When Twitter was banned Donald Trump and a host of other far-right users in January, many of them became digital refugees, migrating to sites such as Parler and Gab to find a home that would not moderate their hate speech and misinformation. Days later, Parler was hacked and then abandoned by Amazon web hosting, hitting the site offline. Now, Gab, who inherited some of Parler’s displaced users, has also been severely hacked. A huge amount of content has been stolen – including what appear to be passwords and private communications.
On Sunday night, the WikiLeaks Distributed Denial of Secrets-style group unveils what it calls “GabLeaks,” a collection of more than 70 gigabytes of Gab data, representing more than 40 million posts. DDoSecrets says a hacktivist who identifies himself as “JaXpArO and My Little Anonymous Revival Project” has siphoned that data from Gab’s backend databases in an effort to expose users to much of the platform. Those Gab bosses, whose numbers have risen after Parler went offline, include a large number of Qanon conspiracy theorists, white nationalists and promoters of the conspiracies to steal the election of former President Donald Trump, which led to the January 6 riot. on Capitol Hill.
DDoSecrets co-founder Emma Best says pirated data includes not only all of Gab’s public posts and profiles – except for any photos or videos uploaded to the site – but also posts and messages from private and private group accounts, as well as users’ passwords. and group passwords. “It contains almost everything about Gab, including user data and private posts, everything anyone needs to perform an almost complete analysis of Gab users and content,” Best wrote in a text message interview with WIRED. “It’s another gold mine for people looking at militias, neo-Nazis, the far right, QAnon and everything around January 6.”
DDoSecrets says it does not release data publicly because of its sensitivity and the large amounts of private information it contains. Instead, the group says it will selectively share it with journalists, social scientists and researchers. WIRED has viewed a sample of data and appears to contain individual and group profiles of Gab users – descriptions and privacy settings – public and private posts and passwords. Gab CEO Andrew Torba admitted the breach on Sunday in a brief statement.
Passwords for private groups are unencrypted, which Torba says the platform reveals to users when creating one. The individual passwords of the user account appear to be cryptographic hash – a protection that can help prevent their compromise – but the level of security depends on the hash scheme used and the strength of the basic password.
Users whose hash passwords appeared to be included in the data included Donald Trump, Republican Congresswoman and QAnon conspiracy theorist Marjorie Taylor Greene, MyPillow CEO and election conspiracy theorist Mike Lindell and radio host Alex Jones.
The hacked data also includes a chatlogs.txt file that appears to contain private conversations between users of the site. The contents of that file begin with a note added from JaXpArO: “FUCK TRUMP. FUCK COLONIZERS & CAPITALISTS. DEATH TO AMERIKKKA”.
According to DDoSecrets’ Best, the hacker says they extracted Gab data through a SQL injection vulnerability on the site – a common web error in which a text field on a site does not differentiate between a user’s entry and commands in the site code . , allowing a hacker to enter and merge into the SQL backend database. Despite the hackers’ reference to an “Anonymous Revival Project”, they are not associated with the Anonymous hacker collective, they told Best, but “they want to represent the masses who are fighting namelessly against capitalists and fascists.”
WIRED addressed Gab on Friday for comments, offering to share what we had learned about the nature of the site’s data breach. The company’s CEO, Andrew Torba, responded in a public statement on the company’s blog that “reporters, who write for a publication that has written many successful songs on Gab in the past, are in direct contact with the hacker and, in essence, assists the hacker in our efforts to tarnish our business and hurt you, our users. “(WIRED had no direct contact with the hackers, as far as we know, only DDoSecrets.)
Responding to WIRED’s mention of an SQL injection vulnerability, Torba’s initial statement stated that “we were aware of a vulnerability in this area and fixed it last week. We are also conducting a full security audit. ” The station went on to say that Gab does not collect personally identifiable information from its users, such as telephone numbers, social security numbers, birth dates or health and financial information. “DMs have only been running for a few weeks and are not currently an accepted feature of the site, so if there has actually been a breach in that area, we expect the number of affected accounts to be low,” he added. Peat. “As we learn more about this alleged violation, we will publicly inform the community of our findings, according to the law.”