GTFOICE.org Leak Exposes 17,662 Anti-ICE Activists On Open API

A former U.S. Department of Homeland Security chief of staff who later ran national security policy at Google built an anti-ICE organizing site, plugged it into a public database with no password, and shipped it to nearly 18,000 immigration activists. The data sat exposed on a Replit-hosted REST API with no authentication and no rate limiting, according to the researcher who found it. Anyone who knew the endpoint could pull every name, email, phone number, ZIP code and signup timestamp in seconds.

That site is GTFOICE.org, launched April 23, 2026 with a splashy slot on The Rachel Maddow Show. The man behind it is Miles Taylor, the former “Anonymous” op-ed writer turned Trump-administration whistleblower. By May 4, the platform was wiped to a generic Replit “this app isn’t live” placeholder and 17,662 activists were left to find out from news reports that their personal details had been sitting in the open for days.

Some of them, including actor Mark Ruffalo, learned their data was scraped only after a viral X thread put the leak on blast. Others got an unsolicited text claiming their information had already been forwarded to ICE, HSI and the FBI.

The Single Bug That Broke Everything

The failure was not exotic. It was a textbook error straight from the OWASP API Security Top 10, applied to a database holding the names of people organizing against federal immigration enforcement.

According to the archived disclosure thread from the X researcher who goes by DataRepublican, the GTFOICE backend exposed a public REST endpoint that returned the full user table on request. There was no API key. No session check. No rate limit to slow a script pulling thousands of records. The site was hosted on Replit, a browser-based development platform aimed at solo builders and prototypers, not at projects holding political-organizing data on immigrant communities.

The technical posture meant a single curl command could enumerate every signup. Hagerstown Rapid Response, the local Maryland watchdog group that publicly flagged the issue, said it tested the platform with phone numbers across Maryland and Utah and got no signup confirmation, only a later text claiming federal agencies already had the records.

Replit boilerplate replacing the live site after the takedown made the hosting choice public. The error code visible to visitors read: “This app isn’t live yet. We couldn’t find a Replit app at this address.”

17,662 Names, Phones and ZIPs

The exposed dataset was small by breach standards and devastating in context. Every record tied a real person to opposition against ICE detention buildouts in their own ZIP code.

Here is what was sitting in the open API, per Hackread’s technical rundown of the unprotected REST endpoint:

  • 17,662 user records pulled from a single signup form
  • Five fields per record: full name, email, phone number, ZIP code, signup timestamp
  • Zero authentication on the database-facing API
  • Zero rate limiting, meaning the entire table could be paginated out in one script run
  • The endpoint reportedly stayed open for at least 12 hours after Taylor was pinged about it

Why The Field Set Stings

Email plus phone plus ZIP is the trifecta for SIM-swap targeting, doxing and physical canvassing. For an activist in a small Maryland or Utah town who signed up to oppose a planned ICE facility, the ZIP narrows them to a precinct. The phone connects to messaging apps. The full name closes the loop with public records and voter rolls.

Many of the people who signed up are immigrants themselves, the Hagerstown group noted in its initial alert. They trusted Taylor’s national security résumé. The pitch was that a former DHS insider would know how to keep their data safe from the agency he used to staff.

How A Right-Wing Researcher Caught A Former DHS Insider

The disclosure did not come from a major newsroom or a security firm with a press team. It came from a single X thread.

On May 2, 2026, the account @DataRepublican published a viral technical thread laying out the open REST API, the missing rate limits and the irony that Taylor had run “the third-largest federal department, 250,000 employees, $60 billion budget,” then “can’t secure a sign-up form.” The thread is preserved on Thread Reader.

DataRepublican said she notified Taylor before publishing. She also said the endpoint stayed open for at least 12 hours after that ping. Only then did GTFOICE post a notice that signups were paused for a security review. About 20 minutes after the pause notice went up, it was swapped for a generic “under construction” page, and shortly after that, the site reverted to the Replit error.

That sequence is the heart of the controversy. The team behind GTFOICE built itself on a national security pedigree. The first published response to a documented vulnerability was to take the site dark without a public statement, without a breach notification email and without an estimate of how many records had already been pulled.

The sign-up data is exposed on a public REST API. No true authentication. No rate limiting. Full records: names, emails, phone numbers, zip codes, timestamps.

That description, posted by DataRepublican on X on May 2, is the cleanest summary of the failure on record. No Taylor representative has publicly disputed the technical claim.

The Coalition And The Money Behind It

GTFOICE is not a one-person project. Three organizations were named in the joint DEFIANCE.org launch announcement on PRWeb.

| Organization | Principal | Role In GTFOICE |
|---|---|---|
| DEFIANCE.org | Miles Taylor, Xander Schultz | Lead build and platform |
| Save America Movement | Steve Schmidt (Lincoln Project) | Political and media reach |
| Project Salt Box | Independent volunteer researchers | ICE facility tracker dataset |

Project Salt Box describes itself as a volunteer team of independent researchers and data journalists tracking how DHS spends its budget. Its tracker of planned ICE facilities was the public-facing draw on the GTFOICE homepage. The tracker survives. The signup database, the component users actually handed their personal information to, was the part that broke.

The political wiring is part of why activists trusted the platform. Schmidt is a familiar Lincoln Project name. Taylor went on Maddow to launch it. The signup pitch was credibility laundered through cable news.

A Second Leaky Site On The Same Server

The GTFOICE failure was not isolated. DataRepublican’s follow-up thread on May 4 reported a second DEFIANCE-linked site, UndoTrump.org, sitting on the same infrastructure with the same vulnerability.

UndoTrump.org launched April 1, 2026 as what its operators called an “April Fools’ joke,” inviting users to sign up for fictional “Removal Parties” at federal buildings including the White House Ballroom, the Kennedy Center, the Department of Justice and U.S. Navy battleships. The signup form collected names, emails and free-text political messages. According to DataRepublican, the same unauthenticated REST pattern returned 4,000-plus records from roughly 3,300 unique users, including messages whose tone she characterized as death threats against a sitting president, with several appearing to come from people identifying themselves as government employees. Twitchy summarized that follow-up in its May 4 recap of the UndoTrump disclosure.

The Privacy Promise Versus The Code

What turns this from a stumble into something harder to wave away is what the GTFOICE site told users on the way in.

The signup page carried specific commitments. Privacy was taken seriously. Information was “secure and encrypted.” In the event of a breach, users would be “notified immediately.” Those promises are documented in the archived snapshot of the GTFOICE signup flow on archive.is.

None of that happened on the timeline visible to outsiders. The endpoint sat open for hours after the warning. The site was pulled without a public notification email. Affected users learned about the exposure from screenshots circulating on X and Bluesky, and from reporters writing the story.

The local Maryland group that broke the story put it bluntly. Hagerstown Rapid Response said it tested the platform from multiple ZIP codes, never received a signup confirmation, and then watched a phone number used during testing receive a message claiming the data had already been forwarded to FBI, HSI and ICE. The group could not verify whether the text was authentic agency outreach, a malicious spoof, or a third party with access to the leaked records. It wrote that the timing alone “raises serious questions” about how the data was handled.

That uncertainty is the worst part of the story for the people who signed up. They cannot tell whether their information went to a curious researcher, a hostile scraper or actual federal investigators. The platform itself has not given them a number.

What This Means If You Signed Up

If your name is in the GTFOICE database, the operational facts as of May 9 are limited but specific. The site is offline. There has been no formal breach notification to users. There has been no published estimate of how many copies of the dataset are now in private hands.

Treat the email and phone you used as compromised. Assume the ZIP and full name are searchable in any future doxing campaign tied to anti-ICE organizing. If the email address you used is also tied to your Bluesky, X or Signal account, rotate the account or migrate to a fresh inbox with two-factor authentication on a hardware key, not SMS.

The wider lesson the wire coverage has not stated cleanly is this: credentialing is not a substitute for a code review. A founder’s prior title at DHS or Google does not patch an open API. Activist platforms that collect names and locations need the same security audit a fintech would get before launch, and the same breach notification discipline a healthcare app is forced to follow.

Frequently Asked Questions

How Do I Find Out If My Data Was In The GTFOICE Leak?

Assume yes if you signed up at GTFOICE.org between April 23 and May 4, 2026. There is no official lookup tool and Taylor’s team has not emailed users. The exposed dataset reportedly contained 17,662 records covering everyone who completed the signup form during that window. Treat your email and phone number as compromised, change passwords on accounts using that email, and turn on hardware-key two-factor where supported.

Was The Data Actually Sent To ICE Or The FBI?

Unconfirmed. Hagerstown Rapid Response received a text claiming the data was forwarded to FBI, HSI and ICE, but could not verify whether the message was an authentic agency contact, a spoof from a third party who scraped the records, or a hostile actor trying to scare activists. No federal agency has publicly confirmed receipt. What is confirmed is that the API was open and anyone could have pulled the table.

Should I Still Sign Up For Anti-ICE Organizing Lists?

Yes, but vet the platform. Look for an HTTPS lock, a clearly named privacy officer, and a public statement on what happens to your data if the site shuts down. Use a dedicated email alias from a service like SimpleLogin or Apple’s Hide My Email. Use a Google Voice or burner number, not your main line. Never give a ZIP plus full name plus phone to a site that has been live for less than a few weeks.

Is Replit Safe To Host A Real User Database On?

Replit is a legitimate platform, but it is built for prototyping and rapid deployment, not for hardened production apps holding sensitive personal data. The platform itself did not cause the GTFOICE failure. The operators did, by exposing a database-facing REST endpoint with no authentication. A serious activist platform should sit behind WAF protection, API gateways and rate limiting, on infrastructure with a real security team in front of it.
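To make concrete what "no authentication, no session check, no rate limit" means in code, and what the hardened posture described above looks like, here is an added illustration. It is not GTFOICE code (which is not public); the user rows, session tokens and handler names are all constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed sample rows in the five exposed fields; every value is fictional.
USERS = {
    1: {"name": "Ana Example", "email": "ana@example.org", "phone": "+1-555-0101",
        "zip": "21740", "signed_up": "2026-04-24T09:12:00Z"},
    2: {"name": "Ben Example", "email": "ben@example.org", "phone": "+1-555-0102",
        "zip": "84101", "signed_up": "2026-04-25T17:40:00Z"},
}

def open_users_endpoint(request):
    """The pattern the article describes: any caller, no token, no session,
    no throttle, and the response is the entire signup table."""
    return 200, list(USERS.values())

# Hypothetical session store: opaque token -> id of the signed-in user.
SESSIONS = {"tok_ana": 1, "tok_ben": 2}
RATE_LIMIT = 5              # requests per client per window
WINDOW_SECONDS = 60.0
_hits = defaultdict(deque)  # client ip -> timestamps of recent requests

def _rate_limited(client_ip, now):
    """Sliding-window counter; counts every request, authenticated or not,
    so unauthenticated probing is throttled as well."""
    q = _hits[client_ip]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False

def hardened_user_endpoint(request, now=None):
    """GET /users/<id>: throttle first, then authenticate the session, then
    check that the caller owns the requested record. No bulk listing exists."""
    now = time.monotonic() if now is None else now
    if _rate_limited(request.get("ip", "unknown"), now):
        return 429, {"error": "rate limited"}
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    caller_id = SESSIONS.get(token)
    if caller_id is None:
        return 401, {"error": "unauthorized"}
    if request.get("user_id") != caller_id:  # object-level authorization check
        return 403, {"error": "forbidden"}
    return 200, USERS[caller_id]
```

The hardened handler still belongs behind a gateway and a WAF; the point is that even without them, a caller with no session gets nothing, a caller with a session gets only their own row, and a scripted pull hits the throttle before it gets far.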

What Should Miles Taylor Do Now Under U.S. Breach Law?

State breach-notification laws cover this. California, New York, Texas and others require written notice to affected residents when unencrypted personal data is exposed, often within 60 days. With 17,662 records spanning every U.S. state, GTFOICE almost certainly triggers multiple state thresholds. The site has not yet sent a notification. Affected users in California can also file a complaint with the state Attorney General’s office under the CCPA framework.

The story is still moving. The site remains down. No criminal complaint has been filed publicly, and no class-action notice has surfaced as of May 9. What is already locked in is a case study every activist group will study for a long time, the kind that proves a national security résumé and a working REST API are not the same thing.

Disclaimer: This article is for informational purposes only and does not constitute legal or cybersecurity advice. Breach response steps depend on your jurisdiction, the data fields involved, and the platforms tied to the exposed email or phone. Affected individuals should consult a qualified attorney about state breach-notification rights and a credentialed security professional before taking account-recovery action. Details cited are accurate as of publication on May 9, 2026 and may change as the investigation develops.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
