Real-time audio social media app Clubhouse has drawn intense criticism from security and privacy advocates following the discovery that its API exposes information about its users.
The popular app’s questionable policy was confirmed by the company following the discovery that 1.3 million user profiles and related data had been posted to a hacking forum.
“Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API,” the company posted to its official Twitter feed April 10.
API is short for “application programming interface.” It makes it possible for an app–or any website–to transmit and receive data. In the case of Clubhouse, the API allows third parties unlimited access to information about its users including user IDs, names, photos, usernames, and Twitter and Instagram accounts.
Although the available public information doesn’t include more sensitive information such as email addresses, payment information, or locations, it does potentially leave its users more vulnerable to social engineering attacks. Hackers and scammers often use breadcrumbs like the data available on Clubhouse to target people.
Clubhouse is not the only social media platform to be targeted by data scraping. Facebook and LinkedIn made headlines earlier this month when data connected to over 500 million users of each platform appeared on hacking forums. The right-wing social media app Parler also left its API open to the public, which resulted in their data being used to identify participants in the January 6 Capitol riots.
- Publicly available information on social media accounts can leave users at an increased risk of social engineering-style hacking attacks. Be circumspect about what personal information, if any, you share online.
- Although most social media networks forbid data scraping within their rules and terms of services, this is not a guarantee that they take meaningful steps to secure their data. Do your homework before opening an account to see a company’s track record on user privacy and data security.
- Protect all accounts online with strong unique passwords and 2-factor authentication.