Details of 1.3 million Clubhouse users have been posted online, according to a report. The information is said to include names and usernames, social media account handles, follower and following numbers, and the accounts by which users were invited to join the service. In response to reports about the leak, Clubhouse has explained the data was all publicly available, but that has raised more questions.

News of the data spillage caps a bad week or so for social media privacy. It first emerged that the details of 533 million Facebook users, acquired via a 2019 vulnerability, had been posted online, and then data from 500 million LinkedIn user profiles was reported as being for sale on a hacker forum. Although the number involved for Clubhouse is far more modest, it's not a good look for a relatively new platform that has already faced questions about user privacy.

According to CyberNews, the 1.3 million Clubhouse user records were published for free in an SQL database on a popular hacker forum. The data is not especially sensitive, but does include identifiable information like names, Twitter handles, and Instagram handles. Perhaps more concerning is Clubhouse's reaction, which characterized the CyberNews report as being "misleading and false" because the platform had "not been hacked or breached." Not only does the report not suggest this, but Clubhouse's argument that the data "is all public profile information from our app, which anyone can access via the app or our API," raises questions about the company's view of its privacy responsibilities.

Privacy Questions For Clubhouse

Firstly, there is the question of whether or not Clubhouse is following a 'privacy by design' approach, whereby only necessary information is collected or, in this case, made available. Not only is this good practice, but it is also enshrined in law in Europe, where Clubhouse has users and where it is already under investigation for an alleged failure to comply with the General Data Protection Regulation (GDPR). Secondly, questions have been raised about what protections Clubhouse may have implemented on its public API, such as throttling, rate limiting, and authentication requirements.

While this may not be the biggest or most serious of data spills, it may yet land Clubhouse in hot water with data protection authorities. It may also serve as a useful learning experience for Clubhouse in terms of PR. Going on the attack when 1.3 million user records have been published online won't mean any less scrutiny in the future. Clubhouse is only a year old and has had an explosive rise to prominence, so the odd misstep here and there is perhaps understandable. Hopefully, any early wobbles will stand the platform in good stead as it grows.

Source: CyberNews