Tag Archives: Clubhouse

Clubhouse’s Database of User Records was Scraped



Clubhouse has had an SQL database containing 1.3 million user records scraped and leaked for free on a “popular hacker forum”, CyberNews reported. Clubhouse claims that this is false, and that it has not been breached. The situation appears to have led to some speculation on Twitter.

According to CyberNews, the leaked database contains a variety of user-related information from Clubhouse profiles, including: user ID, name, photo URL, username, Twitter handle, Instagram handle, number of followers, number of people followed by the user, account creation date, and “invited by” user profile name.

CyberNews speculates that the leaked data could be used by threat actors against Clubhouse. It could be used to carry out targeted phishing or other types of social engineering attacks. CyberNews reported that they did not find sensitive data like credit card details or legal documents in the archive that was posted online.

Business Insider also reported on the leak of the personal data of Clubhouse users. Clubhouse is not the only social media platform that has had this problem. Business Insider said that LinkedIn confirmed that about two-thirds of the platform’s userbase was scraped and posted publicly online. Before that, Facebook had a data leak that included the full names, location, email addresses, and other sensitive pieces of information of 533 million Facebook users. That data was posted in a forum.

Clubhouse responded to the situation by quote-tweeting a tweet from Techmeme about the CyberNews article that reported the scraping of Clubhouse’s user data. Clubhouse tweeted: “This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API.”

I do not use Clubhouse, mostly because I personally feel that it lacks proper support for user privacy. There has been at least one situation in which a Clubhouse user recorded a Clubhouse chat and streamed it online. At the time Clubhouse stated that they permanently banned the user and installed new “safeguards”. It is unclear what those “safeguards” are.

Personally, I feel that Clubhouse’s tweet, insisting that the app had not been breached or hacked, is not enough to convince me Clubhouse will protect users’ information. Clubhouse stated that the data obtained is all public profile information, which anyone who has access to the app can see. Just because the profile is public doesn’t mean people are happy to have that information posted online outside of the Clubhouse app.


Clubhouse Introduces Payments



Clubhouse, a new social media thing that allows people to have live audio-chats with friends and strangers, has introduced “Payments”. This does not mean that people who use Clubhouse will have to pay a fee in order to keep using it. Instead, it gives users the ability to send money to someone else through Clubhouse.

Today, we’re thrilled to begin rolling out Payments – our first monetization feature for creators on Clubhouse. All users will be able to send payments today, and we’ll be rolling out the ability to receive payments in waves, starting with a small test group today. Our hope is to collect feedback, fine-tune the feature, and roll it out to everyone soon.


Here is how Clubhouse payments will work:

  • To send a payment in Clubhouse, just tap the profile of a creator (who has the feature enabled) and tap “Send Money.”
  • Enter the amount you would like to send them. The first time you do this, you’ll be asked to register a credit card or debit card.
  • 100% of the payment will go to the creator. The person sending the money will also be charged a small card processing fee, which will go directly to our payment processing partner, Stripe. Clubhouse will take nothing.

Clubhouse makes it clear that this is the “first of many features that allow creators to get paid directly on Clubhouse”. In other words, if this works, Clubhouse might add more payment features. What will people pay for? I suppose Clubhouse is hoping to find that out.

Stripe is a well known payment provider. Creators who post their work on Medium, and make money from doing so, are paid through Stripe. Substack also uses it. I have no problem with Clubhouse’s choice of payment provider.

My concern is that Clubhouse has a history of not respecting users’ privacy. Users are pushed to upload their entire contact list from their phone.

Doing so gives Clubhouse information about who you are connected to. It will use that information to try to connect you to your contacts that are on Clubhouse. Will Oremus pointed out on Medium that if you have an ex or harasser who has you in their contacts, Clubhouse will know you are connected to that person and make recommendations on that basis.

What will Clubhouse do with your credit card information? Users will be giving it to Stripe – but they have to go through Clubhouse to do that.


Clubhouse Chats have been Breached and Streamed Online



A Clubhouse user was able to find a way to share Clubhouse chats outside of the iOS app. According to Bloomberg, Clubhouse “permanently banned” that user, and has installed new “safeguards”. It is unclear what those safeguards are, or how effective they will be, given what is known about Clubhouse.

