Clubhouse continues to make headlines around the world for another week, but this time with some controversial news. Personal data of 1.3 million users of the audio-based social network was exposed on a popular hacker forum, but the company denies that it was a leak.
As reported by CyberNews, someone posted a database containing data on 1.3 million Clubhouse users last week. This database includes information such as user ID, name, photo, linked social network profiles, and other profile details.
Immediately, Clubhouse CEO Paul Davison argued that the articles about the exposed data were “misleading and false” since he claims that all this data is public to Clubhouse users (via The Verge). After that, the official Clubhouse profile on Twitter shared a statement reinforcing that the exposed database data can be obtained by any developer through the app’s API.
This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API.
Still, this raised privacy concerns about the app. As the privacy of user data becomes more important every day, the fact that anyone can download a database with a list of all users from a social network is questionable to say the least.
CyberNews security researcher Mantas Sasnauskas argues that Clubhouse should rethink how its API works to restrict the amount of data developers can get through it. Although the exposed database includes only public information, this could lead to “phishing and social engineering attacks.”
The way the Clubhouse app is built lets anyone with a token, or via an API, query the entire body of public Clubhouse user profile information, and it seems that token does not expire. This should not only be reflected in the ToS, but also in the technical implementation of the app, making it harder for anyone to scrape user data. Having no anti-scraping measures in place can be seen as a privacy issue.
Particularly determined attackers can combine information found in the leaked SQL database with other data breaches in order to create detailed profiles of their potential victims. With such information in hand, they can stage much more convincing phishing and social engineering attacks or even commit identity theft against the people whose information has been exposed on the hacker forum.
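The two weaknesses Sasnauskas describes, a non-expiring token and an API that will hand over profile after profile without limit, are both addressable server-side. The following is an added illustration, not code from Clubhouse, CyberNews or the researcher quoted above: a small guard that a profile-lookup endpoint could run before answering each request. It enforces a token lifetime, a per-token rate limit and a simple check for sequential user-ID enumeration. The endpoint name, the limits, the token lifetime and the sample traffic are all assumptions chosen for illustration.

```python
"""Added example: server-side checks a profile API could apply so that one
token cannot walk the whole user base. Every limit here is an assumption."""
from dataclasses import dataclass, field

TOKEN_LIFETIME_S = 3600   # assumed: API tokens expire one hour after issue
RATE_LIMIT = 100          # assumed: max profile lookups per token per window
WINDOW_S = 60             # assumed: sliding window for the rate limit
ENUM_RUN = 20             # assumed: this many consecutive IDs flags enumeration


@dataclass
class TokenState:
    issued_at: float
    hits: list = field(default_factory=list)      # request timestamps in window
    last_ids: list = field(default_factory=list)  # most recent user IDs looked up


class ProfileApiGuard:
    """Decides whether one GET /profile/<user_id> call may proceed."""

    def __init__(self):
        self.tokens = {}

    def issue_token(self, token, now):
        self.tokens[token] = TokenState(issued_at=now)

    def check(self, token, user_id, now):
        """Return 'ok' or the reason the lookup is refused or flagged."""
        st = self.tokens.get(token)
        if st is None:
            return "unknown_token"
        # A token that never expires is exactly the problem quoted above.
        if now - st.issued_at > TOKEN_LIFETIME_S:
            return "token_expired"
        # Sliding-window rate limit per token.
        st.hits = [t for t in st.hits if now - t < WINDOW_S]
        if len(st.hits) >= RATE_LIMIT:
            return "rate_limited"
        st.hits.append(now)
        # Enumeration heuristic: a long run of strictly consecutive IDs is
        # what a crawler produces, not what a person browsing profiles does.
        st.last_ids.append(user_id)
        st.last_ids = st.last_ids[-ENUM_RUN:]
        if len(st.last_ids) == ENUM_RUN and all(
            b == a + 1 for a, b in zip(st.last_ids, st.last_ids[1:])
        ):
            return "enumeration_detected"
        return "ok"


def simulate():
    """Constructed scenario: an ordinary client, a crawler and a stale token."""
    guard = ProfileApiGuard()
    t0 = 1_000_000.0
    for tok in ("tok-normal", "tok-crawler", "tok-stale"):
        guard.issue_token(tok, t0)

    # Ordinary client: a handful of unrelated profiles over a few seconds.
    normal = [guard.check("tok-normal", uid, t0 + i)
              for i, uid in enumerate([4821, 93, 77215, 10, 560])]

    # Crawler walking user IDs in order, one request per second.
    crawler = [guard.check("tok-crawler", uid, t0 + uid) for uid in range(1, 31)]

    # Same token presented two hours after it was issued.
    stale = guard.check("tok-stale", 42, t0 + 2 * TOKEN_LIFETIME_S)

    return {
        "normal_all_ok": all(r == "ok" for r in normal),
        # 1-based index of the first request the heuristic flagged
        "first_crawler_flag": crawler.index("enumeration_detected") + 1,
        "stale": stale,
    }


if __name__ == "__main__":
    print(simulate())
```

The enumeration heuristic is deliberately crude; a production gateway would also key limits on the calling account and IP, log the refusals for the SOC, and return identical error bodies for unknown, expired and rate-limited tokens so the response itself does not leak which check fired.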
It was reported last week that Twitter considered acquiring Clubhouse for $4 billion, but the discussions were later halted. Now Clubhouse is looking for other investors while the competition grows, with companies like Facebook and Twitter working on their own live audio platforms.