In late February, somebody hacked Gab, an online safe space for white supremacists and other extremists. The hacker, who self-identifies as “JaXpArO and My Little Anonymous Revival Project,” exfiltrated roughly 65 gigabytes of data, including 4 million Gab accounts, 31,000 groups, and 39 million posts (over 100,000 of which were posted to private groups).
The hacker then leaked this data, which spans the site’s launch in August 2016 until February 19, to the transparency collective Distributed Denial of Secrets. In a Gab post, the hate site’s CEO Andrew Torba falsely accused DDoSecrets of hacking Gab, using an anti-trans slur while he was at it.
Due to privacy concerns, DDoSecrets is only offering GabLeaks to journalists and researchers who request access rather than publishing the full leak on the internet. (For the record, I’m a member of the DDoSecrets advisory board.)
For everyone else, here’s a broad overview of the GabLeaks data. Some of it is fairly technical, so bear with me. I’ll try to explain what I mean when I use unfamiliar terms.
JaXpArO provided DDoSecrets with data exported from a PostgreSQL database containing accounts, groups, and posts as well as a text file containing thousands of chat messages.
Out of the over 4 million accounts, 38,175 include email addresses (though not all of them appear to be valid email addresses) and 7,110 include password hashes, which are basically scrambled representations of passwords, from which in some cases the original password can be recovered (more on this below).
For example, here is the data associated with QAnon-believing, school-shooting-survivor-harassing Rep. Marjorie Taylor Greene’s Gab account:
Her account was created with the email address [email protected] on January 11, and at the time Gab was hacked in late February, she had 217,544 followers, a verified account, and had 72 posts. It also includes her password hash but not the password itself.
The chat logs are all contained in a single 9.5-megabyte text file. In addition to chat logs showing Torba courting prominent anti-Semites for his site, the text file includes more than 70,000 messages from over 15,000 users. For example, here’s a snippet of the chatter going on during the January 6 insurrection at the U.S. Capitol:
@666666: Just so you know, I’m going to terrorize and burn some Democrats places. Come bail me out
@666666: If you ever want info on someone, let me know. I [can] hunt anyone down. I’m using my skip tracing skills to “give back” to the democratic community. It’s only fair
By January 6, the day that Donald Trump supporters tried to violently prevent Congress from certifying Joe Biden’s electoral victory, Gab had 1.6 million accounts. After the insurrection, Amazon’s cloud hosting business kicked the extremist social network Parler off its platform, a decision that prompted a flood of exiled Parler users to flee to Gab. Between January 6 and February 19, an additional 2.4 million Gab accounts were created.
The vast majority of these over 4 million accounts aren’t actually active. Only 1.5 million of them have posted any content to the site at all, and only 400,000 of those have posted more than 10 times. Just over 100,000 accounts have posted more than 10 times since December 1, 2020, making that number much closer to Gab’s actual active user base.
The post-insurrection spike in Gab accounts also holds true for Gab groups. However, there’s also a spike in private groups that were created before the insurrection. The night of December 22, someone created 46 private groups for chapters of the Oath Keepers, a far-right anti-government militia that helped storm the Capitol weeks later, but the groups were either never used or their members deleted all of the posts in them and left the groups before Gab was hacked in late February.
Here are the 20 most popular public groups on Gab:
And here are the 20 most popular private groups on Gab (though some of them, like Internet Censorship, appear to be public now):
Here are the Gab users with the most followers:
The Gab post with the most engagement on the whole platform is this post from @realdonaldtrump (which, again, isn’t actually run by the real Donald Trump).
The Gab post that ranks ninth in engagement is from the major QAnon account @StormIsUponUs.
Needless to say, his predictions did not come to pass.
Like most websites, instead of storing passwords itself, Gab scrambles the passwords using a “hash function” and stores the scrambled versions instead, called a “password hash.” For example, if someone used the password “Trump2020,” GabLeaks would only contain the scrambled version of that. The only way to confirm if that’s their password is to try running it through the same hash function Gab uses and see if any accounts are using that hash.
It turns out that at least three Gab users are using the password “Trump2020,” at least one is using “Trump2024,” and at least one is using “trump2024” (with a lowercase “t”). A few Gab users are using typical insecure passwords like “123456,” “asdf1234,” “letmein,” and “password1.” And at least one user is using an anti-Black racial slur as their password.
Armed with the 7,710 password hashes from GabLeaks, a list of nearly 9,000 password guesses that I created, and my gaming PC, which has a graphics processing unit, or GPU — hardware that can quickly do the math required for 3D graphics as well as things like cracking passwords — I used a tool called hashcat to see which passwords were weak. It took about three days to crunch the numbers, and at the end I successfully cracked 88 passwords, 49 of which were unique.
Among the Gab accounts I found using incredibly weak passwords was an account with the username “OneManAuschwitz” that shares Nazi propaganda used a weak password, as did an account belonging to a “Proud White Man” that shares racist and anti-Semitic memes. Several accounts devoted to QAnon had weak passwords, and so did several accounts that share run-of-the-mill conspiracy theories about the Covid-19 vaccine and the 2020 election.
Thirty-one of the cracked passwords used the same extremely weak password, and nearly all of them used email addresses from the disposable email service sharklasers.com. These are all Gab “fan” accounts that repost tweets from popular extremist Twitter accounts. For example, the Candace Owens fan account has 10,200 followers on Gab, the Dinesh D’Souza fan account has 7,800 followers, and the Breitbart News fan account has 7,100 followers. None of these accounts have posted since November 2018 and are now abandoned.
Correction: March 16, 2021
A previous version of this article stated that one of the Gab accounts with weak passwords belonged to Spencer Brown, the spokesperson for the Young America’s Foundation, a conservative youth organization with alumni that include former Trump senior policy adviser Stephen Miller and former Attorney General Jeff Sessions. Brown did not respond to a request for comment prior to publication but an attorney for the Young America’s Foundation contacted The Intercept after publication and stated that the Gab account was not associated with Brown.