Right, I did some reading and here’s what likely happened with Parler. Lots of crossed wires here.

First up: someone noticed that Parler uses sequential integers in the API endpoint to get content.

An API endpoint is just a URL with a value added onto the end that tells the system what you want to get back.

Using sequential integers means that a hacker can set up an automated script to start at 1 and count up, trying API calls over and over again, to get back content from Parler.

Parler apparently had no restrictions on this API endpoint, which frankly blows my mind as a web dev.

If you had a working URL, it just spat out whatever it had whether you were logged in or not.

It seems that EVERYTHING that had been uploaded - video, photos, text posts - was accessible whether it had been deleted or restricted in the app itself. Even uploaded photos of licenses etc etc.

I cannot describe how amateur hour this is, if true.