The personal information of thousands of Parler users was obtained by hackers just before the social media website went offline Monday.
Among a trove of personal data is said to be driver’s licenses that Parler users uploaded to the website as part of a verification feature on the social media service.
The disclosure was made in a Reddit post on Monday a few hours after Amazon’s decision to pull cloud computer services for Parler forced the website offline.
According to Reddit users /u/BlueMountainDace, hackers were tipped off to the data after the communications firm Twilio announced it was cutting off its services to Parler.
Twilio’s statement on suspending Parler indefinitely: pic.twitter.com/EX1zTtl2kh
— James Titcomb (@jamestitcomb) January 10, 2021
Computer experts quickly learned that Twilio was used by Parler to authenticate new user accounts as well as provide a security mechanism for existing accounts.
“Because of that access, it gave [hackers] access to the behind-the-login box API that is used to deliver content — ALL CONTENT,” BlueMountainDace wrote. “It also…revealed which users had administration rights, moderation rights.”
BlueMountainDace said hackers were able to retrieve the credentials of Parler’s actual administrators by using the site’s password reset tool. Since Twilio was no longer being used to authenticate these requests, it gave hackers unfettered access to administration accounts used to maintain Parler’s website.
“This group of [hackers] then used that account to create a handful of other administration accounts, and then created a script that ended up creating millions of fake administration accounts,” BlueMountainDace said.
The story posted to Reddit couldn’t be thoroughly verified, but at least one move made by Parler in the hours before it went offline suggests it may be credible: On Sunday, the website stopped allowing new account creations, and existing users reported serious problems accessing their accounts and making changes throughout the day.
A test account created by The Desk to lurk around Parler leading up to Monday also experienced problems: The account would randomly log off, and profile and account changes weren’t being saved.
NEW: Parler has suspended new account sign-ups mere hours before Amazon is expected to pull server support for the social media platform.
— Matthew Keys (@MatthewKeysLive) January 10, 2021
On Tuesday, a Twilio spokesperson denied the company’s decision to pull its support for Parler was linked to efforts by hackers to obtain administrative access to the website.
“Our security team investigated the claims [posted online] and found no evidence indicating their security issues were related to Twilio or our products,” Cris Paden, a communications officer with Twilio, said in an email to The Desk on Tuesday. “Twilio has not issued any press releases pertaining to or referencing Parler. Furthermore, Parler was using Twilio to send out identity verification codes for new downloads or password resets. Once a user was verified, security protocols were independently handled by Parler and did not involve Twilio or its products.”
Twilio sent a letter to Parler last week saying it was in violation of the company’s acceptable use policy after discovering incendiary posts that remained available to the public. Paden said Twilio was informed a short time later that Parler would disconnect its platform from Twilio’s services.
“Any cyber security issues experienced by Parler were completely unrelated to Twilio or any of its products,” Paden said.
However it was facilitated, the issue was reportedly worse than just a few login issues: Continuing on Reddit, BlueMountainDace wrote that once hackers were able to gain administrative privileges into Parler, they had access to a trove of data uploaded by its users, including personal-identifying information.
That data included geo-location information, which could be used to discover the precise locations of some Parler users. It also included the front and back of state-issued identification cards like driver’s licenses, which users were required to provide to the company if they wanted a “verified” badge on their Parler profile.
That data could ultimately be used to identify some of the Parler users who are suspected of instigating an insurrection against the U.S. Capitol last Wednesday. The attack, which came as lawmakers were working to certify the results of the 2020 presidential election, resulted in the deaths of four people, including a police officer.
BlueMountainDace said the data is being uploaded to various cloud storage services “for later retrieval by law enforcement, by the public [and] by open source intelligence communities.”
Representatives from Parler have not yet responded to an e-mail request for comment.
Parler has faced criticism in the days since the attack on the Capitol for providing a digital safe haven for misleading, violent and incendiary rhetoric related to the presidential election. Parler’s executives have denied the social network was linked to last Wednesday’s attack, but posts retrieved before the website went offline revealed its users did promote the rally at the Capitol in the days leading up to the siege.
Facing intense pressure from lawmakers and members of the public, both Google and Apple announced they were removing Parler’s official app from their official stores, effectively cutting off Parler from smartphone and tablet users. The website was still available through web browsers until Amazon said it would stop providing server and cloud computing services to Parler.
Though Parler’s CEO John Matze initially said the website had drawn interest from other server providers, he eventually acknowledged that other companies were unwilling to work with them, which effectively left Parler without the ability to come back online.
On Monday, Parler sued Amazon in federal court, saying the company’s decision to pull its tech support for the website could eventually force Parler to shut down for good.