Oh, it is good.
https://twitter.com/hashtag/ParlerLeaks
https://twitter.com/hashtag/parlerhack
Post any good finds.
Best explanation I've seen why this is a big deal.
WordPress config file being accessible is a big yikes. Gives you the destination for the DB as well as the username and password to sign into it. MySQL export, and anything not using an MD5 hash is visible right away - the rest? Decrypt.
Soon as the DB has been exported, game over.
https://twitter.com/IckleIzu/status/1331401417186299909
Chapo: Use protonmail to sign up, browse using a VPN, assume everyone is a fed including the admins
Parler: Give us your SSN and driver's license photo lmao
Remembering a password is lib. If I log out, I have to make a new account.
The admins were admonishing people to use a Proton Mail email to set up 2FA on here and I don't really understand the benefit. This single-use email just becomes the SPOF instead of chapo chat, so what's the difference? I don't use an email.
Also: let’s say my profile gets hacked. What are they going to do? Post? Comment? It’s not like they can send themselves money or buy things in my name.
I was thinking about this too and it's like, unless you're using the same username/password on here as your bank, the worst that could happen is they hijack a power poster's reputation on here and use it to influence people in some kind of negative way, which is a lot of effort for what actual benefit, and also why we shouldn't have power posters.
Some people get attached to their online identity. But I'm all for changing your account at the same time you change your toothbrush. In the future when it comes time to vote in mods and things like that you might need to keep an account to be a part of those decisions but that's an opt in thing.
A user's account got "hacked" by people who were able to guess/find their password somewhere. That's why 2FA was pushed heavily, to try to prevent that from happening if you have 2FA enabled.
So essentially the benefit is that a hypothetical attacker who wants to take control of my chapo chat account would have to guess my Proton Mail email? Is that the benefit?
Well, you can use any email service, not just Proton Mail. The admins just recommend Proton Mail. They would have to take control of your email account as well, I guess.
Sure, so they’d have to guess my email account. But they wouldn’t have to take control of both my chapo chat account AND my email account, they’d have to take control of my email only. Then they could reset my chapo password. So that’s why I said the email becomes the single point of failure - if that’s compromised, then everything’s compromised. So I shouldn’t use ChapoBapo@protonmail.com, but if I use a random unrelated email address and the attacker was specifically targeting getting access to my chapo chat account for ... some unknown reason then I can see how having the email would be an additional layer of protection.
If you forget your password, just make another account.
If your new account isn't as popular as your old one, git gud, poster
This is what my dad does as well, uses his work email for fucking everything and has no clue about anonymity online.
Just :agony-turbo: stuff
I used slickdeals to find my latest VPN. They are always having crazy deals for yearlies.
Cost the same amount as 3 months of my old VPN.
Used StackSocial to get a legit lifetime subscription key for AdGuard for 20 bucks. I bet they have some nice and cheap VPN keys as well.
Didn't you need an SSN to make an account? Does that get leaked too? :party-sicko:
They hardcoded the salted passwords next to the key. It would be like posting a physical key on a locked door.
My friend teaches C+ at a community college and he would fail whatever monkey wrote this code.
lmaoooooo why would anyone ever give their SSN to a social media website
Apparently it was only for their equivalent to blue-check accounts.
They needed the SSN to make payments for ad revenue sharing as well.
So if the SSNs do get leaked it is going to be grifter ahoy.
- hardcoded credentials
- hardcoding the salt right next to the key
- running the database as localhost on the same machine/container as the web server
- having a "/1" API endpoint
https://twitter.com/jxxf/status/1331368747488206848
it's a WP frontend and possibly an older hack but something definitely got hacked today?
Nothing released so far that I can find. Might just be their blog.
there are ALSO reports of thousands of DMs getting leaked but I can't find them yet.
Best technical analysis I've seen, and it is trending towards being bunk:
deleted
https://twitter.com/Osinttechnical/status/1331365533866987520
Sorry folks :(
Yep, screenshot is from 6 months ago. The original account on Twitter was just pulling the fire alarm to see how folks would react.
https://twitter.com/JaneLytv/status/1331382801984319488
New noise about the Parler hack (unverified):
All y'all freaking out about Parler having a WordPress config file lying around are going to lose your god damn minds once I drop details on their user data leakage containing personal information of Washington Examiner readers dating back to 2015.
https://twitter.com/Kirtaner/status/1331375753158594565
Ⓐubrey Cottle 🖥🏴☠️ @Kirtaner
I don't know how programing works, but if chapo ever gets hacked there better be an ASCII art of pig poo balls in the code
Might just be a WP blog site that is ancillary to the main site.
https://twitter.com/jxxf/status/1331373856938975232
Non-American here: wtf is Parler and why the fuck are they using WordPress and PHP?
Critical support to comrade Parler admins for gathering the real identities of a ton of fascists and then putting it behind a "please don't look in here" sign
:crab-party: :crab-party: :crab-party:
:crab-party: :crab-party: :crab-party:
Lol, doesn't Parler require you to give them your SSN just to DM people? Feels like only a few days ago someone was saying that and that it is a massive liability if it got hacked lol
one of you nerds explain this to me...aren't backend engineers supposed to keep shit like db passwords as environment variables? would that have prevented this hack? are right wing coders dumb as shit?
Yes, it is extremely possible to make things secure. Not 100% secure because math is complicated, but functionally so.
It's just not trivial to do so. Which is why this happened.
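Added example (not code from the thread, and not Parler's files): the "hardcoded credentials / salt next to the key" items in the bullet list above, and the question about keeping DB passwords in environment variables, side by side. Two constructed wp-config.php files are embedded as strings: a weak one with every secret as a string literal, and a hardened one where a hypothetical required_env() helper pulls each value from the process environment and fails closed if it is missing. A small Python audit function flags the defines whose value is a quoted literal, so the weak file is reported and the hardened one is clean. The variable names (WP_DB_PASSWORD etc.) and the sample values are assumptions for the example.

```python
"""Audit a wp-config.php for secrets written as string literals.

Constructed example: two sample configs (not real files) and a checker that
reports which secret constants are hardcoded. Note that reading secrets
with getenv() only helps if the file itself is not served raw by the web
server; it removes the secrets from the file, not the file from the web root.
"""
import re

# WordPress constants whose values are credentials or key material.
SECRET_CONSTANTS = {
    "DB_NAME", "DB_USER", "DB_PASSWORD",
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
}

# Weak config (constructed): literals everywhere, salt right beside the key.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wp_prod');
define('DB_USER', 'wp_app');
define('DB_PASSWORD', 'hunter2');
define('DB_HOST', 'localhost');
define('AUTH_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
$table_prefix = 'wp_';
"""

# Hardened config (constructed): the file holds only variable names.
# required_env() is a hypothetical helper, not a WordPress API.
HARDENED_CONFIG = """<?php
function required_env(string $name): string {
    $value = getenv($name);
    if ($value === false || $value === '') {
        http_response_code(500);
        exit('missing required environment variable ' . $name);
    }
    return $value;
}
define('DB_NAME', required_env('WP_DB_NAME'));
define('DB_USER', required_env('WP_DB_USER'));
define('DB_PASSWORD', required_env('WP_DB_PASSWORD'));
define('DB_HOST', required_env('WP_DB_HOST'));
define('AUTH_KEY', required_env('WP_AUTH_KEY'));
define('AUTH_SALT', required_env('WP_AUTH_SALT'));
$table_prefix = 'wp_';
"""

# Matches define('NAME', <value>); and captures NAME and the raw value text.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")


def _defines(config_text: str):
    """Yield (name, raw_value) for each define() outside comment lines."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        m = DEFINE_RE.search(stripped)
        if m:
            yield m.group(1), m.group(2)


def hardcoded_secrets(config_text: str) -> list[str]:
    """Return secret constants whose value is a quoted string literal, in file order."""
    return [
        name for name, value in _defines(config_text)
        if name in SECRET_CONSTANTS and value[0] in "'\""
    ]


def db_on_web_host(config_text: str) -> bool:
    """True if DB_HOST is a literal pointing at the web server's own machine."""
    for name, value in _defines(config_text):
        if name == "DB_HOST" and value[0] in "'\"":
            return value.strip("'\"") in {"localhost", "127.0.0.1", "::1"}
    return False


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "hardcoded:", hardcoded_secrets(cfg),
              "db on web host:", db_on_web_host(cfg))
```

The checker is deliberately line-based and regex-driven so it can be pointed at a backup or a leaked copy of a config without executing any PHP; if you extend it, the next thing a practitioner usually wants is the web-server rule that denies access to wp-config.php and to any *.bak or *.orig copy of it, since that is the part environment variables do not solve.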