Clubhouse has seemingly suffered another data breach, with details of 1.3 million users published on a hacking forum but the audio-based social app provider claims it wasn’t hacked and that the data was pulled through their application programming interface.

The data, which ended up on Raid Forums, was advertised as offering user I.D., photo, username, Twitter name, Instagram name, number of followers, number of people followed by the user and account creation data.

In a sign that Clubhouse has a serious issue about being oversensitive, the company posted the following on Twitter, responding to Cybernews, which broke the story Saturday, saying the data had been posted for free online.

This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API. https://t.co/I1OfPyc0Bo

— Clubhouse (@joinClubhouse) April 11, 2021

The bigger question is why a company that operates as a closed shop and doesn’t allow Android users is opening up all of its user data via an application programming interface so it can be taken and posted to begin with?

“Following data leaks from Facebook, LinkedIn and now Clubhouse, it’s clear that there is a bigger problem with API incidents than just these three isolated events,” Michael Isbitski, technical evangelist a API security company Salt Security Inc., told SiliconANGLE. “While social media companies are taking the heat right now because of the sensitivity of data they keep and resulting privacy impacts, I don’t expect that this will be the last of these sort of scraping incidents.”

APIs are regularly the vehicle for functionality and data, Isbitski added. “Social media companies inherently design their platforms to be consumable, powering much of it with APIs,” he said. “Attackers know this, and they continue to target APIs in scraping attacks, repurposing publicly available data for malicious purposes.”

Setu Kulkarni, vice president of strategy at application security company WhiteHat Security Inc., noted that Clubhouse has conflicting user policies: being an invite-only platform and at the same time having free-for-all user data.

“When all development has now shifted to API first development, then why hasn’t security also shifted to API first security?” Kulkarni asked. “Testing APIs in production is as if not more important than ever for not just vulnerabilities but also for business logic flaws that can result in unfettered access to user data by malintending actors.”

Image: Clubhouse