How a CTO’s Mistake Exposed Gab’s Data: The SQL Injection Disaster

A data breach at the far‑right platform Gab was traced to a commit by its newly hired CTO that removed the codebase's SQL‑injection defenses, illustrating how a single senior engineer's security decision can expose millions of user records and trigger major political fallout.

Programmer DD

In the tech world, the competence of a project leader—especially a CTO—often determines a startup’s success or failure.

Gab, a far‑right social media platform, suffered a massive breach when an attacker exploited an SQL‑injection vulnerability and extracted over 70 GB of data, later published by the transparency collective DDoSecrets, including millions of posts and the personal information of high‑profile users.

The root cause was traced to Gab's newly hired CTO, Fosco Marotto. By reviewing the company's Git history, investigators found that Marotto had removed the reject and filter API calls that were designed to block SQL‑injection attacks. The resulting code is exactly the pattern a routine static‑analysis pass (Brakeman is the standard scanner for Rails) flags as an SQL‑injection risk, so the regression should have been caught before it shipped.

The Rails Security Guide explicitly shows the correct way to prevent SQL injection, namely keeping user input out of the SQL text and passing it as bind parameters, and the code that was removed matched those examples, making the mistake both obvious and avoidable.
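To make the distinction concrete, the following is an added example (not code from the original page and not Gab's code): a plain‑Ruby illustration of the two query‑building patterns the Rails Security Guide contrasts, interpolating user input into the SQL string versus passing it as a bind parameter. The `users` table, the login lookup, the attacker string, the `quote_value` helper standing in for the database adapter, and the `sql_structure` scanner are all constructed for this example so it runs without Rails or a database; it does not reproduce the specific code that was removed from Gab's repository.

```ruby
# Added example (not Gab's code): the two query-building patterns the Rails
# Security Guide contrasts, in plain Ruby so it runs without Rails or a database.
# The users table, the login lookup, the attacker string and the quoting helper
# that stands in for the database adapter are all constructed for this example.

# Constructed attacker input: a quote to close the literal, a tautology, and a
# comment marker to discard the rest of the statement.
MALICIOUS_LOGIN = "' OR 1=1 --"

# What the query's structure should look like once every string literal's
# contents are blanked out. If input can change this, it is executing as SQL.
EXPECTED_STRUCTURE = "SELECT * FROM users WHERE login = '' LIMIT 1"

# Vulnerable pattern: user input interpolated into the SQL text. Equivalent to
# User.where("login = '#{login}'") in Rails.
def vulnerable_login_sql(login)
  "SELECT * FROM users WHERE login = '#{login}' LIMIT 1"
end

# Parameterized pattern: the SQL text is a constant and the value travels as a
# bind. Equivalent to User.where("login = ?", login) or User.where(login: login).
def parameterized_login(login)
  ["SELECT * FROM users WHERE login = ? LIMIT 1", [login]]
end

# Stand-in for the adapter's bind handling (assumption: ANSI '' escaping, as in
# PostgreSQL and SQLite). A quote inside the value can no longer end the literal.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Splices quoted binds into the placeholders so the result can be inspected.
# Real adapters send binds separately; this is only for display and checking.
def render_for_display(sql, binds)
  parts = sql.split("?", -1)
  raise ArgumentError, "bind count mismatch" unless parts.length == binds.length + 1
  parts.each_with_index.map { |part, i| i < binds.length ? part + quote_value(binds[i]) : part }.join
end

# Returns the query with the contents of every single-quoted literal removed,
# honouring the '' escape. Deliberately minimal: no comment or identifier-quote
# handling, which is enough to show where the attacker string ends up.
def sql_structure(sql)
  out = +""
  in_literal = false
  i = 0
  while i < sql.length
    ch = sql[i]
    if in_literal
      if ch == "'"
        if sql[i + 1] == "'"
          i += 1 # escaped quote: stays inside the literal
        else
          in_literal = false
          out << "'"
        end
      end
    else
      out << ch
      in_literal = true if ch == "'"
    end
    i += 1
  end
  out
end

# True when the input could not alter the statement's structure.
def structure_preserved?(sql)
  sql_structure(sql) == EXPECTED_STRUCTURE
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_login_sql(MALICIOUS_LOGIN)
  puts "  structure preserved? #{structure_preserved?(vulnerable_login_sql(MALICIOUS_LOGIN))}"
  sql, binds = parameterized_login(MALICIOUS_LOGIN)
  puts render_for_display(sql, binds)
  puts "  structure preserved? #{structure_preserved?(render_for_display(sql, binds))}"
end
```

The point of `sql_structure` is that a correctly parameterized query has the same shape for every input: blank out the literals and the attacker's `OR 1=1 --` disappears, because it never left the string literal. In the interpolated version the same input becomes part of the WHERE clause. In a real Rails app the hash form `where(login: login)` is the simplest safe choice, and Brakeman will flag the interpolated form on every run.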

Marotto, who previously spent seven years at Facebook working on the Parse backend and contributed to Gab's Dissenter browser, was appointed Gab's CTO in November 2020. Despite his impressive résumé, his actions show that a CTO must rigorously review security‑critical code, especially in a small team of 26 engineers where there is little other review capacity.

The incident underscores a broader issue: many companies promote leaders based on past titles rather than demonstrated technical ability, leading to parachuted‑in appointments that can jeopardize both product quality and user safety.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: SQL Injection, CTO, Rails, Security Breach, Gab
Written by

Programmer DD

A tinkering programmer and author of "Spring Cloud Microservices in Action"
