In a forum on the Darknet, an anonymous user announces that he has a complete set of all telephone numbers from the address books of Clubhouse users and that he is selling them to the highest bidder. Clubhouse is a specialized social media service for audio chat rooms. Allegedly, there are 3.8 billion phone numbers: those of the users of the Clubhouse app and of all their address book contacts, who may not have installed the app at all. But the matter is dubious, and the Clubhouse company has already denied a leak. The Swiss security specialist Marc Ruef first reported on it on Twitter.
Leaker criticizes data collection and hopes for GDPR
Ruef shows a screenshot of a Darknet forum post in which a user with the immodest name “God” advertises his leak. The allegedly stolen 3.8 billion phone numbers are said to represent mobile and landline numbers of private individuals and professionals. The source is a “secret database” that Clubhouse updates “in real time” as soon as a new contact appears in the address book of a Clubhouse user. Each telephone number is given a score: the more often a number appears in the database, the higher its score.
The forum user “God” announced in his posting that he wanted to auction the data set at a private auction on September 4th. He will sell exclusively to one person, and that person must be “seriously” interested. In fact, the Clubhouse app also uses the app users’ address books to access the phone numbers of people who do not use the service (as some messenger services do). “God” has a clear criticism of this approach: Clubhouse and the large digital corporations Google, Apple, Facebook and Amazon collected and used data from uninvolved users, which violates the human right to privacy. Actually, the EU General Data Protection Regulation (GDPR) should punish companies for these practices. Now it is time to observe whether the regulation actually applies to Clubhouse.
Sample data set worthless, Clubhouse denies attack
The Darknet user has also published a sample of his collection with a good 83 million telephone numbers from Japan. Several IT security specialists have taken a closer look at this sample data set and come to a devastating verdict: because the data set contains nothing but unconnected telephone numbers without any further information on user identity, it is worth nothing, and the whole thing is possibly just a hoax. Such a collection of numbers could just as easily be created using a script with random values or arbitrarily compiled from publicly accessible telephone number directories. Even if there are 3.8 billion leaked telephone numbers, almost nothing can be read from this data collection. The moderators of the Darknet forum have already tagged the posting with the note “Bad sample”: the sample data are useless.
Clubhouse: short hype, lack of data protection and a serious leak
The relatively new Clubhouse app received a lot of attention at the beginning of the coronavirus pandemic. It offers live podcasts, originally only with invited participants. There are currently around ten million registered users. Initially, the Clubhouse app was only available for iOS, but the Android app has now also left the test phase. In addition, you no longer have to hope for an invitation to an audio chat from a registered user: with the end of the beta test, Clubhouse will open to all users.