Many of us have become aware that the social media site Parler was essentially shut down after a number of service providers refused it further service. Without cloud services and hosting, the site simply lost the ability to function. Possibly less known, however, is that just before this happened a massive information leak occurred.
As the site began to shut down, a security researcher began archiving every post made on the site. This is not hyperbole; this individual was able to get a copy of every single public post made on the site. This was possible because two-factor authentication and other security measures were not in place.
Making matters worse, posts were organized numerically. This means I could download post #1, then post #2, and so on. This makes it very easy for an individual looking to scrape data to simply set a program to download each post sequentially. Measures such as randomizing post numbers or replacing some of them with letters could have prevented this issue. But that still isn’t the end of it.
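As an added example (not from the original post and not Parler's code), the sketch below shows the randomized-identifier measure mentioned above: the store keeps its sequential key internal and exposes only a random token. The class, function names and sample posts are hypothetical and constructed for illustration.

```python
import secrets


class PostStore:
    """Toy in-memory post store (hypothetical, for illustration only)."""

    def __init__(self):
        self._next_id = 1    # internal sequential key, never shown to clients
        self._rows = {}      # internal id -> post body
        self._public = {}    # opaque public id -> internal id

    def create(self, body: str) -> str:
        internal = self._next_id
        self._next_id += 1
        self._rows[internal] = body
        # 128 bits from the OS CSPRNG; retry on the negligible chance of a clash
        while True:
            public_id = secrets.token_urlsafe(16)
            if public_id not in self._public:
                break
        self._public[public_id] = internal
        return public_id

    def get(self, public_id: str):
        # Lookups go through the opaque id only; the counter is not addressable
        internal = self._public.get(public_id)
        return None if internal is None else self._rows[internal]


def enumeration_hits(store: PostStore, guesses) -> int:
    """Count how many guessed identifiers resolve to a post."""
    return sum(1 for g in guesses if store.get(g) is not None)


def demo():
    store = PostStore()
    ids = [store.create(f"constructed post {n}") for n in range(1, 6)]
    # Counting upward (post 1, post 2, ...) no longer resolves to anything
    sequential = enumeration_hits(store, [str(n) for n in range(1, 1001)])
    # A client that was actually given an identifier can still fetch its post
    known = enumeration_hits(store, ids)
    return ids, sequential, known


if __name__ == "__main__":
    ids, sequential, known = demo()
    print("sample public id:", ids[0])
    print("hits by counting:", sequential, "| hits with issued ids:", known)
```

Unguessable identifiers only remove the counting shortcut. They are not access control, so anything that should not be public still needs an authorization check and rate limiting on the endpoint.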
Finally, each post contained geolocation data. This means users could easily be tracked based on their posts. Especially with events such as the recent riot at the United States Capitol, individuals posting on Parler at the time may have unknowingly provided evidence of possible wrongdoing.
There were also claims that driver’s license numbers were leaked; however, security researchers familiar with this situation said this was unfounded.
The takeaway here is that privacy concerns are an important part of security programs. Organizations should consider the possible effects of particular practices and how information used may affect users. Clearly, a Privacy by Design mindset would have been beneficial here, but lacking security, it would still be too little. Where there is no security, privacy will not be effective.