Gab, the social media alternative attracting far-right users, has been hacked. The salvaged data, known as “GabLeaks”, consists of over 40 million posts, amounting to over 70 gigabytes of data.
The data was breached by a hacktivist by the name of “JaXpArO.” The motivation behind the attack was to expose the allegedly controversial content being permitted by the platform.
The breached data included:
- User data
- Private posts
- Private group posts
- Private individual messages
- User passwords
DDoSecrets, a non-profit devoted to the free transmission of data, announced that they had the breached data in a tweet by its journalist, Emma Best.
Gab responded to this claim in a public announcement denying that a breach occurred.
“Today we received an inquiry from reporters about an alleged data breach. We have searched high and low for chatter on the breach on the Internet and can find nothing.” Gab said in its public statement.
Emma Best revealed that the breach occurred through an SQL injection vulnerability on the Gab website. Such vulnerabilities arise when data from text fields is combined with backend SQL code, allowing hackers to access and manipulate backend SQL databases.
Since the Capitol Hill riots in January 2021, hacktivists have been targeting right-wing social platforms. The Gab data breach, however, required a little more hacking acuity than the Parler cyber attack.
Parler lacked very basic security measures that could have prevented its mass data scraping incident. Its most embarrassing vulnerability is known as an “insecure direct object reference”.
The chronological order of every Parler post was reflected in its URL. By increasing the order number in the URL by 1, the next post could be loaded. Such rudimentary coding practices made Parler optimal for programmatic scraping.
Gab’s exfiltrated data has not been published yet. Until (and if) this happens, Gab will continue to deny that a data breach occurred.
“We do not currently have independent confirmation that such a breach has actually taken place and are investigating. Much of this information (in particular Gab public posts and public user profiles) is already public.”