Database with Clubhouse users’ details found being offered on a hacker website
A SQL database containing the personal information of 1.3 million Clubhouse users has been found being offered for free on a popular hacker forum, according to news reports online.
Clubhouse is an audio-only app that hosts virtual rooms for live discussions, with opportunities for individuals to participate through speaking and listening.
The database reportedly held information like user names, social media profile names, personal photos, and other details. According to the report, this information was enough to leave the user vulnerable to targeted phishing or other types of social engineering attacks.
Clubhouse has denied the hack, with the company posting on Twitter: “This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API.”
This seems to have been corroborated by Intelligence X, who posted some of the database online.
Clement Lee, Security Architect, APAC, at Check Point Software Technologies, agreed that it wasn’t a breach but said it could still be considered a loss of data, as the information is probably considered proprietary to the platform owner. He said that this situation with Clubhouse is similar to what happened with LinkedIn recently: an errant user who might have access to data decided to collect it and make a sale of it.
The development comes after some other data breaches we’ve had recently. LinkedIn, Facebook, along with e2i in Singapore have all had users’ data stolen.
Just prior to this, Twitter had reportedly been interested in acquiring Clubhouse for US$4 billion despite having already launched their own alternative Twitter Spaces.
This isn’t the first time that Clubhouse has been in the news for loss of data. In February, an unidentified user was able to stream Clubhouse audio feeds from several different chatrooms onto their own third-party website. So while Clubhouse maintains that conversations disappear from its app as soon as they are finished, the same cannot be said of audio that has been extracted from the app and hosted elsewhere. Clubhouse says that this hole has since been fixed.
With regard to this data loss, Lee said that although the information wasn’t sensitive and was publicly available, users should be prepared for the fact that any data provided to an online platform is no longer their own.
Users should still take caution and watch out for potential phishing scams and social engineering attacks. It is good practice to be mindful of what private information you put out: always question the validity of the information that applications request and the information they present.
Dr Sharat Sinha, Vice President and General Manager, Asia Pacific & Japan, Check Point Software Technologies says it is worth remembering these security tips to protect yourself against malicious apps and mobile scams:
- Only install apps from trusted sources such as official app stores (remember, Clubhouse is currently available only in the Apple App Store).
- Carefully review the app permissions for accessing contacts and data on your device: do not just click ‘Accept All.’
- Do not automatically trust an app recommendation or invitation, even from someone you think you know.
- Consider deploying a mobile security solution on your device to protect against potentially malicious downloads.