How a Rookie SQL Injection Mistake Cost Gab’s CTO and Users 70 GB of Data
A recent DDoSecrets leak revealed that Gab’s new CTO introduced a simple SQL injection flaw in the Rails codebase, allowing hackers to steal 70 GB of user data, prompting the CEO’s public apology, code deletions, and a stark reminder of the importance of secure coding practices.
In early 2021, the hacker collective DDoSecrets exposed a massive data breach at the far‑right social platform Gab. By exploiting a SQL injection vulnerability in Gab’s backend, attackers exfiltrated roughly 70 GB of data, including over 40 million posts, hashed passwords, private messages, and records of high‑profile users such as former U.S. President Donald Trump.
CTO’s Rookie Mistake Leads to Massive Data Leak
The critical flaw originated from a code change committed in February by Gab’s newly hired CTO, former Facebook engineer Fosco Marotto. The commit removed the defensive reject and filter calls that sanitized user input before constructing SQL queries, replacing them with a direct find_by_sql call that accepted raw input. This broke a long‑standing Rails best practice of using parameterized queries to prevent injection attacks.
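To make the difference concrete, here is an added illustration (not Gab's code and not ActiveRecord itself) of the two query-building styles the paragraph contrasts: raw string interpolation into the SQL text versus the placeholder form ActiveRecord accepts as find_by_sql(["... WHERE name = ?", value]). Everything below is plain Ruby with constructed inputs: quote_literal is a simplified stand-in for an adapter's value quoting, substitute_binds mimics how a bind array is merged into its placeholders, and skeleton_of/structure_changed? are a hypothetical review-time check that strips string literals and verifies the query's shape is unchanged by the input.

```ruby
# Added example: contrasts string-interpolated SQL with bind parameters.
# Not Gab's code; quote_literal/substitute_binds are simplified stand-ins
# for what a real database adapter and ActiveRecord do.

# Vulnerable style: user input is concatenated straight into the SQL text,
# so a quote character in the input ends the literal early.
def build_query_unsafe(username)
  "SELECT * FROM users WHERE username = '#{username}'"
end

# Parameterized style: the SQL text holds only a placeholder; the value
# travels separately and is quoted when the driver substitutes it.
def build_query_safe(username)
  ["SELECT * FROM users WHERE username = ?", username]
end

# Simplified literal quoting (ANSI SQL): wrap in single quotes and double
# any embedded single quote. Real adapters handle more cases than this.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Merge bind values into the "?" placeholders, left to right.
def substitute_binds(sql, *binds)
  remaining = binds.dup
  sql.gsub("?") { quote_literal(remaining.shift) }
end

# Return the query with every string literal removed, leaving only its
# structural text. Handles the doubled-quote escape inside literals.
def skeleton_of(sql)
  in_literal = false
  out = +""
  i = 0
  while i < sql.length
    c = sql[i]
    if in_literal
      if c == "'"
        if sql[i + 1] == "'" # escaped quote: stay inside the literal
          i += 1
        else
          in_literal = false
        end
      end
    elsif c == "'"
      in_literal = true
    else
      out << c
    end
    i += 1
  end
  out
end

# Shape the query must keep regardless of what the user typed.
QUERY_SKELETON = "SELECT * FROM users WHERE username = ".freeze

# True when the input altered the query's structure (the injection signal).
def structure_changed?(sql)
  skeleton_of(sql) != QUERY_SKELETON
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a legitimate name containing an apostrophe, and a
  # classic quote-breaking string.
  ["O'Brien", "' OR '1'='1"].each do |input|
    unsafe = build_query_unsafe(input)
    safe   = substitute_binds(*build_query_safe(input))
    puts "input: #{input.inspect}"
    puts "  interpolated : #{unsafe}  changed=#{structure_changed?(unsafe)}"
    puts "  parameterized: #{safe}  changed=#{structure_changed?(safe)}"
  end
end
```

Run as a script to see that even a benign apostrophe (O'Brien) breaks the interpolated query's structure, while the bind form keeps the whole input inside one literal. The skeleton comparison is the kind of property a unit test or a Rails static analyser such as Brakeman, which warns on string interpolation passed to find_by_sql, can enforce before code like this reaches production.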
CEO’s Response and Security Audit
Gab’s CEO Andrew Torba initially denied the intrusion, but after the leak became public he acknowledged the breach, labeled the attackers “devil hackers,” and announced an emergency security audit. He claimed the vulnerability had been patched and promised a thorough investigation.
Code Deletion, License Controversy, and Aftermath
Following the incident, Gab removed the offending commit from its public Git repository and replaced the full history with a password‑protected ZIP archive (password: JesusChristIsKingTrumpWonTheElection). Critics argued this action violated the Affero GPL under which Gab’s code is licensed, reducing transparency for the open‑source community.
Further attempts to fix the vulnerability were visible in the repository, but developers struggled to replace the insecure SQL construction, suggesting either the absence of static analysis tooling or a deliberate disregard for its warnings.
The episode sparked widespread discussion among Rails developers, who criticized the CTO’s oversight and emphasized that even a senior engineer should adhere to secure coding standards, especially in a small team of 26 employees where the CTO is expected to be the most technically proficient member.
21CTO