How a Rookie SQL Mistake by a Former Facebook CTO Led to a $500K Gab Data Breach

A former Facebook engineer, newly hired as CTO of the social platform Gab, introduced a simple SQL injection vulnerability by removing critical reject and filter calls, allowing hackers to steal 70 GB of user data, demand a $500,000 Bitcoin ransom, and expose the company's lax security practices.

ITPUB

Technical Overview

In early 2021 a hacker exploited an SQL injection vulnerability in Gab’s backend, exfiltrating approximately 70 GB of data from about 15 000 users, including public posts, private messages, hashed passwords and personal details.

Vulnerability Origin

The vulnerable code was introduced by CTO Fosco Marotto in a Ruby on Rails controller. A previous defensive implementation that called reject and filter (custom sanitisation functions) was removed. The new code used find_by_sql with a raw string that concatenated user‑supplied input directly into the SQL statement, eliminating parameterisation and input sanitisation.

Commit History and Evidence

Git commit analysis shows a commit authored by “Fosco Marotto” that removed the sanitisation calls. The commit was later deleted, but archived web snapshots reveal the exact line changes (removal of reject and filter at line 23).

Security Practices Lacking

Absence of parameterised queries or prepared statements.

No static application security testing (SAST) in the CI pipeline; a typical SAST tool would flag the raw find_by_sql usage.

Insufficient code‑review safeguards; the change passed without detection.
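The raw find_by_sql pattern described under Vulnerability Origin, beside its parameterised form, and the kind of check a SAST step in CI would have applied, as an added example that is not Gab's code or Rails itself: FakeModel is an assumed stand-in for an ActiveRecord model, and the lint rule and sample source lines are constructed for illustration.

```ruby
# Added example (not Gab's or Rails' code): the raw find_by_sql mistake, its
# parameterised counterpart, and a tiny SAST-style rule that flags the raw form.

# Stand-in for an ActiveRecord model (assumption): records the statement it
# would have run instead of executing it. No database is needed.
class FakeModel
  attr_reader :last_sql, :last_binds

  # Mirrors find_by_sql's two call shapes: a raw string, or [sql, *binds].
  def find_by_sql(sql_or_array)
    @last_sql, *@last_binds = Array(sql_or_array)
    [] # no rows; we only inspect the statement that was built
  end
end

# Vulnerable: user input is interpolated straight into the statement, so a
# single quote in the input (even an innocent one) changes the SQL itself.
def search_vulnerable(model, term)
  model.find_by_sql("SELECT * FROM statuses WHERE text LIKE '%#{term}%'")
  model.last_sql
end

# Fixed: the statement is constant text and the input travels as a bind
# value, so the database never parses it as SQL.
def search_parameterised(model, term)
  pattern = "%#{term}%"
  model.find_by_sql(["SELECT * FROM statuses WHERE text LIKE ?", pattern])
  [model.last_sql, model.last_binds]
end

# Minimal lint rule of the kind a SAST step in CI would apply: report the
# line numbers of find_by_sql calls whose argument is built by string
# interpolation ("#{") or concatenation (+ next to a string literal).
def flag_raw_find_by_sql(source)
  source.lines.each_with_index.filter_map do |line, i|
    next unless line.include?("find_by_sql")
    arg = line.split("find_by_sql", 2).last
    i + 1 if arg.match?(/#\{/) || arg.match?(/"\s*\+|\+\s*"/)
  end
end

# Constructed sample source: line 1 is the raw form, line 2 the bound form.
SAMPLE_SOURCE = <<~'SRC'
  rows = Status.find_by_sql("SELECT * FROM statuses WHERE id = #{id}")
  rows = Status.find_by_sql(["SELECT * FROM statuses WHERE id = ?", id])
SRC
```

A real Rails SAST tool such as Brakeman performs this kind of check with far more precision; the rule above only shows the shape of what a CI gate would have caught.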

Response and Aftermath

Gab initially denied the breach, later confirmed it, and reported a ransom demand of roughly $500 000 in Bitcoin to law enforcement. The vulnerable commit was removed from the repository, but the change remained recoverable via web archives.

Expert Commentary

Dmitry Borodaenko, former Facebook product engineer, noted that any developer familiar with SQL should be aware of injection risks and that the omission of static analysis likely allowed the flaw to slip through.

