Alleged Data Breach – 26 February 2021

Today we received an inquiry from reporters about an alleged data breach. We have searched high and low for chatter on the breach on the Internet and can find nothing. We can only presume the reporters, who write for a publication that has written many hit pieces on Gab in the past, are in direct contact with the hacker and are essentially assisting the hacker in his efforts to smear our business and hurt you, our users.

The reporter, without providing us with any evidence of the breach or assistance to identify its veracity, alleged that an archive of Gab public posts, private posts, user profiles, hashed passwords for users, DMs, and plaintext passwords for groups has been leaked via a SQL injection attack. We were aware of a vulnerability in this area and patched it last week. We are also proceeding to undertake a full security audit.

We do not currently have independent confirmation that such a breach has actually taken place and are investigating. Much of this information (in particular Gab public posts and public user profiles) is already public.

It is standard practice for passwords to be hashed. If the alleged breach has taken place as described, your passwords have not been revealed. For groups, where passwords are meant to be shared for users to join with, we do not encrypt this information as is noted in our group creation interface. DMs were only live for a few weeks and are not currently a feature supported by the site, so if a breach has in fact occurred in that domain we expect the number of affected accounts to be low.

Gab collects very little from our users in terms of personal information. It is entirely possible for a user of the site to be unidentifiable based on the information they provide at login.

In our subscriber records we do not collect health or financial information; we do not collect dates of birth; we do not collect social security numbers; we do not collect telephone numbers; we do not track user searches, queries or browsing history; we do not check who owns an e-mail address before setting up an account (and, in this instance, we have no indication that e-mail addresses were compromised).

Every major tech company – from Facebook to Twitter – has been the target of multiple and continued data breaches. We collect very little personal data so that, in the event of a data breach, the effect on our users will be minimized. As we learn more about this alleged breach, we will notify the community publicly with our findings as required by law.

Andrew Torba
Jesus is King