In a forum on the Darknet, an anonymous user announces that he has a complete set of all telephone numbers from the address books of clubhouse users and is selling them to a highest bidder. Clubhouse is a special social media service for audio chat rooms. Allegedly, there are 3.8 billion phone numbers: those of the users of the Clubhouse app and all of their address book contacts who may not have installed the app at all. But the matter is dubious and the Clubhouse company has already denied a leak. The Swiss security specialist Marc Ruef first reported about it on Twitter.
Leaker criticizes data collection and hopes for GDPR
Ruef shows a screenshot of a Darknet forum post in which a user with the immodest name “God” advertises his leak. The allegedly stolen 3.8 billion phone numbers are said to represent mobile and landline numbers of private individuals and professionals. The source is a “secret database” that Clubhouse updates “in real time” as soon as a new contact appears in the address book of a Clubhouse user. Clubhouse rate the phone numbers with a score: the more often a phone number appears in the database, the higher its ranking.
The forum user “God” announced in his posting that he wanted to auction the data set at a private auction on September 4th. He will only sell exclusively to one person and that person must be “seriously” interested. In fact, the Clubhouse app also uses the app users’ address books to access the phone numbers of people who do not use the service (as some messenger services do). “God” has a clear criticism of this approach: Clubhouse and the large digital corporations Google, Apple, Facebook and Amazon collected and processed data from uninvolved users, which violates the human right to privacy. Actually, the EU General Data Protection Regulation (GDPR) should punish companies for these practices – now it is time to observe whether the regulation actually applies to Clubhouse.
Sample data set worthless, clubhouse denies attack
The Darknet user also publishes an example of his collection with a good 83 million telephone numbers from Japan. Several IT security specialists have taken a closer look at this sample data set and come to a damning verdict: Because the record contains nothing but unconnected telephone numbers without any further information on user identity, it is worth nothing – and the whole thing is possibly just a hoax. Such a collection of numbers could just as easily be created using a script with random values ​​or arbitrarily compiled from publicly accessible telephone number directories. Even if there are 3.8 billion leaked telephone numbers, almost nothing can be read from this data collection.
The Clubhouse company has already commented on the alleged leak: Compared to BILD, it denied an attack on its systems and pointed out that the app’s communication did not contain any data that could be used to identify users. Clubhouse called it a “mathematical coincidence” to the newspaper that the phone numbers of Clubhouse users appeared on the Darknet.
Clubhouse: short hype, lack of data protection and a serious leak
The relatively new Clubhouse app received a lot of attention at the beginning of the coronavirus pandemic. It offers live podcasts, originally only with invited participants. There are currently around ten million registered users. Initially, the Clubhouse app was only available for iOS, but the Android app has now also left the test phase. In addition, you no longer have to hope for an invitation to an audio chat from a registered user, with the end of the beta test Clubhouse will open to all users.
The service drew criticism from the start: for example, due to a lack of data protection, a lack of moderation and a missing imprint on the website. Much more serious than the current incident was a real leak in user data from April of this year: 1.3 million Clubhouse user data appeared in a forum, including real and profile names and connections to Instagram and Twitter accounts.
(tiw)
