[deleted]

A comprehensive guide on how to stay safe on youtube and keep yourself from getting doxxed/swatted/etc. (written for Twitch-streaming, but applicable for youtube as well)

Hi, my name is none of your goddamn business, and I'm here to tell you guys a bit about how to keep yourself safe while live-streaming or uploading content on the internet.

It's a topic that isn't talked about often enough in my opinion, and the only time we ever hear about it is when it's already too late, and someone got doxxed, swatted or otherwise harassed again.

I'll try to explain how to minimize the chance of this from happening to you. Be aware however that, as with all things in cyber-security, you can only ever try to be one or two steps ahead of anyone trying to harm you - there is no such thing as 100% safe (unless you simply stop/never start streaming), and anyone trying to tell you so is a liar.

To do this I will walk you through how I, as a hypothetical attacker, would try to cause you harm, and then explain how you could stop me from doing so.

1. What dangers even exist?

When you are streaming, you obviously want to entertain your audience, without having to worry about someone ruining your life. Sadly there are always elements on the internet who find joy in doing just that. There are plenty of ways to ruin your life on the internet, and here are some to watch out for:

  • doxxing: this term describes a practice where the person trying to do you harm is gathering information about you (e.g. your home address, your phone number, your real name, information about your family and loved ones, etc.) and then causing harm to you with it (be it by releasing the information or blackmailing you into doing something so they don't release it).

  • swatting: this term describes the practice of the person trying to do you harm calling the police while impersonating you, announcing that they/you plan on killing people/blowing up a bomb/etc., which forces the police to respond with force, usually ending with a SWAT team (hence the name) storming your home. Doxxing is a prerequisite for this, as no threats can be called in if the other person doesn't know where you live.

  • self-destruction: I use this term to describe unfortunate events like accidentally broadcasting compromising things about yourself without planning to do so. Examples would be showing your browser history, your porn preferences, illegal material on your computer, controversial opinions not meant to be heard by your audience, etc. It can also be information about yourself that is released, which would result in you basically doxxing yourself.

2. TL;DR: How do I keep myself safe?

Most dangers boil down to this: for one reason or another people learn things about you that you don't want them to know.

The solution to this is rather obvious when you think about it, but a lot harder to actually implement in reality than one would expect: only give out as much information as you need.

3. How do these people even gather information about me?

If I was an attacker, the first thing I would do when doxxing you would be to create a list of all the information that I already do know about you.

That would be:

  • Your username on Twitch

Depending on how careless you are on your stream, it could also include even more information.

Here's information I would most likely find rather easily:

  • Your steam/origin/uplay/gog/gamingplatformofyourchoice username (shown on screen when playing a game)

  • Your nickname (what your friends call you or how you introduce yourself, in case that's not identical with your username)

  • The country you live in (most of the time mentioned by the streamer themselves, written in their stream info, or by educated guess via the time they stream at)

  • The usernames of your friends (if you are streaming with other people)

Here's information that I won't find from every streamer, but there's a good chance I'll find at least one of those in your stream:

  • Your age or even birthdate (mentioned how you are older/younger than someone else, you uploaded a birthday-special, you always tend to upgrade your PC every year in the same month)

  • Your real first name (variations of a nickname are used by your friends, you told your audience your first name)

  • Your level of education (you told a story from your time in school, in which you most likely will tell what type of school you visited)

  • your email address (if you have contact information in your description or if you accept paypal donations).

4. How they get the 'juicy' information

Once I have some of this information, as an attacker I would then try to connect your online identity to your offline identity. To hurt or intimidate you, I'll need a way to interfere with your real life, something you can't just ignore by blocking me online.

This usually works by searching for information I already know about you, and then finding the same information on other pages.

Example scenario: I know your Twitch username, I know that you use the same username on steam, and I know that you live in the US (but not where).

First I'd search through the accounts I already know about for additional information. Maybe you didn't reveal your real name on twitch, but for some reason added it to steam.

Other information that can often be found on steam are:

  • your country (which in this scenario I already know though)

  • other usernames (steam allows username changes, but makes previous usernames public to combat scammers)

  • your friendlist (extremely helpful, as your friends might be less paranoid about security than you are)

After adding all information I found to my 'things I know'-list, I'll simply search for your username via google, hoping that you've used the same username elsewhere.

Most likely I'll be successful - if you already use the username on twitch and steam, using it on a third or even more sites isn't that far-fetched.

Then I'll look through these other sites in a similar manner to what I already did on steam.

My next step would be to somehow find your personal facebook account. The easiest way would obviously be if you were foolish enough to use your username as custom URL on facebook, because then I'm already done.
If you haven't however, there's a good chance that you (like so many others) kept many facebook settings on default, which allows me to find you if I find out your email address.

For this I can obviously simply try yourusername@ and try different big mail providers (gmail, yahoo, etc. - if I knew you weren't from the US, I could also try the biggest mail providers in those countries), and have a chance of finding you.

If you were smart enough to use a different email address for facebook however, I'll have to get a bit more creative.

I could work my way along all information I can find, connecting one piece of information to another, hoping to find a line that connects your path through the internet (e.g. you created your first email address and username, later wanted username@emailprovider, then signed up to a site using this new email, but under a different username, then later signed up somewhere else with this new username and a completely new email, etc.)
If I follow this path backwards for long enough, I might find something that allows me to identify you as you.

If all that doesn't work, then you are already better protected against doxxing than 90% of the other users out there.

But better than 90% is still not 100% secure, and as such, as someone with too much free time and the proper motivation, I could still find you, if I only get creative enough.

I could insert the username I know into a database that was released as the result of a hack (e.g. from when yahoo, adobe, teamviewer or many other sites were hacked), and get the password you used back then (or your encrypted password from back then). Then I search within this and other databases for accounts that share the same password (or encrypted password), and with a bit of luck you are someone who uses the same password on different sites.

This way I could connect two accounts, which share neither email address nor username, simply because they have the same password.

If I find multiple accounts, it might be because your password is very easy to guess and was also used by other people - in which case I might abandon the doxxing approach and might switch directly to taking over your twitch account and deleting it.

From the accounts I find I'll then try to filter out all false positives by comparing all info I already know with new info, and get rid of those with conflicting information (e.g. one account was registered in France, but I know you are from the US -> not you).

With this new information I'll likely have enough information to find your facebook account.

If your facebook account isn't properly set up, this is already pretty much game over for you: knowing your real friends, the school you visited (or still visit), private pictures and other information make it really easy to find your general location, and one google streetview-drive later (comparing the view to pictures on facebook, things I might have seen on your stream or similar) and I'll probably even know the street you live in.

From there on I simply have to compare the addresses in the street with a telephone book, and I'll probably have found out your address, your phone number and your real family name.

5. This scenario doesn't reflect my situation - do I have to worry?

As you saw, my scenario assumed very little information about you - I only started with your username on twitch, that you have the same name on steam and your general location (the country you live in), and two of those things (location and that you have the same name on steam) aren't even all that helpful, as those are things I would've probably found during my search anyway.

What you should take away from this story (if nothing else) is this:

The most dangerous and revealing information about you most likely isn't on Twitch, but on other sites you use.

Doxxing, at the end of the day, boils down to making educated guesses and assumptions about your surfing behaviour, and connecting breadcrumbs of information to form a larger picture, to make even more accurate guesses.

To keep yourself safe while streaming, what you want to do is to minimize the amount of connections between your streaming identity to your other online identity to your real-life identity.

Simply not using the internet is not a practicable solution for most people, and as such there will always be information on the web that can be tracked back to you.

But as long as you make it extremely hard to find this information, you effectively decrease the amount of people that are both capable enough to find these connections and that would bother to invest the amount of time needed to do so.

6. Enough abstract talk, give me some real tips on what to do!

The following things are ways that can allow me as an attacker to connect information about you. Not all of these things are obvious at first glance, so I'll include a one sentence summary of how it could harm you if I deem it necessary.

  • email address used on multiple sites:
    allows me to connect all accounts that use this email to one identity.
    Solution against it: If you are just getting started with streaming, use different email addresses for every service (steam, origin, twitch, youtube, facebook, etc.) you sign up to, and make sure those different addresses aren't obviously connectable (usernameonyoutube@something for youtube and usernameonfacebook@something for facebook are better than using the same address, but worse than asdfasdfasdfasdf12345@something for youtube and hjklhjlhjklhjkl54321@something for facebook)

  • username used on multiple sites:
    allows me to connect all accounts that use this username to one identity.
    Solution against it: a different username for every service.

  • use a VPN if possible to prevent your IP from leaking:
    IPs can be used to connect multiple accounts via location-searches.

These two things above are obviously something that just aren't possible to retroactively do if you have already used the same username and email for many many years. If completely separating all accounts isn't possible, you will want to do the following instead:

  • create one email address for facebook and other social networking things

  • create one email address and username for your general internet usage

  • create one email address and username for your streaming persona

  • change the password of every single account you own to a unique one that you only use on that account (not just to make hacking you harder, but as explained, also to prevent connecting identities via leaked password hashes). You can use a password manager like keepass to keep track of them.

  • change the old email addresses of your existing accounts to fit these categories

  • make sure that none of these email addresses use one another as recovery-email!

  • go through your facebook account and delete all mentions of your internet username and your streaming username

  • set all your facebook privacy settings to maximum, make your friendlist invisible to the public, disallow search for your facebook account using your email address, disallow people tagging you in their photos, etc.

  • go to all internet forums where you used your old username, go through your post history and delete everything that connects this username to the streaming username or your real identity (this will take forever, I tell you)

  • go through your past videos and streams and write down which are the ones that mention too much information about you. Delete or set them to private all at once, so there's as little time as possible for someone to mirror them.

  • In all accounts you have, delete all non-essential information from the optional biography.

  • Create new profile pictures (and signature pictures where needed) for all your accounts, to prevent reverse-image-searches. If you have used the same profile picture on multiple accounts, delete the images or set them to private.

  • If you own a domain, make sure it is registered with a webguard, otherwise your identity is public anyway and can be seen by everyone using whois-lookup (the information available to the public when registering your domain includes your full name, address, telephone number and IP address)

And if you are done with all that, use the google cache refresh tool to prevent your old information still showing up using google search: https://www.google.com/webmasters/tools/removals?pli=1

That's pretty much all I can think of in regards to keeping your identities separate, but there's still more general tips to prevent you from doxxing yourself during your stream, or general tips on how to keep you safe:

  • Inform your friends to minimize the amount of data being released by them

  • Make sure your Skype client (if you have and need one) is up to date, as older versions of Skype leak your IP address, allowing attackers to find your general location if you aren't using a VPN

  • if accepting donations, do not use a paypal account that is registered to your home address and real name, as attackers can simply find your name by donating you money.

  • do not click on links sent to you by your audience. If it is absolutely necessary, open them inside a virtual machine and using a VPN, to prevent attackers from finding out your real IP address or infecting your computer with malware

  • do not film out of your window or outside your house. If you do need to film something outside, don't film your car and licence plates, only start filming at least half an hour away from your house, if possible do not film the sky to prevent triangulating your location via flight-paths and star positions, do always film at the same location to prevent people from finding several locations you've filmed at, which if they are all about the same distance from your house would again allow for triangulation

  • do not accept steamkeys from fans, or if you do so, do not activate them on your main steam account

  • If you feel comfortable doing so: lie to your audience about unimportant things. If you say that your birthday is in august, when in reality you were born in september, if you claim your name is Henrik if it in reality is Henry or even Stephen: all of those are things that will not decrease the amount of entertainment your audience receives from watching you, but will drastically increase the amount of effort needed to find your real identity

  • do not like or favourite things on your main accounts, which only your streamer account should know about

  • create false leads: create accounts with the username of random people you found on the internet using your email addresses (but be consistent with who is connected to what strange identity, unless you accidentally want to create new connections between your own accounts), create accounts with your own username but throwaway mails which include false information about you (or real information of other people), etc.

But most importantly: don't offer information that you don't have to give away.

7. Closing thoughts

I know that I've dumped quite a lot of stuff on you here, and I don't expect everyone to follow all of these. But even attempting to follow some of my suggestions will ultimately drastically increase the effort needed by attackers to find useful information about you - and at the end of the day, that is all that security on the internet is about: make attacking you just complicated enough that they will grow bored and go for an easier target instead.

You can probably tell that I do know a bit about this type of thing, and I could even tell you why, but I won't.
Because after you've read all of this, you should probably have learned a thing or two, none of which are a single detail that could lead to my identity. Am I a big twitch star or youtuber? Do I even use twitch or youtube? Am I male, female or something else, do I come from the US, the EU, Asia or somewhere else, and is my style of typing how I really type, or did I write this advice in a different language and simply corrected glaring mistakes from the google translated result?

Privacy is not sharing the information that no one else has any business of knowing, and I live by that rule - and I think you should too (within the boundaries of still wanting to perform your hobby of livestreaming obviously).

If you have any suggestions on things that I might have missed, simply write them below. If you want to share this guide somewhere else, translate it or create a video-tutorial based on it, feel free to, as I declare this whole text to be public domain without the need of giving credit.

I hope you enjoyed what I had to tell you, stay safe

  • TwitchThroaway
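
The links the guide warns about (shared username, shared email, reused password, recovery address pointing at another account) can be audited against your own account list. The following Python sketch is an added example, not part of the original post; the inventory, the field names and the `pw_tag` labels are constructed for illustration, and service names are assumed to be unique.

```python
from collections import defaultdict
from itertools import combinations, permutations

# Constructed sample inventory (not real accounts). "pw_tag" is a private label
# meaning "which password is this", never the password itself.
ACCOUNTS = [
    dict(service="twitch", persona="streaming", username="StreamFox",
         email="sf-7731@mail.example", recovery=None, pw_tag="pw-A"),
    dict(service="steam", persona="streaming", username="StreamFox",
         email="sf-7731@mail.example", recovery=None, pw_tag="pw-B"),
    dict(service="forum", persona="general", username="oldnick99",
         email="oldnick99@mail.example", recovery=None, pw_tag="pw-A"),
    dict(service="facebook", persona="social", username="h.example",
         email="private-fb@mail.example", recovery="oldnick99@mail.example", pw_tag="pw-C"),
    dict(service="paypal", persona="social", username="h.example2",
         email="pay-55@mail.example", recovery=None, pw_tag="pw-D"),
]

def find_links(accounts):
    """Map (service_a, service_b) -> list of shared attributes tying them together."""
    links = defaultdict(list)
    for field in ("username", "email", "pw_tag"):
        by_value = defaultdict(list)
        for acc in accounts:
            if acc[field]:
                by_value[acc[field].lower()].append(acc["service"])
        for services in by_value.values():
            for pair in combinations(sorted(services), 2):
                links[pair].append(field)
    # A recovery address that is another account's login email is also a link.
    for acc, other in permutations(accounts, 2):
        if acc["recovery"] and acc["recovery"].lower() == other["email"].lower():
            pair = tuple(sorted((acc["service"], other["service"])))
            links[pair].append("recovery")
    return dict(links)

def cross_persona_leaks(accounts, links):
    """Links that join accounts meant to belong to different personas."""
    persona = {a["service"]: a["persona"] for a in accounts}
    return {p: why for p, why in links.items() if persona[p[0]] != persona[p[1]]}

def reachable(links, start):
    """Every service that can be chained to from `start` by following links."""
    graph = defaultdict(set)
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    seen, todo = {start}, [start]
    while todo:
        for nxt in graph[todo.pop()] - seen:
            seen.add(nxt)
            todo.append(nxt)
    return seen

if __name__ == "__main__":
    links = find_links(ACCOUNTS)
    for pair, why in sorted(cross_persona_leaks(ACCOUNTS, links).items()):
        print("separate these:", pair, "shared:", ", ".join(why))
    print("reachable from twitch:", sorted(reachable(links, "twitch")))
```

In the sample, the streaming account reaches the facebook account in two hops (a reused password, then a recovery address) even though the two share no username or email, which is why the guide asks for unique passwords and independent recovery addresses.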

Archived post. New comments cannot be posted and votes cannot be cast.