February 2, 2019

Doxing attack against media: Germany hit by global trend

After the recent cyberattack on German politicians, celebrities and journalists Reporters Without Borders (RSF) observes with great concern that following various incidents in other countries journalists in Germany are now also confronted with “doxing” attacks, a practice in which personal information is published with the aim of damaging the reputation of the targeted persons. RSF expects this dangerous practice to become more commonplace in Germany, posing a risk to journalists’ personal safety and their sources.



On Friday, January 4th, it came to light that links to the private data of politicians, satirists, actors and journalists had been published daily on the Twitter account @_0rbit since the beginning of December as a kind of advent calendar. But it was only on the January 4th, when various media outlets analysed and reported on the leaks, that this became known to the general public. Among others, employees of the German public broadcasters ARD, ZDF and their web service for youths and young adults, “funk”, were affected by the leaks.


RSF analysed the data and came to the conclusion that contrary to initial media reports of a major “hack” against media companies, this was more a targeted doxing of journalists and other individuals in the public eye. This is the first time German journalists have been doxed on a large scale, meaning that a trend that media workers in other countries have had to contend with for some time has now arrived in Germany.


“The doxing of journalists is not a trivial offence, but an attack against the integrity and freedom of the media in general," said RSF Germany’s Executive Director Christian Mihr. "The current 'hack' shows clearly that media can protect themselves against such partisans with simple measures. We urge all journalists to take these measures promptly to protect their own data and those of their colleagues."




One of the biggest doxing attacks on a media outlet to date took place in the US in June 2018 against journalist Luke O'Brien and other Huffington Post staff members. The trigger was a report by O'Brien in which he identified the person behind the infamous Twitter account @AmyMek. At the time, the account had over 230,000 followers and was known for spreading far-right propaganda, crude conspiracy theories and vocal support for US President Donald Trump. After five years of anonymity O'Brien revealed, on the basis of extensive research, that the account was operated by a 45-year-old New Yorker named Amy Jane Mekelburg.


According to an analysis by the US-based Digital Forensic Research Lab a movement comprising hundreds of users who regarded O’Brien’s article as doxing then formed on social media and right-wing platforms. O’Brien and his colleagues at the Huffington Post were bombarded with hate posts on social media and at the same time the digital mob gathered all the information available about the editorial staff and compiled it into extensive lists of personal information such as phone numbers and home addresses. Frequent calls were also made for the information to be used for further action against the journalists, for example threatening phone calls or personal "visits".




Several cases of doxing attacks against media outlets have also come to light in Brazil. At the end of last year, RSF Germany trained a reporter working for the online magazine Vice Brazil in digital security as part of its Berlin Scholarship Programme for empowering journalists in the digital field. She became the target of doxing in her country after attracting the unwelcome attention of far-right trolls with her intensive coverage of illegal sex work in Brazil and feminist issues. Although the trolls openly supported Brazil’s new far-right president Jair Bolsonaro, according to research by RSF Germany they had no direct ties to either the president or his party. However, they had been stirred up by Bolsonaro’s fierce rhetoric against the media and saw themselves as supporters of his movement. The journalist was first bombarded with hate posts, then she and her family were doxed.


Entrepreneur Luciano Hang also made headlines in Brazil when he posted the mobile phone number of journalist Ricardo Galhardo on Twitter after the latter raised questions about his support for Bolsonaro’s election campaign. According to the Brazilian Association for Investigative Journalism (ABRAJI), Galhardo received hostile text and WhatsApp messages for days as a result.


In an extensive report, RSF documented a number of similar cases from around the world in the summer of 2018 and published a list of 25 recommendations for ensuring that journalists are better protected against cyberattacks.




The arrest of a 20-year-old student from the central German state of Hesse suspected of carrying out the data breach seems to confirm that in the German case it was not foreign intelligence agencies that were at work, but a single perpetrator. The analysis of the data cache also suggests that the attacker did not have very advanced technology at his disposal, but simply invested a great deal of time in searching for private data and preparing it for publication. However, the accounts of certain journalists were also hacked, providing access to details from address books and chats and other personal information.


The case shows how vulnerable journalists can be even vis-à-vis supposedly harmless attackers if they don’t follow the basic rules of cybersecurity. RSF recommends that after this incident everyone who works in the media sector revise their own security standards. Journalists, in particular, should use stronger passwords, avoid using the same password for different purposes, and always secure their accounts with two-factor authentication. This applies not only for work-related profiles, but also for private ones and those of persons close to them, such as family members and friends.




In addition, the attention this data theft has received in the media is likely to encourage copycats. As a result, we can expect doxing attacks to become more frequent in Germany. RSF therefore also recommends that in future media outlets refrain from reporting on such cases until they have thoroughly examined the material. The amount of attention this case has attracted in Germany is unwarranted in view of the quality of the data.


RSF also takes a critical view of the various political reactions to the case, which included calls for intelligence agencies to be given more powers. It is highly questionable whether increased powers would enable the already well-equipped agencies to better protect the online activities of millions of citizens. Rather, the population needs to be sensitized to the dangers of doxing, and steps should be taken to ensure that citizens significantly increase their own security through simple measures.




Even before the current doxing attack RSF had already begun work on setting up a digital help desk that is to be launched in March. It will provide journalists with information on cybersecurity and behaviour strategies, and from April on will also offer online seminars on a regular basis. In addition to the “classic” threats such as state surveillance of communications the service will focus on new, “softer” types of attack, on how to deal with hate speech, and on account management.


Germany ranks 15th out of 180 states on Reporters Without Borders’ Press Freedom Index.