On July 23, a hacker group claimed that they have got access to over 3.8 billion phone numbers from Clubhouse servers. The claim posted on a hackers’ forum alleging the leak states that the list of numbers contains cellphone, fixed, private and professional numbers. The information about the claim was shared on Twitter by Jiten Jain, Director, Voyager Infosec.
A database of 3.8 billion phone numbers of #Clubhouse users is up for sale on the #Darknet. It also contains Numbers of people in user’s PhoneBooks that were Synced. So Chances are high that you are listed even if you haven’t had a Clubhouse login. #DataPrivacy pic.twitter.com/IFgFGA8meU— Jiten Jain (@jiten_jain) July 24, 2021
The alleged hackers have claimed that they were able to evaluate the level of the network of each phone number in the world. ‘We can do a national and international ranking of each human and organisation’, they claimed, and said that they will sell the data of 3.8 billion phone numbers through a private auction on the 4th September 2021, on the occasion of the 23rd anniversary of Google.
Furthermore, the Hacker claims that the Clubhouse connects to users’ phonebooks in real and every time someone adds a new number, it gets synced to the Clubhouse servers. Though the claim is fairly true as it shows who has joined Clubhouse from the phonebook of a user, many fingers are pointing at the claims made by the Hacker.
Post marked as ‘Bad Sample’
The hackers’ forum has marked the post as Bad Sample, which possibly means that the sample provided by the Hacker has not much ‘useful’ information. When we scanned through the comments on the forum, we noticed that many users on that forum had called his data trash.
Experts’ views on the alleged leak
OpIndia contacted Sunny Nehra, Admin at Hacks And Security, to get his point of view over the alleged leak. He said, “I have seen this Hacker making mountainous claims before as well, but in the end, his alleged leaks are mostly fake. The list he is providing contains only phone numbers that can be extracted by any means. There are thousands of databases available for every country with only a list of phone numbers. Who knows if he had just compiled all the lists together and marked it as Clubhouse Leak! To be honest, such forums are mostly full of fakes.”
In a tweet, Nehra said, “News of Clubhouse data breach on #darknet is getting viral. The first thing the seller claims FREE sample, but it requires eight credits to unlock. Second, it’s just random Japan phone numbers. Third, threat actor is quite new on that forum, is least active & habitual to making such lame claims.”
The threat actor seems to be scamming users of that forum on name of #clubhouse #dateleak.— Sunny Nehra (@sunnynehrabro) July 24, 2021
Earlier someone made similar claim and the data was just scraped public data of clubhouse users.
And this one even more lame. Just providing a random japan numbers list 🤷♂️ as a sample.
He further added, “The threat actor seems to be scamming users of that forum on the name of #clubhouse #dateleak. Earlier someone made a similar claim, and the data was just scraped public data of clubhouse users. And this one is even more lame. Just providing a random japan numbers list.” Nehra said that such numbers could be generated using a simple script as well.
While talking to OpIndia, Rajshekhar Rajaharia, Internet Security Researcher, said, “Hacker is just selling Clubhouse mobile numbers that seems generated. There is no name, photo or any other details available. This list of phone numbers can be generated very easily. PII (Personal Identification Information) is not available for any number in the database. Data leak claim seems a fake.”
In a tweet, he said, “A #Hacker is allegedly selling a list of 3.8 billion phone numbers of #Clubhouse. Seems completely fake. There are only mobile numbers without names, photos. This list of phone numbers can be generated very easily. PII not available.”
A #Hacker is allegedly selling a list of 3.8 billion phone numbers of #Clubhouse. Seems completely fake. There are only mobile numbers without name, photos. This list of phone numbers can be generated very easily. PII not available. #InfoSec #DataLeak #GDPR @Clubhouse pic.twitter.com/RugQhaSKhq— Rajshekhar Rajaharia (@rajaharia) July 24, 2021
He further added, “This seller has a bad past. Attracting buyers by showing lakhs telegram followers. Seems Fake. This is the same Telegram group that was selling the Fake #Whatsapp database of 470 mn users “Without Name & Photo”. Now they changed the group name from “Whatsapp Database Leak” to “ClubHouse Database Leak”. Now selling fake Clubhouse numbers without name and photo.”
This is the same Telegram group which was selling Fake #Whatsapp database of 470 mn users “Without Name & Photo”. Now they changed the group name from “Whatsapp Database Leak” to “ClubHouse Database Leak”. Now selling fake @Clubhouse numbers without name and Photo. #InfoSec pic.twitter.com/1lIXOjgEMz— Rajshekhar Rajaharia (@rajaharia) July 24, 2021
Co-Founder & CTO at cybercrime intelligence firm Hudson Rock said in a tweet, “The new Clubhouse database leak is pretty much b*llsh*t. It is just a list of phone numbers, without any additional information, they could have arrived from anywhere.”
The new Clubhouse database leak is pretty much bullshit.— Alon Gal (Under the Breach) (@UnderTheBreach) July 24, 2021
It is just a list of phone numbers, without any additional information, they could have arrived from anywhere. pic.twitter.com/fj9GnriAov
The experts believe that the alleged leak is not real and such numbers can be generated via simple scripts. The users should not panic and wait for an official statement from ClubHouse.