Was data of 1.3 million Clubhouse users actually leaked?
What's the story
Over the weekend, it was reported that invite-only audio-based social network Clubhouse suffered a data breach that affected around 1.3 million users.
However, Clubhouse called the report "misleading and false". It said the data in question is public profile information that anyone can access through the app or its Application Programming Interface (API).
Nevertheless, the fact that Clubhouse exposes users' Twitter and Instagram handles through an API that can be walked in bulk is a privacy concern.
What was leaked?
Most of the leaked information is publicly available, not sensitive
On Saturday, CyberNews reported that 1.3 million Clubhouse user records were leaked online for free. The data included each account's User ID, name, photo URL, username, Twitter handle, Instagram handle, "follower" count, "following" count, account creation date, and profile name of the person who invited the user.
The leak does not contain sensitive personally identifiable information such as credit card details and phone numbers.
Possible threat
Bad actors could use leaked information to profile potential victims
The report highlighted that bad actors could use the leaked data to mount various forms of social engineering attack, including phishing.
Particularly determined attackers could combine the Clubhouse data with information leaked from other sources to profile potential victims and commit identity theft, CyberNews reported.
However, Clubhouse responded that its systems hadn't been breached. It clarified that the leaked data is publicly available.
Twitter Post
Clubhouse issues a statement clearly denying any sort of breach
This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API. https://t.co/I1OfPyc0Bo
— Clubhouse (@joinClubhouse) April 11, 2021
API scraping
A well-known app researcher corroborated Clubhouse's 'no leak' statement
Corroborating Clubhouse's statement that no data was "leaked," app researcher Jane Manchun Wong said on Twitter that the data could have been scraped from Clubhouse's API with a simple loop, because user IDs are numerical: a script that just counts upward can request every profile in turn without any discovery step.
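The following worked example is added for this article and is not code from Clubhouse, CyberNews or Wong. It uses a constructed in-memory stand-in for a profile API (the `/users/<id>` path, the sequential integer IDs, the sample profiles and the log format are all assumptions made for the demo) to show two things: how little effort a counter loop needs once IDs are numerical, and how clearly that loop stands out in the API's own access log compared with ordinary browsing.

```python
"""Added example (not Clubhouse code): scraping a public profile API that is
keyed by sequential numeric IDs, and detecting that scrape in the access log.

The MockProfileApi, its /users/<id> path, the sample profiles and the client
addresses are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class MockProfileApi:
    """Stand-in for a profile endpoint keyed by a sequential integer user ID
    (an assumption for the demo) that returns only public fields and records
    every request as (client, path, status)."""
    profiles: dict
    requests: list = field(default_factory=list)

    def get_user(self, client: str, user_id: int):
        path = f"/users/{user_id}"
        profile = self.profiles.get(user_id)
        self.requests.append((client, path, 200 if profile else 404))
        return profile


def make_demo_api() -> MockProfileApi:
    """Constructed sample data: a handful of users with contiguous IDs."""
    sample = {
        1001: {"name": "A. User", "twitter": "auser", "instagram": "a.user"},
        1002: {"name": "B. User", "twitter": "buser", "instagram": None},
        1003: {"name": "C. User", "twitter": None, "instagram": "c_user"},
        1004: {"name": "D. User", "twitter": "duser", "instagram": "duser"},
    }
    return MockProfileApi(profiles=sample)


def scrape_sequential(api: MockProfileApi, client: str, start: int, stop: int) -> list:
    """The 'simple loop': with numeric IDs there is nothing to discover, the
    attacker just counts. Missing IDs (404) are skipped rather than fatal."""
    records = []
    for user_id in range(start, stop):
        profile = api.get_user(client, user_id)
        if profile is not None:
            records.append({"user_id": user_id, **profile})
    return records


def longest_sequential_run(user_ids: list) -> int:
    """Length of the longest run of consecutive IDs, in request order."""
    best = run = 1 if user_ids else 0
    for prev, cur in zip(user_ids, user_ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(requests: list, min_run: int = 20) -> dict:
    """Detection side: group requests by client and flag any client whose
    requested IDs contain a consecutive run of at least min_run. Real browsing
    hits IDs in an effectively random order; a counter loop does not.
    Returns {client: longest_run} for flagged clients only."""
    by_client = defaultdict(list)
    for client, path, _status in requests:
        if path.startswith("/users/"):
            tail = path.rsplit("/", 1)[1]
            if tail.isdigit():
                by_client[client].append(int(tail))
    flagged = {}
    for client, ids in by_client.items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[client] = run
    return flagged


def demo() -> tuple:
    api = make_demo_api()
    # A normal user (constructed address) views three unrelated profiles.
    for uid in (1003, 1001, 1004):
        api.get_user("203.0.113.7", uid)
    # The scraper walks a whole ID range, including IDs that do not exist.
    scraped = scrape_sequential(api, "198.51.100.9", 990, 1040)
    flagged = flag_enumeration(api.requests, min_run=20)
    return scraped, flagged


if __name__ == "__main__":
    scraped, flagged = demo()
    print(f"scraped {len(scraped)} public profiles")
    print("flagged clients:", flagged)
```

The scraper's 50 requests produce one unbroken run of consecutive IDs under a single client, while the ordinary user's three requests never form a run longer than one; that contrast is what a rate-limit or abuse-detection rule keys on. The longer-term fix on the API side is to stop handing out guessable identifiers at all (random or opaque IDs), so that a counter loop has nothing to count.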
Separately, in February we had reported that the Stanford Internet Observatory had identified security weaknesses in Clubhouse's infrastructure. At the time, Clubhouse said it was "deeply committed" to privacy.
Copy-paste job
Wong called out the initial media report for factual errors
CyberNews's report mentioned Clubhouse "messages," "passwords," and "connection requests". Wong pointed out that a near-identical paragraph appeared in the same outlet's LinkedIn breach report from five days earlier, and said the passage was most likely copy-pasted.
She noted that Clubhouse has no messaging feature and that users don't sign in with passwords, so those fields could not have come from Clubhouse.
Wong also mocked the leaker, noting that the so-called leaked Clubhouse data had been publicly available all along.
Twitter Post
Application analyst Jane Manchun Wong's observation following the Clubhouse leak
The news report mentioned “messages” and “passwords” on Clubhouse, which is inaccurate because CH doesn’t have messaging, users don’t login using passwords
— Jane Manchun Wong (@wongmjane) April 11, 2021
Coincidentally, the near-identical paragraph appears in the LinkedIn data breach report five days ago. This is a copy-paste https://t.co/MBWG46JmCB pic.twitter.com/ZnhnspqNX1