Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password-protected database that contained an estimated 121,000 member accounts of entrepreneurs and business leaders. The records belonged to Clarity.fm, a platform connecting entrepreneurs with experts for on-demand advice and consulting sessions.
The database contained a total of 155,531 records, including 121,000 member profiles. The profiles showed personal and professional email addresses, hourly rates, past consulting sessions’ payments, and their internal rating or score (based on user feedback). The records were marked as production data, and indicated if the person was a member, leader, or mentor. Upon further research, I determined that the exposed records belonged to San Francisco-based Clarity.fm — a platform that connects entrepreneurs and professionals seeking advice or mentorship with experienced individuals in various fields. My intent is always to follow responsible disclosure practices, ensuring that organizations have the opportunity to rectify issues before I publicly share information. Upon my discovery, I immediately sent a responsible disclosure notice, and the database was secured a few days later. I received several automated replies, but no official response. It remains unclear how long the database was exposed for, or if anyone else gained access, as only an internal forensic audit could identify this information.
It is also unknown if the database was owned or managed by Clarity.fm or a third party contractor.
Clarity.fm was founded in 2012. Clarity.fm’s business model revolves around providing a marketplace where individuals can seek and offer advice through phone calls or virtual consultations in exchange for a set fee per minute or per call. The platform charges a percentage commission on the fees paid for consultations conducted through it. Clarity.fm connects entrepreneurs with high profile business figures like Mark Cuban, Brad Feld, and Eric Ries over the phone. In total, the platform claims to have over 30,000 verified experts from around the world.
This screenshot shows how members were listed, including first and last names, usernames, and email addresses. The records were also marked as production.
This screenshot allegedly displays the user profile for celebrity investor Mark Cuban — a billionaire entrepreneur, investor, and television personality known for his ownership of NBA team the Dallas Mavericks and his appearances on the hit TV show Shark Tank. His user profile displayed his contact information along with his bio and an internal score.
This screenshot shows the user profile for the CEO of Life360 Chris Hulls. The location-sharing app is one of the largest on the market, boasting over 50 million active users around the globe.
This screenshot allegedly displays the user profile for Brad Feld, an American entrepreneur, author, blogger, and venture capitalist at Foundry Group. He no longer appears to be on the site, but the database contained a profile for him.❮❯
After the Exposure: What Are the Risks?
The exposure of personal and business email addresses poses significant potential cybersecurity risks. Companies often choose not to publicly disclose the contacts of executive leadership due to harassment, spam, and other security concerns. Business executives and investors are prime targets for cybercriminals due to their substantial wealth and access to funds, which puts them at serious potential risk for financial exploitation. Furthermore, individuals in influential positions often have connections to other investors or high-profile individuals — that is, other prime targets for cybercriminals, who may try to misuse the personal information of business leaders for further social engineering scams or other fraudulent activities.Another potential risk is the growing trend of CEO fraud, also known as Business Email Compromise (BEC). This is a type of spear phishing email attack where the perpetrator impersonates the CEO in an attempt to deceive recipients into disclosing sensitive information or performing financial transactions. According to a report in Forbes, between 2013 and 2019, CEO fraud reportedly cost the economy a staggering $26 billion. In early 2024, a criminal used deepfake technology in a video call and convinced a finance worker to transfer $25 million. It is estimated that CEO fraud affects nearly 400 companies per day. In just three years, the world has seen around 22,000 victims and a staggering $3 billion in financial losses due to this type of fraud.The use of artificial intelligence (AI) in sophisticated phishing campaigns has changed the way criminals can launch their attacks. Just a few years ago, it was relatively easy to spot phishing attempts due to grammatical errors or because the person calling on the phone had poor communication skills. Now criminals can craft convincing emails with just a few prompts — and, if they combine that with internal information that has been compromised, it highly increases the chances of deceiving recipients into providing additional personal or business information or clicking on malicious links. Another serious risk is voice-cloning AI that only needs as little as a 3-second audio sample to successfully simulate a speaker’s voice. When cybercriminals impersonate legitimate business leadership or investors, they could potentially gain the trust of their victims and obtain unauthorized access to sensitive accounts or other systems where confidential information is stored.Anytime contact data such as personal or professional email accounts are exposed, it is important to take basic cybersecurity measures and implement risk mitigation strategies. It is also important to notify individuals in the event that their contact information has been exposed. Notification is crucial to prevent further exploitation of potentially compromised information. Awareness can also help individuals be cautious of suspicious communications and requests, or prevent them from unknowingly providing criminals with additional personal or business information.The database also exposed information that identified a separate cloud storage account where profile pictures were stored. Exposing the file path of additional storage accounts can pose several potential risks from a cybersecurity standpoint, even if access to the storage itself is restricted. Hypothetically, cybercriminals could launch targeted attacks against the company’s cloud storage infrastructure. With knowledge of the file path, attackers can attempt to exploit vulnerabilities in the storage system or use social engineering techniques for credential theft. Statistics by researchers show that social engineering campaigns account for nearly 98% of cyber crimes. Sharing credentials or other sensitive information could lead to unauthorized access to the company’s cloud storage account, allowing attackers to steal data or disrupt operations. In addition to credential theft, phishing and malware are still serious potential risks stemming from social engineering. Finally, account information like usernames and passwords that have been exposed in previous data breaches could also allow criminals to gain access to sensitive business accounts or internal documents.In a business environment, any private data could potentially provide valuable reconnaissance information to cybercriminals, allowing them to understand a specific company’s network or infrastructure, identify potential vulnerabilities, or plan future cyber attacks. I am not saying that Clarity.fm or their users are at risk of these threats, I am only providing a hypothetical real-world scenario of how this type of data could potentially be exploited by criminals. Understanding the risks and being aware of how cybercriminals target the business community can help executives, employees, and investors mitigate the risk of falling victim to fraud.I highly recommend companies and leadership both receive and provide regular training sessions to employees about the various forms of social engineering attacks, including CEO fraud. Knowing how to identify suspicious requests and verify the legitimacy of financial transactions can stop fraud before it happens and prevent financial loss and data theft. Always verify any requests for sensitive information or financial transactions — even if you think you know who you are talking to. Verify that the person you are communicating with is who they say they are and use only official communication channels and known phone numbers. Establish a clear approval process for financial transactions and changes to sensitive account information, and make sure this process requires multiple layers of verification, such as approval from multiple individuals or departments. It is also important to implement email authentication technologies such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication) to verify the authenticity of email senders and help identify spoofed or fraudulent emails. These proactive measures can help you and your team to create a layer of common-sense security. It is also helpful to be aware of emerging cybersecurity threats and trends, including new tactics used. Criminals are creative, and it is likely we will see a significant growth in fraud in the coming years due to the advancements in AI tech.I imply no wrongdoing by Clarity.fm or their partners and affiliates. I also do not claim that these individuals or their data were ever at risk. It is not known how long the data was exposed for, or if anyone else accessed the profile records. It is also not known if the potentially affected individuals were notified. As an ethical security researcher, I never download or extract the records I discover. I only take a limited number of screenshots for validation purposes. I publish my findings to educate the public and promote best practices in cybersecurity and data protection. My findings are shared to highlight real-world security risks and provide practical lessons that other companies can use to safeguard their systems
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.
Thank you, - your comment was submitted successfully!
We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.
Share this blog post with friends and co-workers right now:
Thank you, , your comment was submitted successfully!
We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.
Thank you for signing up!
Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!
