The Clubhouse database "breach" is likely a non-breach. Here's why.

The Clubhouse database “breach” is likely a non-breach. Here’s why.

Before the work week ended last week Friday, a security researcher found a leak of what is claimed to be full phone numbers of users of Clubhouse, the new social media app everyone is talking about and just recently came out of beta.

Clubhouse is an audio-only social media platform where, unlike many popular social sites in the market, users can communicate with each other in voice chat rooms that can accomodate thousands of people. Think of it as Zoom without the video and text chat options. As it got exponentially popular during the pandemic, it was deemed as “the next big social network” following TikTok. And, as one Clubhouse user had put it, “It feels more personal, deeper, than other social media.”

HaveIBeenPwned-creator Troy Hunt, however, was quick to ask the important question before things get completely out of hand. After all, a compromise of 3.8 billion data—in this case, phone numbers—is not something you can easily dismiss.

Below is a partial extract of the text from off the screenshot of that Dark Web forum post:

Clubhouse (valued at over $3 billion USD) is the latest social network including the most influential people in the world.

COMPROMISED DATA:
3.8 billion phone numbers (including cellphones + fixed + private + professional numbers).

Clubhouse is connected in real time to all their users’ phonebooks meaning each time you add a new phone number in your phonebook, the number is automatically added into the secret database of Clubhouse. Each number is ranked by a score (the score corresponds to the number of Clubhouse users who have this specific phone number in their phonebook).

With this score we are able to evaluate the level of the network of each phone number in the world. We can do national and international ranking of each human and organization.

The partial extract. To be honest, the last sentence doesn’t even make sense.

Alon Gal, or @UnderTheBreach on Twitter, CTO of cybercrime intelligence firm Hudson Rock, gave an unabashed take about the hack.

https://twitter.com/UnderTheBreach/status/1418889649708208137

If you’re wondering why we shouldn’t make a big deal out of this so-called breach, Gal further explains in the same Twitter thread:

https://twitter.com/UnderTheBreach/status/1418899926646464520

Jane Manchun Wong, or @wongmjane on Twitter, a security and app researcher, had a similar take.

Many more chimed in, with some shedding light on the dark web forum post (“bad sample”) and on the poster itself (“This seller has a bad past”).

Every breach report, especially if it involves big names and/or big numbers, could drive anyone scrambling to get the full story, how it happened, how many were affected, and what should users do now. However, cybercriminals, being criminals, won’t think twice about using “The Breach angle” as a lure to score thousands of dollars from fellow data-hungry criminals.

As always, stay safe, and don’t believe every report of breach out there until it’s verified by an expert!

ABOUT THE AUTHOR