Stanford Internet Observatory reported that Agora, a Shanghai-based startup, with U.S. headquarters in Silicon Valley, created a platform for other software companies to build upon. Clubhouse is one of the apps using Agora’s platform. According to the Stanford Internet Observatory, “If an app operates on Agora’s infrastructure, the end-user might have no idea.” In short, Agora hosts Clubhouse’s traffic.

Stanford Internet Observatory’s analysts observed Clubhouse’s web traffic using publicly available network analysis tools, such as Wireshark. Their analysis revealed that outgoing web traffic is directed to servers operated by Agora. Joining a channel generates a packet directed to Agora’s back-end infrastructure.

The packet contains metadata about each user, including their unique Clubhouse ID number and the room ID they are joining. That metadata is sent over the internet in plaintext (not encrypted), meaning that any third-party with access to a user’s network traffic can access it. In this manner, an eavesdropper might learn whether two users are talking to each other, for instance, by detecting whether those users are joining the same channel.

Stanford Internet Observatory made it clear why Agora’s hosting of Clubhouse matters:

Because Agora is based jointly in the U.S. and China, it is subject to People’s Republic of China (PRC) cybersecurity law. In a filing to the U.S. Securities and Exchange Commission, the company acknowledged that it would be required to “provide assistance and support in accordance with [PRC] law,” including protecting national security and criminal investigations. If the Chinese government determined that an audio message jeopardized national security, Agora would be legally required to assist the government in locating and storing it.

Chief Executive Officer of Internet 2.0, Robert Potter, posted an interesting thread about the Clubhouse situation on Twitter. He points out that it was not a “hack”. “A user set up a way to remotely share his login with the rest of the world. The real problem was that folks thought these conversations were ever private.”

In that thread, Robert Potter tweeted: “The end result of this whole clubhouse experience is that folks have put a lot of data online without considering the privacy implications. I’d strongly recommend people to build more encryption fenced communities for these sorts of conversations in the future.”

The more I learn about Clubhouse the more I think it is a bad idea. I am aware that there are people who enjoy checking out the newest apps, especially if there is a social aspect to them. In my opinion, joining Clubhouse comes at too high a cost to people’s privacy.


Clubhouse Does Not Respect Your Privacy



Those of you who have started using Clubhouse may want to reconsider that decision. It turns out that Clubhouse does not respect your privacy at all. It also appears to be grabbing up people’s contact lists, which not only is intrusive on a person’s privacy but also could put some people in danger.

The Guardian reported that the live audio-chats held in conversation rooms disappear. That said, Clubhouse doesn’t have any features that would prevent someone from live-blogging the conversation or recording it and uploading it to YouTube.

Will Oremus posted on Medium about his experience with Clubhouse: “When I granted the app access to my contacts, within hours it was nudging me to invite my former pediatrician, barber, and a health worker who once cared for my dying father to join Clubhouse – and sending me push notifications every time someone from my contacts signed up so I could welcome them via a private chat and ‘walk them in’.”

He pointed out that the contact list in your phone can include “old acquaintances, business associates, doctors, bosses, and people you went on a bad date with”:

“…When you upload those numbers, not only are you telling the app developer that you are connected to those people, but you’re also telling it that those people are connected to you – which they might or might not have wanted the app to know. For example, say you have an ex or even a harasser you’ve tried to block from your life, but they still have your number in their phone; if they upload their contacts, Clubhouse will know you’re connected to them and make recommendations on that basis…”

Mashable reported that it is difficult to delete a Clubhouse account. To do it, you have to send Clubhouse an email requesting deletion. It is unclear how long Clubhouse takes to process account deletion requests. Mashable also reported that Clubhouse requires access to your entire contact list for the purpose of sending invites.

Personally, I’m going to stay far away from Clubhouse. To me, it feels very sketchy to push users to give Clubhouse access to the contact list on their phone. I find it impossible to trust an app that demands to use the information on something that, for many, is extremely personal.