Gab Has Been Breached

217 points by nikbackm about 4 years ago

19 comments

dt3ft about 4 years ago
If you just want to know how the breach[1] happened: it was SQL injection, where string interpolation was used to construct a query, rather than use parametrized queries.

[1] https://arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/
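The mechanism the comment above describes, as an added example that is not code from the original thread, from Gab or from Mastodon: a user lookup that interpolates input into the SQL text, beside the parameterized form of the same query. The users table, its placeholder hashes and the payload are constructed for illustration; the payload is a generic UNION-based extraction, not a reconstruction of the actual exploit.

```python
import sqlite3

# Constructed sample rows (not data from the breach); the hashes are placeholders.
SAMPLE_USERS = [
    (1, "alice", "$2a$12$placeholder-hash-for-alice"),
    (2, "bob", "$2a$12$placeholder-hash-for-bob"),
]


def make_db():
    """Build an in-memory SQLite database standing in for the app's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """String interpolation: whatever the caller passes becomes part of the SQL text,
    so quotes, UNION and comment markers in the input change the query's structure."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Parameterized query: the SQL shape is fixed and the value is bound separately,
    so the driver never parses the input as SQL."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Generic UNION-based extraction payload (an illustration, not the real exploit):
# it closes the quoted literal, appends a SELECT over the hash column, and comments
# out the trailing quote that the template would otherwise leave dangling.
PAYLOAD = "x' UNION SELECT username, password_hash FROM users -- "


def demo():
    """Run the same input through both lookups and return (vulnerable, safe) results."""
    conn = make_db()
    return lookup_vulnerable(conn, PAYLOAD), lookup_parameterized(conn, PAYLOAD)


if __name__ == "__main__":
    vulnerable_rows, safe_rows = demo()
    print("interpolated query returned:", vulnerable_rows)
    print("parameterized query returned:", safe_rows)
```

Running demo() shows the interpolated query handing back every username and password hash, while the parameterized query returns no rows because the payload is bound as a plain string value that matches no username. The same discipline applies to ORM string fragments: an ActiveRecord where() call given an interpolated Ruby string is executed verbatim, so the interpolation has to be replaced with bound parameters there too, not just in hand-written SQL.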
choppaface about 4 years ago
Not only that but their CTO has violated the license of Mastodon https://arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/
bsmith0 about 4 years ago
Wow, it is actually shocking how disgusting the CEO's comments are.
roenxi about 4 years ago
Troy has a fair take. Ultimately the Gab breach is interesting, good material for an analysis like this one, and won't matter particularly in the future.

At a guess, the people on Gab are there because they feel like they are under sustained political attack. This breach will be interpreted as further evidence that they are under sustained political attack. It won't make anyone behave differently - although I hope Gab hires a security expert.
dang about 4 years ago
Recent threads on this:

Gab has been hacked and 70GB of data leaked - https://news.ycombinator.com/item?id=26309925 - March 2021 (744 comments)

Rookie coding mistake prior to Gab hack came from site's CTO - https://news.ycombinator.com/item?id=26319649 - March 2021 (312 comments)
m8s about 4 years ago
This is a pretty non-political rundown from Troy, and a great read as always. It's not always easy to find trustworthy people, but he's one of them.

If anyone is offended by supposed political leanings in this article, I'd suggest separating Torba's political views from his words. Blaming a data breach on "mentally ill tranny demon hackers" (his words, not mine) is not a sane or rational thought. The most realistic scenario is that he knows exactly what he's saying and is doing so simply to rile up fanatics, because otherwise he actually believes that and should be in an institution. I'm not sure which one is worse.
gkoberger about 4 years ago
There's been lots of previous discussion, such as: https://news.ycombinator.com/item?id=26319649

I'm not surprised. Parler and Gab were just thrown together, and made themselves hugely attractive sites to attack.
pope_meat about 4 years ago
I'm very tired and for a moment I read it as:

"God Has Been Breached"

First RSA falls, now god, what's next.
bmarquez about 4 years ago
> There's also the risk of incorrectly assuming that a presence in the breach implies your views have some degree of alignment with those regularly expressed on the site, yet clearly based on the presence of my own email address, that assumption is incorrect.

I've seen comments elsewhere saying something to the effect of "Gab is just a bunch of right-wing terrorists, who cares if their personal info gets hacked"

There are plenty of everyday people who have Gab accounts, some just wanted to reserve their username, others (like Troy Hunt) don't post about politics, others were just checking it out and haven't posted anything. It would suck if their info was leaked and they started getting spammed even though they have no connection to illegal activity.

Fortunately Troy took steps to limit searching for email addresses, I hope others with full access are just as cautious.
juicyjuicytemp about 4 years ago
Some bit of gossip about the CTO of Gab, seeing as how I've got a bit of context. (Throwaway, for obvious reasons.)

The CTO was never a software engineer. They were a developer advocate so had some interaction with code, but was more of a "talk to developers using things and make sure the requirements were passed along to the dev team" sort of guy, rather than someone that knew his technical details (beyond say, the thing he was actively working on) inside and out.

Fosco started out pretty reasonable. When Trump was first elected, he did a "talk to a conservative" series, and while there was the expected disagreement, it was a pretty civil, positive, well-received olive branch overall. However, like a lot of right-leaning folks in the Trump era, he became more extreme as time went on.

I had some reasonably close interactions with Fosco (not going to go into details with how), but it was becoming kind of clear that he had started to buy into the "Fox News caricature of what someone on the left is like" — to the point of putting words into the very people's mouths he'd so civilly made a point of talking to prior — and surrounding himself with like-minded folks. For all the talk of "diversity" that he had (and indeed, initially fostered!) he became pretty much the sort of caricature, albeit one of the opposite side of the spectrum, that he was deriding.

In that sense, while there's a lot of holier-than-thou and disgust that the whole Gab situation prompts, I feel pity and sadness more than anything else. Fosco was a decent guy at one point, but even decent people can end up in their own echo chambers. It's unfortunate to see the state that he's in now.
ALittleLight about 4 years ago
Seems like the author is implying but not directly saying the hashed passwords were not salted. Am I reading that right, and does anyone know if they were salted?
wyoh about 4 years ago
Welp, time to change my passwords I guess.
stjohnswarts about 4 years ago
It really couldn't have happened to a nicer web site. I wouldn't care if the anonymous crowd declared open warfare on it.
throwaway4good about 4 years ago
So what was Trump's password? (Or at least a hash of it.)
encryptluks2 about 4 years ago
Gab is a joke. I got banned for making a post asking how all the domestic terrorist Trump supporters are doing after the capitol riot. I guess that is ban-worthy on their free speech network while advocating for assassinating public officials is a-ok.
HNfriend234 about 4 years ago
I use gab quite frequently but mainly for the memes and jokes. The vast majority of people on there use pseudonymous aliases anyways so no one cares if the site gets hacked. People on the right-wing have also been subject to extensive persecution (harassment, doxing etc.) from the left-wing so we're all quite used to it by now.

I've been trying to teach as many people as possible about how to stay anonymous online, how to use high-privacy tools and why using technologies like monero is extremely important.
millstone about 4 years ago
It doesn't seem right that the big players like Facebook and Twitter enjoy much better security. Is there really no open source offering that just gets this stuff right? A Twitter-in-a-box, like WordPress is a blog-in-a-box, but secure this time?

Apparently Gab used Mastodon. Is Mastodon intrinsically hard to secure?
neotranzi about 4 years ago
For someone who opens with "I only care about the data", at least half of the "analysis" is about politics, including the linked tweets which range from his opinions on whether you can change your gender, to categorizing gab users as "neo-nazis".

All I see are a bunch of people allying with big tech to crush their competitors while using absurdly hypocritical morals as their reason. This is the same big tech that uses slave labour while plastering their websites with BLM slogans.
mberning about 4 years ago
It seems like the author cares about the politics and religion of the Gab founder quite a lot, despite his assertions to the contrary.

If you strip away all that it is still a very embarrassing breach. Having a data exfiltration of that magnitude is simply devastating.