By Bruce Sussman
Thu | Mar 4, 2021 | 5:55 PM PST

If this data breach case was made for TV, it would probably be streaming on Netflix.

Perhaps this storyline finds its way into a "Black Mirror" episode. That series takes viewers through a bizarre, high-tech multiverse where humanity's greatest innovations and darkest instincts collide.

You decide for yourself after reading about this case—which features a right-wing social media site CEO and the hack of some 40 million posts; a message from former President Trump that he never actually sent; and a transgender hacktivist on a social justice quest who claims she didn't hack anything in this case.

Trump's unusual post (not actually his) on Gab

Gab bills itself as a "free speech social network," and it made significant membership gains in conservative circles in January 2021 when competing site Parler was pulled offline.

The first time I really looked into Gab was within the past week. Some on Twitter were having a field day with a message from what appeared to be Trump's Gab account. The message suggested gargling urine:


Apparently, this was an account takeover attack against a "placeholder" account that President Trump never activated. So it actually was not an attack against Trump, but against the Gab platform itself. 

And we now know there was something much more significant happening at Gab: a hacktivist attack stole millions of posts and private messages among about 70 gigabytes of data.

First signs of the Gab data breach

When Gab's CEO Andrew Torba was first contacted by reporters at WIRED about a possible breach, he responded like this on the Gab blog:

"Today we received an inquiry from reporters about an alleged data breach. We have searched high and low for chatter on the breach on the Internet and can find nothing. We can only presume the reporters, who write for a publication that has written many hit pieces on Gab in the past, are in direct contact with the hacker and are essentially assisting the hacker in his efforts to smear our business and hurt you, our users.

The reporter, without providing us with any evidence of the breach or assistance to identify its veracity, alleged that an archive of Gab public posts, private posts, user profiles, hashed passwords for users, DMs, and plaintext passwords for groups have been leaked via a SQL injection attack. We were aware of a vulnerability in this area and patched it last week."

That was on February 26th. 

Gab CEO admits a data breach, calls out hackers who have data

A few days later, on March 1st, Gab's messaging did a complete flip.

Yes, the company had been breached. And the stolen data and documents were being shared by a hacktivist group known as DDoSecrets:

"Over the weekend we received word that we had been subject to a hack that would be published by a third-party nonprofit organization, Distributed Denial of Secrets (DDS), which the Department of Homeland Security has described as 'criminal hackers.'"

The title of that post was, "Gab Does Not Negotiate With Criminal Demons," and the negotiation part of the post was related to this accusation:

"DDS announced that it would only be making the leak available to journalists and researchers for 'ethical' reasons. At the same time, an individual who claimed to be the hacker sent us a ransom demand for nearly $500,000 in Bitcoin. We immediately notified federal law enforcement.

This ransom demand would be worthless if DDS did what it had done with other hacks in the past – i.e., publishing them in full, as it did with leaks from another free speech website, Parler, earlier in the month. DDS made an exception on our case which we cannot currently explain. This exception conveniently assisted a third-party who, at the same time as DDS was preparing to leak our documents, secretly sent us emailed threats and ransom demands."

The same day, Gab's CEO went after DDoSecrets members, calling them "mentally ill tranny demon hackers."


Here is Torba's follow-up post:


The picture is of Beka Valentine, who is part of DDoSecrets. The transgender hacker responded on her Twitter account with a screenshot of Torba's post, highlighting the fact that at one point her post had 666 likes:


And she said the credit Torba was giving her was "stolen valor," as you can read in her tweet:


DDoSecrets explains its 'why' for sharing stolen Gab data

Like beating the Empire, this is a social justice quest. The hacking group explains the motivation on its GabLeaks page:

"The Gab data is an important, but complicated dataset. In addition to being a corpus of the public discourse on Gab, it includes every private post and many private messages, as well.

In a simpler or more ordinary time, it'd be an important sociological resource. In 2021, it's also a record of the culture and the exact statements surrounding not only an increase in extremist views and actions, but an attempted coup.

While the dataset is extremely important to understanding recent and current events, as well as being a valuable historical archive, it also represents privacy concerns. Due to these concerns, along with presence of passwords and other PII, this dataset is currently only being offered to journalists and researchers."

And DDoSecrets claims to be the heroes, trying to lend a hand to a cause:

"Distributed Denial of Secrets had no role in the compromise of Gab or any other service, and did not crack any password hashes, use any of the plaintext group passwords, or otherwise compromise anyone's account. Early in the review process, we made the decision to limit the distribution of the dataset to both protect the privacy of innocent Gab users and the integrity of their accounts and private groups."

Gab hires incident response firm, downplays stolen data 

Gab's Andrew Torba is not buying the social justice argument. In his March 3rd post, he talked of security and personal threats and downplayed the stolen data:

"Over the past few days our team has been working with the top rapid response security firm in the country to fully audit Gab's infrastructure to get a better picture of what happened, what specifically was accessed, and why.

At the same time we were under a 48-hour extortion clock from the criminal hacker while also dealing with numerous threats against our team and families. Gab is the victim of very serious crimes and we are working with federal law enforcement to deal with these criminal acts.

We are also preparing a formal breach notification that will be going out ASAP. In the meantime we recommend that you change your passwords and activate two-factor authentication on your Gab account.

Gab collects as little data as possible because we know how important privacy is for people to speak freely. Gab is an extremely public forum by design. From what has been reported and from what we know thus far, the overwhelming majority of the data in this breach is already public on the website for anyone to see. We will continue to update you as we learn more."

And there will likely be more to learn about this attack and its ramifications. Will hacktivists and others start doxing those in the Gab database?

And what about Gab supporters doxing those involved in DDoSecrets? 

Gab already decided to extend a digital olive branch on Twitter to the Anonymous hacking group, which is clearly watching this situation:


This remains a developing case, with more to be revealed in the days ahead.

So what do you think? Would this case fit into a "Black Mirror" storyline, or should it be some sort of Netflix docudrama instead? 

Regardless, these are the times we live in: where ideals, and those who use technology to carry them out, collide.