It took a TikToker barely 30 minutes to doxx me
Kristen Sotakoun found out way too much about me in a consensual test of my online security.
In 30 minutes or less, TikToker and Chicago-based server Kristen Sotakoun can probably find your birth date. She’s not a cybersecurity expert, despite what some of her followers suspect, but has found a hobby in what she calls “consensual doxxing.”
“My first thing is to be entertaining. My second thing is to show you cracks in your social media, which was the totally accidental thing that I became on TikTok,” Sotakoun, who goes by @notkahnjunior, told me.
It’s not quite doxxing, which usually refers to making private information publicly available with malicious intent. Instead, it’s known in the cybersecurity field as open-source intelligence, or OSINT. People unknowingly spell out private details about their lives as a bread crumb trail across social media platforms that, when gathered together, paint a picture of their age, families, embarrassing childhood memories and more. In malicious cases, hackers gather information based on what you or your loved ones have published on the web to get into your accounts, commit fraud, or even socially engineer a user to fall for a scam.
Sotakoun mostly just tracks down an anonymous volunteer's birth date. She doesn’t have malicious intent or interest in a security career, she said she just likes to solve logic puzzles. Before TikTok, that was spending a ride home from a friend’s birthday dinner at Medieval Times discovering the day job of their “knight.” Sotakoun just happened to eventually go viral for her skills.
So, to show me her process, I let Sotakoun “consensually doxx” me. She found my Twitter pretty quickly, but because I keep it pretty locked down, it wasn’t super helpful. Information in author bios from my past jobs, however, helped her figure out where I went to college.
My name plus where I studied led her to my Facebook account, another profile that didn’t reveal much. It did, however, lead her to my sister, who had commented on my cover photo nine years ago. She figured out it was my sister because we shared a last name, and we’re listed as sisters on her Facebook. That’s important to note because I don’t actually share a last name with most of my other siblings, which could’ve been an additional roadblock.
My sister and I have pretty common names though, so Sotakoun also found my stepmom on my sister’s profile. By searching my stepmom’s much more unique name on Instagram, it helped lead Sotakoun to mine and my sister’s Instagram accounts, as opposed to one of the many other Malones online.
Still, my Instagram account is private. So, it was my sister’s Instagram account – that she took off “private” for a Wawa giveaway that ultimately won her a t-shirt – featuring years-old birthday posts that led Sotakoun to the day I was born. That took a ton of scrolling and, to correct for the fact that a birthday post could come a day late or early, Sotakoun relied on the fact that my sister once shared that my birthday coincided with World Penguin Day, April 25.
Then, to find the year, she cross-referenced the year I started college, which was 2016 according to my public LinkedIn, with information in my high school newspaper. My senior year of high school, I won a scholarship only available to seniors, Sotakoun discovered, revealing that I graduated high school in 2016. From there, she counted back 18 years, and told me that I was born on April 25, 1998. She was right.
“My goal is always to find context clues, or find people who care less about their online presence than you do,” Sotakoun said.
Many people will push back on the idea that having personal information online is harmful, according to Matt Edmondson, an OSINT instructor at cybersecurity training organization SANS Institute. While there are obvious repercussions to having your social security number blasted online, people may wonder what the harm is in seemingly trivial information like having your pet’s name easily available on social media. But if that also happens to be the answer to a security question, an attacker may be able to use that to get into your Twitter account or email.
In my case, I’ve always carefully tailored my digital footprint to keep my information hidden. My accounts are private and I don’t share a lot of personal information. Still, Sotakoun’s OSINT methods found plenty to work with.
Facebook and Instagram are Sotakoun’s biggest help for finding information, but she said she has also used Twitter, and even Venmo to confirm relationships. She specifically avoids resources like records databases that could easily give away information.
That means that there’s still a lot of data out there on each of us that Sotakoun isn’t looking for. Especially if you’re in the US, data like your date of birth, home address and more are likely already out there in some form, according to Steven Harris, an OSINT specialist that teaches at SANS.
“Once the data is out there, it’s very hard to take back,” Harris said. “What protects people is not that the information is securely locked away, it’s that most people don’t have the knowledge or inclination to go and find out.”
There are simple things you can do to keep attackers from using these details against you. Complex passwords and multi-factor authentication make it harder for unauthorized users to get into your account, even if they know the answers to your security questions.
That gets a bit more complicated, though, when we think about how much our friends and family post for us. In fact, Sotakoun said she noticed that even if a person takes many measures to hide themselves online, the lack of control over their social circle can help her discover their birth date.
“You have basically no control on your immediate social circle, or even your slightly extended social circle and how they present themselves online,” she said.