In case you're just catching up, Parler:

- made users submit gov IDs and SS# to verify accounts
- retained that info
- retained all "deleted" info, actually
- their 2FA verifier dropped them
- people used "forgot password" on Admin accounts
- it worked
- They got Admin
- Oh shit

Like, imagine if Equifax had been a social media company, and that's the level of "oh shit" Parler is at.

No, but all the information needed to access someone's bank account - phone, birthdate, driver's license, SS number - is now freely available.

All they have to do is figure out where someone banks (not hard) and walk away with their money. https://twitter.com/scientist_iam/status/1348667044644990979

This is massive legal jeopardy.

Parler was supposed to delete the SS# and driver's license and everything once someone was verified.

They didn't. And they retained all info users "deleted" as well.

This is "we have to flee the country" level of lawsuit.

Aside from identity theft, retaining this information was a violation of the stated terms.

They didn't protect that information, and the result is every single verified Parler user has been effectively doxed.

Lawyers across the country just started drooling and don't know why.

Right. They were using a 2FA plugin. (A plugin, what?!) It got yanked.

What should have happened - what a competent sysadmin would do - is for password resets to be disabled entirely if the plugin failed.

They didn't do that.

Whoops. https://twitter.com/ThyGreatGoddess/status/1348668187060166660
You can follow @Nash076.
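
The fail-closed behaviour the thread says the password-reset path should have had, shown next to the fail-open behaviour, as an added example that is not part of the original thread and is not Parler's code. All class and function names are hypothetical, and the verifiers and codes are constructed sample values.

```python
import hmac

class VerifierUnavailable(Exception):
    """The second-factor provider cannot be reached (for example, service dropped)."""

class DroppedVerifier:
    """Constructed stand-in for a 2FA provider that has terminated service."""
    def check(self, user, code):
        raise VerifierUnavailable("provider terminated service")

class WorkingVerifier:
    """Constructed stand-in for a healthy provider; codes are sample values."""
    def __init__(self, codes):
        self.codes = codes
    def check(self, user, code):
        # Constant-time comparison; unknown users compare against "" and fail.
        return hmac.compare_digest(self.codes.get(user, ""), code)

def reset_fail_open(user, code, verifier):
    """Weak: an outage is treated as 'nothing to check', so the reset goes through."""
    try:
        return verifier.check(user, code)
    except VerifierUnavailable:
        return True

def reset_fail_closed(user, code, verifier, audit_log):
    """Hardened: any verifier failure denies the reset and leaves an audit record."""
    try:
        verified = verifier.check(user, code)
    except Exception as exc:  # outage, timeout or bug: all of them deny
        audit_log.append(("reset_denied_verifier_error", user, type(exc).__name__))
        return False
    if not verified:
        audit_log.append(("reset_denied_bad_code", user, None))
        return False
    audit_log.append(("reset_allowed", user, None))
    return True

if __name__ == "__main__":
    log = []
    up, down = WorkingVerifier({"admin": "492817"}), DroppedVerifier()
    print(reset_fail_open("admin", "000000", down))         # True
    print(reset_fail_closed("admin", "000000", down, log))  # False
    print(reset_fail_closed("admin", "492817", up, log))    # True
    print(log)
```

A burst of `reset_denied_verifier_error` records in the audit log is the signal to alert on: it means the verifier is down and resets are being refused rather than waved through.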