

The Parler hack

There's currently a class action ongoing against British Airways for loss of mass personal data.
Could non-political users of Parler bring a similar action against the theft of their data?

Fundamentally, do you believe that your data - the information about you, is not yours to own?
 
I see from Teh Twitters that Parler is back up and being hosted in Russia by an organisation called DDOS-GUARD LTD. Not at all suspicious, nothing to see here, move along please...

And has been for a while, it would seem.

https://krebsonsecurity.com/tag/ddos-guard/

In October 2020, KrebsOnSecurity looked at how a web of sites connected to conspiracy theory movements QAnon and 8chan were being kept online by DDoS-Guard, a dodgy Russian firm that also hosts the official site for the terrorist group Hamas.
 
The hacker who downloaded the whole site.
Or are you saying this person had official sanction to do so?
Ah, ISWYM, and yes, Parler’s, er, parlous security was a definite factor in that. I thought you were referring to the authorities’ access to the data as theft, my bad.
 
Could non-political users of Parler bring a similar action against the theft of their data?

The whole thing sounds quite extraordinarily dodgy to me. The idea folk needed to register using personal information was dubious to start with (I’ve heard claims of it asking for driving licenses, social security data etc). If that is true and they have now moved that data to a foreign power, arguably one with a remarkable history of data-harvesting and cyber-criminality, I’d expect some members to be a tad irked. Let’s just say this falls somewhat short of GDPR compliance!

PS If anyone gets an email from James Cleverly, Steve Baker or Michael Gove stating they’ve inherited a fortune and now need you to cash a cheque....
 
The whole thing sounds quite extraordinarily dodgy to me. The idea folk needed to register using personal information was dubious to start with (I’ve heard claims of it asking for driving licenses, social security data etc). If that is true and they have now moved that data to a foreign power, arguably one with a remarkable history of data-harvesting and cyber-criminality, I’d expect some members to be a tad irked. Let’s just say this falls somewhat short of GDPR compliance!

PS If anyone gets an email from James Cleverly, Steve Baker or Michael Gove stating they’ve inherited a fortune and now need you to cash a cheque....

This is very tricky. Cloud developers will know that Microsoft has multiple hosting sites scattered around the world, including some in China.
Crucially, the latter are organized through an intermediary entity. Same goes for AWS.

If you choose to operate from one of these sites, for commercial reasons, you have to comply with Chinese regulations which are pretty onerous in some areas.
 
Ah, ISWYM, and yes, Parler’s, er, parlous security was a definite factor in that. I thought you were referring to the authorities’ access to the data as theft, my bad.
It's unlikely that poor security is a mitigating factor to any investigation.

I relate it back to the serious data loss which occurred with Theranos and their medical testing database.
Part of the defense of this loss seems to centre on incompetence, but I doubt it will hold up to the federal investigation.
 
This is very tricky. Cloud developers will know that Microsoft has multiple hosting sites scattered around the world, including some in China.
Crucially, the latter are organized through an intermediary entity. Same goes for AWS.

Agreed. I looked into this all quite carefully as I wanted to be certain pfm was 100% GDPR compliant. Initially there was a grey area/complexity as since the site’s creation it was hosted in California. This site is very simple, there is negligible confidential information beyond a registration email and a log of recent IP data (this is one reason I don’t host images too, that is a level of personal data I just don’t need to deal with, or pay to host). Nothing is ever used for marketing, the only emails a user ever receives are the initial registration confirmation and beyond that only if they have specifically requested notifications for PMs or watched threads. Even so I decided to move to an independent UK-based host just to simplify things further. To be honest I just don’t want to have to spend the time thinking about this sort of thing so keeping it all as simple and transparent as possible makes sense. I briefly looked at AWS, but it appeared neither cheap nor simple!
 
Theft by who?

Is it really theft (in the legal sense)? I don’t see how copying public data voluntarily published by the individuals concerned can be.

From what I have read either something went wrong at some point or their security had always been nonexistent. You signed up for an account without any form of authentication. Once you had an account you could see who had admin privileges and then reset the password to those accounts, again without any form of authentication. A master class of how not to run a website.
 

