A data leak of Clubhouse member information has been reported. The information consists of publicly available data and does not include sensitive information such as passwords. The so-called leak may actually be just a scrape of publicly available information.
Data Leak
A data leak is generally described as a breach that exposes private, confidential and sensitive information. A data leak typically happens because of a security lapse that compromises hidden information.
According to reports about the so-called data leak, none of the information that was obtained is sensitive, and all of it is publicly available.
Report of Clubhouse “Data Leak”
A report in Cybernews.com states that there has been a data leak at Clubhouse, a popular social media app that is available to Apple users only.
According to the Cybernews report:
“…it looks like now it’s Clubhouse’s turn. The upstart platform seems to have experienced the same fate, with an SQL database containing 1.3 million Clubhouse user records leaked for free on a popular hacker forum.”
Was Confidential Information Leaked?
The so-called data leak does not seem to feature any confidential information. All of the information appears to be publicly available data that does not require a hack to obtain.
This is the list of the kind of (publicly available) data that Cybernews reported was leaked:
- “User ID
- Name
- Photo URL
- Username
- Twitter handle
- Instagram handle
- Number of followers
- Number of people followed by the user
- Account creation date
- Invited by user profile name”
Possibly Not a Data Leak
Security researcher and technology blogger Jane Manchun Wong (@wongmjane) questioned whether this was a leak at all. She suggested that it resembles a simple automated download of public information.
Jane Manchun Wong is a technology blogger and security analyst who frequently posts breaking news related to the technology industry and has been profiled on top media sites like CNN, CNET and The Next Web. She has received four awards from the Facebook Bug Bounty program for discovering vulnerabilities.
Jane tweeted that the Clubhouse leak appears to be a data scrape of publicly available information.
A scrape is when software automatically downloads public information from a website, such as member information or even just the content. It’s like an automated browser that downloads public information.
In this case the scraper was able to download public user information one record at a time. What apparently made this scraping possible is that Clubhouse creates and stores user information in numerical order.
Every time a user creates an account, they are assigned a user number that corresponds to them. The next person to register is assigned a number that is one higher. Someone who wants to download user information can easily guess what the member numbers are and use software called a scraper to download the public information.
Because the member numbers are in numerical order, the scraper can simply look up each account number one by one and download the public member information.
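From the service operator's side, the pattern described above shows up in API access logs as a single client requesting consecutive user IDs. The following is an added example, not code from the original article or from Clubhouse; the endpoint path `/api/profile/<id>`, the log format, the sample lines and the `min_run` threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Hypothetical endpoint path and common-log-style format; adjust to your API.
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*"GET /api/profile/(?P<uid>\d+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def longest_sequential_run(ids):
    """Length of the longest run in which each ID is exactly the previous + 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumerators(lines, min_run=5):
    """Map client -> longest run, for clients that walked >= min_run consecutive IDs."""
    per_client = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("status") == "200":
            per_client[m.group("client")].append(int(m.group("uid")))
    runs = {c: longest_sequential_run(ids) for c, ids in per_client.items()}
    return {c: n for c, n in runs.items() if n >= min_run}

def _line(client, uid, sec):
    # Builds one constructed log line (timestamps and sizes are made up).
    return (f'{client} - - [11/Apr/2021:10:00:{sec:02d} +0000] '
            f'"GET /api/profile/{uid} HTTP/1.1" 200 512')

# Constructed sample log: one client walks IDs 1..8, another browses normally.
SAMPLE_LOG = [_line("203.0.113.7", uid, uid) for uid in range(1, 9)]
SAMPLE_LOG += [_line("198.51.100.4", uid, 20 + i)
               for i, uid in enumerate([4211, 87, 4212, 93012])]

if __name__ == "__main__":
    for client, run in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {run} consecutive profile IDs requested")
```

A strict consecutive-run check misses a scraper that splits the ID range across several clients or requests IDs out of order, so in practice it is paired with a per-client count of distinct profile IDs over a time window.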
This is how Jane describes it in a tweet:
“Not seeing any private info in this “leaked data” of Clubhouse
The user IDs are numerical. So it just seems like someone scraped the data by hitting Clubhouse’s private API, iterating from user ID 1 to beyond”
Jane remarked on how this lacked the technical sophistication of actual hacks:
“Honestly this “hack” is not very impressive at all. Like wow, you looped the API from 1 to 2 to 3 for the otherwise publicly available data. Wow, very technically challenging”
Jane added quotes to the phrases “leaked data” and “hack” presumably to call into question the validity of calling this a “leak” and a “hack.”
A data leak consists of private and sensitive data, not public data that is available to anyone.
She followed up with this tweet:
“Data of 1 Clubhouse profile, including name, social media handles, profile picture, followers/following count, and more, apparently posted on Twitter
The source of this leak told me this is done by opening Clubhouse app, viewing the profile of the victim, and taking a screenshot”
Twitter members who were following Jane’s discussion tweeted satirical responses indicating how underwhelmed they were by the so-called “hack” of publicly available content:
OMG it works here too 😆🥴 pic.twitter.com/invBPAXWc8
— Herman Couwenbergh (@Hermaniak) April 11, 2021
OH NOOOOOOOO
— linusbeardstan69420 (@linusbeardstan) April 11, 2021
GASP
— karraaayyyy (@smallkittylove) April 11, 2021
Others questioned how it’s a big deal to download public information:
is it really illegal then? finding access to a private API and calling it so easily is on Clubhouse
— Journey To A Million Net Worth (@JourneytoMilly) April 11, 2021
using my skills to hack some public data into my computer
— 🌦 (@zemnmez) April 11, 2021
Why This May Not be a Data Leak of Clubhouse
None of the information is private or sensitive. All of the information is publicly available. The method used to obtain the information does not appear to have been due to a security lapse. According to security researcher Jane Manchun Wong, this appears to be a relatively unsophisticated download of publicly available information.
Citations
Jane Manchun Wong Explains Clubhouse “Leak” on Twitter
Clubhouse Data Leak: 1.3 Million User Records Leaked Online for Free