The hacktivist collective Distributed Denial of Secrets—which recently came under fire for leaking one of the largest repositories of law enforcement documents ever recorded—is back with another high profile data-dump. This time, the group claims to have gotten its hands on a whopping 70-gigabyte dataset from Gab, the far-right social network that became one of the last online havens willing to host far-right personalities following Parler’s recent deplatforming.
According to a blog post from DDOSecrets, the dataset doesn’t only contain tens of millions of public posts from the site, it also includes private posts, user profiles, and in some instances, what appear to be plaintext passwords. Whether or not one of those accounts belonged to former president Donald Trump or was merely using his name is unclear, and made more so by conflicting statements by Gab’s CEO.
Per WIRED, which first covered the news, DDoSecrets was approached by a third-party hacktivist that siphoned the data from one of Gab’s backend in an attempt to expose the ranks of goons, bigots, and extreme nationalists currently teeming on the platform. The way this third party was able to siphon off this data, according to DDoSecrets cofounder Emma Best, was using what’s known as an SQL injection vulnerability—a relatively common bug that allows hackers (or hacktivists) pry into a site’s databases.
Best explained that the group won’t be releasing this data publicly because of the sensitive information it contains—i.e. private chats, passwords, etc. Instead, the group has been sharing data with parties that have a “proven track record of doing research in the public interest,” including journalists and social scientists with a focus on the far-right.
If you’re wondering how Gab reacted to this news, the answer is: pretty badly. After being contacted by WIRED on Friday in advance of the database’s publication, CEO Andrew Torba put up a statement on Gab’s corporate blog not only refuting the hack, but implying that the hacker and journalist were colluding in an effort to “smear our business and hurt you, our users.” (For what it’s worth, DDoSecret has called these accusations “entirely false,” adding that “the Wired reporter has had no contact with the DDoSecrets source.”)