The Clubhouse database breach is likely a non-breach. Here’s why

Before the work week ended last Friday, a security researcher found a leak of what is claimed to be full phone numbers of users of Clubhouse, the new social media app that everyone is talking about and that just recently came out of beta.

Clubhouse is an audio-only social media platform where, unlike many popular social sites in the market, users can communicate with each other in voice chat rooms that can accommodate thousands of people. Think of it as Zoom without the video and text chat options. As it became exponentially popular during the pandemic, it has been deemed “the next big social network” following TikTok. But, as one Clubhouse user put it, “It feels more personal, deeper, than other social media.”

HaveIBeenPwned creator Troy Hunt, however, was quick to ask the important question before things get completely out of hand. After all, a compromise of 3.8 billion pieces of data (in this case, phone numbers) is not something you can easily dismiss.

Anyone seen any verification of this claim yet? https://t.co/9vdNkZ2Wj7

— Troy Hunt (@troyhunt) July 24, 2021

Below is a partial extract of the text from the screenshot of that dark web forum post:

Clubhouse (valued at over $3 billion USD) is the latest social network including the most influential people in the world.

COMPROMISED DATA:
3.8 billion phone numbers (including cellphones + fixed + private + professional numbers).

Clubhouse is connected in real time to all their users’ phonebooks meaning each time you add a new phone number in your phonebook, the number is automatically added into the secret database of Clubhouse. Each number is ranked by a score (the score corresponds to the number of Clubhouse users who have this specific phone number in their phonebook).

With this score we are able to evaluate the level of the network of each phone number in the world. We can do national and international ranking of each human and organization.

The partial extract. To be honest, the last sentence doesn’t even make sense.

Alon Gal, or @UnderTheBreach on Twitter, CTO of cybercrime intelligence firm Hudson Rock, was able to verify the phone numbers and gave his unabashed take.

The new Clubhouse database leak is pretty much bullshit.

It is just a list of phone numbers, without any additional information, they could have arrived from anywhere. pic.twitter.com/fj9GnriAov

— Alon Gal (Under the Breach) (@UnderTheBreach) July 24, 2021

If you’re wondering why we shouldn’t make a big deal out of this so-called breach, Gal further explains in the same Twitter thread:

When there are at least two fields things begin to get interesting because if there is an email but I don’t know the identity of the person behind it, if I’ll see his name in the leak next to the email I will now be able to determine who that person is, same goes for phones

— Alon Gal (Under the Breach) (@UnderTheBreach) July 24, 2021

Jane Manchun Wong, or @wongmjane on Twitter, a security and app researcher, had a similar take.

I guess someone did it by uploading a contact list from like (000) 000-0000 to (999) 999-9999

and then retrieve the list of “amount of contacts on @Clubhouse” by hitting the app’s private API

I really don’t think the database is breached. It’s just scraped data https://t.co/b566BwXDk4

— Jane Manchun Wong (@wongmjane) July 24, 2021

Many more chimed in, with some shedding light on the dark web forum post (“bad sample”) and on the poster themselves (“This seller has a bad past”).

This is the same Telegram group which was selling Fake #Whatsapp database of 470 mn users "Without Name & Photo". Now they changed the group name from "Whatsapp Database Leak" to "ClubHouse Database Leak". Now selling fake @Clubhouse numbers without name and Photo. #InfoSec pic.twitter.com/1lIXOjgEMz

— Rajshekhar Rajaharia (@rajaharia) July 24, 2021

Every breach report, especially if it involves big names and/or big numbers, could send anyone scrambling to get the full story: how it happened, how many were affected, and what users should do now. However, cybercriminals, being criminals, won’t think twice about using “The Breach angle” as a lure to score thousands of dollars from fellow data-hungry criminals.

As always, stay safe, and don’t believe every report of a breach out there until it’s verified by an expert!

The post The Clubhouse database breach is likely a non-breach. Here’s why. appeared first on Malwarebytes Labs.
