On Sunday, before Donald J. Trump’s address to CPAC, GAB.com CEO Andrew Torba acknowledged on Twitter and on WIRED.com (credits to writer Andy Greenberg) that the company had been hacked following the announcement from “DDoSecrets” (Distributed Denial of Secrets, a non-profit internet advocacy group) that the organization would be making the data available that was obtained from a hacktivist who identifies as “JaXpArO and My Little Anonymous Revival Project” which siphoned that data out of Gab’s backend databases using an SQL injection attack. The data from the compromised databases will be over 70GB worth of user data, including passwords and private posts.
However, due to the sensitivity of the data: DDoSecrets will only make the data available to selected journalists, scientists, researchers, etc. who will then be able to independently verify its authenticity. There is no indication from the hacker if the data has or is planned to be leaked to the public, which can happen through mediums such as dark net hacker forums; and there is a possibility this could happen via one or more of the recipients of the DDoSecrets data, if they choose to divulged it. For best practices, we should assume that it already has or will be available “out in the wild”.
What does this mean for users?
1) Gab Group Passwords: The passwords for Gab Groups are stored in plain-text on Gab’s system, meaning that if the database is compromised – the passwords used for groups are now also exposed. If Gab does not force you to change the Group password, you should change it immediately, and change any other services that are using that password on or off of Gab.
2) Gab Account Passwords: Unlike the passwords for Gab Groups, account passwords are stored in an encrypted format, meaning that if the database is compromised – the passwords for user accounts are still “scrambled up” and would need to be decrypted first, in order for the actual password value itself to be exposed.
Example: You create an account with the password as “Password123” and the system stores it in the database in an encrypted format as “fe0a6b239100aab301dc77d1”.
Hackers, with enough time and computing resources can decrypt the encrypted value to return the actual password value OR an effective equivalent (some passwords when encrypted produce the same encryption value, meaning that Password123 and LetMeIn321 when encrypted could have the same encryption value result – meaning the system would technically authenticate using either of the passwords).
The same advice that was given for Gab Group Passwords, is also applicable here: you should change your GAB.com account password (if you have not already) and also change any other service (on or off of Gab.com) that also uses that same password.
2) Gab Private Posts/Messages: We have to assume the worst: that this data (Gab user’s private posts and messages) will become public knowledge (or obtainable by the public) at some point. This is a stark reminder that information put onto internet platforms is only as safe as the systems and mechanisms in place protecting it. If you have a need to communicate certain information securely, you should do so using an encrypted messaging service or by sending pre-encrypted messages over normal means.
How can I secure my passwords?
Using a Password Manager is a great way to generate and store strong random passwords, which you can easily access by keeping one master password (and further secured by multi-factor authentication). There are paid online tools, and there are also free open-source tools like PasswordSafe (an installable computer program) and Passbolt (a hostable tool).
Check your credentials on HaveiBeenPwned and IntelX to see if any of your previously used account credentials have been compromised in any database hacks.
Password Management for Personal or Business (Very Affordable or even Free!)
Got a lot of passwords to remember? Do you have a need to securely manage and share these credentials with others? You are probably needing a password manager! Contact us today on our website, by phone/email, or on social media to get a free consultation on a password management solution! We can help you determine what password manager solution you need for personal or business environments! Our clients have reported the success they have had with the open-source self-hosted password manager tool we have set up for them – which you can try in a free demo: just contact us to get started!