I’m writing to update the Gab community with what we know about the breach that occurred this week. As I have already mentioned we are conducting our own internal investigation. We are also working with federal law enforcement to assist with their investigation of the breach, criminal ransom demands and the numerous threats of violence that were directed at our team. Finally, we have hired one of the best rapid response security teams in the world to investigate the breach.
At this time we still have not received a copy of the data that was released by the hackers and as such we cannot independently verify its authenticity until we get a copy of it ourselves to do so.
That being said, several third-parties have received a copy of the data including researchers and journalists. We will share what they have published about the data, but once again we have not yet independently verified it and will continue our own internal and external investigations.
According to Troy Hunt, a researcher who received the data, 43,015 unique email addresses were included along with another 24,017 emails that were shared in public posts on Gab. 7,097 hashed passwords were also included along with 62.4GB of Gab posts that can be accessed on the site right now by nature of Gab being a public forum. While the passwords were hashed and appear to be limited in scope based on Troy’s analysis, we recommend that all Gab users change their passwords for good measure.
Troy also reports that the data includes a small 9.53MB file of DMs (a feature that Gab only had public for a few weeks before removing it.) Troy finishes his analysis by concluding that this is “a minor breach in terms of personal information exposure.”
I want to reiterate that this incident was isolated to our Gab Social product, which is built on the open source Mastodon backend. None of Gab’s other products or services, including the Gab Shop and the GabPRO upgrade system, show any signs of being compromised. These services are built on separate code and infrastructure.
From what we know now: the vast majority of the breached data appears to be Gab posts that are already public on the site anyway. As we learn more we will continue to update you on the progress of our internal and external investigations.
Thank you for your continued support and prayers.
Andrew Torba
CEO, Gab.com
March 6th, 2021
Jesus is King
