The good old days of Clubhouse App may have seen their days coming because, in the past, the social media app boasts their exclusivity where they believe that level of pickiness will help them totally avoid a data breach. A proficient security researcher like us knows that exclusivity and narrowing down users have a negligible effect or no effect when trying to avoid getting hacked.
Now we witness some outbreak of information that the Clubhouse App’s database has been hacked where 3.8 Billion Phone numbers are allegedly up for sale on the Darknet. In the notorious surface web yet criminally involved forum called Raidforums, a user posted that the Clubhouse App data is for sale exclusively for one buyer.
Our team witnessed the fresh post on July 24. There hasn’t been any response yet for how much the RaidForum user is willing to sell it. But it appears that the affected data only pertains to the phone numbers of the users and non-users on the waitlist.
Clubhouse Secret Database
It appears that the seller is telling the public that Clubhouse has a secret database of phone numbers scanned and then imported by the app from their users into the secret database, which could be a GDPR violation. We do hope that the EU takes notice of this. Clubhouse itself hasn’t commented yet about the allegations. The CEO Paul Davison is currently in denial of the claims, calling them false and misleading. Clubhouse says that bots are creating random phone numbers; they also said that their API returns no personally identifiable information when queried using those randomly generated phone numbers that the bots generate. The alleged bot technique will allow any malicious actor to create a fake data breach. Numerous security researchers are sceptical about the breach. As of now, the breach is not available at I Have Been Pwned. We also believe that the RF user Tedliner has attempted to sell lame or unverified database breaches in the past. In other words, the user has a reputation for making lame and outlandish claims. This is based on my previous experience with the seller through undercover and basic research. We concluded that there is a falsehood pattern when this RF user lays claim on what it sells.
Dark web monitoring utilizes numerous approaches for intel gathering. iZOOlogic researches and intensely monitor the dark web and criminally connected forums to discover and recover data. This includes a validity check to ensure that we only stick with facts and legitimate claims as a security company. Not only do private individuals fall prey to social engineering tactics but also private companies too. Only a good level of vigilance among security teams and researchers can withstand the influence of disinformation and misinformation. In this era of fake news, we encourage individuals to be their own fact-checkers.