Social media site Gab hacked, private messages exposed
The online social media site associated with far-right personalities has been compromised by a hacker who has obtained over 40 million posts from the platform, it has been reported.
Fringe social media sites like Gab and Parler have seen their membership numbers surge as mainstream social platforms such as Twitter and Facebook have removed many accounts for breaking their terms of service; something that that had led to criticism of censorship by many on the political right.
Parler suffered its own problems after Amazon refused to continue providing online services for the site in the aftermath of the Capitol Hill riots on January 6th 2021, leading to the site going offline.
And now Gab has been compromised by a content injection attack. This is a type of attack that exploits a common vulnerability found on websites where an attacker can used a text field (for example a text box commonly found on an online form on a website) to inject programming code (instead of text) into the website, which can lead to any number of consequences. Websites should properly validate any inputted text in a text field to make sure nothing dangerous is being entered. But many fail to do so, allowing this type of attack to occur.
Gab also failed to validate text coming in from text fields (they claim to now have patched the vulnerability) and the result is 40 million posts, both private and public, being compromised. Additionally, encrypted passwords and usernames, unencrypted passwords for groups and private messages have also been unearthed.
Sponsored Content. Continued below...
The hacker responsible, known as JaXpArO, passed the data onto a digital group known as Distributed Denial of Secrets, who claim they in turn will pass the leaked data onto journalists, social scientists and researchers. The co-founder of that group says of the leaked data –
It contains pretty much everything on Gab, including user data and private posts, everything someone needs to run a nearly complete analysis on Gab users and content
Gab CEO Andrew Torba claimed his social platform was investigating the breach claims, but has claimed to verify if the breach did in fact happen, referring to it as an “alleged breach”. (The breach has been verified by independent researchers.)
What does this mean if you have a Gab account?
For Gab users, we’d recommend changing your password, and if you’ve committed a security faux-pas and reused that password elsewhere, we’d recommend changing it there as well (to something different than your new Gab password!) While it is true that encrypted passwords were potentially leaked in this breach, meaning someone in possession of the information cannot automatically see your password, it’s possible (depending on the encryption strength) that this encryption can be reversed, revealing the original password.
That should hopefully be the limit of a user’s exposure, providing you’ve been using social media responsibly and haven’t published any personal information on the site, in which case you will have to assume that that information may have been leaked as well.