Troy Hunt: Gab Has Been Breached
Gab Has Been Breached
04 MARCH 2021
I've investigated hundreds of data breaches over the years (there are 514 of them in Have I Been Pwned as I write this), and for the most part, the situation with Gab is just another day on the internet. But Gab is also different, having grown dramatically in recent months as an alternative to mainstream incumbent platforms such as Twitter and Facebook and drawing a crowd primarily focused on right wing American politics.
A couple of days ago, I posted a thread about their alleged breach. I want to go back through that thread here, explain the thinking further and then provide some commentary on the actual data that was exposed. It all began here:
Much of the problem with objectively discussing this breach is that it's impossible to escape the transphobic slurs and religious rhetoric being dished out from the guy at the top. I don't care which god (or demon) you've picked, nor what gender you were born with (or if you decided to change it at some time), nor do I care whose politics you like and whose you don't, I only care about the data. More specifically, I care about the data that's been exposed in the breach, especially when that data may include my own (I'm very serious).
It's pretty standard practice for an organisation to post a public statement following a breach or even, as the opening sentence of that page suggests, an "alleged" breach. Most organisations begin with "we take the security of your data seriously", layer on lawyer speak, talk about credit cards not being exposed and then promise to provide further updates as they come to hand. Gab's approach... differs:
Because Gab "searched high and low for chatter on the breach on the Internet and found nothing", they've drawn the conclusion that reporters are maliciously working with hackers. I've had dozens of occasions where I've known about a breach, there's been no public discussion on it, and I've worked with reporters to help get to the bottom of what's happened. This is normal. It's so normal that the last time I did this was earlier this week with Lawrence Abrams from Bleeping Computer on the Dutch Ticketcounter breach.
If you're not familiar with hashing, how it's not the same as encryption and how it can still leave passwords vulnerable, read this primer from September first. As it relates to passwords being revealed, you can't "unhash" a hash in the same way as you can decrypt an encrypted piece of text, however, you can always guess passwords, hash them with the same algorithm (and salt if present) and see if the output matches what was stored. For example, when I wrote about the Dropbox hack in 2016, I was able to verify my own record simply by hashing the password I had stored in 1Password and comparing the output to the one in the breach. It matched, therefore verifying the legitimacy of the breach. The following year I showed how even though CloudPets had chosen the very robust bcrypt algorithm for password storage, I was still able to crack a bunch of them courtesy of their extremely weak password rules:
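The paragraph above describes the check that lets someone confirm their own record in a breach without ever "unhashing" anything: hash the password you already know with the same algorithm and salt, then compare the result to what was stored. The example below is added here to show that check in working code; it is not code from this post or from Gab. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (an assumption so the block runs without third-party packages), and the record, the password and the weak-password list are all constructed for the example. The last function shows the defender's side of the CloudPets point: an account whose password sits on a short list of commonly used passwords can be confirmed with a handful of hashes, which is why password rules matter even when the hashing algorithm is strong.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Work factor for the stand-in algorithm. Real sites should use bcrypt or
# Argon2; PBKDF2 is used here only because it ships with Python.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored value from a password and salt.

    The same algorithm, salt and work factor must be used every time,
    which is exactly what makes the hash-and-compare check possible.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Build a constructed credential record as a site might store it:
    a random per-user salt plus the hash derived from it."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(candidate: str, record: dict) -> bool:
    """Re-hash a candidate with the record's salt and compare in constant time.

    This is the check described in the post: you can't reverse the stored
    hash, but if you already know the password you can confirm it matches.
    """
    derived = hash_password(candidate, record["salt"])
    return hmac.compare_digest(derived, record["hash"])


def find_weak_match(record: dict, weak_passwords: Iterable[str]) -> Optional[str]:
    """Defensive audit: report whether the record's password is one of a
    short list of known-weak passwords (constructed list, not real breach data).

    If this returns a value, the account would be confirmable from the hash
    alone no matter how strong the hashing algorithm is, which is the
    argument for rejecting such passwords at registration time.
    """
    for candidate in weak_passwords:
        if verify_password(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed example: a user who chose a password from a weak list.
    stored = make_record("cloudpets")
    print("own password verifies:", verify_password("cloudpets", stored))
    print("wrong password verifies:", verify_password("CloudPets", stored))
    print("weak-list match:", find_weak_match(stored, ["123456", "password", "cloudpets"]))
```

`verify_password` is the only piece a site needs at login time; `find_weak_match` is the same primitive pointed at a policy question, and a site that runs that check against a list of commonly used passwords at registration removes the easy matches before a breach ever happens.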
I do actually agree with the quoted sentence insofar as someone could create an email address completely disassociated with them, register for Gab and then login with that account. But that almost never happens because Gab is used by normal humans just wanting to interact with other normal humans and it's not a platform where people are likely to take extra precautions to conceal their true identity. When faced with a registration form that requests an email address, the vast majority of people will simply provide the same email address they use everywhere else, hence my "almost always" comment.