When Donald Trump was banned from major social media platforms and conservative personalities cried foul over censorship measures earlier this year, a number migrated to Parler. When Parler suffered hosting difficulties and data breaches, some opted to move on to Gab instead. A hacktivist group calling itself “Distributed Denial of Secrets” has taken it upon itself to expose the site’s users, dumping some 70 gigabytes of hacked data that includes highly sensitive personal information, messages and passwords.
The hacktivist group calls the breach “GabLeaks,” and it includes all (some 40 million) of Gab’s public and private posts minus any attached pictures or video. It also includes an unknown amount of both user and group passwords. The hacktivist group is not making the hacked data available to the general public, instead promising to share it selectively with journalists and academics who have characterized the data as a gold mine of research material regarding “… everything surrounding January 6.”
Hackers attack heavily criticized platform, but ethical questions abound
Critics of Gab would likely take issue with the simple description of it as a “Christian conservative” platform. The first incident they would undoubtedly point to is the Pittsburgh synagogue shooting massacre in 2018. Gab was a favored hangout of the shooter, who posted neo-Nazi and anti-Semitic messages there prior to the attack. The service has also welcomed figures banned from other social media platforms, some of them open white supremacists.
Gab is unusual even among the sometimes fringe milieu of sites oriented to right-wing politics. The site itself does not openly promote extremist values, but is explicit about being an organization with religious values. However, its central selling point is that it rarely moderates content. The company spins this as a principled stand for free speech, but the practical result is that extremist ideologies banned from other platforms have tended to gather there.
Critics among extremism research communities say that this position has provided a unique opportunity for neo-Nazi and terrorist groups to publish content to and recruit from a more mainstream audience than they are usually limited to, and that situation was only exacerbated with the flood of new users in the wake of the Trump suspensions and Parler’s monthlong struggle to find hosting. The site has run into a number of problems in the past due to its permissiveness. Apple refused to host the Gab app in 2016 due to the presence of pornography and hate speech, and Google removed it from the Android app store after a few months for similar reasons. Stripe has banned it from its payment services due to adult content, and PayPal has done so due to hate speech.
Though there is ample evidence that the site is a hotbed for extremism, not all of its users are necessarily extremists or involved in matters “surrounding January 6” (referring to the storming of the US Capitol by protesters). The hacktivist group, which itself expresses some extremist sentiments, does not seem to be bothered by that possibility. Distributed Denial of Secrets added a note to the top of a chatlogs.txt file that contains the private conversations of all of the site’s users that reads “F*** TRUMP. F*** COLONIZERS & CAPITALISTS. DEATH TO AMERIKKKA.” Founded in 2018, the group styles itself as a successor to WikiLeaks and was also recently behind the breach of law firm Jones Day (which represents the Chicago Police Department among other clients) and the mass scraping of Parler’s public posts. In January it published a terabyte of hacked data from ransomware victims collected from the dark web, and it was behind the 2020 BlueLeaks dump that shared 269 gigabytes of hacked law enforcement agency data (something that prompted the Department of Homeland Security to label it a “criminal hacker group”).
The lead hacktivist behind the action refers to themselves as “JaXpArO and My Little Anonymous Revival Project.” The username can be found as a poster on various hardware forums and discussion sites such as MacRumors making references to hacking, but it is unclear if there is a connection with the person responsible for the hacked data.
Andrew Barratt, Managing Principal of Solutions and Investigations at Coalfire, notes that wide-ranging document dumps such as this are becoming the new normal in hacktivist circles and that organizations should expect more free and immediate circulation of hacked data: “Hacktivism has been around since the birth of the internet with attacks on political parties around the world, as well as corporations that have fallen foul of their own transparency goals. In the old days a webpage would be defaced, or made to be self satire. Now denial of service attacks and data drops are the preferred weapon to get the attention of those in charge. It is definitely here to stay, in one evolved form or another.”
Gab hacked data appears to be almost complete compromise of the platform
It is unclear exactly how many of the platform’s personal and private group passwords were leaked by the hacktivists, but it appears that the personal account passwords were cryptographically hashed. Without knowing what hashing method was used, it is impossible to say how secure they are; the difficulty of cracking the hashes could range from trivial to nearly impossible. The hacked data includes hashed passwords for the accounts of Donald Trump, MyPillow founder Mike Lindell and talk radio host Alex Jones. It is known that the private group passwords are not encrypted and were leaked in plaintext, something that is disclosed to Gab users before they create a new group.
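Why the hashing method decides how much a leaked password table gives away, shown from the storage side as an added example (not code from Gab or from the article). The accounts, the function names and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed work factor for this example, not a value from the article

def store_fast(password: str) -> bytes:
    """Weak scheme: one unsalted SHA-256. Equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).digest()

def store_slow(password: str) -> bytes:
    """Stronger scheme: random per-user salt plus PBKDF2-HMAC-SHA256 (salt || digest)."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_slow(password: str, record: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def users_sharing_a_record(table: dict) -> set:
    """Users whose stored value equals another user's: readable from a dump as-is."""
    seen = {}
    for user, record in table.items():
        seen.setdefault(record, []).append(user)
    return {u for users in seen.values() if len(users) > 1 for u in users}

def seconds_per_call(fn, password: str = "probe") -> float:
    """Cost of hashing one password; the slow scheme makes every check this expensive."""
    start = time.perf_counter()
    fn(password)
    return time.perf_counter() - start

# Constructed sample accounts (not data from the breach); two users share a password.
ACCOUNTS = {"alice": "correct horse", "bob": "tr0ub4dor", "carol": "correct horse"}

def build_tables():
    fast = {user: store_fast(pw) for user, pw in ACCOUNTS.items()}
    slow = {user: store_slow(pw) for user, pw in ACCOUNTS.items()}
    return fast, slow

if __name__ == "__main__":
    fast, slow = build_tables()
    print("shared records, unsalted SHA-256:", sorted(users_sharing_a_record(fast)))
    print("shared records, salted PBKDF2:  ", sorted(users_sharing_a_record(slow)))
    print("seconds per hash, fast vs slow: ",
          seconds_per_call(store_fast), seconds_per_call(store_slow))
```
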
In a public blog post and comments to Wired magazine and other media outlets, a spokesperson for the controversial social media site confirmed that the breach was the result of an SQL injection that has since been patched and downplayed the amount of personal information among the hacked data. The spokesperson said that Gab does not collect highly sensitive pieces of personal information such as birth dates or telephone numbers. In a statement on Twitter confirming the breach, Gab CEO Andrew Torba referred to the hacktivists as “mentally ill demon hackers” and used a transphobic slur to describe them.