A SQL database containing 1.3 million scraped Clubhouse user records has been leaked on a popular hacker forum for free, CyberNews reports.
The leaked database contains Clubhouse user-related information, including name, user ID, photo URL, username, Instagram and Twitter handle, number of followers and the people they follow, invited by user profile name and account creation date.
The company’s April 11 statement on Twitter denied that it had been hacked or breached, and noted that the “data referred to is all public profile information from our app, which anyone can access via the app or our API.”
Mantas Sasnauskas, a senior information security researcher for CyberNews, said that the Clubhouse app’s design “lets anyone with a token, or via an API, to query the entire body of public Clubhouse user profile information, and it seems that token does not expire.”
He added that Clubhouse should make an extra effort to inform the public about its privacy policy on data scraping and mining. “This should not only be reflected in the ToS, but also in the technical implementation of the app, making it harder for anyone to scrape user data. Having no anti-scraping measures in place can be seen as a privacy issue.”
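As an added example of the kind of anti-scraping control Sasnauskas calls for (this is not Clubhouse's code or CyberNews's analysis), the Python below scores API tokens by whether their request pattern looks like bulk profile enumeration: many requests, sequential user IDs, high rate. The log format and sample lines are constructed assumptions.

```python
"""Flag API tokens whose access pattern looks like profile enumeration.

Added example, not Clubhouse's code. Assumes a hypothetical access-log line
format: '<ISO timestamp> token=<token id> GET /api/users/<numeric id>'.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r"^(\S+) token=(\S+) GET /api/users/(\d+)$")


def make_sample_log():
    """Constructed sample: one token walks IDs sequentially, one browses normally."""
    lines = [f"2021-04-10T12:00:{i // 2:02d} token=tok-scraper GET /api/users/{1000 + i}"
             for i in range(50)]  # 50 requests, two per second, IDs 1000..1049
    lines += [f"2021-04-10T12:00:{i * 5:02d} token=tok-normal GET /api/users/{uid}"
              for i, uid in enumerate([17, 4821, 17, 203])]  # a few unrelated profiles
    return lines


def analyze(lines, min_requests=20, seq_threshold=0.8, max_per_minute=60):
    """Return per-token statistics and a 'flagged' verdict for enumeration-like use."""
    per_token = defaultdict(list)  # token -> list of (timestamp, user id)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, token, uid = m.groups()
        per_token[token].append((datetime.fromisoformat(ts), int(uid)))

    report = {}
    for token, events in per_token.items():
        events.sort()
        ids = [uid for _, uid in events]
        # Fraction of consecutive requests that step to the next user ID.
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        seq_frac = steps / max(len(ids) - 1, 1)
        # Request rate; the span is floored at one second to avoid division by zero.
        span_min = max((events[-1][0] - events[0][0]).total_seconds(), 1) / 60
        per_minute = len(ids) / span_min
        flagged = len(ids) >= min_requests and (seq_frac >= seq_threshold
                                                or per_minute > max_per_minute)
        report[token] = {"requests": len(ids), "distinct_ids": len(set(ids)),
                         "sequential_fraction": round(seq_frac, 2),
                         "per_minute": round(per_minute, 1), "flagged": flagged}
    return report


if __name__ == "__main__":
    for token, stats in analyze(make_sample_log()).items():
        print(token, stats)
```

A flagged token is a candidate for rate limiting or revocation; pairing this with token expiry addresses the non-expiring token the researcher describes.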
Clubhouse data leak: 1.3 million scraped user records online for free
Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She has 20 years of experience editing and reporting on technology, business and policy.
Such an issue, which was identified and reported by Databricks security team member Kostya Kortchinsky, affects all Apache Avro instances up to version 1.11.3, according to Qualys Manager of Threat Research Mayuresh Dani, who also noted potential abuse of the bug through Kafka.
Attackers who successfully activated "CSS Combine" and "Generate UCSS" within Page Optimization settings could leverage the vulnerability not only to exfiltrate sensitive data but also to elevate privileges and facilitate website takeovers for further compromise, according to an analysis from Patchstack.