Incognito — November 2025: Did You Know Companies Dox You Every Day?

Welcome to the November 2025 issue of Incognito, your monthly dive into privacy and security with DeleteMe.

This month: 

• We’re talking about doxxing. Did you know companies dox you every day?
• She cracked Osama bin Laden’s phones: In a recent episode of “What the Hack?” forensics expert Heather Barnhart of the SANS Institute talks about decoding Osama Bin Laden’s phones and the digital clues that helped convict quadruple murderer Brian Kohberger. Listen here.
• Essential reading: New privacy laws, Google’s decision to scrap its Privacy Sandbox project and yet another service caught selling kids’ data. 
• Q&A: “What can I say to my family and friends who don’t understand why I care so much about privacy?”

Want to Share Your Feedback?

Record your quick thoughts or feedback here. 

You’re Being Doxxed Right Now

Doxxing—the terrifying exposure of someone’s private personal details online—is a term most people associate with high-profile feuds: influencers, politicians, or those who argue with internet trolls. While those high-value targets are certainly vulnerable, the frightening truth is that doxxing can happen to anyone. In fact, it’s almost certainly happening to you right now.

But here’s the thing: You’re not being doxxed for any particular reason. Most likely no one’s out to “get you” or looking to exact revenge (two of the most common motives behind individual doxxing). You’re not being targeted by an individual. There’s an entire industry.

And their motive for doxxing you? Money. (Yes, we’re talking about data brokers.)

“In order for data brokers to make money, they must advertise our information for sale, and therefore they are doxing us,” DeleteMe’s CEO Rob Shavell observed in a recent interview with Cybernews. 

And It’s Getting Worse

In recent years, the amount of data collected by brokers has exploded. 

Four years ago, data removal services like DeleteMe found roughly 250 pieces of personally identifiable information per customer. 

Today, that number has jumped to over 700 (!!!) PII records, and that includes information like your phone number, home address, voting history, court records, what kind of car you drive, and who you’re related to.

Depending on where you live and your particular situation, you may or may not be able to hold a human doxxer accountable. But data brokers who dox you? That’s perfectly legal. 

Why This Matters

Most people don’t give information exposure much thought until it’s too late – as when just a few weeks ago, just a few weeks ago, the hacking collective The Com exposed the personal details of hundreds of U.S. government officials.

According to 404 Media, the group shared spreadsheets on private Telegram channels containing the alleged names, addresses, and phone numbers of more than 680 Department of Homeland Security officials, over 170 FBI email addresses, and nearly 200 Department of Justice employees.

One message in their channel reportedly read: “Mexican cartels hmu [hit me up] we dropping all the doxes wheres my 1m [1 million].”

The leak came just days after the Department of Homeland Security warned that cartel-connected gangs were being urged to target ICE and CBP agents, even offering bounties.

It’s still unclear how The Com obtained the data, but it’s not hard to guess where some of it might have come from. Public records, scraped websites, and data broker databases are often the first stop for hackers building doxxing lists. 

The same data that companies legally buy and sell every day can easily fall into the wrong hands.

Doxxing Lite: The Zero Cost of Bothering You

​​If you’re thinking, “I’m not a government official. This doesn’t affect me,” you’re both right and very wrong.

You probably won’t be targeted by a hacking collective or threatened by a cartel (fingers crossed). But that same data ecosystem is affecting you every single day in ways that are no less invasive.

It’s partly why your inbox is overflowing with spam. Or why your phone won’t stop ringing with robocalls. Every click and purchase you make, every online form you fill out, and every new social media profile you open is another breadcrumb to your digital identity that data brokers eagerly collect and sell.  

It wasn’t always like this. 

As marketing visionary Seth Godin explained in a recent episode of “What the Hack?” targeting people before the advent of email wasn’t cheap. Someone had to do research, correlate prospects, print collateral, pack it and pay postage–a significant  investment that filtered out a lot of noise. 

“If it’s worth 50 cents for Land’s End to bother me,” Godin said, “I will be willing to put up with that because they cared enough to spend 50 cents.” 

But online, the cost of bothering you is zero. 

Your contact details, habits, and interests are stitched together and resold until you’re reachable from every direction. The result is more spam, more scams, and a bigger attack surface for anyone who actually wants to dox you.

BTW, it could have gone a different way. Listen to Seth’s entire episode to learn the wrong turn that led us to so much spam. 

Make It Hard to Get Your Attention 

Every valid email address, active social profile, or tracked click tells the system that you’re paying attention. This makes you a valuable target. 

So what if we made ourselves inaccessible, or, at least, less accessible? Here’s how. 

