A lot of people at the center of a catastrophe find themselves saying, “I never thought it’d happen to me.” Despite having been on the Internet long enough to know I should have been using strong passwords, I’d never thought anyone would bother to try to hack my accounts, so why would I bother making a password that contained uppercase letters, numbers, symbols, the painted nails emoji, two numbers that haven’t been invented yet, and one terrible secret?
That was until the flood of tweets from my own account — ones that I didn’t recognize. After a beat of confusion, I realized that a mob inspired by my ex’s rambling blog post attacking me with half-truths, lies and private information, and that would later organize into the movement known as GamerGate, was two steps ahead of me. I had been hacked, and someone was in control of my account, broadcasting whatever they felt like to my 17,000 Twitter followers as well as to all the creeps who had been manually lurking on my page. Worse still, they had already mobilized to discredit me, claiming I had faked the attack on myself for attention.
My phone started ringing, but I didn’t look at it just yet — I assumed it was concerned friends reaching out to tell me I had been compromised. Messages were still being posted to my Twitter account, but they were all linking to Tumblr. I had synced my blog with my Twitter account to automatically tweet a link anytime I posted there. That night, it worked as an open back door. A single insecure password on one site I barely used was all that it took to inflict maximum damage.
It only got worse from there — turns out “funkyfresh” (or something similar) wasn’t the kind of secure password that holds up when you have a horde of angry people trying to figure out any way into your life. Whoever had broken into my Tumblr also figured out that it had the same password as an eBay account that I’d used once to buy a pair of boots and forgotten about. The credit card tied to it was mercifully out of date, but the shipping address I’d given the seller wasn’t. The hackers weren’t just posting calls for me to die or talking about what a fat slut I was; they were sharing my personal information: my old address in Canada, cell-phone numbers from a few years back, my current cell-phone number and my current home address. They had edited the post in which I’d talked about standing my ground and not negotiating with online terrorists and replaced it with information showing that they knew where I was and where my family lived.
This kind of attack is known as doxxing. Doxxing (named for documents, or “dox”) is the public release of someone’s private information. Some argue over what constitutes a legitimate “dox” because of how freely available personal information is online, but my personal definition is the act of publishing someone’s personal information, for which there would be a reasonable expectation of privacy, in order to intimidate or threaten.
My phone continued to ring with calls from unknown numbers. My boyfriend at the time, Alex, answered it once, lowering his voice, hoping that the person would think they’d gotten the wrong number and would back off. In the quiet of the tiny room, I could hear grown men on the other end, asking if I could come suck their d—s if they promised to give my game a good review. People openly discussed on Twitter what had happened when they’d called my number and, to my horror, what had happened when they’d called my dad.
I rushed to change any accounts I could think of that had the same insecure password as emails came in to my main account notifying me that people were attempting to manually reset my stronger ones. My blood turned cold as I tried to focus on the task at hand and not think about how long they’d had my passwords and what else they had been able to steal. I’d push off feeling sorry for myself till later — every second matters when thousands of people are trying to infiltrate your life.
Sometimes it was easier to flat-out delete accounts than it was to go through the tedium of changing often hard-to-wrangle privacy settings, setting a new password, verifying it and setting up outside authentication options. It might sound trivial, but it was wrenching to delete so much of my life, like burning photo albums to make sure no one saw a private note written on the back of one photograph. In my haste, I deleted the account that hosted the award-nominated trailer I had made for my game Depression Quest, which I no longer had the backup for and is now gone forever. But my safety was at stake, and I was one person racing an unknown number of obsessive strangers who at this point seemingly knew my own life better than I did.
Hacked accounts are only one source of intel. We can also be our own worst enemy — a lot of people give out their information online without thinking anyone would ever possibly use it for things like this. You’ve likely given your birth date to more websites than you realize, and a home address and phone number are required to buy any website domain, with those details recorded in a public database that you have to pay money to remove yourself from.
Aside from flat-out posting your own vital information, a lot of people don’t think twice about privacy settings or what they share about their lives online, and in a perfect world, they wouldn’t have to. But in my case, photos I had posted were pored over for clues. Nonprivate friend lists or people with whom I’d publicly interacted online became potential targets if they seemed like they’d be useful to the mob.
Even if you have better Internet hygiene than I did when I got hacked, you could be in a searchable public database without knowing it. Buried in the End User License Agreements or privacy policies of most sites is a tiny clause letting you know that your information could end up elsewhere. Third-party information broker sites like Spokeo are a favorite tool of doxers. These sites are like a digital white pages where anyone can search your name (often for free) and find a list of home phone numbers, known addresses, the names of family members or other residents who have lived at those addresses at the same time, and more.
I started to get emails from previous employers asking if I had been using them as a reference for new job applications. Internet randos had been calling them, trying to get more information to use against me. I had to be concerned not only with how much information I’d put out there about myself but how much information other well-meaning people might share.
I was lucky that I was staying with friends when I became a target because it made my current physical location harder to track. Most targets don’t have that luxury. Obnoxious, the alias of a hacker who habitually abused geeky women who had rejected him online, used small pieces of public data to dupe customer service representatives into giving him personal information about his targets, including passwords and other account info in addition to vital data. He used this information to terrorize his victims and their families until he was arrested, and later pled guilty to twenty-three criminal charges, including harassment, extortion and false police reports.
In one of the many threads that coordinated the stalking and assembling of “my file,” an anonymous poster claiming to be an ex popped in to point people to the pinup modeling I’d done under another name. Those photos were eventually stolen off a site and disseminated by the mob. I had been very careful to disconnect myself from those images, especially since I was working in an industry that already has its fair share of boob-related issues. The pictures were now plastered all over my blog; broadcast to my fans and colleagues; and individually sent to me, Alex and my dad.
Given that these “detectives” are working backward, there’s often incorrect information in a dox. I frequently see information about two other women who share my name included in the mob’s dossiers. If either of you is reading this, I am so sorry.
Mobs never stop at just the original target and will dig into friends’ and families’ identities as well. In fact, I have never seen a dox that didn’t include someone’s family if they had any (and sometimes incorrect family members if they don’t). One of the first things I ask other people who have been targeted by online abuse is whether the mob latched on to a weird theory that they’re secretly rich, and almost every time, they ask how I could possibly have known. Through the magic of six degrees of separation, lazy Googling and the total absence of logic, it’s easy to connect a last name or a supposed relative to someone influential or rich. Surely, it’s easier to rationalize a crusade to ruin someone’s life if you can tell yourself they’ll just go cry into their big pile of money.
Everything the “detectives” find is documented and distributed through various outlets. In my case, “megathreads” would pop up on 4chan that kept getting larger, linking to external files that had photos of me along with my personal information, screenshots of my social media accounts, images users had made to defame me, and some of their favorite abusive things that had been said to me. People would download these files, add to the cache and reupload it, organizing all of their talking points and ammo in a centralized location.
All of this left me feeling violated and suffocated. It was hard to do anything but panic. I suddenly felt overexposed to the worst possible audience.
The fact that they were trying to mess with my family both infuriated and disturbed me. It’s one thing to be the target; it’s another thing to have to warn a friend or loved one that hordes of awful people are about to stalk them, too. And the rape and death threats started to feel terrifyingly real now that every conceivable detail of my life was at the mob’s disposal.
This article is adapted from Crash Override: How Gamergate (Nearly) Destroyed My Life, and How We Can Win the Fight Against Online Hate. Published in September 2017 by PublicAffairs, an imprint of the Hachette Book Group.