How a Rookie SQL Mistake by a Former Facebook CTO Led to a $500K Gab Breach
A former Facebook engineer serving as Gab's CTO introduced a simple SQL injection flaw, which hackers exploited to steal data from 15,000 users, prompting a $500,000 ransom demand, code deletion, and a heated debate over CTO responsibilities and security best practices.
Because of a basic mistake, 70 GB of data were leaked and the company was extorted for $500,000.
A hacker exploited a SQL injection vulnerability in the Gab website to steal data on roughly 15,000 users, including public and private posts, hashed passwords and personal information, as well as data related to former US President Donald Trump.
Big-Company “Graduate” CTO Commits Fatal Rookie Error
The breach originated from a SQL injection that allowed the attacker to retrieve data from the backend database. Investigation of the Git commit history revealed that a user named “Fosco Marotto” altered the backend code, removing the input-filtering calls (the reject and filter calls on line 23) that were supposed to block SQL injection attacks.
Instead of using parameterized queries, the change introduced a find_by_sql call in a Rails function, so unfiltered input was built into the raw SQL string and executed directly.
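The two shapes of that call, as an added example that is not Gab's or Mastodon's code: the raw-string find_by_sql pattern the article describes beside the parameterized form that Rails' find_by_sql(["... = ?", value]) accepts. bind_sql is a small stand-in for ActiveRecord's sanitize_sql_array so the example runs without Rails, and the table and column names are assumed rather than taken from Gab's code base.

```ruby
# Stand-in for ActiveRecord's sanitize_sql_array (assumption: Rails is not
# loaded). Binds values into '?' slots: integers pass through, strings are
# quoted with embedded single quotes doubled, anything else is rejected.
def bind_sql(sql, *binds)
  raise ArgumentError, "expected #{sql.count('?')} binds, got #{binds.size}" unless sql.count("?") == binds.size
  i = -1
  sql.gsub("?") do
    case (v = binds[i += 1])
    when Integer then v.to_s
    when String  then "'#{v.gsub("'", "''")}'"
    else raise ArgumentError, "unsupported bind type #{v.class}"
    end
  end
end

# Vulnerable: request input interpolated straight into the SQL string, the
# shape of the find_by_sql call that replaced the removed filtering.
# Table/column names are hypothetical.
def posts_query_unsafe(account_id)
  "SELECT * FROM posts WHERE account_id = #{account_id}"
end

# Hardened: the value is type-checked at the boundary and travels as a bind
# parameter, so non-numeric input is rejected instead of reaching the database.
def posts_query_safe(account_id)
  bind_sql("SELECT * FROM posts WHERE account_id = ?", Integer(account_id.to_s, 10))
end

# Hardened string case: the whole input stays inside one quoted literal.
def user_query_safe(username)
  bind_sql("SELECT * FROM users WHERE username = ?", username.to_s)
end

# Structural fingerprint for a review or test suite: replace string and numeric
# literals with '?' so only the statement skeleton remains. A parameterized
# query keeps one skeleton for every input; an interpolated one does not.
def query_shape(sql)
  sql.gsub(/'(?:[^']|'')*'/, "?").gsub(/\b\d+\b/, "?")
end

if __FILE__ == $PROGRAM_NAME
  hostile = "1 OR 1=1"                  # constructed sample input
  puts posts_query_unsafe(hostile)      # skeleton gains an extra OR clause
  puts user_query_safe("x' OR 1=1 --")  # payload stays inside one literal
  begin
    posts_query_safe(hostile)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The query_shape check is the property a test suite can assert on every raw-SQL call site: the skeleton of a parameterized query must not depend on the input.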
Security experts criticized the subsequent deletion of the offending commit, noting that it violated transparency requirements for source code.
Years earlier, in 2012, the same CTO had advised on Stack Overflow that developers should use parameterized queries to prevent SQL injection.
CTO: First Time Receiving Death Threats
Gab’s CEO Andrew Torba initially denied the intrusion, but later confirmed the breach, stating that the vulnerability had been patched and a full security audit was underway.
The company reported a ransom demand of roughly $500,000 in Bitcoin and informed law enforcement.
Fosco Marotto posted on Hacker News, stating that he had no evidence linking his code change to the hack and that he had received a death threat.
CTOs, Take Note!
The incident raises the question of how to avoid repeating such mistakes. A publicly available checklist (5.6k stars on GitHub) offers guidance for CTOs and VPs of Engineering in startups and fast-growing companies, covering hiring, management, architecture, and security practices.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
21CTO
21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.