When Twitter banned Donald Trump and a host of other far-right users in January, many of them became digital refugees, migrating to sites like Parler and Gab to find a home that would not moderate their hate speech and misinformation. A few days later, Parler was hacked and then abandoned by Amazon web hosting, taking the site offline. Now Gab, which inherited some of Parler’s displaced users, has also been severely hacked. A huge trove of its content has been stolen, including what appear to be passwords and private communications.
On Sunday night, the WikiLeaks-style group Distributed Denial of Secrets revealed what it calls “GabLeaks,” a collection of over 70 gigabytes of Gab data representing more than 40 million posts. DDoSecrets says that a hacktivist who identifies himself as “JaXpArO and My Little Anonymous Revival Project” siphoned this data out of Gab’s backend databases in an effort to expose the platform’s broadly right-wing users. These Gab patrons, whose numbers increased after Parler was taken offline, include a slew of QAnon conspiracy theorists, white nationalists, and promoters of former President Donald Trump’s election-stealing plots that culminated in the January 6 riot at the Capitol.
DDoSecrets co-founder Emma Best says the hacked data includes not only all of Gab’s public posts and profiles, except photos or videos uploaded to the site, but also posts and messages from private groups and private individual accounts, as well as user passwords and group passwords. “It has pretty much everything about Gab including user data and private posts, everything someone needs to do a near-complete analysis of Gab’s users and content,” Best wrote in an interview by SMS with WIRED. “This is another gold mine of research for people interested in militias, neo-Nazis, far right, QAnon and all that surrounds January 6.”
DDoSecrets says it is not publicly releasing the data because of its sensitivity and the vast amount of private information it contains. Instead, the group says it will share it selectively with journalists, social scientists and researchers. WIRED viewed a sample of the data, and it appears to contain the individual and group profiles of Gab users (their descriptions and privacy settings), public and private messages, and passwords. Gab CEO Andrew Torba admitted the breach in a brief statement on Sunday.
Passwords for private groups are not encrypted, which Torba says the platform discloses to users when they create one. Passwords for individual user accounts appear to be cryptographically hashed, a safeguard that can help prevent them from being compromised, but the level of security depends on the hash scheme used and the strength of the underlying password.
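To make the dependence on hash scheme and password strength concrete, here is an added example (not from the original article, and not Gab's code; the scheme Gab used is not stated here). It assumes PBKDF2-HMAC-SHA256 with 600,000 iterations as the slow scheme, and the usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware budget

def fast_unsalted(password):
    # One SHA-256 pass, no salt: equal passwords always give equal digests,
    # and every guess against a leaked table costs a single cheap hash.
    return hashlib.sha256(password.encode()).digest()

def slow_salted(password, salt=None):
    # A per-user random salt plus a deliberately expensive derivation.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(slow_salted(password, salt)[1], digest)

def accounts_sharing_a_digest(table):
    # Audit check on a {username: digest} table: groups of accounts whose
    # stored value is identical, which means they share a password.
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

# Constructed sample accounts: two reuse one weak password.
USERS = {"user_a": "summer2021", "user_b": "summer2021", "user_c": "k9$Vt!e2qLx#"}

def build_tables():
    fast = {u: fast_unsalted(p) for u, p in USERS.items()}
    slow = {u: slow_salted(p) for u, p in USERS.items()}
    return fast, slow

if __name__ == "__main__":
    fast, slow = build_tables()
    print("unsalted:", accounts_sharing_a_digest(fast))
    print("salted:  ", accounts_sharing_a_digest({u: d for u, (_, d) in slow.items()}))
```

Salting hides password reuse and defeats precomputed tables, and the work factor raises the cost of each guess, but neither protects a password that appears early in a guessing list.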
Among the users whose hashed passwords appeared to be included in the data were Donald Trump, QAnon MP and conspiracy theorist Marjorie Taylor Greene, MyPillow CEO and electoral conspiracy theorist Mike Lindell, and radio host Alex Jones.
The hacked data also includes a chatlogs.txt file which appears to contain private conversations between site users. The content of this file begins with an additional note from JaXpArO: “FUCK TRUMP. FUCK COLONIZERS & CAPITALISTS. DEATH TO AMERIKKKA.”
According to Best of DDoSecrets, the hacker says he extracted Gab’s data via an SQL injection vulnerability in the site, a common web bug in which a text field on a site does not differentiate between input from a user and commands in the site’s code, allowing a hacker to access and meddle with the site’s main SQL database. Despite the hacker’s reference to an “Anonymous Revival Project,” they are not associated with the loose hacker collective Anonymous, they told Best, but “want to represent the unnamed masses fighting the capitalists and the fascists.”
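The bug class described above, shown as an added example beside its fix (this is not Gab's code; the `posts` table, its rows and the function names are constructed for illustration). The first function builds the statement by string concatenation, the second binds the input as a parameter.

```python
import sqlite3

def make_db():
    # Constructed sample table: two public posts and one private post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT,"
               " body TEXT, private INTEGER)")
    db.executemany(
        "INSERT INTO posts (author, body, private) VALUES (?, ?, ?)",
        [("alice", "hello world", 0),
         ("alice", "members-only note", 1),
         ("bob", "public update", 0)])
    return db

def search_concatenated(db, author):
    # Vulnerable: the input becomes part of the SQL text, so the database
    # cannot tell which characters are data and which are commands.
    sql = ("SELECT body FROM posts WHERE private = 0 AND author = '"
           + author + "' ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, author):
    # Fixed: the statement text never changes; the input travels separately
    # as a bound value and is only ever compared as a string.
    sql = "SELECT body FROM posts WHERE private = 0 AND author = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (author,))]

# Constructed input whose quote character ends the string literal early,
# turning the rest of the field into part of the WHERE clause.
CRAFTED = "alice' OR '1'='1"

def compare(author):
    # Run the same input through both query styles on a fresh database.
    db = make_db()
    return search_concatenated(db, author), search_parameterized(db, author)

if __name__ == "__main__":
    for value in ("alice", CRAFTED):
        print(repr(value), compare(value))
```

With ordinary input both functions agree; with the crafted input the concatenated query ignores the `private = 0` filter and returns every row, while the parameterized query returns nothing because no author has that literal name.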
WIRED reached out to Gab for comment on Friday, offering to share what we had learned about the nature of the site’s data breach. Company CEO Andrew Torba responded in a public statement on the company blog that “the reporters, who write for a publication that has written many successful articles on Gab in the past, are in direct contact with the hacker and essentially assist the hacker in their efforts to smear our business and hurt you, our users.” (WIRED has had no direct contact with hackers, to our knowledge, only DDoSecrets.)
Responding to WIRED’s mention of an SQL injection vulnerability, Torba’s initial statement noted that “we were aware of a vulnerability in this area and fixed it last week. We are also auditing full safety.” The post went on to state that Gab does not collect personally identifiable information from its users, such as phone numbers, social security numbers, dates of birth, or health and financial information. “DMs have only been active for a few weeks and are currently not a supported feature of the site, so if a breach has indeed occurred in this area we would expect the number of affected accounts to be low,” Torba added. “As we learn more about this alleged violation, we will publicly notify the community of our findings, in accordance with the law.”