Parler, a social network used to plan the storming of the U.S. Capitol last week, has been hit by a massive data scrape. Security researchers collected swaths of user data before the network went dark Monday morning after Amazon, Google, and Apple booted the platform. 

The scrape includes user profile data, user information, and which users had administration rights for specific groups within the social network. Twitter user @donk_enby, who first announced about the scrape, claims that over a million video URLs, some deleted and private, were taken. 

“These are original, unprocessed, raw files as uploaded to Parler with all associated metadata,” claims one of the authors. 

Security researchers claim that the scrapped posts are linked to accounts that posted them, and some of the video and image data have geolocation information. That is said also to include data from Parler’s “Verified Citizens,” users of the network who verified their identity by uploading photographs of government-issued IDs, such as a driver’s license. 

Your privacy is important and you cannot take it for granted. Unfortunately, the last line of defense is you, so you have to make sure you’re protected whenever you’re online. One of the best ways to do that is with a VPN.
Find out more

The data might prove valuable to law enforcement since many who participated in the riots deleted their posts and videos afterward. The data scrape includes deleted posts, meaning that Parler stored user data after users deleted it.

Parler, a far-right friendly site, was among the key candidates to host President Donald Trump’s social media presence as Twitter and Facebook suspended his accounts for instigating violence. 

Parler, which claims to have over 10 million users, has lax rules over content, making the platform very attractive to far-right groups. Google and Apple removed Parler’s smartphone app from their app stores, claiming that the platform allowed posting that seeks to “incite ongoing violence in the U.S..” Amazon took similar measures, removing Parler from its hosting service.

Reddit users claim that the scrape was made possible due Twilio, an American cloud communications platform that provided the platform with phone number verification services, cutting ties with Parler.

In a press release announcing the decision, Twilio revealed which services Parler was using. This information allowed hackers to deduct that it was possible to create users and verified accounts without actual verification.

With this type of access, newly minted users were able to get behind the login box API used for content delivery. That allowed them to see which users had moderator rights and this in turn allowed them to reset passwords of existing users with simple “forgot password” function. Since Twilio no longer authenticated emails, hackers were able to access admin accounts with ease.

A question of ethics

Even though the stated purpose of the data scrape is to keep proof of wrongdoing, a question remains: do the ends justify the means?

On the one hand, some of the people whose data got scraped actively planned acts of violence. On the other, some people joined Parler only out of curiosity or professional obligation, such as journalists. However, the data scrape was universal, without hackers paying attention to the real intentions of account holders.

“From what I‘m reading, these weren‘t hacking in a sense we think about state-sponsored hacking, involving phishing or active deception, or anything like that. There was a glaring gap in the security of the platform, and @don_enby and a few others noticed it and used it,” Ali Alkhatib, data ethicist and a research fellow at the Center for Applied Data Ethics, explained to CyberNews.

Since @don_enby did not carry out the data scrape secretively, there’s little to worry about from an ethics perspective. However, Alkhatib agrees that if the data scrape was targeted towards minority groups, there’d be a lot more to worry about.

“To me, this is a little more like the Ashley Madison debacle, but for white supremacists,” he explained.

Afraid your online presence was compromised? Check if your data has been leaked.