- A set of scraped data from Clubhouse has been offered on hacker forums for free.
- The platform responded that this was just the result of abusing their API and that there’s no breach.
- The risks to the exposed users remain significant even though the data was already publicly available.
Someone has posted a set of 1.3 million records on a popular hacking forum and shared it for free with all users. The set, which is bundled in an SQL database, allegedly contained data relevant to Clubhouse profiles, and the social media platform itself later confirmed that it was indeed valid. However, the data appears to have been derived from a scraping action, not a data breach, so it is essentially a collection of publicly available data.
The data that was shared on the hacker forum includes the following:
- User ID
- Photo URL
- Twitter handle
- Instagram handle
- Number of followers
- Number of people followed by the user
- Account creation date
- Invited by user profile name
This is similar to what we saw last week with LinkedIn, so there is a trend here with these aggregations. While some sellers present them as the products of a breach and try to trick buyers into paying, others simply promote the sets for the value they hold as the mega-clusters they are. Having everything neatly bundled and easily searchable creates the ground for various low- to mid-risk exploitation scenarios such as phishing and scamming, so these scrapings are not innocuous.
This is precisely why internet platforms should deploy anti-scraping systems to prevent such occurrences, something Clubhouse seems to have had no qualms about omitting. Simply accepting that anyone can access the above data via the API and scrape massive volumes of it is the wrong approach. Clubhouse and any other online platform should be doing their best to prevent these actions by imposing API rate limits or through other mechanisms.
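To make the "API call limitations" point concrete, the following is an added example (not Clubhouse code, and not taken from the article) of the two server-side controls a platform would typically combine against profile scraping: a per-client sliding-window request limit, and a budget on how many distinct profiles one client may pull, which catches the enumeration pattern that produces exactly the kind of 1.3-million-row dump described above. The client key, field names, thresholds and the `FakeClock` are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ClientState:
    """Per-client bookkeeping: recent request times and distinct profiles fetched."""
    timestamps: deque = field(default_factory=deque)
    profiles_seen: set = field(default_factory=set)


class ScrapeLimiter:
    """Sliding-window rate limit plus a distinct-profile budget per API client.

    The rate limit slows down any single client; the profile budget is the
    anti-enumeration control: a real user re-reads the same few profiles,
    a scraper walks through thousands of different ones.
    """

    def __init__(self, max_requests, window_seconds, max_distinct_profiles,
                 clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.max_distinct = max_distinct_profiles
        self.clock = clock  # injectable for deterministic tests
        self.clients = defaultdict(ClientState)

    def allow(self, client_key, profile_id):
        """Return (allowed, reason) for one profile-lookup request."""
        now = self.clock()
        state = self.clients[client_key]

        # Drop request timestamps that have fallen out of the sliding window.
        while state.timestamps and now - state.timestamps[0] >= self.window:
            state.timestamps.popleft()

        if len(state.timestamps) >= self.max_requests:
            return False, "rate_limited"

        # Budget check applies only to profiles this client has not seen before.
        # (Illustrative fixed budget; a production system would reset it per day.)
        if profile_id not in state.profiles_seen and \
                len(state.profiles_seen) >= self.max_distinct:
            return False, "enumeration"

        state.timestamps.append(now)
        state.profiles_seen.add(profile_id)
        return True, "ok"


class FakeClock:
    """Manually advanced clock so the scenario below is reproducible."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_scraper():
    """Constructed scenario: one client walks through sequential profile IDs."""
    clock = FakeClock()
    limiter = ScrapeLimiter(max_requests=3, window_seconds=60,
                            max_distinct_profiles=5, clock=clock)
    decisions = []
    # Four rapid lookups of different profiles: the fourth trips the rate limit.
    for pid in ["u1", "u2", "u3", "u4"]:
        decisions.append(limiter.allow("scraper-client", pid)[1])
    clock.advance(61)  # window slides, rate limit resets
    # Keeps enumerating: the sixth distinct profile trips the budget.
    for pid in ["u4", "u5", "u6"]:
        decisions.append(limiter.allow("scraper-client", pid)[1])
    return decisions


def simulate_normal_user():
    """Constructed scenario: a legitimate user re-reads the same two profiles."""
    clock = FakeClock()
    limiter = ScrapeLimiter(max_requests=3, window_seconds=60,
                            max_distinct_profiles=5, clock=clock)
    decisions = []
    for pid in ["friend-a", "friend-b", "friend-a"]:
        decisions.append(limiter.allow("normal-client", pid)[1])
        clock.advance(30)  # spaced out, never more than 3 per window
    return decisions


if __name__ == "__main__":
    print(simulate_scraper())      # scraper is blocked twice, for different reasons
    print(simulate_normal_user())  # ordinary usage is never blocked
```

The two signals are deliberately independent: a scraper that respects the request rate still runs into the distinct-profile budget, which is the check that actually distinguishes bulk collection from ordinary browsing.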
If you are a Clubhouse user, be wary of suspicious DMs on the platform, connection requests from profiles you don't know, phishing attempts, and social engineering attacks. Remember, having the above data means that someone could correlate it with past data leaks that may overlap with it.
It is noteworthy that in the case of Clubhouse, we have a "closed" platform that users can only join after receiving an invitation from an existing member. Thus, the exposure is more damaging for its userbase because some of the people who joined may have preferred to keep that fact private. Finally, we should point out that the number of exposed profiles is a fraction of the platform's userbase, which is currently estimated at 10 million users.