSINT for short, and it is the primary means by which people are doxxed.

The other somewhat common way doxxers get your info is by brute-forcing your accounts on gallery sites like Fur Affinity or Inkbunny, which often do not have proper multi-factor authentication (more on what that is later) to make absolutely sure it's you. This is less common, though, as it's often easier for doxxers to get more damaging info from people search sites; it's more likely to be used to get the email address on your account if they don't already have it.

Understanding how doxxers get your info is half the battle, and knowing that, you can choke it out... at the source!

Getting Your Info Scrubbed From Data Broker Sites

Since doxxers use people search sites to get your info, removing your info from public display on them will make matters significantly harder for them. The removal process is different for each site, so I'm going to defer to a few different reputable guides, with a few addenda of my own to correct info I've found to be outdated.

The first resource I'd recommend is Privacy Guides' Data Removal Services guide, though there's one little correction I'd like to add: the opt-out link for BeenVerified in that guide doesn't work. Use this one instead.

While it's linked from the first guide, the Big Ass Data Broker Opt-Out List is worth linking on its own as it lists more sites. Note, though, that a lot of people search sites are "white labeled" services that just piggy-back off the bigger ones, so removing your info from the bigger ones like Intelius may also remove it from smaller ones that resell the same data.

Keep in mind your info may float back onto them over time (specifically if your info changes, e.g. home address or phone number), so stay diligent! Check every few months. Dedicate a day off and figure out if your info has ended up on the bigger sites again and check a few smaller ones too.

Removing your personal information from public view is a great start, but it's not a replacement for good security posture. We can't totally prevent our information from getting into the hands of data brokers, as that industry is almost entirely unregulated and not public-facing, but there are other things within our control that we can do to protect ourselves. Also note that using an ad blocker and privacy-protecting browsers like Firefox, LibreWolf, and Brave instead of Chrome helps thwart some of the trackers that send your information to data brokers.

Exercising Good Security Posture

For the sake of example, let's make up a hypothetical artist as a vessel to convey the points here. Let's call them FeralCubVore69420. Some whackado- let's call him Jack Schitter- really wants to dox FeralCubVore69420, as their mere existence greatly offends Jack's unstable fringe extremist worldview. He runs the artist's public-facing GMail address through a tool that looks up which name it's tied to, hoping for a starting point, and... I don't think "Ferali Cubvorichi" is their real name. Not to be stopped, Mr. Schitter looks up that email on a people search site, only to find that it's not associated with any name or address. What is he supposed to go off of now?

Thankfully, our good friend FeralCubVore69420 used a dedicated, purpose-made email address not associated with their real-world identity, with a pseudonym or fake name attached to it. Data brokers want to sell things to you, or to sell your information to people who want to sell things to you- and if you don't look like a real person, your fake info is of no use to them. Not divulging your real information wherever possible prevents it from getting into the wrong hands.

But FeralCubVore69420 still doesn't want Jack getting into their accounts. So how can they stop Jack from getting into their accounts and finding info in their private messages and account settings? Well, they could set a 4-digit PIN- but that's terrible practice, as it only has 10,000 possible combinations, which Jack could automate guessing in a few hours. This is because the keyspace- the number of possible combinations of valid characters used for the password- is small. Throw in some symbols, uppercase and lowercase letters, and numbers, then increase the length of the password from 4 characters to 12 or more, and now the keyspace is huge: Jack will either be booted off the website he's trying to guess the password on, or won't finish guessing till the heat death of the universe. More complex passwords are harder to guess!

But, unfortunately, FeralCubVore69420 chose an easy-to-guess password, and Jack got it right. Even if your keyspace is bigger, the password still needs to be very difficult to guess! Perhaps "feralCubVoreRules!123" was too simple... But thankfully, our artist friend did do something right- Jack still can't get into their account. Jack is being asked for an authentication code sent to an email address he does not know and does not have access to. This is because our artist has set up their account with multi-factor authentication, a second line of defense that requires something you have, not just something you know, to get into your account. Jack may know FeralCubVore69420's gallery site password, but he doesn't have access to their email- so he still can't get in. Our artist can just click the "that's not me" link in the email and reset their password, locking Jack out. Multi-factor authentication is still not an excuse for making bad passwords!
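To put numbers on the keyspace argument in the two paragraphs above, here is an added example (mine, not part of the original post): it computes the keyspace, bits of entropy and worst-case guessing time for a 4-digit PIN versus a 12-character mixed password, at an assumed online rate of one guess per second and under an assumed lockout policy of five attempts per 15 minutes. The sample PIN, sample passwords, guessing rate and lockout policy are all constructed assumptions.

```python
import math
import string

# Character classes and their sizes. The symbol set is assumed to be the 32
# printable ASCII punctuation characters; sites differ on what they accept.
CLASS_SIZES = {
    "digits": (set(string.digits), 10),
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "symbols": (set(string.punctuation), 32),
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Sum of the sizes of the character classes this password draws from.

    This is the keyspace a guesser has to assume if all they know is which
    kinds of characters the password contains.
    """
    return sum(n for chars, n in CLASS_SIZES.values() if any(c in chars for c in password))


def keyspace(charset: int, length: int) -> int:
    """Number of distinct strings of `length` characters from `charset` symbols."""
    return charset ** length


def entropy_bits(space: int) -> float:
    """log2 of the keyspace: every extra bit doubles the guessing work."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried at a fixed online guessing rate."""
    return space / guesses_per_second


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR


def report(label: str, password: str, guesses_per_second: float) -> float:
    """Print one summary line for the password and return the worst-case years."""
    charset = charset_size(password)
    space = keyspace(charset, len(password))
    years = years_to_exhaust(space, guesses_per_second)
    print(f"{label:<22} len={len(password):<3} charset={charset:<3} "
          f"{entropy_bits(space):6.1f} bits  {years:10.3g} years at {guesses_per_second:.4g}/s")
    return years


if __name__ == "__main__":
    # Assumed: an unthrottled site answering one login attempt per second.
    report("4-digit PIN", "4821", 1.0)               # 10,000 tries: a few hours
    # Assumed lockout: 5 failures allowed per 15 minutes. The same PIN now
    # takes weeks, which is the "booted off the website" effect.
    report("4-digit PIN, lockout", "4821", 5 / 900)
    report("12 random chars", "q7$Kp!x2Lm#9", 1.0)   # far beyond the age of the universe
    # A big keyspace is not the same as hard to guess: this word-based password
    # with a common "!123" ending scores the same 94-symbol charset, but a
    # guesser who tries dictionary words plus common suffixes first would reach
    # it long before exhausting that keyspace.
    report("word-based", "feralCubVoreRules!123", 1.0)
```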

Note that most furry gallery sites and e621 do not have support for multi-factor authentication, so you will just need to make a very good password that's complex and not easy to guess. This will greatly increase the amount of effort needed to get into your account as well as greatly reduce the likelihood an attacker will succeed. You should still use multi-factor authentication when available.

Note for my fellow techies: I know there are other forms of MFA, but this guide is meant for artists who aren't going to be as technically inclined on average.

When The Worst Happens

Let's say the worst happens, and Mr. Schitter now has FeralCubVore69420's name, address, and a list of family members plus their info. He's probably going to try to get them fired at work, order 66 pizzas from every local Italian restaurant, and maybe even swat our artist companion. What are they to do?

Alert in advance the people who will be receiving contact from harassers: local pizza places, your local FBI branch or equivalent (most developed countries let you do this online) so long as your work is legal where you live, and anyone else you can, to avoid wasting their time and yours. File a report with the appropriate authorities- this is often not your local police department, but a higher-up agency that's better equipped to deal with these kinds of issues. Your local police department likely doesn't have the resources to deal with doxxing and at most may be able to help you file with higher-level law enforcement. Let local restaurants that allow call-in orders know they may receive orders under your name that are not from you, and tell them how they'll be contacted if you're actually ordering food.

Additionally, lock your gallery sites to logged-in users, and set posts to friends only if possible, to prevent your work from being shared with unintended people in a way that leaves no plausible deniability. When a family member is given links to your locked gallery sites by a doxxer, all they will see is a blank page.

Conclusion, and Other Resources

I should note this is mostly from my own experience and knowledge of this kind of situation in America, where I live and work as an IT professional. Keep in mind that data brokers won't be as much of a problem in other countries, as they're mostly an American issue, while other countries may have Know Your Customer laws which can make concealing your identity from doxxers harder. If anybody knows anything about that... please share your own experience! Everyone's stronger and more resilient together.

If you have other questions, feedback, or would like to share your own experiences as per how you got through doxxing scenarios to help other people who may be targets, please ask and please tell!

Other Resources:
Electronic Frontier Foundation's guide on how to deal with doxxing
Privacy Guides Knowledge Base - general info about protecting yourself online

Do not mention or share links to doxxing sites or posts, it violates the site rules.


braixenarchivist said:
Great post!
I guess I didn't notice e621's lack of MFA. I'd certainly use TOTP given the chance, artist or not.

Funny enough, it may be planned, I think I saw a dev posting about having it on the back burner but on their radar. Don't quote me on that though.

Should probably start paying for one of those data removal services. I'm not a very public figure, but I do quite like my anonymity. Plus you never know why people will dox you.

I only skimmed this, but I'll probably do more in depth reading on it later. Hope it gets more attention, this is a very important resource. Thank you.

thebraixentrainer said:
Should probably start paying for one of those data removal services. I'm not a very public figure, but I do quite like my anonymity. Plus you never know why people will dox you.

I only skimmed this, but I'll probably do more in depth reading on it later. Hope it gets more attention, this is a very important resource. Thank you.

The one recommended on Privacy Guides is EasyOptOuts, which is $20 a year. I generally trust Privacy Guides' recommendations. Note that you'll still have to opt out of Intelius and PeekYou manually, as EasyOptOuts doesn't support it (at least according to Privacy Guides), I will verify once I sign up for it as I went out and tested doing this stuff before writing this guide.

mklxiv said:
The one recommended on Privacy Guides is EasyOptOuts, which is $20 a year. I generally trust Privacy Guides' recommendations. Note that you'll still have to opt out of Intelius and PeekYou manually, as EasyOptOuts doesn't support it (at least according to Privacy Guides).

Noted.

What do you think about key wallet software? Obviously there is good and bad, eg. the relatively recent LastPass leak being predictable given that it was a cloud-based service. I just think key wallets deserve a mention because IMO they address the 'convenience of remembering' issue that leads people to compromise on password security; but I'm more confident about this WRT 'proper' computers than on phones (which IMO should be assumed insecure unless you've put significant effort into locking them down).

Personally I use KeePassXC (which runs on Windows, MacOSX, and Linux; I only have experience of using it on Linux).

On a slightly different topic: When making long, secure passwords some care is needed; some sites will silently truncate passwords longer than a given length (I've seen this with lengths as low as 20), and if they explicitly state a length limitation, there's no guarantee that number remains accurate. So it's wise to verify that you actually can login with the password you set. (I think it's possible to test this inside of a new private/Incognito window, if you don't want to risk logging out from your normal browser session)

Aacafah

Moderator

mklxiv said:
Funny enough, it may be planned, I think I saw a dev posting about having it on the back burner but on their radar. Don't quote me on that though.

Yeah, that was me & Donovan; it's on the list.

And thank you, this is good work.

savageorange said:
What do you think about key wallet software? Obviously there is good and bad, eg. the relatively recent LastPass leak being predictable given that it was a cloud-based service. I just think key wallets deserve a mention because IMO they address the 'convenience of remembering' issue that leads people to compromise on password security; but I'm more confident about this WRT 'proper' computers than on phones (which IMO should be assumed insecure unless you've put significant effort into locking them down).

Personally I use KeePassXC (which runs on Windows, MacOSX, and Linux; I only have experience of using it on Linux).

On a slightly different topic: When making long, secure passwords some care is needed; some sites will silently truncate passwords longer than a given length (I've seen this with lengths as low as 20), and if they explicitly state a length limitation, there's no guarantee that number remains accurate. So it's wise to verify that you actually can login with the password you set. (I think it's possible to test this inside of a new private/Incognito window, if you don't want to risk logging out from your normal browser session)

I think credential storage with zero-knowledge encryption is pretty good, I'd personally recommend Bitwarden for that use case. It hasn't had any breaches and is regularly audited, plus it's cross-platform as well (I run it on Fedora and through a Firefox extension). Also, good point about password truncation. I've not seen it on sites I use (there aren't many I have accounts on) but I'll take your word for it.
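A way to see the silent truncation savageorange describes in action, as an added example that is not from anyone in this thread: two toy account stores (constructed for this illustration), one that hashes the whole password and one that quietly drops everything past 20 characters, plus a check that sets a long password and then confirms that shortened copies are rejected. The store classes, user name and passphrase are my assumptions, not any real site's code.

```python
import hashlib
import hmac
import os

# Toy account stores with the same API, written for this thread to show the
# silent-truncation behaviour savageorange describes. Both salt and hash the
# password with PBKDF2; the second one also discards everything past 20
# characters before hashing. (A real-world instance of this class of issue:
# bcrypt only looks at the first 72 bytes of its input.)

class AccountStore:
    max_len = None          # no truncation: the whole password is hashed
    iterations = 10_000     # low for a fast demo; use far more in production

    def __init__(self):
        self._users = {}    # user -> (salt, hash)

    def _prepare(self, password: str) -> bytes:
        if self.max_len is not None:
            password = password[: self.max_len]
        return password.encode("utf-8")

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", self._prepare(password), salt, self.iterations)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._hash(password, salt))


class TruncatingStore(AccountStore):
    """Silently keeps only the first 20 characters: the bug under discussion."""
    max_len = 20


def truncation_check(store: AccountStore, user: str, password: str) -> dict:
    """Check a site's (or your own account's) password handling.

    Set a long password, confirm the full password logs in, then confirm that
    shortened copies do NOT. Any prefix that still logs in means the characters
    after it were discarded, so the effective password is shorter than set.
    """
    store.set_password(user, password)
    full_ok = store.login(user, password)
    accepted = [n for n in range(len(password) - 1, 0, -1) if store.login(user, password[:n])]
    effective = min(accepted) if accepted else len(password)
    return {"full_password_works": full_ok, "truncated": bool(accepted), "effective_length": effective}


if __name__ == "__main__":
    # Constructed sample: a 33-character passphrase set on both stores.
    passphrase = "correct-horse-battery-staple-2024"
    for store in (AccountStore(), TruncatingStore()):
        print(type(store).__name__, truncation_check(store, "feralcubvore", passphrase))
```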


Thanks for taking the time to offer a writeup.

If I understand correctly, it seems like the three takeaways are:
1. Use a dedicated email for art
2. Use a good, hard-to-guess and hard-to-brute-force password
3. Use MFA when available

Could you help me understand how a doxxer could get my info if I've used a dedicated email for my entire career as an artist? Not an artist but I'm trying to understand the threat model. Taking a whole day to opt out of a bunch of data broker sites is more than some of my artist friends who are already living on the margins can muster, especially when new ones just crop up later anyway.

It's also worth mentioning in this guide that artists who must use Paypal should absolutely use a Paypal business account for handling transactions via email pseudonym. Too often do I see on my receipt for a commission an artist's full name and sometimes even their home address. Commissioners should also use one (again, if they must use Paypal) to avoid the same issue.

laikakudryavka said:
Thanks for taking the time to offer a writeup.

If I understand correctly, it seems like the three takeaways are:
1. Use a dedicated email for art
2. Use a good, hard-to-guess and hard-to-brute-force password
3. Use MFA when available

Yes. In as artist-friendly of a way I could manage to demonstrate why. For non-technical people the why's are very important to drive home in my opinion. I tried to keep things very basic for someone who's just starting out trying to protect themselves digitally.

laikakudryavka said:
Could you help me understand how a doxxer could get my info if I've used a dedicated email for my entire career as an artist? Not an artist but I'm trying to understand the threat model. Taking a whole day to opt out of a bunch of data broker sites is more than some of my artist friends who are already living on the margins can muster, especially when new ones just crop up later anyway.

Sure thing. As I mentioned, most NSFW artists already separate stuff to some degree. A doxxer could get your info in a way I addressed- a disgruntled commissioner could've leaked your email out, which they could very well do alongside your name in the case of PayPal like you mentioned. Publicly making a PayPal email available as a NSFW artist is a bad idea to begin with, given PayPal's policies and their admission they'll scan places you put it automatically. One thing I think a lot of artists should do to avoid that is to make an attempt to verify commissioners are who they say they are and that they aren't gonna flip over some of the content you make. You know, ask how they found them, where they were looking for them, what account they follow them as and where, etc.- politely, of course- to make sure they're not just trying to fish for info. A lot of doxxers and harassers are very sophisticated in social engineering but coming up with aged, used accounts is harder unless they use compromised accounts (though for these targeted attacks that's sort of rare- I've seen something similar like once, and it was obvious). If they check out, then it's OK to give it to them privately. A lot of commission artists' income comes from their regulars so I don't think this is too much to ask, it's basically an "onboarding" of sorts.

There are other ways they could get your info that are much harder. If you upload a selfie or your home's surroundings publicly, for example, someone could dox you off of that. But as these are less common and also kind of common sense not to do, I didn't mention them.

My threat model is that email-related information (including information added by other sites, like PayPal) is usually the weak point for NSFW artists and that it's usually the seed that grows into full-on doxxing if not managed correctly. I've watched someone try to dox Nine-Volt/TalentlessHack across 2 chan boards (one of them very notorious for successfully doxxing artists) and fail because they couldn't get anything useful from his email address. Emails are also commonly linked to your real name and relatives on data broker sites, so stopping that association from being publicly visible is crucial and where a lot of artists slip up.

And really, you don't need to spend an entire day on opting out of data broker sites. That was mostly a suggestion- you could spread this out over weeks or months and still get effective results as long as you do it well ahead of time, just as long as you opt out. If you can manage like $20 a year then you can have most of it automated for you by services like EasyOptOuts. If you're really strapped for cash, then spreading it out is fine and perfectly serviceable. I went through Privacy Guides' list in its entirety and it took a few hours. And as I mentioned, the smaller ones are usually just white-labeled versions of the bigger ones, so taking info down from the bigger ones will usually take info off all the sites the bigger company owns.

laikakudryavka said:
It's also worth mentioning in this guide that artists who must use Paypal should absolutely use a Paypal business account for handling transactions via email pseudonym. Too often do I see on my receipt for a commission an artist's full name and sometimes even their home address. Commissioners should also use one (again, if they must use Paypal) to avoid the same issue.

I'm not too familiar with that as I'm a hobby artist who doesn't normally take commissions other than from friends (and even that's rare). If you could provide some more info about it, I could add it.


mklxiv said:
Yes. In as artist-friendly of a way I could manage to demonstrate why. For non-technical people...

The nature and form of your explanation is good, I only wanted to make sure I understood it properly. The guide you linked is very helpful, and you have my gratitude.

I'm not able to find a proper source for the Paypal stuff. The best I have is this WikiHow article, but it doesn't exactly match the method I used, I don't think. A lot of what I learned I researched years ago and then forgot once I had it set up the way I like, I'm afraid.

But I know this: If you don't use a business account, then when you send an invoice or receive payments, they include the legal name you gave Paypal. If you use a business account, though, then you have more control over what information is given, and can limit it (in theory) to only the name of the business itself. I currently have it set up so that when an artist sends me an invoice to that account, I can pay however I please, and they only see the name of the business, not my real name or contact info. This may help with the "disgruntled person doxxes me out of spite" threat model.

I'm not sure how that works for receiving payments, though, and therein lies the rub: Paypal can place limits on whether and how you can withdraw money from your account if you set up a business account for this purpose. I only ever used Paypal for payments, so these limits never impeded my use cases and I didn't research them further.

Something that might be worth mentioning is that two furry sites support MFA

Weasyl supports it through an authenticator app https://www.weasyl.com/help/two_factor_authentication
Sofurry also supports it through an authenticator, but ALSO supports passkey using WebAuthn

So if you want some gallery sites with extra safety, those are your best options (Sofurry is also MUCH more active than Weasyl is and has more features, so I'd lean towards it).
Also note, Furaffinity plans to implement 2FA too, and now with the new tech lead actually making site updates, it might come sooner than expected

devourer_ita said:
Something that might be worth mentioning is that two furry sites support MFA

Weasyl supports it through an authenticator app https://www.weasyl.com/help/two_factor_authentication
Sofurry also supports it through an authenticator, but ALSO supports passkey using WebAuthn

So if you want some gallery sites with extra safety, those are your best options (Sofurry is also MUCH more active than Weasyl is and has more features, so I'd lean towards it).
Also note, Furaffinity plans to implement 2FA too, and now with the new tech lead actually making site updates, it might come sooner than expected

They have MFA now? Neat to know. Though, the reason I don't recommend them in general is that many of the artists who are currently being doxxed would face content bans those places.

Overall okay guide, but if you use MFA, don't have it tied to your phone number (i.e. SMS)

A phone number is linked to your actual name, and also if it's SMS, it's not secure.

kyiiel said:
Overall okay guide, but if you use MFA, don't have it tied to your phone number (i.e. SMS)

A phone number is linked to your actual name, and also if it's SMS, it's not secure.

That's why I specifically mentioned emails in that part, actually. I should probably update it to mention that about SMS. This is very much a "v1" guide (already at >10,000 characters) and I need to figure out how to explain more technical stuff to for a less technically inclined audience. I'm well aware there's a lot more you can do, and I do intend to update it with stuff like avoiding infostealers/IP grabbers and the like.