Alleged Clubhouse leak: 3.8 billion phone numbers announced on the Darknet


In a forum on the Darknet, an anonymous user announces that he has a complete set of all telephone numbers from the address books of Clubhouse users and that he is selling them to the highest bidder. Clubhouse is a special social media service for audio chat rooms. Allegedly, there are 3.8 billion phone numbers: those of the users of the Clubhouse app and those of all their address book contacts, who may not have installed the app at all. But the matter is dubious, and the company behind Clubhouse has already denied a leak. The Swiss security specialist Marc Ruef first reported it on Twitter.

Ruef shows a screenshot of a Darknet forum post in which a user with the immodest name “God” advertises his leak. The allegedly stolen 3.8 billion phone numbers are said to represent mobile and landline numbers of private individuals and professionals. The source is a “secret database” that Clubhouse updates “in real time” as soon as a new contact appears in the address book of a Clubhouse user. The telephone numbers are given a score: the more often a telephone number appears in the database, the higher the value.

The forum user “God” announced in his posting that he wanted to sell the data set at a private auction on September 4th. He will sell exclusively to one person, and that person must be “seriously” interested. In fact, the Clubhouse app also uses the app users’ address books to access the phone numbers of people who do not use the service (as some messenger services do). “God” has a clear criticism of this approach: Clubhouse and the large digital corporations Google, Apple, Facebook and Amazon collected and used data from uninvolved users, which violates the human right to privacy. Actually, the EU General Data Protection Regulation (GDPR) should punish companies for these practices – now it is time to observe whether the regulation actually applies to Clubhouse.

The Darknet user also publishes a sample of his collection with a good 83 million telephone numbers from Japan. Several IT security specialists have taken a closer look at this sample data set and come to a devastating verdict: because the record contains nothing but unconnected telephone numbers without any further information on user identity, it is worth nothing, and the whole thing is possibly just a hoax. Such a collection of numbers could just as easily be created using a script with random values or arbitrarily compiled from publicly accessible telephone number directories. Even if there are 3.8 billion leaked telephone numbers, almost nothing can be read from this data collection. The moderators of the Darknet forum have already marked the posting with the note “Bad sample”: the sample data are useless.

The company behind Clubhouse has already commented on the alleged leak and denied an attack on its systems. “There was no data leak at Clubhouse,” says a statement from the company that is available to heise online. “There are a number of bots that generate billions of random phone numbers. In the event that one of these random numbers exists on our platform due to mathematical chance, the Clubhouse API does not return any user-identifiable information. Privacy and security are of paramount importance to Clubhouse and we continue to invest in industry-leading security practices. Clubhouse does not use cookies or sell any personal information to third parties.”

The relatively new Clubhouse app received a lot of attention at the beginning of the coronavirus pandemic. It offers live podcasts, originally only with invited participants. There are currently around ten million registered users. Initially, the Clubhouse app was only available for iOS, but the Android app has now also left the test phase. In addition, you no longer have to hope for an invitation to an audio chat from a registered user: with the end of the beta test, Clubhouse will open to all users.