So, the @getongab data breach situation: Let's start the bizarreness with their CEO's ridiculous statement tweeted yesterday:
https://twitter.com/getongab/status/1366123617847828483
This came a couple of days after their post about an "alleged data breach" which is full of pretty bizarre statements: news.gab.com/2021/02/26/all…
For example, because they couldn't find any public discussion about the breach they assumed that @WIRED reporters were "essentially assisting the hacker in his efforts to smear our business". There are *always* discussions held in private about a breach before it's made public.
"It is standard practice for passwords to be hashed. If the alleged breach has taken place as described, your passwords have not been revealed." This is misleading and ignores the simplicity of hash cracking. If your password is "maga2020!" (or similar), it has been revealed.
"It is entirely possible for a user of the site to be unidentifiable based on the information they provide at login." You login with your email address. This (almost always) identifies you, it's literally how people communicate with *you*! 
"In our subscriber records we do not collect health or financial information; we do not collect dates of birth; we do not collect [blah blah]." When you've just had your neo-Nazi hate speech associated to your email address leaked, DoB is the least of your worries!
"Every major tech company – from Facebook to Twitter – has been the target of multiple and continued data breaches." AFAIK, neither of these companies have ever had their entire DB dumped in the style @getongab appears to have, nor would that be an excuse if they had.
Then there's the @WIRED piece from @a_greenberg, a top-notch journo I've got a lot of respect for based on previous pieces he's written and many discussions I've had with him personally: wired.com/story/gab-hack…
DDoSecrets has a @getongab page saying: "Due to these concerns, along with presence of passwords and other PII, this dataset is currently only being offered to journalists and researchers." I'd love to get this into @haveibeenpwned, if anyone knows anyone there, ping them for me.
And lastly, @getongab's atrociously unprofessional and derogatory references to @beka_valentine are matched only by her grace and humour in response
https://twitter.com/getongab/status/1366575774627692554?s=20
Just one more thing: my random @getongab password stored in @1Password begins with "t9q@" (created an account when I was doing commentary on them and Parler). If someone has my password hash, they're welcome to publicly share it and I'll verify then share the original password.
Looking into the (alleged) @getongab data breach, many records don't have an email address or a password hash (mine has the former, but not the latter). But for verification, don't those dates and times look... similar. Coincidence? Or real breach? (Aus time in @1Password)
Although it does appear that @getongab is no longer denying there was a breach, although I’m yet to see a formal disclosure notice (and yes, I know that’s not the most noteworthy thing about the embedded tweet below...)
https://twitter.com/getongab/status/1366954798524887042
• • •
Missing some Tweet in this thread? You can try to
force a refresh
