The entire Clubhouse phone number database (3.8 billion) is for sale on the Darknet.
Update: Clubhouse has responded to reports of a leak. “There has been no breach of Clubhouse. There are a series of bots generating billions of random phone numbers. In the event that one of these random numbers happens to exist on our platform due to mathematical coincidence, Clubhouse’s API returns no user-identifiable information. Privacy and security are of the utmost importance to Clubhouse and we continue to invest in industry-leading security practices.”
The original story continues below.
Security researchers stumbled across a post on a popular hacking forum offering the database for sale. The user who posted the database sample says it will be sold to a single user at a private auction in September. The sample data includes 83 million phone numbers, mostly from Japan.
The Clubhouse phone number database leak includes mobile numbers, landline numbers, private phone numbers, and professional numbers. The database also includes a contacts list, thanks to how Clubhouse synchronizes a user’s contacts in real time.
As soon as a new number is added to a Clubhouse user’s smartphone, it is added to the Clubhouse database. That means you don’t even need to have installed Clubhouse to be exposed; it is enough that someone who has installed it has your number in their contacts. Clubhouse itself says it only has around 10 million active users, which means its phone number scraping is very effective.
The hacker who is selling the database says Clubhouse ranks numbers on a scoring system. The more often a number is found on users’ smartphones, the higher its score. Clubhouse wants to determine the level of networking for private individuals and companies. The information can be resold to advertising and analysis companies.
But collecting data from people who have not consented to the service is a violation of the law in some European countries. The General Data Protection Regulation (GDPR) is aimed at preventing the collection of personal data from anyone who does not use a service. Clubhouse could face a stiff fine from the EU if the database leak includes European users.
The hacker himself makes reference to this fact, saying the Clubhouse phone number database is a test of GDPR laws. “All the GAFA and co from Silicon Valley use the same process of phonebook importation,” the hacker’s post reads. “They all collect data on people who are not members of their service.”
“It’s a dangerous violation of human privacy rights. They have private data on users that do not even use Clubhouse and are able to evaluate them. The GDPR law promises that companies who collect data on non-users will be punished. It’s time to see if the law is going to sanction Clubhouse or if it is only a threat.”
It will be interesting to see how the EU responds to this database leak. Right now, only a small portion of the database is available. The hacker has scheduled the private auction for September 4, 2021 – Google’s 23rd anniversary.