The Reason Why Parler’s Data Breach Is a Giant Information Security Failure
The Parler data breach opened up sensitive private data to millions of users, some potentially part of the groups of rioters who stormed Capitol Hill.
After Amazon suspended the platform's Webhosting, Parler went dark on Monday. Apple and Google said Parler was removed from app stores because the operators have failed to moderate posts which encouraged violence and crime.
Hackers tried to rescue as much data as possible. This may have led to millions of records being released.
Important correction: data was accessed but there was some misinformation that was repeated by some OSINT contacts, which turned out to be false:
The Reddit rumor that hackers gained access to more private data on the site — due to SMS provider Twilio cutting ties with Parler and disabling its two-factor authentication — was “bullshit,” @donk_enby told WIRED.
Parler failed to install the most basic security measures that would have prevented the automated scraping of the site’s data, now other reports confirmed. ‘It even ordered its posts by number in the site’s URLs, so that anyone could have easily, programmatically downloaded the site’s millions of posts’, WIRED confirmed.
People then did archive the entire site. As far as I can confirm, geolocation data was left on videos. The data was used to create maps of Capitol Hill rioters at the scene.
The video data:
Kyle Mcdonald, a computer developer leaked geolocation data for Parler videos online in the form of a 3.4MB CSV file. The GPS metadata for 68,000 videos uploaded to the Parler platform is still available on filesharing platform GitHub.
We can upload the leaked data into open source geo-location system QGIS and then check also on Google Earth Pro to see where people took videos in the heat of the Capitol Hill incident.
As Parler was a popular social network among conservatives and extremists actors, as Atlantic Council says, some of its users may have belonged to the rioters who stormed the Capitol Hill building. After all, this was the reason why Amazon decided to squash the service in the first place.
Below, we match the video location data to the Capitol Hill geolocation.
Other concerned citizens found flaws in how companies, including Parler, deals with private data.
“It looks like potentially a huge InfoSec failure”, Mark Richards, a developer and privacy advocate says: “One that should send alarm bells about the extent to which governments are ensuring that social media companies are keeping data secure”.
In the greater scale of things, there is a question of how platforms need to cater for potential discontinuation of their service and the private data it holds. “It’s important. What happens if Facebook goes bust tomorrow?”, Richards adds
The first effort to archive data from Parler was made by Twitter handle @donk_enby, who began gathering posts from the day of the Capitol Hill incident, Gizmodo and other sources reported yesterday.
The news spread quickly across Hacker News by ycombinator.com. The now-deleted content on the URL ‘Donk.sh’, archived on WaybackMachine (here), which gives some details on an unofficial Parler API.
Richards adds that he hopes the hackers or those who downloaded the content know what they’re doing, “because I’d be surprised if their actions aren’t criminal if they’re knowingly accessing private/deleted content”.
