Clubhouse in the spotlight after user records posted online
Reports of another trove of scraped user data add to the recent woes of popular social media platforms
It seems that threat actors are increasingly setting their sights on extracting vast amounts of user data from social media platforms. The cascade of incidents started off last week with a data leak impacting more than half a billion Facebook users and was followed by another incident where personal information belonging to a similar number of LinkedIn users also ended up for sale on a hacking forum. Barely a few days have passed and Clubhouse, the popular audio-only social media platform, has experienced a sort of incident of its own.
According to Cybernews, which broke the latest story, an SQL database containing scraped personal data of 1.3 million Clubhouse users is up for grabs on a hacker forum. The records include user IDs, names, usernames, social media handles, photo URLs, account creation dates, and information about who nominated the user to the app.
However, Clubhouse said that the data is public and anyone can access it through its API. Additionally, most of the information is freely viewable by other users of the app.
This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API. https://t.co/I1OfPyc0Bo
— Clubhouse (@joinClubhouse) April 11, 2021
In the meantime, some well-regarded security experts have also joined the fray and contend that the incident is nowhere near as grave as portrayed by some media.
The Clubhouse breach story is nonsense. It’s like saying Google hacked Twitter as they store people’s Twitter usernames and follower counts. https://t.co/9Jpdo2uq1v
— Kevin Beaumont (@GossiTheDog) April 11, 2021
Regardless, it’s not a stretch to think that a motivated cybercriminal could combine the harvested information with data from other incidents to create a comprehensive portrait of potential victims. This could then be used to carry out targeted phishing campaigns and social engineering attacks; in some cases, the data could even be used to carry out identity theft.
There are ways for users to mitigate the chances of falling victim to enterprising cybercriminals. First of all, you should be wary of any unsolicited message you may receive from strangers on your linked social media accounts. Use strong and unique passwords and turn on multi-factor authentication wherever available, preferably with a hardware token or a mobile app. It’s also worth considering what kind of information you share on a publicly searchable profile, since oversharing can have serious consequences.
Clubhouse also made headlines in February, when it emerged that an unidentified user had found a way to stream audio feeds from the app’s chat rooms to a third-party website. In addition, ESET researchers recently found that threat actors have also been trying to piggyback off the platform’s sudden success by spewing out malware that poses as the (still non-existent) official Android version of Clubhouse and aims to steal users’ login information for various online services.