Cyber Incident Victim: Gab

Date: Feb 2021

Location: United States of America

Summary

A far-right social media platform suffered a significant data breach when hackers exploited a SQL injection vulnerability to access its backend databases, extracting over 70 gigabytes of user data including public and private posts, profiles, hashed account passwords, unencrypted group passwords, and private messages. The compromised information involved high-profile users and contained extremist content linked to conspiracy theories and events surrounding the Capitol riot. Distributed Denial of Secrets (DDoSecrets) obtained the dataset, dubbed GabLeaks, and restricted access to journalists and researchers to minimize privacy violations while enabling analysis of hate speech and disinformation patterns. The platform's CEO confirmed the intrusion, acknowledged prior patching of the vulnerability, and initiated a security audit, though he disputed claims about direct messaging exposure. This incident followed a similar breach of another right-wing platform weeks earlier, highlighting recurring security weaknesses in such services.

Description

In late February 2021, the far-right social media platform Gab suffered a significant data breach when a hacktivist operating under the alias "JaXpArO and My Little Anonymous Revival Project" exploited a SQL injection vulnerability in Gab's backend databases. The attacker exfiltrated over 70 gigabytes of data, comprising more than 40 million posts, which was subsequently shared with the transparency group Distributed Denial of Secrets (DDoSecrets). The stolen dataset, dubbed "GabLeaks," included all public posts and profiles (excluding uploaded media), private group and individual account posts, private messages, user passwords, and group passwords. While individual account passwords were cryptographically hashed, private group passwords were stored in unencrypted plaintext—a practice Gab CEO Andrew Torba stated was disclosed to users during group creation. High-profile accounts affected included those of Donald Trump, Congresswoman Marjorie Taylor Greene, MyPillow CEO Mike Lindell, and radio host Alex Jones, whose hashed passwords appeared in the dataset. The breach also contained a chatlogs.txt file with private user conversations, prefaced by a message from the hacker expressing anti-establishment sentiments. DDoSecrets confirmed the hacker claimed no affiliation with the Anonymous collective despite referencing an "Anonymous Revival Project," and described the intrusion as motivated by opposition to "capitalists and fascists."

Gab's leadership acknowledged security issues after WIRED contacted them for comment on February 26. Torba initially stated the company had patched a vulnerability in the affected area the prior week and was undertaking a full security audit, while denying Gab collected personally identifiable information like Social Security numbers or financial data. He downplayed potential exposure of direct messages (DMs), noting the feature had only been active briefly and was unsupported at the time of the breach. By February 28, Torba confirmed his and Trump's accounts were compromised, using derogatory language against the attackers while mobilizing company resources to investigate. DDoSecrets opted against public release of the data due to its sensitivity, instead sharing it selectively with journalists and researchers like NYU's Max Aliapoulios, who cited Gab's technical instability as previously hindering systematic analysis of its content. The breach enabled unprecedented access to Gab's ecosystem, including migration patterns of users displaced from platforms like Parler—which had itself been hacked in January—and provided material for studying extremist rhetoric linked to the January 6 Capitol riot. Researchers emphasized the dataset's potential to develop automated tools for detecting hate speech and disinformation, though DDoSecrets restricted distribution to mitigate privacy violations against non-political users.
