[BreachExchange] Hacker reveals massive Parler data leak: ALL users’ messages, location info and even driver’s licenses may have been exposed
Destry Winant
destry at riskbasedsecurity.com
Mon Jan 11 10:38:36 EST 2021
https://www.rt.com/usa/512152-parler-hacker-data-leak/
Recently shutdown social media app Parler is at the center of a yet
another controversy, after allegations surfaced that the totality of
its users' personal data was leaked in the wake of the network going
offline.
Parler, a social network popular with conservative audiences, was
removed from the internet on Monday, after Amazon kicked the site off
its hosting service, citing"a steady increase in this violent content"
in the wake of Wednesday's riot at the US Capitol. The decision to
pull support came after Apple and Google blocked the social network
from their online marketplaces over the weekend.
Shortly before Amazon's move, a self-described hacker from Austria,
going by 'Donk Enby' on Twitter, claimed to have gained access to all
of the "unprocessed, raw" video files uploaded to Parler "with all
associated metadata." The hacker even included a link to the file
library in order to prove that the data leak was real.
The development agitated the social network's audience, especially
since it occurred around the same time as Parler's shutdown.
News of the apparent leak quickly spread online, leaving some to
wonder how the hacker could have snagged the entirety of one of the
network's file libraries.
A Reddit user named 'BlueMountainDace' claimed to have the answer, and
they posted it in the group 'ParlerWatch,' which appears to have been
created to monitor some of the perceived extreme views of the
platform's users.
According to 'BlueMountainDace', it was not just the videos, but the
entirety of Parler's users' data that was exposed.
In their viral post, the Redditor asserted that one of Parler's
hosting platforms, Twilio, accidentally exposed the app's security
authentications via a press release. This in turn could have allowed
any person to create a blank administrator account and access all of
Parler's private content, which, besides message history and geo data,
might have included users' driver's license photos, which were used to
create a verified account.
Currently it is unclear which press release by Twilio might have led
to the Parler data being exposed.
According to tech writer Matthew Sheffield, the breach was possible
due to Parler's long-criticized lax security standards. Specifically,
Sheffield blames the potential leak on the app "never actually
deleting anything its users posted," while keeping the data accessible
to administrator users.
However, Sheffield notes that it will likely "take a little while" for
such amounts of data to be processed in order for it to end up in an
accessible "WikiLeaks-style data dump."
More information about the BreachExchange
mailing list