The downfall of extremist social network Parler has been swift and all-encompassing. The app has now gone completely dark, thanks to Amazon dumping it from its Web Services hosting platform, but still the website is somehow creating a mess.
Large swaths of Parler user data are being retrieved by hackers and posted publicly on the internet, according to a Reddit thread in r/ParlerWatch. The thread has received a great deal of attention on Reddit since its posting Sunday afternoon, and Twitter user @BirdRespecter’s tweet about the hack has garnered tens of thousands of likes and retweets since early this morning.
The methodology of the supposed hack — as well as its extent — is not entirely understood. A top comment on the Reddit thread points to a WordPress add-on called Twilio, a cloud communications platform, as the culprit for the wide-open vulnerability that led to the hack.
However, other experts have quickly refuted this claim, obscuring the hack’s extent. Here's what we do know for sure: Parler was never secure.
The Twilio argument — Essentially nothing about the hack has been confirmed, so we’re left to dwell on potentialities: who did this and how they did so is very much up in the air. The most popular theory right now revolves around a website integration called Twilio, which can be used for email and text message authentication.
Twilio cut ties with Parler yesterday in the hours leading up to the Amazon Web Services ban; the company said Parler had violated Twilio’s terms of service, which prohibit the spread of disinformation and the encouragement of violence. This left Parler without a method by which to validate user accounts — so anyone could create as many accounts as they wanted without waiting for verification.
It seems that access was then used to set up bots that scraped Parler’s backend services for any and all information left on the website.
Going down with the ship — Though the Twilio theory sounds credible enough, some industry experts say it sounds a little too good to be true.
Parler losing its new user authentication wouldn’t likely be enough to access anything other than public posts — which pokes a pretty large hole in the Twilio theory. We also haven’t seen any actual artifacts from the leak; the state IDs referenced in @BirdRespecter’s Twitter thread haven’t turned up yet, for example.
It will likely be a while before we know the full scope of this hack — but it’s obvious, at least, that Parler was never exactly the pinnacle of cybersecurity.
UPDATE (6:15 p.m. ET): A Twilio spokesperson reached out and offered the following comment:
“With regards to reports of cybersecurity issues Parler experienced and have been attributed to Twilio, our security team investigated the claims and found no evidence indicating their security issues were related to Twilio or our products. Per our website, Twilio has not issued any press releases pertaining to or referencing Parler. Furthermore, Parler was using Twilio to send out identity verification codes for new downloads or password resets. Once a user was verified, security protocols were independently handled by Parler and did not involve Twilio or its products. On Friday, January 8th, we sent Parler a letter informing them they were in violation of our Acceptable Use Policy and notifying them that we would suspend their account if they did not make efforts to remediate multiple calls for violence on their platform. Shortly after receiving our letter, Parler informed us they had already turned off their integration with Twilio. Any cybersecurity issues experienced by Parler were completely unrelated to Twilio or any of its products.”