posted by fskfsk +12 / -0

I've been researching the Parler/Twilio hack, and found some disturbing information.

Parler was using WordPress. They (probably) stupidly did not disable the default admin account.

Parler was using Twilio to manage their passwords. (Using a 3rd party service to manage passwords is a lazy idiot move.)

When Twilio disables your account, the default is to ALLOW EVERY LOGIN! This meant hackers could log into WordPress using the default admin account. (If Parler had disabled the default admin account, the hackers would have also needed to guess the admin login username.)

In their announcement banning Parler, Twilio also gave some information that made it easier for the hackers. I couldn't find the original source.

The big tech companies coordinated to mass ban Parler. They also coordinated their attack to cause maximum damage! Think about it. Why did Twilio drop Parler A FEW HOURS BEFORE their AWS account was terminated? If Twilio waited until after Parler's AWS account was terminated, the hack would not have happened!

The big tech companies knew about this flaw in Twilio, so they coordinated their bans so that Parler was exposed for a few hours. As a bonus, the vulnerability happened on Sunday evening, when Parler employees would have been not working or scrambling to deal with the AWS shutdown.

A WordPress Administrator has access to the full database and the ability to execute arbitrary code. I'm afraid this means the hackers got everything. (Some sources said they didn't get driver's licenses and phone numbers. If it was on the server, the hackers got it.)

I don't have a Parler account, because I was put off by the phone number requirement.

Twitter has a "can't share hacked information" policy that was strictly enforced for the Hunter Biden data (which wasn't even a hack). That policy is being conveniently ignored for the Parler hack.

If law enforcement tried to subpoena Parler's entire database, a judge probably wouldn't have allowed it. This hack is a loophole that lets them look at everything.

I know some lawyers read thedonald.win. I hope someone can share this information with them. Any user whose data was exposed should have a claim against Twilio, because of the "allow every login" flaw in their product.

Edit: Sorry, it was Okta, not Twilio. Every other source was mentioning Twilio.

Comments (16)
Sa1tyBastard 2 points ago +2 / -0

This reminds me of: “And the smoke of their torment rises forever and ever. Day and night there is no rest for those who worship the beast and its image, or for anyone who receives the mark of its name.” Here is a call for the perseverance of the saints who keep the commandments of God and the faith of Jesus.…

deleted 1 point ago +1 / -0
deleted 1 point ago +1 / -0
fskfsk [S] 1 point ago +1 / -0

They're on archive.org, links are being shared on Twitter. They claim it will be a week or two before they start doxxing people.

deleted 1 point ago +1 / -0
fskfsk [S] 1 point ago +1 / -0

https://www.newswars.com/parler-users-messages-location-info-drivers-licenses-may-have-been-exposed-in-data-leak/

This post claims the hack got everything. Even raw video data (including geolocation info) really facilitates doxxing.

Of course, I have no idea if they're telling the truth or bluffing.

deleted 1 point ago +1 / -0
deleted 1 point ago +1 / -0
fskfsk [S] 1 point ago +1 / -0

I've seen multiple sources claiming the site was hacked.

What do you expect me to do? Download 70 TB of data and verify it myself?

There also could be more than one vulnerability, one that lets posts be accessed, and another that got private data.

I've worked on poorly coded WordPress sites before, so it's totally believable if they were using WordPress.

If you're setting up WordPress CORRECTLY, the WordPress process has a database account that only has WordPress data and it's running as a restricted user. If you're lazy, you're running your webserver as a root process and the WordPress database account is a dba account.
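The database half of that comparison can be checked from the output of MySQL's `SHOW GRANTS`. The following is an added example, not part of the original comment: the function name, the account names and the sample grant lines are constructed for illustration, and it assumes the application's database is called `wordpress`.

```python
import re

# One line of MySQL `SHOW GRANTS` output.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<user>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)


def audit_grants(lines, app_db):
    """Return (user, issue) tuples for grants that reach beyond app_db."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        if privs == {"USAGE"}:  # USAGE means "no privileges"
            continue
        user = m["user"]
        db = m["scope"].replace("`", "").split(".")[0]
        if db == "*":
            kind = "DBA-equivalent" if privs & {"ALL", "ALL PRIVILEGES"} else "global"
            findings.append((user, f"{kind} grant on *.*: {', '.join(sorted(privs))}"))
        elif db != app_db:
            findings.append((user, f"access to other database: {db}"))
        if "WITH GRANT OPTION" in m["rest"].upper():
            findings.append((user, "can grant its privileges to other accounts"))
    return findings


# Constructed sample input (hypothetical accounts and databases).
SAMPLE_LAZY = ["GRANT ALL PRIVILEGES ON *.* TO 'wp'@'%' WITH GRANT OPTION"]
SAMPLE_SHARED = [
    "GRANT USAGE ON *.* TO 'app'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wordpress`.* TO 'app'@'localhost'",
    "GRANT SELECT, INSERT ON `accounts`.* TO 'app'@'localhost'",
]
SAMPLE_RESTRICTED = [
    "GRANT USAGE ON *.* TO 'wp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wordpress`.* TO 'wp'@'localhost'",
]

if __name__ == "__main__":
    for name in ("SAMPLE_LAZY", "SAMPLE_SHARED", "SAMPLE_RESTRICTED"):
        print(name, audit_grants(globals()[name], "wordpress"))
```
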

fskfsk [S] 1 point ago +1 / -0

Every source I read mentioned Twilio. I didn't realize it was Okta, sorry.

If their security was sloppy, the same database password would be used for the WordPress account as for everything else.

deleted 1 point ago +1 / -0
fskfsk [S] 1 point ago +1 / -0

It looks like, because of the way they were using Twilio and Okta, when they were dropped it was allowing all logins. Anyone could generate a password reset email.

I never understood the idea of using a 3rd party service or library for something you could do yourself in a few hours. You're just adding an unnecessary 3rd party dependency that can break.

deleted 1 point ago +1 / -0
Southern_Belle 1 point ago +1 / -0

The big tech companies coordinated to mass ban Parler. They also coordinated their attack to cause maximum damage! Think about it. Why did Twilio drop Parler A FEW HOURS BEFORE their AWS account was terminated? If Twilio waited until after Parler's AWS account was terminated, the hack would not have happened!

The big tech companies knew about this flaw in Twilio, so they coordinated their bans so that Parler was exposed for a few hours. As a bonus, the vulnerability happened on Sunday evening, when Parler employees would have been not working or scrambling to deal with the AWS shutdown.

RICO!!!

fskfsk [S] 1 point ago +1 / -0

That would require an honest judge to hear the lawsuit.

I also assume the big tech companies weren't dumb enough to leave a trail of them coordinating the ban. Even if they were dumb enough to do it by email, they can just delete the records.