Is that really what happened? I would have at least assumed comp'ed cloud or data center people. So tired of our side taking L's due to our own retardation.
"According to DDoSecrets' Best, the hacker says that they pulled out Gab's data via a SQL injection vulnerability in the site—a common web bug in which a text field on a site doesn't differentiate between a user's input and commands in the site's code, allowing a hacker to reach in and meddle with its backend SQL database."
"Please select a username" could work if it went like this:
A row of alphanumeric drop-downs, like 12 of them with an option to add more by pressing the + button to the right. Then username gets chosen a single letter at a time. This concept would not be too popular for posting content in a forum or sending messages.
You gotta find the people to prosecute too. That's the problem. They all hide behind VPN's and proxy's so it makes it hard to pin them down and you KNOW the Federal Government isn't interested in going after them like they did Wikileaks and Anon. So they're going to try to blackmail Gab's CEO for the data, and regardless of if he pays out or not, they're going to leak it. Because that's what they do.
For some reason, I find 70GB of data hard to believe. Gab seemed to be on top of the breach and I highly doubt they were able to get that much data in that short amount of time. I think a lot of that is bluffing.
Shit, they might not even have data at all. That's the shit part about blackmail. They can just CLAIM they did it and if their demands aren't met, they'll leak the data. But you can't leak what you don't have. And regardless, if they have the data, they're going to leak it anyway. So, at the end of the day, it'd be stupid to cave to their demands. Because if they have it, they're going to leak it. If they don't, they're bluffing and won't leak anything. And no amount of pandering is going to change that.
Fuck them. Leak it. I don't see the problem. The media would need massive databases to cross reference the email addresses that are stored, but most people just post under their real name anyway, so who cares?
Depends on the encryption algorithm. If it's something outdated like MD5, sure. If they used something like AES-256 with a proper-sized (>1024b) key, it wouldn't be worth the effort.
Depends on the salt they used and the number of rounds of AES they used.
If they didn't salt their hashes then it's easy to make a rainbow table of well known passwords and match them to users, regardless of hashing algorithm.
Sue the individual; full lawfare. IANAL, but you're either looking at defamation or loss of income. However it has to be classified, you are driving people away from Gab by hacking or pretending to hack to scare people away, so it's costing you business.
exactly, pretty much they've done every-single-thing to take them offline and they're running out of options, so they're resorting to this now, it's pathetic. meanwhile gab continues to grow (8k alexa rank in december, 1.8k now)
"DDoSecrets cofounder Emma Best says that the hacked data includes not only all of Gab's public posts and profiles—with the exception of any photos or videos uploaded to the site—but also private group and private individual account posts and messages, as well as user passwords and group passwords. "It contains pretty much everything on Gab, including user data and private posts, everything someone needs to run a nearly complete analysis on Gab users and content," Best wrote in a text message interview with WIRED. "It's another gold mine of research for people looking at militias, neo-Nazis, the far right, QAnon and everything surrounding January 6."
"DDoSecrets says it's not publicly releasing the data due to its sensitivity and the vast amounts of private information it contains. Instead the group says it will selectively share it with journalists, social scientists, and researchers. WIRED viewed a sample of the data, and it does appear to contain Gab users' individual and group profiles—their descriptions and privacy settings—public and private posts, and passwords. Gab CEO Andrew Torba acknowledged the breach in a brief statement Sunday.
"According to DDoSecrets' Best, the hacker says that they pulled out Gab's data via a SQL injection vulnerability in the site—a common web bug in which a text field on a site doesn't differentiate between a user's input and commands in the site's code, allowing a hacker to reach in and meddle with its backend SQL database. Despite the hacker's reference to an "Anonymous Revival Project," they're not associated with the loose hacker collective Anonymous, they told Best, but do "want to represent the nameless struggling masses against capitalists and fascists."
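An added illustration (not code from the thread, and not Gab's or Mastodon's schema) of the bug class the WIRED quote describes: a username lookup that splices the text field into the SQL statement lets the field's content be parsed as part of the query, while the parameterised form treats exactly the same text as data. It uses an in-memory sqlite3 table with one constructed user row.

```python
"""Text field spliced into SQL versus passed as a parameter (constructed sqlite3 fixture)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """One constructed user row; the hash column holds a placeholder, not a real bcrypt hash."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)", ("alice", "PLACEHOLDER-BCRYPT-HASH"))
    con.commit()
    return con


def lookup_vulnerable(con: sqlite3.Connection, username: str):
    """The field's text is pasted into the statement, so the database parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(con: sqlite3.Connection, username: str):
    """The driver sends the value separately from the statement; it can only ever be data."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both lookups over the same three inputs and collect what each returns."""
    con = make_db()
    results = {}
    # A normal name works either way.
    results["alice_vuln"] = lookup_vulnerable(con, "alice")
    results["alice_safe"] = lookup_safe(con, "alice")
    # An apostrophe in perfectly legitimate input breaks the concatenated query outright:
    # the database cannot tell where the user's text ends and the statement resumes.
    try:
        lookup_vulnerable(con, "o'brien")
        results["apostrophe_vuln"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe_vuln"] = "syntax error"
    results["apostrophe_safe"] = lookup_safe(con, "o'brien")  # simply no such user
    # A tautology in the field rewrites the WHERE clause: the concatenated query matches
    # a row that was never asked for, the parameterised one matches nothing.
    probe = "' OR 1=1 --"
    results["tautology_vuln"] = lookup_vulnerable(con, probe)
    results["tautology_safe"] = lookup_safe(con, probe)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>16}: {value!r}")
```

The apostrophe case is the cheap regression check to keep in a test suite: if a name like o'brien errors out, the query is being built by string splicing.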
You kidding me? Holy Fuck, do you not remember what CNN did to the kid with the wrestling meme? Or the grandma that tracked down in FL and doxxed on national fucking TV?
So whatever journofags that collaborate with them are essentially openly colluding with subversive commies.
Communism deserves that same level of societal scorn as Nazism. So whichever journofags collude, they should be treated as if they were collaborating with Nazis.
I am not sure I understand. Is hacking like this not illegal?
Is the person who did it not a criminal? Are people who receive the stolen information not also accessories or criminals in their own right (knowingly receiving stolen information).
It's totally a crime. Laws only matter if they are enforced, and if you can find the right people to enforce against. It will be difficult to track the hackers and my guess is they won't try very hard.
It's not a crime when those who work for agencies that are supposed to enforce such crimes are participating in such acts. Then it is "for the benefit of the common good". 🙄 Little to most people get that we aren't part of the "common good". Com' mon, man.
The time and resources involved in finding, prosecuting, and convicting a hacker is very large. The damage of a hack is potentially immediate and also requires a lot of time and resources to mitigate. Time and resources are constrained; the correct move is to repair what can be repaired and harden security where possible. Resources are expended to track down criminals - but how would you go after a foreigner working either for their military or a criminal mafia, for example?
Gab wasnt able to stop state level hackers? I am shocked.
Solar Winds, Yahoo!, Iranian nuclear program, etc. etc. etc. w bigger budgets, and more people, have all been hacked. I expected Gab to be hacked from day one. I posted what I believed when I posted it and didn't use it for anything else.
Yes. Sites where people are engaging with one another are still social media sites. Too many people are not thinking critically when they still believe that sites with feeds like Fakebook, Instagram, Twitter, etc. are the only social media sites.
I'll have you know I graduated top of my class in the Navy Seals, and I've been involved in numerous secret raids on Al-Quaeda, and I have over 300 confirmed kills. I am trained in gorilla warfare and I'm the top sniper in the entire US armed forces. You are nothing to me but just another target.
Who cares, if you aren't taking precautions for privacy, you need to catch up fast. VPN, dummy proton mail account, not sharing personal info, speaking in slightly coded language for plausible deniability, etc
Today we received an inquiry from reporters about an alleged data breach. We have searched high and low for chatter on the breach on the Internet and can find nothing. We can only presume the reporters, who write for a publication that has written many hit pieces on Gab in the past, are in direct contact with the hacker and are essentially assisting the hacker in his efforts to smear our business and hurt you, our users.
The reporter, without providing us with any evidence of the breach or assistance to identify its veracity, alleged that an archive of Gab public posts, private posts, user profiles, hashed passwords for users, DMs, and plaintext passwords for groups have been leaked via a SQL injection attack. We were aware of a vulnerability in this area and patched it last week. We are also proceeding to undertake a full security audit.
Question, how are they able to even get this kind of info? Do most sites use hashes (think that's the word, been a few years since I've done any coding) nowadays to avoid things like this? They were storing the actual passwords?
NSA has all publicly shared encryption master keys.
NSA teams will use them to enter a targeted system from a source spoofed IP address and either deface the public interface to make it look like a hack using the name of some phony "elite" hacker group or grab data and release it elsewhere to make it look like a hack by a phony "elite" hacker group.
And of course, they do this on the behest of the political establishment targeting those sites, individuals or organizations they do not like.
The only safe private communication is that which you keep private between yourself and another private person directly.
Again, for all publicly used encryption - the NSA has the master keys - always.
NSA is def legit but i'm not sure i understand what you mean. they have master encryption keys for like SIM cards but not sure how that applies to servers. imo, this probably wasn't even an sql attack but something much more basic such as employee or datacenter techs with physical access to the server.
Its a good practice not to post anything you want to keep private, regardless of the platform.
There is no privacy on the internet.
Once something goes to the internet, it belongs to the internet forever.
VPN's tho. O wait globalists are throttling all VPN's in the US. which is MASSIVE power that no man should be able to do. Thats what convinced me this is an actual invasion of the US
Public Service Announcement
If you use Gab and your password there is the same one you use elsewhere - CHANGE YOUR PASSWORD ELSEWHERE.
The passwords are encrypted, but are now capable of being bruteforced (try every possible combination of letters/numbers) now that they have the hashes.
There are also very sophisticated dictionary attacks out there that can break lots of hashed passwords.
As long as they properly salted and hashed their database, the chances of brute-force and dictionary attacks mean that in about 40-80 years, they'll be able to break it.
If however, it's not properly salted and hashed, it'll take all of about 8 seconds to break.
Everyone should be using a password manager. A different password for every account, ideally multiple emails as well all with fake aliases.
I only use my real name on one account that's used for work and shopping considering my address and credit cards could be linked to that account. All other accounts could be anyone's.
Best practice is to have a fake identity for each account. It's a stretch to try and speak or type differently, but false information is enough to mask your actual identity. And of course, never post anything that could be used to identify the real you.
VPNs have no effect against stored data.
Truth.
ProtonMail, when used correctly, can be perfectly safe.
Anybody sending even slightly sensitive material over any method, on any social media site, is a moron.
Good thing I didn't.
Still I find it VERY strange that GAB stores passwords etc. as plain text.
Who does that nowadays, when everything needs to be encrypted?
The headline literally says encrypted passwords
Information elsewhere suggest not encrypted:
https://redpilled.ca/breaking-demonic-tranny-hacks-into-gab-servers-and-steals-all-users-personal-data-threatening-to-release-the-70gb-file-including-every-single-users-unencrypted-password-private-posts-private-gr/
Would be good with a definite answer by Torba to clear up the confusion.
The passwords are definitely hashed.
UNTIL THE "HACKER" produces the goods this is fake fuckin' news people.
We get people fishing for ransom money reporting false breaches all the time at work.
https://news.gab.com/2021/02/26/alleged-data-breach-26-february-2021/
Really a sql injection hack? Do they have imbecilic software developers????
Do they have Twitter money? I don't think so ... Seems like the hack is still unproven, unless you have seen the leaked data ?
Literally any WAF worth its salt should prevent SQL injections.
That's not the software engineers job. That's a penetration testers job.
Security is everyones job.
That is dumb. Speaking as a software engineer you do not allow sql injection when writing software.
Thanks, fren! 🙂👍
When you have direct access to the encoded passwords like this you no longer have to try passwords on individual accounts and on the time-schedule the security system limits you to. Imagine trying to guess the combination to a highschool locker - pretty slow going. Now imagine every guess you took was instantly tried on every locker in the school.
Your odds of getting into any specific targeted locker (account) are kinda low, but since there's 10s of thousands of lockers in this virtual school, you're going to get thousands of accounts.
Then you use these username/password combinations at banks, paypal, bitcoin exchanges, amazon, etc. Again, 50-80% of them won't work, but we're on the order of 10s of thousands, and this can all be automated.
So you end up with thousands of compromised accounts on third parties, and you sell these accounts (for like $20 each) to 4th parties who have money laundering networks.
Now you have $100k and none of it has come directly from any of your victims, making it hard to trace to you.
Gab Social, being based on Mastodon, stores bcrypt hashes of the passwords.
An Nvidia 2080Ti GPU with a bcrypt cost factor of around 10 can only crack 250 hashes/second (versus 54 billion for MD5). As long as you're using random passwords, even a 6 character password with only a corpus of upper and lowercase letters plus numbers would still take around 7 years to crack.
Having the hashes does make dictionary attacks much more plausible, however; these could be performed in fairly short order.
This is a good reason to use a password manager with strong passwords (16 characters minimum) that are fully random.
250 hashes/second, 200k words in my 'leaked passwords' dictionary: (200k/250/60) = 30 minutes to crack anyone stupid enough to use a common password. And out of 100,000s of users that's gotta be 10% or so.
I'm not trying to crack any specific password (theoretically, in this example). I'm just trying to crack a large number of random passwords.
That's the point though. bcrypt largely limits the effectiveness of password cracking to dictionary attacks.
Even an 8 character password with a corpus of most special characters will still take you around 380,000 years to crack at 250 hashes a second ((86^8) / 250 * 86400 * 365).
I have several dictionaries that I use. Every english word. All common english/french/german/spanish words, and my favorite: 200,000 passwords gleaned from other hacks, sorted by frequency.
But you're right, an individual user can avoid all this pretty easily. However, in large groups of people you will always find lazy and stupid ones. I'm not trying to guess person X's name. I'm just guessing that SOMEONE in the group is named John. Or Sarah. Or Kwame.
Because some people (read: idiots) still think it is an acceptable practice to "Forgot Passwords" and send the password to the email, ya know... Instead of just saying "reset password"
No it doesn't.
Gab Social is based on Mastodon which stores passwords as a bcrypt hash.
Stop spreading this. It's bullshit.
Facebook and Twitter have a history of storing passwords as plain text.
The only thing they get from me is my password that is easily changed, my public post history and my fake e-mail account created to join Gab.
They get absolutely nothing of any value from me at all.
What about your IP? Did you VPN?
I certainly don't. But I live in a country where our public IP changes every so often.
Your IP changes every time you disconnect your modem unless you have a static IP.
That is not usually true. IP changes when the dhcp lease expires
Does the DHCP lease not expire when you disconnect your modem?
It depends. If your ISP needs the address for another customer and you're offline they'll give your old IP to them. If however, they have plenty of addresses in the pool you're likely to get the same address back.
There's also the cases where you're assigned an internal address (10.x.x.x or 172.16.x.x) for example; those are usually regionally assigned or city assigned if the ISP is small and can't afford to buy large numbers of IPv4 or IPv6 addresses, and in turn use NAT. So you could have 250 or 300 people or more on a single IP address and the NAT device routes the traffic - this was very common here in the west in the early days of the net too. But still very common in very poor or remote places.
Not true. That only happens if your ISP has a large pool of extra addresses. I've had the same IP address for about 6mo now, inc. after two power outages lasting 2+ hours.
If your ISP has fully transitioned to IPv6, you will likely have a static IP forever since they can do IPv4 to IPv6 via NAT in a fully seamless way.
I don't have a dedicated IP address, my provider uses DHCP to allocate addresses, so all anyone would have is a general idea of location. They would have to get a subpoena for my provider to identify me. I live in Cape May County, NJ, I'm not afraid to post it.
Not that I care anyway, I have nothing to hide and I'm totally self sufficient and can't be cancelled.
Thats basically how i feel. Go ahead and send the faggots and trannys after me. I have enough 5.56 for all of them.
On the bright side, they will never be women.
Never owned a gun in my entire life, in the past year bought 7. Still lacking ammo, but I'm ready to defend my family. Wouldn't hurt a flea unless attacked, then game on.
When you're faced with the prospect that your freedoms might be ripped away at any moment, it's interesting how one can transform from "I don't need a gun" to "I'm willing to fight and die for my family."
Thanks to DHCP, knowing someone's naked IP addy will, in most cases, only tell you what ISP they use (unless they specifically pay for a static one).
I'm on a rural ISP, which means that even if I didn't use a VPN, the potential dox'er would have parts of five counties across two states to search.
Source IP wasn't mentioned in the breach but that doesn't mean that data doesn't exist.
Cloudflare owned by prominent Dems
"Encrypted password" which is useless because that is the point of encryption. Also, password managers are great. Highly suggest using one. Just got a new device and I could log into everything effortlessly and URL spoofing does not work because the manager only inputs info on the correct URL.
You can figure it out, but it takes some time. Always use good passwords, and it will go a long way. Also, for every breach you hear about, there are plenty more you don't.
A 16 character password randomly consisting of upper and lower case letters and numbers only using bcrypt with a cost factor of 10 would take ~6.046727765959351e+18 years to crack on a single Nvidia 2080Ti.
The Gab passwords are hashed using bcrypt. I don't know what their cost factor was configured as.
Yep. As the other guy said, rainbow tables will probably snag a decent percent of real world passwords. The good passwords are safe, but Dark Helmet's luggage code will be easy pickings. And the people using bad passwords tend to reuse them.
They won't.
Rainbow tables are completely ineffective once you introduce a salt of sufficient length to the password because you've now made the storage requirements exponential.
Since bcrypt uses a salt of 22 characters encoded as base64, this gives you a possibility of:
5444517870735015415413993718908291383296
combinations just for the salt alone. You're not going to be storing rainbow tables for that many salts much less the 31 character password+salt hash that follows.
Read this response on SO for an explanation why.
Rainbow tables are only effective for something like MD5 without salting.
Read this on rainbow table defenses and on bcrypt specifically.
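The numbers quoted across this sub-thread (250 bcrypt hashes/second at cost 10 versus 54 billion for MD5, the 62^6 and 86^8 brute-force estimates, the 200k-word dictionary sweep, the 16-character figure, and the 64^22 salt space) worked through in one place, as an added example rather than code from the thread. The rates and charset sizes are the posters' assumptions; the functions also generalise them to other cost factors and to a policy check on an actual password's shape.

```python
"""Crack-time arithmetic behind the bcrypt figures quoted in this thread.

The rates are the thread's assumptions (one Nvidia 2080Ti), not measurements taken
here; the functions generalise them to other cost factors and password shapes.
"""
import string

BCRYPT_COST10_HPS = 250             # bcrypt, cost factor 10 (thread's figure)
MD5_HPS = 54_000_000_000            # unsalted MD5 on the same card (thread's figure)
SECONDS_PER_YEAR = 86_400 * 365

# Character classes used to size a random password's search space.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}


def bcrypt_rate(cost: int, cost10_rate: float = BCRYPT_COST10_HPS) -> float:
    """bcrypt does 2**cost rounds of key setup, so each +1 on the cost halves the rate."""
    return cost10_rate / 2 ** (cost - 10)


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a uniformly random password of this shape."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` hashes/second (average is half)."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


def dictionary_sweep_seconds(words: int, rate: float) -> float:
    """Time to run one wordlist against ONE salted hash. With a per-user salt the work
    repeats for every user; nothing is shared across accounts the way a rainbow table is."""
    return words / rate


def bcrypt_salt_encoding_space() -> int:
    """The thread's figure: 22 base64 characters, i.e. 64**22 == 2**132."""
    return 64 ** 22


def bcrypt_salt_space() -> int:
    """The salt itself is 16 bytes, so the number of distinct salts is 2**128;
    the 22-character encoding simply carries 4 unused bits."""
    return 2 ** 128


def charset_size_of(password: str) -> int:
    """Alphabet size implied by the character classes present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += CHARSET_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CHARSET_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CHARSET_SIZES["digit"]
    if any(c in string.punctuation for c in password):
        size += CHARSET_SIZES["symbol"]
    return size


def years_to_crack_shape(password: str, cost: int = 10) -> float:
    """Worst-case brute-force years for a password of this length and class mix against
    bcrypt at `cost`, assuming it is random (a dictionary word is a different story)."""
    return years_to_exhaust(charset_size_of(password), len(password), bcrypt_rate(cost))


if __name__ == "__main__":
    print(f"6 x [A-Za-z0-9]  bcrypt cost 10: {years_to_exhaust(62, 6, BCRYPT_COST10_HPS):.1f} years")
    print(f"6 x [A-Za-z0-9]  MD5:            {years_to_exhaust(62, 6, MD5_HPS) * SECONDS_PER_YEAR:.2f} s")
    print(f"8 x 86-symbol    bcrypt cost 10: {years_to_exhaust(86, 8, BCRYPT_COST10_HPS):,.0f} years")
    print(f"16 x [A-Za-z0-9] bcrypt cost 10: {years_to_exhaust(62, 16, BCRYPT_COST10_HPS):.3e} years")
    print(f"200k-word list vs one hash:      {dictionary_sweep_seconds(200_000, BCRYPT_COST10_HPS) / 60:.1f} min")
    print(f"bcrypt salts (encoded / actual): {bcrypt_salt_encoding_space()} / {bcrypt_salt_space()}")
```

Note that the dictionary sweep is the only line that stays short no matter how high the cost factor goes, which is the thread's actual point: bcrypt buys time against brute force, not against password reuse.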
Cool. Thanks for the info. I have a cyber security cert, but salting was only covered briefly in the course and not mentioned in the test.
If your password is a word or a common word/number combination, and I have the encrypted hash, I can break it in a few hours, maybe a day. (edit: ran the calculations for another post, it takes 25 minutes to crack any common password, even with bcrypt)
If it's not, it might take days-weeks depending on how long it is and which algorithm they used. If it's under 8 characters, there are databases that can break it instantly. (Edit: As sordifPontification points out, these don't apply to bcrypt, especially if it's salted as it should be)
No.
Gab is based on Mastodon which uses bcrypt to store password hashes. There are no rainbow tables for bcrypt for anything 8 characters or less. For under 8 characters, the rainbow tables would be ~211 296 876 372 480 bytes in size. Plausible given current storage but very unlikely.
Edit: And this calculation is probably off by an order of magnitude as I forgot about the salt and was basing this off the hash length.
Edit edit: Plus a 16 byte salt renders rainbow tables completely useless.
Good points on the bcrypt part. Editing my post above
It's been a long time since I've done anything in that world, How are passwords that consist of several real words with no numbers or symbols?
Several real words (3+) are very safe. Easy to remember and it just takes exponentially long for any algorithm to work it's way up to that point.
Yep. Another reason for password manager. Have 20+ character passwords that are random and use all possible characters.
I'm less worried about hashed passwords than the statements being made that the site was vulnerable to SQL injection that bypasses passwords. It's basic security vulnerability 101 and shouldn't have existed.
Having different passwords for email, for each bank, for whatever, for social media is the way to prevent being harmed by hacks.
It is usually the lower security sites that get compromised, then they use that information to target the valuable stuff.
"Whistleblower" Sure you are.
You want to give fake news a few thousand innocent citizens to dox and attack on their 'news' because orange man still bad.
they want a big fat sum of money
The journalists, SS's, and researchers are going to get red-pilled.
The only reason this happened is to scare people from getting on Gab.
Now do Parler.
I hear it's nothing but controlled opposition.
Wouldn't surprise me seeing who paid for it.
But I've never actually used Parler... Just like everyone else.
No, the only reason this happened is because Gab has shit security... this is exactly why I haven't signed up... I don't trust that the owners of Gab are competent enough to not put their users at high risk of being doxxed, and I was right.
I'm shocked it hasn't happened here yet...although I'm just as confident this site is a DHS/NSA honeypot
If you use that same email on another website which is somehow linked to you in other ways, that is how. A protip for Proton users is to use the "+" when creating a username. Example being "[email protected]" fwds the same as "[email protected]". The auto scan matching software probably won't be able to link these two emails if they are doing a simple compare string.
Compared to what? If you don't use social media at all, fine, but there hasn't been a single SM company that hasn't been hacked before.
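The "+" alias comment above cuts both ways: a site that wants to match a published breach dump against its own user table (to force resets before credential stuffing starts) will miss users if it compares address strings literally. Added example, not code from the thread or from any provider, of the canonicalisation such a check should apply first. The provider table is an illustrative assumption, and the dump and user lists are constructed.

```python
# Assumption: providers that ignore dots in the local part, and domains that
# deliver to the same mailbox. Illustrative, not an exhaustive or authoritative table.
DOT_INSENSITIVE = {"gmail.com"}
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonical_email(addr):
    """Reduce an address to the form a provider actually routes on:
    lower-case (assumption: provider folds case), drop a '+tag' suffix,
    fold domain aliases, and strip dots where the provider ignores them."""
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {addr!r}")
    local, domain = addr.split("@")
    domain = DOMAIN_ALIASES.get(domain, domain)
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def match_dump_to_users(dump_addresses, user_addresses):
    """Return our registered addresses whose canonical form appears in the dump,
    so those accounts can be flagged for a forced password reset."""
    dumped = {canonical_email(a) for a in dump_addresses}
    return {u for u in user_addresses if canonical_email(u) in dumped}


# Constructed sample data (not real addresses): a breach dump and our user table.
DUMP = ["Jane.Doe+socialsite@gmail.com", "user+forum@example.org", "nobody@example.net"]
OUR_USERS = ["janedoe@googlemail.com", "user@example.org", "other@example.com"]


def demo():
    return match_dump_to_users(DUMP, OUR_USERS)


if __name__ == "__main__":
    print(sorted(demo()))
```

A literal string comparison on the same data would match nothing, which is exactly the gap the original comment relies on; a defender running the reset job needs the canonical form.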
Really, they didn’t clean text on text fields allowing them to be read as code? That is basic stuff.
But, no... the hackers should be sued. It is one thing to expose vulnerabilities and inform the website of those vulnerabilities. It is another to steal customer data and try and sell/give it out to legit everyone. The hackers are evil evil people.
Is that really what happened? I would have at least assumed comp'ed cloud or data center people. So tired of our side taking L's due to our own retardation.
This has happened to many leftist companies too. They can learn from this and improve.
That's crazy. Salting passwords and shit is literally some of the easiest shit you can do that makes shit like this impossible
Looks like it was just that. From OP's comment:
"According to DDoSecrets' Best, the hacker says that they pulled out Gab's data via a SQL injection vulnerability in the site—a common web bug in which a text field on a site doesn't differentiate between a user's input and commands in the site's code, allowing a hacker to reach in and meddle with its backend SQL database."
WTF year is it? 2000? Did they write this shit in PHP?
PHP runs most websites. It's easy to sanitize user input. Whoever wrote gab is an idiot.
Maybe they dropped a garage door pull while committing the crime.
Pretty sure they sanitize their inputs - that's base 101-level stuff these days.
Wouldn't it be a better catch-all solution to use prepared statements, rather than trying to think of the ways in which you need to clean the text?
"Please select a username from this list" "Please select a comment from this list" would be a pretty terrible social network.
“Please select a username” could work if it went like this: a row of alphanumeric drop-downs, like 12 of them, with an option to add more by pressing the + button to the right. Then the username gets chosen a single letter at a time. This concept would not be too popular for posting content in a forum or sending messages.
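On the question above about prepared statements versus trying to "clean" text: added example, not code from the thread or from Gab/Mastodon, with the vulnerable string-spliced login query beside the parameterised one, run against a constructed in-memory SQLite table. It also shows why hand-sanitising is the wrong tool: a legitimate username containing an apostrophe breaks the concatenated query but binds fine as a parameter. Password hashing is simplified to unsalted SHA-256 here only to keep the focus on the SQL; a real system would use a salted, slow hash as discussed earlier in the thread.

```python
import hashlib
import sqlite3


def setup_db():
    """Constructed users table; the password column holds a hash, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in [("alice", "correct horse battery staple"), ("o'brien", "hunter2")]:
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (user, hashlib.sha256(pw.encode()).hexdigest()))
    return conn


def login_concat(conn, username, password):
    """VULNERABLE: user input is spliced into the SQL text, so the database
    cannot distinguish the user's data from the application's commands."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{pw_hash}'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError:
        return None  # malformed SQL: a quote in the input broke the statement
    return row[0] if row else None


def login_param(conn, username, password):
    """HARDENED: a prepared (parameterised) statement binds the input as a
    value; it is never parsed as SQL, whatever characters it contains."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash)).fetchone()
    return row[0] if row else None


def demo():
    conn = setup_db()
    # Textbook input: the "--" comments out the password clause in the
    # concatenated query, which is the password bypass the article describes.
    crafted = "alice' --"
    return {
        "concat_crafted": login_concat(conn, crafted, "wrong"),
        "param_crafted": login_param(conn, crafted, "wrong"),
        # Legitimate user whose name contains a quote character.
        "concat_apostrophe_user": login_concat(conn, "o'brien", "hunter2"),
        "param_apostrophe_user": login_param(conn, "o'brien", "hunter2"),
        "param_valid": login_param(conn, "alice", "correct horse battery staple"),
        "param_wrong_password": login_param(conn, "alice", "nope"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The takeaway for the "clean the text" approach: the concatenated version both lets the crafted input through and rejects a valid user, while the parameterised version gets both cases right without any character-level filtering.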
Totally not an op at all guys.
Either Parler is off the hook now or Gab can't be trusted either, I guess.
Or maybe, just maybe, it actually was simply a hack and the only malice was on the part of the hacker?
Which is covered by "either Parler is off the hook", because the same might be true for Parler.
Didn't know that, but I did just remember that Parler required a phone number to sign up. Very suspicious.
No it doesn't. It's phone or email. And you can make the latter easily.
Apples to oranges
No, it's not. That assumes they were both the same thing, which they ain't.
Parler is a honeypot. Gab has been an independent thorn in the swamp's side since its inception.
I wonder how this would play out in court for copyright infringement? © 2021 Gab AI, Inc. It should be a criminal offense, however, we all know our justice system is completely infiltrated and broken. The thing is that all the posts are available to the public, regardless of whether you are a member on the site or not. I don't know about group posts, because I'm not in any of those. But the main feed posts are public. You don't have to be 'logged in' to see them.
You gotta find the people to prosecute too. That's the problem. They all hide behind VPNs and proxies so it makes it hard to pin them down and you KNOW the Federal Government isn't interested in going after them like they did Wikileaks and Anon. So they're going to try to blackmail Gab's CEO for the data, and regardless of if he pays out or not, they're going to leak it. Because that's what they do.
For some reason, I find 70GB of data hard to believe. Gab seemed to be on top of the breach and I highly doubt they were able to get that much data in that short amount of time. I think a lot of that is bluffing.
Shit, they might not even have data at all. That's the shit part about blackmail. They can just CLAIM they did it and if their demands aren't met, they'll leak the data. But you can't leak what you don't have. And regardless, if they have the data, they're going to leak it anyway. So, at the end of the day, it'd be stupid to cave to their demands. Because if they have it, they're going to leak it. If they don't, they're bluffing and won't leak anything. And no amount of pandering is going to change that.
Fuck them. Leak it. I don't see the problem. The media would need massive databases to cross reference emails addresses that are stored, but most people just post under their real name anyway, so who cares?
Should just call the bluff.
The 'hackers' only have encrypted passwords, which are useless. If they had the actual passwords, they would have threatened to release those.
DMs are mostly worthless, and I bet a lot of them are fabricated.
They are probably hashed passwords, 95% of which could be very easily cracked. Most people use the same password for multiple sites, too.
Depends on the encryption algorithm. If it's something outdated like MD5, sure. If they used something like AES-256 with a proper-sized (>1024b) key, it wouldn't be worth the effort.
Depends on the salt they used and the number of rounds of AES they used.
If they didn't salt their hashes then it's easy to make a rainbow table of well known passwords and match them to users, regardless of hashing algorithm.
He's correct. The variable is whether or not the person who does this gets caught. If they're smart, highly unlikely.
Assuming they aren't a government entity
Sue the individual; full lawfare. IANAL, but you're either looking at defamation or loss of income. However it has to be classified, you are driving people away from Gab by hacking or pretending to hack to scare people away, so it's costing you business.
Court? Lol anything goes at this point
You're not a whistleblower when you're doxxing innocent civilians for using a social media service. You're just an asshole.
Folks, I would not be too hard on Gab over this....they are the focus of SO MUCH unpatriotic energy right now.
EVERY EVIL FORCE ON THE PLANET WANTS GAB TO FAIL.
That is enough, all by itself, to convince me that I need to support Gab.
Will post there. Will not be posting things I cannot stand up for!
Exactly, pretty much they've done every-single-thing to take them offline and they're running out of options, so they're resorting to this now. It's pathetic. Meanwhile Gab continues to grow (8k Alexa rank in December, 1.8k now).
I don't know that it really matters. We are at war; is it not to be expected?
Why do we want to collect millions of CCP shill farm emails?
Far-Right Platform Gab Has Been Hacked—Including Private Data
https://www.wired.com/story/gab-hack-data-breach-ddosecrets/
"DDoSecrets cofounder Emma Best says that the hacked data includes not only all of Gab's public posts and profiles—with the exception of any photos or videos uploaded to the site—but also private group and private individual account posts and messages, as well as user passwords and group passwords. "It contains pretty much everything on Gab, including user data and private posts, everything someone needs to run a nearly complete analysis on Gab users and content," Best wrote in a text message interview with WIRED. "It's another gold mine of research for people looking at militias, neo-Nazis, the far right, QAnon and everything surrounding January 6."
"DDoSecrets says it's not publicly releasing the data due to its sensitivity and the vast amounts of private information it contains. Instead the group says it will selectively share it with journalists, social scientists, and researchers. WIRED viewed a sample of the data, and it does appear to contain Gab users' individual and group profiles—their descriptions and privacy settings—public and private posts, and passwords. Gab CEO Andrew Torba acknowledged the breach in a brief statement Sunday.
"According to DDoSecrets' Best, the hacker says that they pulled out Gab's data via a SQL injection vulnerability in the site—a common web bug in which a text field on a site doesn't differentiate between a user's input and commands in the site's code, allowing a hacker to reach in and meddle with its backend SQL database. Despite the hacker's reference to an "Anonymous Revival Project," they're not associated with the loose hacker collective Anonymous, they told Best, but do "want to represent the nameless struggling masses against capitalists and fascists."
Torba post yesterday: https://gab.com/a/posts/105810767975703321
And what will the journalists do with it, dumbasses?
You kidding me? Holy Fuck, do you not remember what CNN did to the kid with the wrestling meme? Or the grandma that tracked down in FL and doxxed on national fucking TV?
"against capitalists"
So whatever journofags that collaborate with them are essentially openly colluding with subversive commies.
Communism deserves that same level of societal scorn as Nazism. So whichever journofags collude, they should be treated as if they were collaborating with Nazis.
Looks like Bobby Tables is still around.
(There's a BLM link at the top of that page, by the way, which is why I linked only the image and not the whole page.)
Wtf. DDoSecrets can be sued or no? This is beyond fucked and honestly looks like an op.
DDoSecrets can hack these nuts.
Frustrating that these mentally ill degenerates seem to be pretty proficient at hacking. Wish I was good at computers.
"Individual user account passwords appear to be cryptographically hashed"
Oh noooo! Look at all the fucks I don't give
I am not sure I understand. Is hacking like this not illegal?
Is the person who did it not a criminal? Are people who receive the stolen information not also accessories or criminals in their own right (knowingly receiving stolen information).
wtf?
I guess I am confused.
I'm confused as well. How is this not a crime???
It's totally a crime. Laws only matter if they are enforced, and if you can find the right people to enforce against. It will be difficult to track the hackers and my guess is they won't try very hard.
It's not a crime when those who work for agencies that are supposed to enforce such crimes are participating in such acts. Then it is "for the benefit of the common good". 🙄 Little do most people get that we aren't part of the "common good". C'mon, man.
The time and resources involved in finding, prosecuting, and convicting a hacker is very large. The damage of a hack is potentially immediate and also requires a lot of time and resources to mitigate. Time and resources are constrained; the correct move is to repair what can be repaired and harden security where possible. Resources are expended to track down criminals - but how would you go after a foreigner working either for their military or a criminal mafia, for example?
Oh no! What a surprise.
Gab wasn't able to stop state level hackers? I am shocked.
SolarWinds, Yahoo!, the Iranian nuclear program, etc. etc. etc., with bigger budgets and more people, have all been hacked. I expected Gab to be hacked from day one. I posted what I believed when I posted it and didn't use it for anything else.
C U in summer COVID Camp, y'all!
This story needs to go up front.
The last time it logged me out I never signed back in.
“Whistleblower” stealing private citizens information lmao. Stahp
Here's a thought.
Get off social media... for good.
Is this site considered social media?
Yes. Sites where people are engaging with one another are still social media sites. Too many people are not thinking critically when they still believe that sites with feeds like Fakebook, Instagram, Twitter, etc. are the only social media sites.
That's what I always thought. It's not "big tech" social media, but it's still being social on the internet.
No, at least not primarily.
Social media is about the promotion of you and doesn't have the ability for you to have discourse and elaborate.
It's basically like radio vs TV news.
This is the real answer
Everything is hacked. Never trust anything online.
I work in the financial tech industry and I can assure you NOTHING is safe.
You're lucky if your banking app/portal 'works' when you log in, let alone protects anything.
I'll have you know I graduated top of my class in the Navy Seals, and I've been involved in numerous secret raids on Al-Quaeda, and I have over 300 confirmed kills. I am trained in gorilla warfare and I'm the top sniper in the entire US armed forces. You are nothing to me but just another target.
🤣🤣🤣🤣
70GB is not a lot of data.
Liberals are the terrorists. Not the conservatives.
I am not even a little bit scared. We won the election, we are the majority. Stop f****** hiding.
I've tried to get on since yesterday but it keeps saying Error. Yes, I belong to Gab too.
That's weird. I haven't had a problem getting on.
No problems here, password changed. Has Torba mentioned whether the attack vector is eliminated yet?
I'm sure it has been, I don't know why they would admit to the breach if they hadn't already fixed the issue.
Hmm...okay media. The repairman that came forward to the FBI with Hunter's laptop is a hacker, but these guys are whistleblowers. Sure.
Who cares, if you aren't taking precautions for privacy, you need to catch up fast. VPN, dummy proton mail account, not sharing personal info, speaking in slightly coded language for plausible deniability, etc
Cool. Share encrypted info all day.
Good luck decrypting it. See ya in a few thousand years.
They can have my name and address for all I care. They will find it is the Trump OPPOSITION that has to hide their face where I am from.
Come by and have some covfefe.
Not like they don't have everything on us anyway. We all basically have keystroke loggers set in place by them.
Oh no, everyone I know will know I'm a weeb who doesn't wear a mask
DDoSecrets is a whistleblower? Can we say the name at all like with Caramello boy? Or will the CIA come down like a brick on anyone who does?
"selectively share" lol
Sounds like a law suit.
https://news.gab.com/2021/02/26/alleged-data-breach-26-february-2021/#more-2715
I can't wait for twitter to mass ban the journalists for sharing data from hacked sources like they did for H laptop.
FBI ? Lol why even ask
Question, how are they able to even get this kind of info? Do most sites use hashes (think that's the word, been a few years since I've done any coding) nowadays to avoid things like this? They were storing the actual passwords?
I’m sure the FBLie will get ri-
Never mind, they’re too busy looking for ppl who merely attended Geotus’s DC rally while BLM rioted for months straight.
Sounds like Gab is over the target. The evil left is trying to destroy them.
Make sure you change your passwords if you used that password for anything else.
Yet Robinhood hasn't been hacked 🤔
I wonder if Hillary will want to drone strike them?
Glad I never signed up for that
Use a throwaway protonmail account for registrations
I think dapps involving nucypher could be a great solution to this problem. Decentralized proxy re-encryption
Way worse than what happened to Parler.
Have yis read Andrew Torba's message? Pretty direct. Sounds ticked off.
The "mentally ill tranny demon hackers" post? If that's what you're referring to, yeah, he's pretty pissed! As he should be.
That's the one. Glad he was proactive and didn't try to be apologetic. Lay the blame at the door of the creeps.
Lawsuit
Gab was not hacked.
NSA has all publicly shared encryption master keys.
NSA teams will use them to enter a targeted system from a source spoofed IP address and either deface the public interface to make it look like a hack using the name of some phony "elite" hacker group or grab data and release it elsewhere to make it look like a hack by a phony "elite" hacker group.
And of course, they do this on the behest of the political establishment targeting those sites, individuals or organizations they do not like.
The only safe private communication is that which you keep private between yourself and another private person directly.
Again, for all publicly used encryption - the NSA has the master keys - always.
NSA is def legit but I'm not sure I understand what you mean. They have master encryption keys for like SIM cards but not sure how that applies to servers. IMO, this probably wasn't even an SQL attack but something much more basic such as employee or datacenter techs with physical access to the server.