Major Tea Party Group Was Backed by Salsa Billionaire and Other Wealthy Donors, Hacked Documents Reveal

Tea Party Patriots' web database contained only a small fraction of the "3 million patriots" it heralds on its site.

About 100 demonstrators rallied along with Patriot Prayer, Three Percenters, and pro-Trump groups to support early reopening of PetBiz, a pet-grooming salon, in Vancouver, Washington on May 16, 2020. (Photo by John Rudoff/Sipa USA)(Sipa via AP Images)
Photo illustration: Soohee Cho/The Intercept, AP

Tea Party Patriots, a major conservative organization that bills itself as one of the largest grassroots groups on the right, was in fact heavily backed by three ultra-wealthy individuals in recent years, according to internal data reviewed by The Intercept.

The largest donor was Texas billionaire Christopher Goldsbury, who made his fortune selling the salsa company Pace Foods to Campbell Soup in 1994. On September 11, 2019, Goldsbury donated $1 million to the TPP Foundation via wire transfer. According to tax documents, the TPP Foundation took in $1.2 million in revenue that year. Goldsbury had been a TPP member since 2014 and had already donated $20,000 to TPP’s three separate organizations in previous years. Goldsbury did not respond to a request for comment.

Meanwhile, activity by the group’s members appears to have waned. The Intercept found just 144,000 members marked “active” in the online data, versus claims on the TPP website of a “network of 3 million activists,” of “more than 3 million supporters,” and of “over 3 million patriots.” Data from local chapters show members are clustered in fast-growing areas like Colorado and all along the Sun Belt, from California through Arizona, Texas, Georgia, and Florida.

The 327 gigabytes of TPP data were provided to The Intercept anonymously by a source who claimed to have hacked the group’s web back end. In January, The Intercept obtained documents that exposed the identity of a handful of wealthy TPP donors, but the new data fleshes out the understanding of the group’s big-money backing.

The data includes a trove of information about people who are members of Tea Party Patriots local chapters, have signed petitions, or have donated: their names, phone numbers, home addresses, and a detailed activity history for each user. The Intercept is not naming or otherwise exposing information on individual members of the organization other than the group’s three biggest donors (at least two of whom were reported billionaires).

Because the data obtained by the hacker comes only from the group’s web infrastructure, there could be important records missing. For example, there might be TPP supporters who signed up at a live event or made in-person donations but are not tracked by the web database. Some of the data provided by the hacker was corroborated with publicly available information, including some donations and TPP petitions. Still, it’s impossible to authenticate all of the data, and after The Intercept obtained the data a hacker altered pages on TPP’s website.

TPP did not answer specific questions about the breach but instead provided The Intercept an email sent to members from co-founder Jenny Beth Martin, notifying them of the hack and adding that the group had contacted law enforcement and worked “to ensure that our systems are not compromised and are secured even further to ensure that an event of this type does not happen again.” The email continued, “And you can be certain that we will take every step possible to find and help prosecute these criminals who have broken into our electronic home and stolen proprietary and confidential information.”

users-created

New users created in TPP’s web database each year.

Graphic: The Intercept

“Over 3 Million Patriots”

TPP was founded in 2009, shortly after the inauguration of President Barack Obama. The group, according to numerous accounts, was inspired by an on-air rant by CNBC editor Rick Santelli against an Obama administration proposal to help homeowners avoid foreclosure in the early days of the financial crisis. TPP spent its first years organizing against the Affordable Care Act and government spending in general; today, reining in federal expenditures remains central to the group’s stated priorities. But racial and anti-immigrant animus has regularly appeared within the group, which was also involved in organizing the “March to Save America” rally culminating in the deadly January 6, 2021, storming of the U.S. Capitol, aimed at preventing Congress from certifying Joe Biden’s electoral victory. (TPP has said it did not fund the rally and stated it was “shocked, outraged, and saddened at the turn of events on January 6,” condemning the violence.)

Related

Rebekah Mercer Raised Specter of “Armed Conflict” in 2019 Book

Records from the hacked database shed light on its major backers. Now-deceased California real estate mogul Sanford Diller was another billionaire who provided major funding to TPP. According to tax documents, the TPP Foundation took in $106,318 in revenue in 2015. And according to the hacked data, they only took in two donations that year, and one of them was a $100,000 check from Diller. Diller donated another $100,000 in 2016, and $50,000 more in 2017, to the foundation. In 2016 he also donated $150,000 to TPP’s super PAC. The Intercept reported on some of Diller’s foundation donations earlier this year, and late last year ABC News said Justice Department documents implicated Diller in a secret lobbying scheme to trade political donations to entities associated with former President Donald Trump for a pardon.

Another major funder of TPP is David Gore, an Oregon libertarian whose family owns the Gore-Tex fabric company. Between 2018 and January 2021 he donated $50,000 to TPP Action, $275,000 to TPP’s super PAC, and $124,000 to TPP Foundation, according to the internal data obtained by The Intercept. Gore could not be reached for comment.

Tea Party Patriots has three separate organizations: a 501(c)(3) public charity called TPP Foundation; a 501(c)(4) social welfare organization, which is allowed to engage in more extensive lobbying than a 501(c)(3), called TPP Action; and a super political action committee, which can spend unlimited amounts of dark money to support political candidates, called TPP Citizens Fund.

The hacked data includes information about individual donations to these three organizations, but it doesn’t include money raised from interest groups and corporations. For example, TPP’s super PAC raised a total of $2.9 million to support Trump’s 2020 election campaign, but individual donor records from the hacked data only add up to $460,000 that election cycle.

The hacked records also indicate that while TPP has cultivated the image of a mass movement, less than half a million people have either joined a local chapter or even just signed an online petition starting in 2013 or earlier. Of those members, roughly a third are marked “active.”

