UPDATED 23:15 EST / APRIL 12 2021

SECURITY

Account details of 1.3M Clubhouse users published on hacking forum

Clubhouse has seemingly suffered another data breach, with details of 1.3 million users published on a hacking forum but the audio-based social app provider claims it wasn’t hacked and that the data was pulled through their application programming interface.

The data, which ended up on Raid Forums, was advertised as offering user I.D., photo, username, Twitter name, Instagram name, number of followers, number of people followed by the user and account creation data.

In a sign that Clubhouse has a serious issue about being oversensitive, the company posted the following on Twitter, responding to Cybernews, which broke the story Saturday, saying the data had been posted for free online.

The bigger question is why a company that operates as a closed shop and doesn’t allow Android users is opening up all of its user data via an application programming interface so it can be taken and posted to begin with?

“Following data leaks from Facebook, LinkedIn and now Clubhouse, it’s clear that there is a bigger problem with API incidents than just these three isolated events,” Michael Isbitski, technical evangelist a API security company Salt Security Inc., told SiliconANGLE. “While social media companies are taking the heat right now because of the sensitivity of data they keep and resulting privacy impacts, I don’t expect that this will be the last of these sort of scraping incidents.”

APIs are regularly the vehicle for functionality and data, Isbitski added. “Social media companies inherently design their platforms to be consumable, powering much of it with APIs,” he said. “Attackers know this, and they continue to target APIs in scraping attacks, repurposing publicly available data for malicious purposes.”

Setu Kulkarni, vice president of strategy at application security company WhiteHat Security Inc., noted that Clubhouse has conflicting user policies: being an invite-only platform and at the same time having free-for-all user data.

“When all development has now shifted to API first development, then why hasn’t security also shifted to API first security?” Kulkarni asked. “Testing APIs in production is as if not more important than ever for not just vulnerabilities but also for business logic flaws that can result in unfettered access to user data by malintending actors.”

Image: Clubhouse

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU