When Twitter was banned Donald Trump and a host of other far-right users in January, many of whom became digital refugees, migrating to sites like Parler and Gab to find a home that would not moderate their hate speech and misinformation. Days later, Parler was hacked and then abandoned by Amazon’s web hosting, taking the site offline. Now Gab, who inherited some of Parler’s displaced users, has also been heavily hacked. A huge treasure trove of its content has been stolen – including what appear to be passwords and private communications.
On Sunday night, WikiLeaks-style Distributed Denial of Secrets is revealing what it calls “GabLeaks,” a collection of more than 70 gigabytes of Gab data, representing more than 40 million posts. DDoSecrets says a hacktivist who identifies himself as “JaXpArO and My Little Anonymous Revival Project” extracted that data from Gab’s back-end databases in an effort to expose the platform’s right-wing users. These patrons of Gab, whose numbers increased after Parler went offline, include a large number of Qanon conspiracy theorists, white nationalists and promoters of former President Donald Trump’s election theft conspiracies that resulted in the January 6 riot in the Capitol.
Emma Best, co-founder of DDoSecrets, says the hacked data includes not only all of Gab’s public posts and profiles – with the exception of any photos or videos uploaded to the site – but also posts and messages from private groups and private individual accounts, as well such as user passwords and group passwords. “It contains almost everything about Gab, including user data and private posts, everything one needs to perform an almost complete analysis of Gab’s users and content,” Best wrote in a text message interview to WIRED. “It is another gold mine of research for people looking for militias, neo-Nazis, the far right, QAnon and everything around 6 January.”
DDoSecrets says it is not publicly disclosing the data due to its sensitivity and the large amount of private information it contains. Instead, the group says it will selectively share it with journalists, social scientists and researchers. WIRED visualized a sample of the data and appears to contain the individual and group profiles of Gab users – their descriptions and privacy settings – public and private posts and passwords. Gab CEO Andrew Torba acknowledged the breach in a brief statement on Sunday.
Passwords for private groups are not encrypted, which Torba says the platform discloses to users when they create one. Passwords for individual user accounts appear to have a cryptographic hash – a protection that can help prevent them from being compromised – but the level of security depends on the hashing scheme used and the strength of the underlying password.
Among the users whose hashed passwords appeared to be included in the data were Donald Trump, Republican congressman and conspiracy theorist QAnon Marjorie Taylor Greene, MyPillow CEO and electoral conspiracy theorist Mike Lindell and radio presenter Alex Jones.
The hacked data also includes a chatlogs.txt file that appears to contain private conversations between users of the site. The contents of this file begin with an added note from JaXpArO: “FUCK TRUMP. FUCK COLONIZERS & CAPITALISTS. DEATH FOR AMERIKKKA.”
According to DDoSecrets’ Best, the hacker says he removed Gab’s data via an SQL injection vulnerability on the website – a common web bug where a text field on a website does not differentiate between a user’s input and commands in the site code, allowing a hacker to enter and interfere with your backend SQL database. Despite the hacker’s reference to an “Anonymous Renaissance Project”, they are not associated with the hacker collective Anonymous, they told Best, but “want to represent the anonymous masses in the fight against capitalists and fascists”.
WIRED contacted Gab for comment on Friday, offering to share what we learned about the nature of the site’s data breach. The company’s CEO, Andrew Torba, responded in a public statement on the company’s blog that “reporters, who write for a publication that has written many hits on Gab in the past, are in direct contact with the hacker and are essentially helping the hacker in his efforts to taint our business and harm you, our users. “(WIRED had no direct contact with hackers, as far as we know, only DDoSecrets.)
In response to WIRED’s mention of an SQL injection vulnerability, Torba’s initial statement noted that “we were aware of a vulnerability in this area and fixed it last week. We are also conducting a full security audit.” The post went on to state that Gab does not collect personally identifiable information from its users, such as phone numbers, social security numbers, dates of birth or financial and health information. “DMs were active for only a few weeks and are not currently a supported feature on the site, so if a breach actually occurred in that domain, we expect the number of accounts affected to be low,” added Torba. “As we learn more about this alleged violation, we will notify the community publicly of our findings, as required by law.”