A database containing data on 1.3 million Clubhouse users has appeared on a hacker forum. However, according to Clubhouse, this was not a hack, as the data had always been publicly accessible via an API.
The shared data consists of the user ID, name, URL of the profile picture, user name, Twitter handle, Instagram name, number of followers, number of people the user follows, account creation date and people invited by the user, Cybernews reports.
Data scraped via API
Clubhouse itself says on Twitter that the fuss about the leak is overblown. After all, all this data was public information that anyone could find via the company’s app or API.
Still, it is remarkable that a complete database of users could be built so easily. The use of sequential (incremental) user IDs and the apparent absence of rate limiting made enumerating every profile straightforward for the attacker. Moreover, it is possible that making this data publicly available is in itself enough to violate the GDPR.
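The two weaknesses named above (sequential user IDs and no rate limiting) each have a standard mitigation on the API side. The following is an added, defender-side example, not Clubhouse's code and not from the Cybernews report: internal sequential IDs are never exposed, clients only ever see an opaque keyed-HMAC token, and a per-client sliding-window rate limiter cuts off any client that requests profiles at machine speed. The class names (PublicIdCodec, RateLimiter, ProfileApi), the sample user table and the limits (20 requests per 60 seconds) are all constructed for this illustration.

```python
"""Added example (not from the article or from Clubhouse): two mitigations
against bulk scraping of a public profile API.

1. Opaque public identifiers: the internal sequential ID is replaced by a
   keyed HMAC tag, so the ID space cannot be walked with id, id+1, id+2 ...
2. A per-client sliding-window rate limiter on the profile endpoint.

All names and sample data below are constructed for this example.
"""
import hashlib
import hmac
from collections import deque
from typing import Deque, Dict, Optional, Tuple

# Constructed sample data: internal_id -> public profile fields.
USERS = {i: {"name": f"user{i}", "followers": i * 10} for i in range(1, 101)}


class PublicIdCodec:
    """Maps internal sequential IDs to opaque tokens and back."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        # Assumption: a real service would persist this mapping in its database.
        self._by_token: Dict[str, int] = {}

    def public_id(self, internal_id: int) -> str:
        tag = hmac.new(self._secret, str(internal_id).encode(), hashlib.sha256)
        token = tag.hexdigest()[:24]  # deterministic, non-sequential, unguessable without the key
        self._by_token[token] = internal_id
        return token

    def internal_id(self, token: str) -> Optional[int]:
        return self._by_token.get(token)


class RateLimiter:
    """Sliding window: at most max_requests per client within window_seconds."""

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, client: str, now: float) -> bool:
        q = self._hits.setdefault(client, deque())
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


class ProfileApi:
    """Minimal profile endpoint: rate limit first, then resolve the opaque ID."""

    def __init__(self, users, codec: PublicIdCodec, limiter: RateLimiter) -> None:
        self._users = users
        self._codec = codec
        self._limiter = limiter

    def get_profile(self, client: str, token: str, now: float) -> Tuple[int, dict]:
        if not self._limiter.allow(client, now):
            return 429, {"error": "rate limited"}
        internal = self._codec.internal_id(token)
        if internal is None or internal not in self._users:
            return 404, {"error": "not found"}
        return 200, self._users[internal]


def build_api(max_requests: int = 20, window: float = 60.0):
    codec = PublicIdCodec(b"example-secret-do-not-reuse")  # constructed key
    tokens = {i: codec.public_id(i) for i in USERS}
    return ProfileApi(USERS, codec, RateLimiter(max_requests, window)), tokens


def walk_numeric_ids(n: int = 100) -> Dict[int, int]:
    """Requests /profile/1, /profile/2, ... by number; every one misses."""
    api, _ = build_api(max_requests=10_000)  # generous limit to isolate the ID point
    statuses: Dict[int, int] = {}
    for i in range(1, n + 1):
        code, _ = api.get_profile("client-A", str(i), now=float(i))
        statuses[code] = statuses.get(code, 0) + 1
    return statuses


def burst_from_one_client(requests: int = 50) -> Tuple[int, int]:
    """One client fetching 50 valid profiles within a few seconds: 20 served, 30 refused."""
    api, tokens = build_api(max_requests=20, window=60.0)
    allowed = blocked = 0
    for i in range(requests):
        code, _ = api.get_profile("client-A", tokens[(i % 100) + 1], now=i * 0.1)
        if code == 200:
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


def another_client_still_served() -> int:
    """The limiter is per client, so a second client is unaffected by the burst."""
    api, tokens = build_api(max_requests=20, window=60.0)
    for i in range(50):
        api.get_profile("client-A", tokens[1], now=i * 0.1)
    code, _ = api.get_profile("client-B", tokens[1], now=5.0)
    return code


if __name__ == "__main__":
    print("numeric walk:", walk_numeric_ids())
    print("burst (allowed, blocked):", burst_from_one_client())
    print("other client:", another_client_still_served())
```

The sliding window is keyed by a client identifier (an API key or authenticated user in practice); a limiter keyed only by source IP is easy to spread across many addresses, which is why the per-account limit matters more than the per-IP one. The HMAC token is deterministic, so the same user always gets the same public ID, but without the key a client cannot compute the token for user N+1 from the token for user N.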
No critical data leaked
In practice, however, malicious actors cannot do very much with the shared data. Sensitive data such as email addresses, telephone numbers, passwords and credit card details have not been leaked, which limits how useful the data is to them. However, it is now possible to find out the identity of all Clubhouse users at a glance, and that information can be used for targeted phishing attacks.
Similar situations with Facebook and LinkedIn
This situation is overshadowed by the two enormous data leaks that took place in the past few weeks. At both Facebook and LinkedIn, the data of more than half a billion users ended up on the internet. At Facebook, the sensitive data mainly consisted of telephone numbers, but at LinkedIn, email addresses were also leaked. Strikingly enough, for both Facebook and LinkedIn, as with Clubhouse, this was not a direct data leak, but a scraper was used to collect public information.