Clubhouse Data Appears on Hacker Forum but Not as a Product of a Breach

Last updated September 17, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

Someone has posted a set of 1.3 million records on a popular hacking forum and shared it for free with all users. The set, which is bundled in an SQL database, allegedly contained data relevant to Clubhouse profiles. Based on what was confirmed later by the social media platform itself, it was indeed valid. However, the data appears to have been derived from a scraping action, not a data breach, so it is basically a publicly available data collection.

Source: CyberNews

The data that was shared on the hacker forum includes the following:

Source: CyberNews

This is similar to what we saw last week with LinkedIn, so there’s a trend here with these aggregations. While some sellers present them as the products of a breach and try to trick buyers into paying them, others simply promote the sets for what value they hold as the mega-clusters they are. Having everything neatly bundled and easily searchable creates the ground for various low to mid-risk exploitation scenarios like phishing and scamming, so these scrapings aren’t innocuous.

This is precisely why internet platforms should deploy anti-scraping systems to prevent such occurrences, something that Clubhouse seems to have no qualms to omit. Simply accepting that anyone can access the above data via the API and scrape massive volumes of it is the wrong approach. Clubhouse and any other online platform should be trying their best to prevent these actions by putting API call limitations or via other mechanisms.

https://twitter.com/joinClubhouse/status/1381066324105854977

If you are a Clubhouse user, be aware of suspicious DMs in the platform, connection requests from profiles you don’t know, phishing attempts, and social engineering attacks. Remember, having the above data means that someone could make correlations or connections with past data leaks that may have some overlaps.

It is noteworthy that in the case of Clubhouse, we have a “closed” platform that users can only join after having received an invitation from an existing member. Thus, the exposure is more damaging for its userbase because some of the people who joined may have preferred to keep the fact private. Finally, we should point out that the number of exposed profiles is a fraction of the platform’s userbase, which is estimated to 10 million users at the moment.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: