It sounds like Parler is responsible for the leaking, if they truly had no authentication requirements on their API endpoints.