Clarity.fm, an online platform that connects entrepreneurs and professionals with on-demand expert advice from industry leaders and specialists, has experienced a data breach that leaked the personal information of more than 121,000 business leaders.
Among those affected are notable figures such as Mark Cuban, Eric Ries, and Brad Field. The unsecured database in question contained 121,000 member profiles and a total of 155,513 records, none of which were protected by a password.
The misconfigured database exposed individuals’ full names, phone numbers, and personal and professional email addresses. Additionally, it leaked sensitive information such as consultation content, payment records, hourly consultation rates, and internal scores.
“The records were marked as production data, indicating whether the individual was a member, leader, or mentor,” said cybersecurity researcher Jeremiah Fowler, who first reported on the leak.
He added that further investigation is required to determine whether the exposed database was operated by Clarity.fm itself or by a third-party provider. He wrote that he immediately notified the company about the exposure, and that the database was secured within a few days of his disclosure notice.
“Upon my discovery, I immediately sent a responsible disclosure notice, and the database was secured a few days later,” he explained. “I received several automated replies, but no official response. It remains unclear how long the database was exposed for, or if anyone else gained access, as only an internal forensic audit could identify this information.”
Although there is currently no evidence that any threat actors accessed the unsecured data, the exposure is serious: it involves high-profile individuals who are attractive targets for cybercriminals, and the leaked combination of names, direct contact details, consultation content and payment records is exactly what a convincing impersonation or social-engineering attempt would need.
In addition to targeted phishing campaigns, a “potential risk is the growing trend of CEO fraud, also known as Business Email Compromise (BEC),” Fowler noted. “This is a type of spear phishing email attack where the perpetrator impersonates the CEO in an attempt to deceive recipients into disclosing sensitive information or performing financial transactions.”