Clubhouse, the startup invitation-only chat app, is the latest social-media platform to see mammoth troves of user data collected and posted in underground forums. An SQL file containing the personal data of 1.3 million Clubhouse users has been posted in a hacker forum for free.
Names, user IDs, photo URL, number of followers, Twitter and Instagram handles, dates that accounts were created and even the profile information of who invited them to the app are among the information contained in the database, according to CyberNews, giving threat actors key information which can be used against victims in phishing and other socially engineered scams.
For its part, Clubhouse said that its users’ data being public isn’t a bug, it’s just how the platform is built:
This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API. https://t.co/I1OfPyc0Bo
— Clubhouse (@joinClubhouse) April 11, 2021
The company isn’t supplying any other details and Clubhouse didn’t respond to Threatpost’s request for additional comment.
Clubhouse followers on Twitter were quick to note the statement points out a difference without any distinction to its exposed users.
“I fail to see what is false … ” user Benjamin Maynard responded to the Clubhouse statement.
Leaky APIs Plague Social Media
Clubhouse’s terms of service prohibit data scraping, yet its API, by its own admission, is sitting online with no protection against it.
“Clubhouse has conflicting user policies – being an invite-only platform and at the same time free-for-all user data,” Setu Kulkarni, vice president with WhiteHat Security said. “All it takes is one user to figure out the API for such large data egress of the millions of users on the platform.”
Kulkani added that these platforms need to shift to an API-first security strategy.
“Testing APIs in production is as if not more important than ever for not just vulnerabilities but also for business logic flaws that can result in unfettered access to user data,” he said.
CyberNews researcher Mantas Sasnauskas analyzed the Clubhouse data and said the privacy bug is built into the platform itself.
“The way the Clubhouse app is built lets anyone with a token, or via an API, to query the entire body of public Clubhouse user profile information, and it seems that token does not expire,” Sasnauskas said.
The CyberNews team added that the SQL file posted in the hacker forum only has Clubhouse-related information and doesn’t include “sensitive data like credit-card details or legal documents.”
Denying the Problem
In the past two weeks, 533 million Facebook users’ data was leaked, LinkedIn saw scraping of 500 million people’s data and now Clubhouse has given up the information on another 1.3 million people.
And as Politico Europe’s Nicholas Vinocur pointed out, they’ve all followed an eerily similar disclosure playbook: deny it ever happened.
In past ten days:
533 million people’s data leaked at Facebook.
500 million people’s data leaked at LinkedIn.
1.3 million people’s data leaked at Clubhouse.
All deny the data was leaked or there was a problem of any sort.
— Nicholas Vinocur (@NicholasVinocur) April 12, 2021
Facebook was similarly vulnerable through their API, which Michael Isbitski from Salt Security told Threatpost is becoming more common.
“Content scraping is a common attack pattern,” Isbitski said in the wake of the Facebook leak. “Organizations often build or integrate APIs, without fully considering the abuse cases of the APIs.”
LinkedIn also out a statement in the wake of its incident, explaining the platform wasn’t technically “breached,” but that the information was public and scraped from the LinkedIn site.
To view the LinkedIn user data file in the hacker forum, it costs $2 worth of forum credits. The full database was up for auction in the four-figures range.
“We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies” that includes “publicly viewable member-profile data that appears to have been scraped from LinkedIn,” the company said in a statement. “This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.”
Data Scraping Fallout
“I don’t expect that this will be the last of these sort of scraping incidents,” Isbitski predicted. “APIs are regularly the vehicle for functionality and data. Social media companies inherently design their platforms to be consumable, powering much of it with APIs. Attackers know this, and they continue to target APIs in scraping attacks, repurposing publicly available data for malicious purposes”
Users of all three of these social media platforms should be aware they could be targeted by email phishing campaigns, so strong passwords and multi-factor authentication are important. CyberNews offers a personal data leak checker to help users figure out if their data was compromised.
Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event.