Limit the signals that mark you as “reachable” 

Don’t click unsubscribe links on junk mail (it confirms your address is active), don’t interact with ads, and use tracker blockers. (It’s okay to unsubscribe from known sources.) 

Mask your contact details 

Just because you gave a company or service permission to reach you before, it shouldn’t mean they get to keep that access forever. And it doesn’t have to, if you use email and phone masking. If the company handles your trust responsibly, the masked email/number keeps working. If they sell your data or get breached, you can delete the alias and watch the spam die with it. DeleteMe offers email and phone number masking. 

Make yourself harder to spot

Stop handing out free data in real life. Skip loyalty programs that trade discounts for your purchase history, pay with cash when you can, and think twice before downloading apps that demand excessive permissions or push notifications (most exist to track, not to serve). And when a store asks for your email at checkout, don’t give them your real one. Use a masked address instead.

We’d Love to Hear from You!

Have a story for our podcast? Any privacy stories you’d like to share, or topics you’d like to see in Incognito? We’d love to hear from you!

Drop a line to Laura Martisiute at laura.martisiute@joindeleteme.com. She’s keen to hear any feedback you have about this newsletter.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape.

Governor Newsom Signs Bills to Strengthen Privacy and Data Deletion Rights

Governor Gavin Newsom signed several new privacy bills into law. This includes AB 656, a law that will make it easier for users to delete social media accounts and the associated personal data, AB 361, which expands transparency around data brokers, and AB 45, which bans geolocation data use and geofencing near family planning centers and restricts health data sharing, among others. 

Nine States Unite to Enforce Stronger Data Privacy Standards

​​Nine U.S. states (California, Colorado, Connecticut, Delaware, Indiana, New Jersey, Oregon, Minnesota, and New Hampshire) have formed a joint privacy enforcement coalition to coordinate investigations, share resources, and apply more consistent data protection rules across state lines. This collaboration aims to close gaps created by the absence of a federal privacy law and to give consumers stronger, clearer rights over their personal data. 

Google Shuts Down Privacy Sandbox 

Google officially shut down its long-running Privacy Sandbox project as a result of low adoption, ending the company’s effort to build a more private way to deliver ads without using third-party cookies. Despite dropping the initiative, Google says it remains committed to improving privacy, though traditional tracking methods like third-party cookies will continue for now.

Florida Sues Roku, Says It Sold Children’s Data to Advertisers and Brokers

Florida has sued Roku, accusing the company of illegally collecting and selling children’s data (including viewing habits, voice recordings, and precise locations) to advertisers and data brokers without parental consent. The lawsuit claims Roku violated the state’s Digital Bill of Rights by ignoring signs that users were minors and misrepresenting its privacy controls. 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: What can I say to my family and friends who don’t understand why I care so much about privacy? 

A: What a great question! And one that many privacy-minded people struggle with.

I’d also bet that you’ve probably had to sidestep some variation of: “Well, I’ve got nothing to hide, so why should I care?” If you don’t have a ready answer, that can be pretty frustrating.

One way to answer is that privacy isn’t about hiding bad things but about having control over who knows what about you.

There’s an excellent essay by the international privacy expert Daniel J. Solove on this exact topic (see the PDF version here) that I think you’ll really enjoy.

Q: There’s all these privacy things we supposedly should do. But are there any things we shouldn’t do that can protect our privacy and improve our security?

A: Yes! There are actually several common “privacy practices” that aren’t as helpful as people may think. 

Some that I found surprising: 

• Frequently changing passwords. Forcing changes every 30-60 days often leads people to create weaker, predictable passwords. Better to use strong, unique passwords and only change them if compromised.
• Declining all cookies. Always rejecting cookies can make you more trackable through something called “fingerprinting,” since your specific configuration becomes unique.
• Incognito mode for privacy. Only prevents local history storage. Your ISP, employer, and websites still see everything.

Question for our readers: Are there any “privacy” practices you have found that can backfire? 

Q: How can I know which service shared/sold my information?

One of the simplest ways to track where your information is used, sold, or leaked is through plus aliasing, which most major email providers support. 

How it works is that you add a plus (+) sign and a unique tag to the part of your email address before the @. 

For example, say your email address is “yourname@emailprovider.com.” 

When you sign up for a new website or service, use a unique alias, i.e., “yourname+sitename@emailprovider.com. 

If you start to receive unsolicited emails, check the “To” address. If the email was sent to yourname+amazon@emailprovider.com, you know that Amazon (or a company they sold your data to, or a service they use) is the source of the leak.

Note that this method doesn’t hide your actual email address. For that, you’d have to use dedicated aliases (slightly more complex). 

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

That’s it for this issue of Incognito. Stay safe, and we’ll see you next month.