Last night, Twitter lit up with claims that Parler, a social media platform surging in popularity among Trump supporters — especially since the election — was hacked. Parler’s CEO John Matze did damage control today, strongly denying the claim, but the rumours continue circulating online. Some say the leak has been debunked (Snopes has labelled the accusations false), while others are adamant more damning information will be disclosed soon. As the confusion lingers, we’re left asking: was Parler actually hacked?
Based on the evidence so far, probably not, but there are still security concerns we need to address.
Let’s start with the alleged hack.
The rumour originated in a now-deleted tweet from conceptual artist Kevin Abosch. Abosch has used Tweets as part of art projects in the past, and this appears to be another one.
Before it was clear who Abosch is and that the tweet was likely a stunt, Twitter users quickly circulated it through retweets and screenshots. As it spread, several journalists and cybersecurity professionals dug into the hack claims and the “evidence” supporting them. They confirmed that the database said to have been targeted is linked to Parler, but that it is actually a WordPress log for Parler’s official blog, which was hacked in July, but is no longer compromised. This blog did not contain user data.
However, parallel to the debunked WordPress log are claims of a separate security flaw that compromised over 6.3GBs of Parler user data culled from one of its advertising partners. These claims come from several security researchers on Twitter, including the head of cybersecurity for Joe Biden’s presidential campaign, Jackie Singh, and Shutterstock’s Application Security Engineer John Jackson, among others. The researchers have also announced a plan to disclose their findings within the next 1-2 weeks. They are careful to note that the issue at hand is still not a hack; the security researchers merely found and investigated an alleged vulnerability. Nonetheless, it added fuel to the hacking claims.
But I would caution people to remain calm and level headed. There are a bunch of bad guys hooked into this situation who are desperate for a cover story and escape hatch.
Someone will undoubtedly start shouting “hack”. Don’t take the bait. Treason weasels just got sloppy.
— Chris Vickery (@VickerySec) November 25, 2020
So, to summarise: there’s no proof Parler was hacked, but there do appear to be serious issues with how Parler handles its user data, and the episode highlights how a Parler data breach could be much more devastating than your average leak.
Parler’s whole schtick is that it is a “free speech” social media platform, and it aggressively courts users with right-wing views (who often go there to peddle far-right conspiracies that sites like Twitter and Facebook have taken to labelling false or misleading). These users like Parler because there, they can express their opinion “without fear of deplatforming” (as long as it doesn’t overstep Parler’s terms of service).
Oddly, that freedom means anyone can impersonate another user on Parler without facing much in the way of repercussions. To head off the possibility of this problem, you can sign up for an “influencer” account — Parler’s version of verified users — that will help you stand out from the crowd (and the potential lookalike accounts). But earning this status requires you to fork over your social security number, which allows Parler to confirm your identity.
Parler says its user data is stored securely, and that it deletes social security numbers and other identifying information once users are verified. But even if Parler is honest about its data policies and keeps your information safe, the mere act of giving your social security number is a major risk.
Companies mishandle user data all the time, and that information could easily slip out somewhere — such as via a third-party company’s improperly secured server, for example.
It also opens users up to possible scams and identity theft in other ways.
Phishing campaigns utilise fake social media login pages or misleading verification emails to trick users into handing over passwords and high-value data. If someone assumes giving Parler their social security number is standard procedure, they’re more likely to unwittingly share it with the wrong people.
I know I won’t convince any Parler users strongly convinced of the platform’s ideals that using it is a bad idea, but if you’re at all concerned about data privacy and identity theft, definitely don’t give the service your social security number or any other personal data. If you’re merely curious about the platform, I suggest staying away.