Dox'd by Design
Your personal data is already leaked, on purpose, and the standard advice does not work: rotation only fixes identifiers that rotate. A five-step protocol, walked through a client's leaked phone number, for making data you cannot un-leak useless to whoever holds it. It can identify you. It must never authenticate you.

One of my clients has a phone number that anyone can find. It has been scraped, brokered, and posted. Type it into the right box and his name comes back, then the town he lives in, then a good deal more.
The advice every guide gives is to change it. He won’t. He has had that number for twenty years. His mother has it. His first customers have it. Changing it would cost him more than the exposure does, and he knows it.
He is right. Rotation only fixes identifiers that rotate, and the ones that matter do not: Social Security number, date of birth, the deed on your house, your face. The phone number is the easy case. Defend it in place and you have the method for the rest.
You are dox’d by design
Start from the fact and not the fear. The dossier on you already exists, and it was assembled on purpose. Type your own number into the same box he was found in. The profile that comes back is not hypothetical.
Some of it is law. Property records, voter rolls, court filings, and business registrations are public by statute. Voter files alone carry “millions of people’s names, dates of birth, and home addresses,” some otherwise unpublished, as Michael Bazzell catalogs in his work on breach data. Your date of birth, the one a bank will read back to confirm it is really you, is sitting in a file the state hands out.
Some of it is business. Shoshana Zuboff named the engine in The Age of Surveillance Capitalism: an “extraction imperative” under which “raw-material supplies must be procured at an ever-expanding scale” and users “became the unwitting suppliers.” Data brokers exist to aggregate the public records with the purchased ones. In 2018 a single marketing broker, Exactis, was found sitting on an open database with detailed records on more than 200 million people: names, phone numbers, addresses, religion, politics, household details, no password required. That is not a breach of the system. That is the system running as designed.
And some of it is required. Know-your-customer law forces every regulated exchange to record exactly who you are. Andy Greenberg’s Tracers in the Dark makes the point in the crypto context: the moment value touches a regulated venue, identity gets handed over and can be subpoenaed. The most sensitive dossier on a crypto holder exists because the law says it must.
The broker profile does not even stay still. It refills. Every change of address filed with the post office, every new utility account, every DMV record in a state that sells them, feeds back in. Bazzell’s own removal workbook is a subscription for a reason: opt out today and ordinary life re-enrolls you by next quarter.
So the breach notification emails in your inbox are not a string of accidents. They are the ambient weather of a system built to copy you. In 2026 alone, Charter Communications lost 4.9 million records with names, phone numbers, and home addresses. A Texas licensing vendor lost three million more, with passport numbers and residential addresses attached. Stop reading those emails as failures to be angry about. Read them as confirmation of the premise.
Assume the leak, and take away what it can do
Corporate security has already been through this. For years the model was a perimeter: keep the bad actors out, and trust whoever is inside. Then the perimeter kept failing, and the discipline changed its mind. Kelly Shortridge puts it plainly in Security Chaos Engineering: “Failure is inevitable and happening all the time,” and demanding perfect prevention “is setting ourselves up (ironically) for failure.” The goal moved from preventing compromise to surviving it. Assume breach. Design so that being inside the wall confers nothing.
Run that transplant on a person. You cannot prevent the leak. So stop spending your effort there and spend it making the leaked data inert.
Your personal data can identify you. It must never authenticate you.
Those are two different jobs. The field has known to keep them apart for decades and betrays the distinction constantly. Bruce Schneier, in Beyond Fear: “The name and number identify you, and the picture authenticates you.” An identifier says which person this is. An authenticator proves it is really you. The catastrophe is what happens when one thing is asked to do both jobs, because, as Schneier notes, an identifier is not a secret. “You leave a fingerprint everywhere you touch.”
This is a known and named failure. Ross Anderson, in Security Engineering, tells it through the Social Security number. The Department of Defense knew the SSN had become overused, so it minted a replacement identifier, the EDIPI. And then, in Anderson’s words, “sure enough, people started using it as an authenticator instead of as an identifier.” The lesson he draws is the one this whole piece runs on: never assume today’s identifier won’t become tomorrow’s password.
There is a reason this maps so cleanly onto protecting a person. Gavin de Becker, who has spent a career on exactly this problem, found that the loudest signal is almost never the dangerous one. “Not one successful public-figure attacker in the history of the media age directly threatened his victim first.” The threatening letter is not the attacker. The dossier is not the attack. What matters is not who knows the fact but what they can do with it. So we take away what they can do.
One scope note. Reducing what you leak going forward, fewer brokers, tighter settings, aliases instead of your real address in forms, is its own discipline and I have written about it separately. It will not save you here. The data is already gone.
Five steps. Walk them through the phone number first, where the stakes are an inconvenience. The mechanics are identical for the identifiers where they are not.
The five steps, walked through a phone number
1. Map the blast radius. Not “who has my number,” which is everyone, but “what can my number do.” Walk every account and write down where the number is load bearing. It is your login recovery here. It is your second factor there. It is the name on file at your carrier, which is itself an account someone can attack. A phone number is, in one OSINT researcher’s phrase, “a semi-permanent digital identity, linking an individual across platforms.” It is exactly as powerful as the privileges you have quietly attached to it, and the list is almost always longer than you expect.
