“I think what’s noteworthy here is that they never knew this data was obtained, at least not based on their reporting,” Troy Hunt, owner of the breach notification service Have I Been Pwned?, said, referring to this notification that Gab posted on Saturday. Hunt said he was also surprised that Gab has yet to enforce a mandatory password reset for all users. Such resets are standard practice after sites experience breaches that compromise user data.
The first breach came to light last Monday, when DDoSecrets said that it obtained 70GB of passwords, private posts, and more from Gab and was making them available to select researchers and journalists. The data, DDoSecrets co-founder Emma Best said, was provided by an unidentified hacker who breached Gab by exploiting a SQL-injection vulnerability in Gab’s website code.
Trying to stay afloat
Shortly after the first breach was discovered, someone at Gab patched a critical SQL-injection vulnerability that was introduced into the website code by site CTO Fosco Marotto. Marotto declined to say if that vulnerability was the one hackers exploited to take over the site, but the bug’s introduction early this year and its removal so soon after the site compromise stoked speculation that it was indeed the one used in the hack.
Marotto didn’t immediately respond to an email seeking comment for this post.
Gab has been struggling to stay afloat for more than two years as it continues to provide a haven for hate speech and conspiracy theories. In 2017, Google removed the Gab app from the Play store for terms of service violations. A year later, web host GoDaddy terminated service to Gab after one of its users took to the site to criticize the Hebrew Immigrant Aid Society shortly before killing 11 people in a Pittsburgh synagogue.
The revelation that the earlier hack exposed OAuth 2 bearer tokens leaves open the possibility that those responsible obtained other types of sensitive user data. And if that’s the case, Gab’s security woes may not yet be over.
Post updated to remove second-to-last paragraph, which contained incorrect information about Gab’s relationship with Amazon.