Skip to main content

Clubhouse user data gets exposed; CEO claims it wasn’t a leak

Clubhouse continues to make headlines around the world for another week, but this time with some controversial news. Personal data of 1.3 million users of the audio-based social network was exposed on a popular hacker forum, but the company disagrees that it was a leak.

As reported by CyberNews, someone has posted last week a database with data from 1.3 million Clubhouse users. This database includes information such as user ID, name, photo, social network profiles, and other profile details.

Immediately, Clubhouse CEO Paul Davison argued that the articles about the exposed data were “misleading and false” since he claims that all this data is public to Clubhouse users (via The Verge). After that, the official Clubhouse profile on Twitter shared a statement reinforcing that the exposed database data can be obtained by any developer through the app’s API.

This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API.

Still, this raised privacy concerns about the app. As the privacy of user data becomes more important every day, the fact that anyone can download a database with a list of all users from a social network is questionable to say the least.

CyberNews security researcher Mantas Sasnauskas argues that Clubhouse should rethink how its API works to restrict the amount of data developers can get through. Although the exposed database includes only public information, this could lead to “phishing and social engineering attacks.”

The way the Clubhouse app is built lets anyone with a token, or via an API, to query the entire body of public Clubhouse user profile information, and it seems that token does not expire. This should not only be reflected in the ToS, but also in the technical implementation of the app, making it harder for anyone to scrape user data. Having no anti-scraping measures in place can be seen as a privacy issue.

Particularly determined attackers can combine information found in the leaked SQL database with other data breaches in order to create detailed profiles of their potential victims. With such information in hand, they can stage much more convincing phishing and social engineering attacks or even commit identity theft against the people whose information has been exposed on the hacker forum.

It was reported last week that Twitter considered acquiring Clubhouse for $4 billion, but later discussions were halted. Now Clubhouse is looking for other investors while the competition is growing with companies like Facebook and Twitter working on their own live audio platforms.

Read more:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Filipe Espósito Filipe Espósito

Filipe Espósito is a Brazilian tech Journalist who started covering Apple news on iHelp BR with some exclusive scoops — including the reveal of the new Apple Watch Series 5 models in titanium and ceramic. He joined 9to5Mac to share even more tech news around the world.

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications