1. Website Planet
  2. >
  3. News
  4. >
  5. Business Leaders & Celebrities’ Accounts Exposed in Startup Advice Platform Data Breach
Business Leaders & Celebrities’ Accounts Exposed in Startup Advice Platform Data Breach

Business Leaders & Celebrities’ Accounts Exposed in Startup Advice Platform Data Breach

Jeremiah Fowler Written by:
12 June 2024
Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password-protected database that contained an estimated 121,000 member accounts of entrepreneurs and business leaders. The records belonged to Clarity.fm, a platform connecting entrepreneurs with experts for on-demand advice and consulting sessions.

The database contained a total of 155,531 records, including 121,000 member profiles. The profiles showed personal and professional email addresses, hourly rates, past consulting sessions’ payments, and their internal rating or score (based on user feedback). The records were marked as production data, and indicated if the person was a member, leader, or mentor. Upon further research, I determined that the exposed records belonged to San Francisco-based Clarity.fm — a platform that connects entrepreneurs and professionals seeking advice or mentorship with experienced individuals in various fields. My intent is always to follow responsible disclosure practices, ensuring that organizations have the opportunity to rectify issues before I publicly share information. Upon my discovery, I immediately sent a responsible disclosure notice, and the database was secured a few days later. I received several automated replies, but no official response. It remains unclear how long the database was exposed for, or if anyone else gained access, as only an internal forensic audit could identify this information.
It is also unknown if the database was owned or managed by Clarity.fm or a third party contractor.

Clarity.fm was founded in 2012. Clarity.fm’s business model revolves around providing a marketplace where individuals can seek and offer advice through phone calls or virtual consultations in exchange for a set fee per minute or per call. The platform charges a percentage commission on the fees paid for consultations conducted through it. Clarity.fm connects entrepreneurs with high profile business figures like Mark Cuban, Brad Feld, and Eric Ries over the phone. In total, the platform claims to have over 30,000 verified experts from around the world.

After the Exposure: What Are the Risks?

The exposure of personal and business email addresses poses significant potential cybersecurity risks. Companies often choose not to publicly disclose the contacts of executive leadership due to harassment, spam, and other security concerns. Business executives and investors are prime targets for cybercriminals due to their substantial wealth and access to funds, which puts them at serious potential risk for financial exploitation. Furthermore, individuals in influential positions often have connections to other investors or high-profile individuals — that is, other prime targets for cybercriminals, who may try to misuse the personal information of business leaders for further social engineering scams or other fraudulent activities.

Another potential risk is the growing trend of ​​CEO fraud, also known as Business Email Compromise (BEC). This is a type of spear phishing email attack where the perpetrator impersonates the CEO in an attempt to deceive recipients into disclosing sensitive information or performing financial transactions. According to a report in Forbes, between 2013 and 2019, CEO fraud reportedly cost the economy a staggering $26 billion. In early 2024, a criminal used deepfake technology in a video call and convinced a finance worker to transfer $25 million. It is estimated that CEO fraud affects nearly 400 companies per day. In just three years, the world has seen around 22,000 victims and a staggering $3 billion in financial losses due to this type of fraud.

The use of artificial intelligence (AI) in sophisticated phishing campaigns has changed the way criminals can launch their attacks. Just a few years ago, it was relatively easy to spot phishing attempts due to grammatical errors or because the person calling on the phone had poor communication skills. Now criminals can craft convincing emails with just a few prompts — and, if they combine that with internal information that has been compromised, it highly increases the chances of deceiving recipients into providing additional personal or business information or clicking on malicious links. Another serious risk is voice-cloning AI that only needs as little as a 3-second audio sample to successfully simulate a speaker’s voice. When cybercriminals impersonate legitimate business leadership or investors, they could potentially gain the trust of their victims and obtain unauthorized access to sensitive accounts or other systems where confidential information is stored.

Anytime contact data such as personal or professional email accounts are exposed, it is important to take basic cybersecurity measures and implement risk mitigation strategies. It is also important to notify individuals in the event that their contact information has been exposed. Notification is crucial to prevent further exploitation of potentially compromised information. Awareness can also help individuals be cautious of suspicious communications and requests, or prevent them from unknowingly providing criminals with additional personal or business information.

The database also exposed information that identified a separate cloud storage account where profile pictures were stored. Exposing the file path of additional storage accounts can pose several potential risks from a cybersecurity standpoint, even if access to the storage itself is restricted. Hypothetically, cybercriminals could launch targeted attacks against the company’s cloud storage infrastructure. With knowledge of the file path, attackers can attempt to exploit vulnerabilities in the storage system or use social engineering techniques for credential theft. Statistics by researchers show that social engineering campaigns account for nearly 98% of cyber crimes. Sharing credentials or other sensitive information could lead to unauthorized access to the company’s cloud storage account, allowing attackers to steal data or disrupt operations. In addition to credential theft, phishing and malware are still serious potential risks stemming from social engineering. Finally, account information like usernames and passwords that have been exposed in previous data breaches could also allow criminals to gain access to sensitive business accounts or internal documents.

In a business environment, any private data could potentially provide valuable reconnaissance information to cybercriminals, allowing them to understand a specific company’s network or infrastructure, identify potential vulnerabilities, or plan future cyber attacks. I am not saying that Clarity.fm or their users are at risk of these threats, I am only providing a hypothetical real-world scenario of how this type of data could potentially be exploited by criminals. Understanding the risks and being aware of how cybercriminals target the business community can help executives, employees, and investors mitigate the risk of falling victim to fraud.

I highly recommend companies and leadership both receive and provide regular training sessions to employees about the various forms of social engineering attacks, including CEO fraud. Knowing how to identify suspicious requests and verify the legitimacy of financial transactions can stop fraud before it happens and prevent financial loss and data theft. Always verify any requests for sensitive information or financial transactions — even if you think you know who you are talking to. Verify that the person you are communicating with is who they say they are and use only official communication channels and known phone numbers. Establish a clear approval process for financial transactions and changes to sensitive account information, and make sure this process requires multiple layers of verification, such as approval from multiple individuals or departments. It is also important to implement email authentication technologies such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication) to verify the authenticity of email senders and help identify spoofed or fraudulent emails. These proactive measures can help you and your team to create a layer of common-sense security. It is also helpful to be aware of emerging cybersecurity threats and trends, including new tactics used. Criminals are creative, and it is likely we will see a significant growth in fraud in the coming years due to the advancements in AI tech.

I imply no wrongdoing by Clarity.fm or their partners and affiliates. I also do not claim that these individuals or their data were ever at risk. It is not known how long the data was exposed for, or if anyone else accessed the profile records. It is also not known if the potentially affected individuals were notified. As an ethical security researcher, I never download or extract the records I discover. I only take a limited number of screenshots for validation purposes. I publish my findings to educate the public and promote best practices in cybersecurity and data protection. My findings are shared to highlight real-world security risks and provide practical lessons that other companies can use to safeguard their systems

Rate this Article
5.0 Voted by 3 users
You already voted! Undo
This field is required Maximal length of comment is equal 80000 chars Minimal length of comment is equal 10 chars
Any comments?
Reply
View %s replies
View %s reply
More news
Show more
We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.
Popup final window
Share this blog post with friends and co-workers right now:
1 1 1

We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.

Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!

So happy you liked it!

Share it with your friends!

1 < 1 1

Or review us on 1

3340826
50
5000
97145741