Exposed Clubhouse user data raises privacy questions

There seems to be a spate of incidents in recent weeks where large social networks had their databases simply scraped, not hacked, to expose user records that were then distributed on hacker forums. At first, it seemed that Clubhouse, the budding audio-centric network, was the victim of such activity, but the company denied that was the case. Unfortunately, its explanation for what really happened raised more questions than it answered, causing concerns about the way it is handling the security and integrity of its own official access points.

Security-focused online publication CyberNews first broke the news that an SQL database containing 1.3 million Clubhouse user records had been leaked on a hackers' forum, free for the taking. These records contained information such as users' names, usernames, Twitter and Instagram IDs, some follower data, and more. No particularly sensitive information, like passwords or even email addresses, was included in the data dump.

Clubhouse took to Twitter to set the record straight that it was neither hacked nor scraped. It says that these pieces of data are public information anyone can see anyway. Furthermore, the data was probably harvested using Clubhouse's own APIs or apps.

Unfortunately, that explanation didn't satisfy security and privacy advocates, considering that Clubhouse pretty much admitted how easy it was to abuse its API to gather such data, private or otherwise. Clubhouse reportedly doesn't yet have documentation for those APIs, but it has indirectly admitted that they have already been exploited by third parties.

There have also been concerns about the pieces of data that are publicly available in the first place, with some even pointing out potential GDPR violations. Compared to the recent Facebook and LinkedIn incidents, Clubhouse's problem might be minor, but it might tarnish the otherwise very positive image that the young social network currently enjoys.