So far, it seems like it’s been the worst week of the year for social media platforms in terms of data leaks, with Clubhouse seemingly joining the fray.

Days after scraped data from more than a billion Facebook and LinkedIn profiles, collectively speaking, was put up for sale online, it looks like now it’s Clubhouse’s turn. The upstart platform seems to have experienced the same fate, with an SQL database containing 1.3 million scraped Clubhouse user records leaked for free on a popular hacker forum.

To see if any of your online accounts were exposed in previous security breaches, use our personal data leak checker with a library of 15+ billion breached records.

What was leaked?

The leaked database contains a variety of user-related information from Clubhouse profiles, including:

  • User ID
  • Name
  • Photo URL
  • Username
  • Twitter handle
  • Instagram handle
  • Number of followers
  • Number of people followed by the user
  • Account creation date
  • Invited by user profile name

Example of leaked data:

Clubhouse API allows anyone to carry out mass scrapes of user data?

Updated on 11/04: Clubhouse has issued a statement about the incident on social media, saying they have not experienced a breach of their systems. The company said that the data is already publicly available and that it can be accessed by “anyone” via their API.

In addition to sparking a heated debate under the company’s statement on Twitter, this raises some questions about the privacy stance of the company: allowing everyone to gather and download even public profile information on a mass scale can have severe negative consequences for user privacy.

Updated on 12/04: According to CyberNews senior information security researcher Mantas Sasnauskas, the posting of scraped Clubhouse user data reveals a potential privacy issue within the social media platform itself: “The way the Clubhouse app is built lets anyone with a token, or via an API, query the entire body of public Clubhouse user profile information, and it seems that token does not expire.”

Sasnauskas argues that even though the Clubhouse privacy policy does not allow unauthorized data mining and data scraping, the platform should go beyond simply stating it in the rules. “This should not only be reflected in the ToS, but also in the technical implementation of the app, making it harder for anyone to scrape user data. Having no anti-scraping measures in place can be seen as a privacy issue.”
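As an added illustration of the kind of anti-scraping measure Sasnauskas is calling for (example code written for this article, not Clubhouse's or CyberNews's), the script below runs two simple detections over constructed API access-log lines: a per-token request budget inside a sliding time window, and a check for near-sequential user-ID enumeration, the typical footprint of a bulk profile scrape. The log format, token names and thresholds are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # sliding window for the per-token request budget
MAX_REQUESTS = 30     # profile lookups a token may make inside one window
MIN_SEQ_RUN = 20      # consecutive ascending user IDs treated as enumeration


def parse_line(line):
    """Parse an assumed log format '<epoch> <token> /profile/<user_id>'."""
    ts, token, path = line.split()
    return int(ts), token, int(path.rsplit("/", 1)[1])


def detect_scrapers(lines):
    """Return {token: set(reasons)} for tokens whose traffic looks like scraping."""
    windows = defaultdict(deque)   # token -> request timestamps inside the window
    last_uid = {}                  # token -> last user ID requested
    run_len = defaultdict(int)     # token -> current ascending-ID run length
    flagged = defaultdict(set)
    for line in lines:             # lines are assumed to be in time order per token
        ts, token, uid = parse_line(line)
        # (a) sliding-window rate budget: drop timestamps older than the window
        q = windows[token]
        q.append(ts)
        while q and ts - q[0] >= WINDOW_SECONDS:
            q.popleft()
        if len(q) > MAX_REQUESTS:
            flagged[token].add("rate")
        # (b) enumeration: each requested ID is the previous one plus 1..3
        prev = last_uid.get(token)
        if prev is not None and 0 < uid - prev <= 3:
            run_len[token] += 1
        else:
            run_len[token] = 1
        last_uid[token] = uid
        if run_len[token] >= MIN_SEQ_RUN:
            flagged[token].add("enumeration")
    return dict(flagged)


# Constructed sample log (not real Clubhouse data). "tokA" walks IDs 1000..1039
# once per second; "tokB" makes four unrelated lookups spread over 15 seconds.
SAMPLE_LOG = [f"{1_600_000_000 + i} tokA /profile/{1000 + i}" for i in range(40)]
SAMPLE_LOG += [f"{1_600_000_000 + 5 * i} tokB /profile/{uid}"
               for i, uid in enumerate([42, 7, 9001, 31337])]

if __name__ == "__main__":
    print(detect_scrapers(SAMPLE_LOG))   # {'tokA': {'rate', 'enumeration'}}
```

Either signal alone would justify throttling or expiring the token; in production the thresholds should be tuned against the platform's real per-user request profile.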

We reached out to Clubhouse regarding their API policy and will update the story as soon as we have more information.

Read more: “Not ideal” from a privacy standpoint: Clubhouse API lets “anyone” scrape public user data

What’s the impact?

The data from the leaked files can be used by threat actors against Clubhouse users by carrying out targeted phishing or other types of social engineering attacks.

The SQL database posted on the hacker forum only contains Clubhouse profile information – we did not find any deeply sensitive data like credit card details or legal documents in the archive posted by the threat actor. With that said, even a profile name, with connections to the user’s other social media profiles identified and established, can be enough for a competent cybercriminal to cause real damage.

Particularly determined attackers can combine information found in the leaked SQL database with other data breaches in order to create detailed profiles of their potential victims. With such information in hand, they can stage much more convincing phishing and social engineering attacks or even commit identity theft against the people whose information has been exposed on the hacker forum.

Next steps

If you suspect that your Clubhouse profile data might have been leaked by threat actors, we recommend you:

  • Beware of suspicious Clubhouse messages and connection requests from strangers.
  • Consider using a password manager to create strong passwords and store them securely.
  • Enable two-factor authentication (2FA) on all your online accounts.

Also, watch out for potential phishing emails and text messages. Again, don’t click on anything suspicious or respond to anyone you don’t know.

Stay tuned for more information

Our investigation of the Clubhouse data dump is ongoing, and we will update the story as it unfolds. 

In the meantime, consider using our personal data leak checker with a library of 15+ billion breached accounts to find out if any of your online accounts have been leaked in previous breaches.

https://cybernews.com/security/clubhouse-data-leak-1-3-million-user-records-leaked-for-free-online/