Skip to main content

Clubhouse data leak: Data of 1.3m users dumped on a hacker forum

Soon after it came to light that hackers had set up a fake Android app in the name of Clubhouse to target users with malware, a database containing records of 1.3 million Clubhouse users has been leaked for free on a popular hacker forum.

According to CyberNews which spotted the leaked SQL database on a hacker forum, the database contained detailed profile information of Clubhouse users such as their names, user IDs, photo URLs, usernames, social media handles, number of followers, number of people followed by users, and account creation dates.

The database, however, did not store personally-identifiable information such as email addresses, phone numbers, identity documents, or financial information of any of the 1.3 million users.

“We did not find any deeply sensitive data like credit card details or legal documents in the archive posted by the threat actor,” CyberNews said, adding that “even a profile name, with connections to the user’s other social media profiles identified and established, can be enough for a competent cybercriminal to cause real damage.”

Soon after the data leak came to light, Clubhouse issued a statement, stressing that it was neither breached not hacked and that the leaked data records could be accessed by anyone via the app or its API. THis may be true as it is possible for anyone to scrape public profile information from the Clubhouse site on a mass scale without ruffling any feathers.

Mantas Sasnauskas, a senior information security researcher at CyberNews, says that the fact that Clubhouse allows anyone to scrape profile information from its platform basically goes against the company’s stated policy of not allowing unauthorised data mining or data scraping. “The way the Clubhouse app is built lets anyone with a token, or via an API, to query the entire body of public Clubhouse user profile information, and it seems that token does not expire.”

“Having no anti-scraping measures in place can be seen as a privacy issue. This should not only be reflected in the ToS, but also in the technical implementation of the app, making it harder for anyone to scrape user data,” he adds, stressing that Clubhouse should extend its privacy policy into the website design as well.

According to Jeremy Hendy, CEO of Skurio, APIs can be used to extract data en masse unless security controls are applied to prevent unauthorised access. These interfaces should always be created in line with the company’s data privacy policy and data protection regulations that apply to them.

“Although sensitive information such as banking details and passwords were not included in this leak, the data could be beneficial for a threat actor when researching a target business or individual. Where corporate email accounts have been linked with private social media identities – or vice-versa – this information could be exploited when combined with other data breaches or research.

“Businesses can understand if commingling of personal and corporate profiles is occurring by using a data monitoring solution to provide data breach detection. Organisations must use this opportunity to review and refresh their policies on the use of business emails for personal accounts,” he adds.

News about the latest data leak involving Clubhouse arrives not long after researchers at ESET discovered a fake Clubhouse app created by cyber criminals to spread the BlackRock malware to millions of Android device users. The fake Android app was distributed via a malicious site that spoofed the original Clubhouse website and contained a malware trojan named “BlackRock” that could steal credentials for hundreds of online services.

Once the BlackRock Trojan is installed, it tries to steal credentials using an overlay attack. Whenever a user launches the fake app after downloading it, the malware asks the user to log in to online services, and captures the user’s credentials when they are entered. Furthermore, SMS-based two-factor authentication will also not help the user as BlackRock has the ability to intercept text messages as well.


All rights reserved Teiss Recruitment Ltd.