by PragmaticPulp 1794 days ago
According to the Tweet, the leaker provides a claimed data sample that is a list of phone numbers without any additional information.

A list of 3.8 billion phone numbers that simply exist is useless. The leak would only have value if the numbers were associated with some identifying information.

If it’s really only phone numbers, I wonder if it’s a leak or if someone brute-forced all possible phone numbers against a Clubhouse API that leaked information about whether or not the number existed in their database.

If Clubhouse can’t detect >3.8B erroneous requests and shut down that API/microservice, that destroys my confidence more than a data breach.
Clubhouse didn't have 3.8B users. Why would they have 3.8B phone numbers?

This whole thing seems made up.

Because they encourage users to upload their contacts so they can connect them on the platform. At one point when it was invite-only these uploaded contacts were the only way to invite friends.
A fair share of my phone numbers are bogus (old numbers, info I store as a phone number even if it's not), so the db extracted from here would be dubious.
Last I heard, they had around 10M users. Since they employ the, what I would consider, dark pattern of heavily encouraging folks to upload their contact list, that comes out to an average of 380 people per person. Given the Clubhouse user base demographics, I find this at least plausible.
I'd say it's even more of a dark pattern than that. They didn't encourage me to "upload my contact list" but rather "give access to my contacts" (or something like that). Perhaps the difference is trivial in how it's coded, yet even though I've removed their access to my contacts, they still have my contacts. I think they should have to delete them whenever I remove their access, or not even upload them in the first place but just read them when necessary.

Also, some apps seem to do this with photos, asking for access. Does anyone know if these apps also upload all of one's photos once the user grants permission on iOS?

> does anyone know if these apps also upload all of one's photos once the user grants permission on iOS

That would eat up a lot of bandwidth. I suspect someone would notice it. An app could extract a lot of information from the metadata though, assuming it had access (I'm not sure how permissions on iOS work currently). It could also potentially run facial recognition algorithms locally (not sure how well that would work in practice though).

I really like that point about the bandwidth and also about the metadata and facial recognition.

I guess I just wish we had more insight into what info companies take and how; permissions on iOS and Android seem to be getting more granular and yet still seem quite broad to me.

That would only be true if it were 380 _unique_ contacts per person. Surely there is significant overlap from user to user.
See my reply to sibling comment here: https://news.ycombinator.com/item?id=27949879
Shouldn't it be 380 distinct people?
Not necessarily. Do we know every single number in the 3.8B is unique? I’ve seen zero proof of that, but maybe I missed it.
I'm pretty sure that would qualify as the number being "made up".

If anyone disagrees, I'm happy to sell my database of 100B valid phone numbers.