An SQL database containing 1.3 million scraped Clubhouse user records has been leaked for free on a “popular hacker forum”, CyberNews reported. Clubhouse claims that this is false, and that it has not been breached. The situation appears to have led to some speculation on Twitter.
According to CyberNews, the leaked database contains a variety of user-related information from Clubhouse profiles, including: user ID, name, photo URL, username, Twitter handle, Instagram handle, number of followers, number of people followed by the user, account creation date, and the profile name of the user who invited them.
CyberNews speculates that the leaked data could be used by threat actors against Clubhouse. It could be used to carry out targeted phishing or other types of social engineering attacks. CyberNews reported that they did not find sensitive data like credit card details or legal documents in the archive that was posted online.
Business Insider also reported on the leak of the personal data of Clubhouse users. It is not the only social media platform that has had this problem. Business Insider said that LinkedIn confirmed that about two-thirds of the platform’s userbase was scraped and posted publicly online. Before that, Facebook had a data leak that included the full names, locations, email addresses, and other sensitive pieces of information of 533 million Facebook users. That data was posted in a forum.
Clubhouse responded to the situation by quote-tweeting a tweet from Techmeme about the CyberNews article that reported the scraping of Clubhouse’s user data. Clubhouse tweeted: “This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API.”
I do not use Clubhouse, mostly because I personally feel that it lacks proper support for user privacy. There has been at least one situation in which a Clubhouse user recorded a Clubhouse chat and streamed it online. At the time Clubhouse stated that they permanently banned the user and installed new “safeguards”. It is unclear what those “safeguards” are.
Personally, I feel that Clubhouse’s tweet, insisting that the app had not been breached or hacked, is not enough to convince me Clubhouse will protect users’ information. Clubhouse stated that the data obtained is all public profile information, which anyone who has access to the app can see. Just because the profile is public doesn’t mean people are happy to have that information posted online outside of the Clubhouse app.