Clubhouse has confirmed that it did not suffer a data breach and that the leaked records were in fact collected through data scraping.
In the last couple of weeks, threat actors leaked a trove of scraped LinkedIn and Facebook user records. In LinkedIn’s case, the leaked records contained personal details of more than 1 billion users while the Facebook leak had 533 million users’ records.
Now, Clubhouse, an invitation-only audio chat app for iOS with more than 10 million users, has become a victim of data scraping. This time, a threat actor has published a database that contains details of 1.3 million Clubhouse users.
What data was published
On Saturday 10th April, a threat actor published a database claiming it belongs to Clubhouse. Hackread.com has seen the data and it can be confirmed that it includes no email addresses or passwords. What it does include is:
- User IDs
- Full names
- User names
- Twitter handle
- Instagram handle
- Number of followers
- Account creation date
- Invited by user profile name
- Number of people followed by the user
- Links to photos belonging to Clubhouse users.
Example of photos in the database (Image: Hackread.com)
It is worth noting that details about the origin of the data, such as whether Clubhouse suffered a data breach or the information was collected through web scraping, remained unclear.
However, Clubhouse was quick to address the issue on Twitter and rubbished rumors that the app had suffered a data breach.
“This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API,” the company said in a tweet.
What is data scraping?
Depending on its use, web data scraping is an illegal technique in which a computer program (bot) extracts publicly available and sometimes private data from a website.
Remember, third-party firms can use data scraping, a fairly common practice, to extract the personal information of users from websites like Facebook or Twitter. Facebook in particular allows users to access third-party websites by using their existing Facebook login information.
A threat to Clubhouse users
A sigh of relief for Clubhouse users is that their email addresses, passwords, and phone numbers are safe. However, the published data also threatens Clubhouse users’ privacy: their photos can be used for making fake profiles on social media, and the data can be a treasure trove for data scrapers, who can use the information to make a larger database of Clubhouse users and leak it online.
Clubhouse and cyber attacks
The Clubhouse app is growing among iOS users while Android and desktop users are eagerly waiting for the app. However, cybercriminals are taking advantage of the situation and creating fake apps and websites to lure users and infect their devices with data-stealing malware.
In March 2021, a Trojan malware dubbed “BlackRock” was caught disguising itself as an Android version of the invite-only audio chat app.
In another incident just a couple of days ago, a Facebook advertising campaign was caught offering a fake Clubhouse app for PC. It took users to a fake Clubhouse app website that looked quite authentic, but its download link dropped malware.