2. Strip its authentication power. Everywhere the number authenticates, remove it. Take it off as an account-recovery method. Turn off SMS two-factor and replace it with an authenticator app or, better, a hardware key. SMS to your number is a factor an attacker can steal without ever touching your phone, by stealing the number. Anderson again: attackers defeat SMS-based authentication “by SIM-swap fraud, pretending to the phone company that they’re the target, claiming to have lost their phone, and getting a replacement SIM card.” Once the number cannot recover or authenticate anything, most of the leak’s value is already gone.
3. Harden the one place the number is itself an account. You cannot make the number secret, but you can make it hard to steal. The number lives as an account at your carrier, so lock that account: set a port-out PIN and turn on the carrier’s number lock. Then know that the PIN is only as good as the least careful employee who can override it, and the SIM-swap record is full of reps who did. Bazzell’s fix is structural, and it is the one that fits a man who won’t give up his number: port the number to a VoIP service and keep it there. He never loses it. It still rings. But it is no longer a SIM a swap can seize in an afternoon, and stealing it becomes a week-long fight instead of a phone call.
Do not mistake a locked line for a clean one. A number that has already leaked is burned for authentication, on any carrier, forever. So demote it. The leaked number becomes inbound-only, a line that rings for the people who have always had it and authorizes nothing. Anything that needs a number for real gets a fresh one that has never been published.
4. Stop answering the phone. Start monitoring the frequency. A leaked number is no longer a phone line you pick up. It is a radio frequency, and most of what comes across it is noise: scam calls, scam texts, spoofed caller ID, a cloned voice reading a script. The mistake is treating every transmission as either a real call or a threat. It is neither. The default is not to listen. The handful of people who matter ring through; everything else lands in a pile you never read yourself. What reads the pile comes next. And when something does ask you to act, verify on a path you control: hang up and call back a number you already trust. The professionals call it callback authorization. For a family or a team, agree on a verification phrase. In a year when a cloned voice can beg for help in your child’s voice, the phrase is not theater. It is the authenticator the voice no longer is.
5. Turn the leak into a tripwire. Now that the number authenticates nothing, the noise on that frequency stops being a nuisance and starts being intelligence. This is the oldest good idea in detection. Cliff Stoll’s honeypot in The Cuckoo’s Egg worked because any access to it was, by definition, unauthorized. Richard Bejtlich built a discipline on the premise that “prevention eventually fails,” so you instrument to detect. A leaked identifier you have already defused is a free sensor.
But you do not watch it. That mistake rebuilds the hypervigilance we just tore down. Inbound from an unknown number is ignored by default, unread by you. A machine reads it: a filter, an assistant, whatever robot you can point at the channel. It surfaces the two things worth surfacing. The first is a threat: the same pretext arriving three ways, escalating, using real details about you. That is not weather, that is someone working, and now you know. The second is quieter and more useful over time. Every so often the machine finds a person who actually matters still calling the burned line, an old client, a relative who never got the memo. That is your cue to reach back and move them to a channel that is clean, so the dirty frequency slowly empties of everyone but the noise. The leak stops being a liability and becomes an antenna you never have to sit next to.
Now the expensive one: your address
If you do one thing, do the number this weekend. The address is a project you grow into, not a bar you clear today.
Run the same five steps against your home address and watch where they hold and where they strain.
Steps one, two, and four transfer cleanly. Map where your address authenticates (it verifies identity for more services than you would guess). Strip that power where you can. Treat the knock and the unexpected package as transmissions on a public frequency, not as proof of anything.
Step three is where the address is genuinely harder, and it is worth being honest about why. A phone number has a carrier, one account you can lock. A house does not. So the mitigations are heavier and slower. You put the title in a trust, a legal container with someone else’s name on the paperwork, so your name never appears on the public deed. You route mail through a commercial address, not your door, knowing a PO box fools no database built to scrutinize residential data. You treat broker removal as recurring maintenance, because a mailbox change propagates to the credit bureaus and the people-finding databases within about thirty days whether you like it or not. Notice that every one of these mitigations adds a human who knows the real address: the trustee, the mail clerk. Each is a phone call an attacker can social-engineer. Assume-breach does not stop at your own front door. It includes theirs. What remains is residual risk, and for a known crypto holder it is not abstract. Andy Greenberg followed the blockchain to an “ordinary home.” An attacker can do the same math.
The five steps still hold. They just cost more, because the identifier is one you were never going to be able to rotate. Which was the point of practicing on the phone number.
If you build the systems
If you build software, reread everything above, because all of it was cleanup after a decision someone like you made. Every place a leaked fact still does damage is a place some system accepted knowledge of the fact as proof of the person. Anderson’s warning is written for you: do not let today’s identifier become tomorrow’s password. Design as if your user table is already public, because a copy of it probably is.
The posture, not the win
You do not get to delete the dossier. It is out there, it is accurate, and next quarter it will be more complete. That is not the failure condition. That is the starting condition, and it is fixed.
That you have to do any of this is the real scandal. The companies that turned your date of birth into a password built this problem, and until they are the ones who pay for it, they will keep handing you the cleanup. Architect your way out anyway. Just do not mistake the personal fix for justice.
What you get instead is a number that identifies a man and authenticates nothing. An address that appears in a hundred databases and unlocks not one account. A leak that has been read, understood, and reduced to a tripwire. He kept his phone number. He simply made it safe to have leaked. And once a year he attacks his own defenses the way they will, to find the identifier still doing a job it should not. Do that with every identifier you cannot change, and being dox’d stops being a crisis and becomes a fact you have already handled.