The data describes roughly 800 local chapters, including a list of members for each chapter. Local TPP chapters have a total of 15,000 users who are marked active, meaning that only about 10 percent of active users in TPP’s database are members of a local chapter — everyone else are people who have signed petitions, donated, or subscribed to mailing lists.

Tea Party Patriots active users by city, July 2021

This map, based on the hacked data, shows how many active Tea Party Patriots users live in which cities, for cities that have at least 10 users.
Map: The Intercept

The chapters with the most users are in Arapahoe County, Colorado, and Atlanta, Georgia, as well as a geographically dispersed chapter called United and Standing, which have between 130 and 190 members each. Groups have 20 members on average, though some have not been active for many years. Of the 144,000 active users, nearly 1,000 of them live in Houston, Texas, the largest city concentration, and hundreds more in San Antonio, Dallas, and Fort Worth. Other top hubs of active users include Las Vegas, Nevada; Phoenix and Tucson, Arizona; Jacksonville and Tampa, Florida; San Diego, California; Colorado Springs and Denver, Colorado; among others.

There are 148 petitions in the database, with dates from 2014 to 2021, and information about everyone who signed a petition and whether they also sent a message to Congress or donated.

The most recent petition, entitled “Stop Critical Race Theory,” had only garnered 34 signatures in the two weeks between June 23, when it was created, and July 7, when the site was hacked. Over 70,000 people signed the most popular petition on the site, entitled “Make Adam Schiff Resign,” during Trump’s first impeachment inquiry; Schiff, a California Democrat and chair of the House Intelligence Committee, was a lead investigator into allegations that Trump withheld funds from Ukraine in exchange for investigations into the Bidens.

petitions-signed

TPP petitions signed each year, according to the hacked web back-end data.

Graphic: The Intercept

From mid-2015 through mid-2017, TPP routinely had petitions reach over 20,000 signatures with names like “No Funding for Illegals,” “Save Our Constitution,” “Support Senator Jeff Sessions,” and “Trump Won, Get Over It,” but the number of signatures on their petitions has significantly dwindled in recent years.

In 2018, a petition to confirm Brett Kavanaugh to the Supreme Court got 16,000 signatures. Since then, only two petitions have breached 8,000 signatures, and they were both during Trump’s first impeachment inquiry: the aforementioned Schiff petition and another, addressed to the Office of Congressional Ethics demanding they conduct an ethics inquiry into House Speaker Nancy Pelosi, which received 14,000 signatures.

Also exposed in the TPP breach were password hashes, or encrypted representations of passwords that members use to login to the teapartypatriots.org website, for over 13,000 users. The password hashes appear to use an algorithm called “salted MD5.” MD5 is a hash function that was proven to be insecure in 2010. Anyone with this hacked data could likely recover most of the original passwords using off-the-shelf hardware.

A Trivial Vulnerability

The hacker who obtained all this data told The Intercept they were motivated by the Tea Party Patriots’ role in helping advocate for the use of hydroxychloroquine as a treatment for Covid-19. The vast bulk of evidence indicates the anti-malaria drug, pushed by former President Donald Trump, does not work for that use. A video advocating for hydroxychloroquine, featuring a group called America’s Frontline Doctors, was reportedly funded by and promoted at an event organized by TPP. The video was later blocked by Facebook, YouTube, and Twitter for containing false statements or otherwise violating their standards.

“Since [Tea Party Patriots] were responsible for a large part of the misinformation in the early stages of the COVID-19 pandemic by promoting hydroxychloroquine with the America Frontline Doctors stunt, I’m sharing the data in hopes that it can shed some light on the people involved and where their funding comes from,” the hacker told The Intercept in an encrypted text message. “I read some articles about the America’s Frontline Doctors stunt, took a look at their website, and one thing led to another.”

The identity of the hacker is not known to The Intercept. They said they identified with the decentralized hacktivist collective Anonymous. Law enforcement in Georgia is now investigating the cyber break-in, and a detective at the Cherokee County Sheriff’s Office contacted The Intercept about the case.

The person said they discovered a trivial, but fatal, security flaw in the database that powered teapartypatriots.org. Examining one of the group’s petitions, “Wear Red on Trump’s Birthday” in which people could pledge to wear red on June 14 to support Trump, they discovered the page’s source code contained an administrator API key — essentially, a secret password that grants access to TPP’s database.

vuln-petition

The Tea Party Patriots petition where the hacker found the administrator API key.

Screenshot: Anonymous

It’s common for web applications like this one to use an API, or application programming interface, and to embed API keys in the code of web pages, allowing the browser to access the data that it needs. However, API keys are supposed to have limited permissions: For example, an API key on a petition page should only have permission to access data related to the petition.

But the API key that TPP included was not limited at all. It had administrator access. It allowed anyone who had it (by viewing the source of the web page, for example) to access all the information in TPP’s massive database. The Intercept confirmed that this administrator API key was not only on the “Wear Red on Trump’s Birthday” petition, but also on all other petitions as well.

vuln-petition-source

Source code for a vulnerable web page, with the API key.

Screenshot: Anonymous

Armed with the API key, the hacker was then able to load addresses at api.teapartypatriots.org over 800,000 times, exfiltrating hundreds of gigabytes of data from the conservative activist group’s database.

With an administrator API key, hackers not only are able to access information from the database, but they can also change that information. This appears to have happened with TPP’s web pages: For a few weeks in July, after The Intercept obtained the hacked database, all the featured petitions on TPP’s website had been renamed to “Stop Computer Fraud and Abuse Act.”

cfaa-petitions

Screenshot from July 23, 2021.

Screenshot: The Intercept

At the time of writing, the petitions on TPP’s website have all been taken down.

Join The Conversation