Several “hack” reports emerged last week concerning popular social networks, including Facebook and LinkedIn. The Facebook and Microsoft systems were not breached, but attackers scraped personal data from more than a billion users between the two services. The Facebook attack dates back to August 2019, but it reemerged a few days ago, as a database containing information for 533 million users was posted on a forum. The LinkedIn attack followed.
Facebook and Microsoft aren’t the only companies hit by data scraping attacks, with a new report claiming that Clubhouse data belonging to 1.3 million users has leaked in a similar way. The CEO of the hottest social network in town denied reports that user data was leaked.
Clubhouse is a new social network built around voice-only interaction. It’s an iPhone-only app that needs an invite at the moment, and it’s grown so popular this year that several companies are creating copycats. Facebook and Twitter are among the companies interested in offering customers voice-only social experiences.
A report from CyberNews said over the weekend that someone had posted a SQL database containing 1.3 million scraped Clubhouse user records on a hacker forum. The report notes that the database did not include any “deeply sensitive data,” like credit card details or legal documents.
The database includes several data points, like user ID, name, photo URL, username, Twitter handle, Instagram handle, number of followers, number of people followed by the user, account creation date, and invitation source.
This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API. https://t.co/I1OfPyc0Bo
— Clubhouse (@Clubhouse) April 11, 2021
Clubhouse issued a statement on the matter, saying reports are “misleading and false,” as the company has not been breached or hacked. “The data referred to is all public profile information from our app, which anyone can access via the app or our API,” the company said.
Separately, Clubhouse CEO Paul Davison said on Sunday that the report claiming that user data had been leaked was false. “No, this is misleading and false, it is a clickbait article, we were not hacked,” the exec said in answer to a question during a town hall, according to The Verge. “The data referred to was all public profile information from our app. So the answer to that is a definitive ‘no.’”
This doesn’t change the fact that the database containing the personal information listed above circulated online. While most of that might be public information that anyone could collect with enough time on their hands, it’s troubling to see that anyone could just grab that sort of data in bulk from a social network. As CyberNews points out, the database would let attackers connect some of the missing dots, linking profiles to names and other people. The information could be used to initiate phishing and social engineering attacks.
Whether you’ve been impacted or not, you should consider using a strong password for each different online service, Clubhouse included. Password managers and two-factor authentication (2FA) can enhance the security of online properties. People should also disregard suspicious Clubhouse messages from strangers.