A Case Study of Massive API Scrapping: Parler Data Breach After the Capitol Riot

After the United States Capitol Hill Riots, there was a massive API scraping of Parler, an open social media platform, which resulted in 70 terabytes of user data being collected. The data breach, a serious confidential personal data leak, was not performed illegally. This paper analyzes the data breach and its impact in depth. The breach was a result of a hacktivist going with the alias @donk_enby, performing a massive API scraping of Parler's servers. The scraping took metadata from user's public, private, and previously deleted posts, uploaded to Parler's servers. Parler had failed to clear the metadata of these posts. The metadata contained names, dates, locations, and other data about the users who posted content to Parler's site. Over 70,000 GPS locations of Parler's users have been uncovered including users' private properties. These locations have also been used to tie citizens to the Capitol Riots if they uploaded any content about the riot from that day. Forms containing government identification of users were also leaked from Parler's servers that were used for account verification. This paper demonstrate background on the events leading up to, including, and following the Capitol Riots. The paper also examine the hacktivist's methodology for performing the API scraping and discuss possible defensive strategies such as API rate limiting, API request sanitation, and API call authorization.