Clubhouse says it wasn’t breached its API was accessed

Share on facebook
Share on twitter
Share on linkedin
Share on email

The popular kid on the social network block at the moment is Clubhouse. The app – which is currently exclusively available for iOS – allows users to drop in and out of audio chats with friends or celebrities.

At the weekend, CyberNews reported that an SQL database containing the records of 1.3 million users had appeared online on a hacker forum. The user records were reportedly available for free.

The information said to be in this database included:

  • User ID
  • Name
  • Photo URL
  • Username
  • Twitter Handle
  • Instagram Handle
  • Number of followers
  • Number of users followed by a user
  • Account creation date
  • User who invited you

CyberNews reports that it did not find any sensitive data in the database such as credit card information. As it turns out, there is a reason for that.

Following the publication of the breach, Clubhouse said that the report was misleading and false.

“Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API,” Clubhouse wrote in a tweet.

An Application Programming Interface, or API, is how apps and applications are able to talk to each other. Some APIs are rather complex and allow for cross posting on websites while others, such as the Clubhouse one, are a bit more simple.

It appears as if the database on the hacker forum spotted by CyberNews is one that contains data scrapped from a public API. However, given that this is something Facebook just came under fire for a week ago, Clubhouse could’ve responded with a bit more clarity.

The data that was supposedly put up for download on the hacker forum isn’t what we’d deem sensitive information. Could a cybercriminal craft a phishing campaign with this data? Sure, but we’d argue an active Twitter user’s profile could offer up a similar vector for an attacker.

We feel Clubhouse could have stepped in to explain why its API is public (even if you understand not everybody does) and why folks shouldn’t be worried but then again, somebody accessing a public database and not getting anything of value, not even an email address, is low on the list of “events that need addressing”.

The short of this entire debacle is that your Clubhouse data is safe.

[Image – CC 0 Pixabay]

Brendyn Lotz

Brendyn Lotz

Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.