Much-hyped mobile payment app hacked before launch

A “guest user,” possibly a Stanford student, posted a list of 33 usernames, user IDs, profile photos, and phone numbers from the forthcoming service Clinkle to an online bulletin board.

Based on the leaked data, it seems the victims were Clinkle employees who are testing the app.

Clinkle was founded by a group of Stanford students in 2011, and has kept quiet while key employees finish their degrees. According to Business Insider, the intruder is a former intern of a rival service. The Clinkle app is expected to launch later this year and already has a waiting list.

Right now, the app has a waiting list wall, which “VIP” members can bypass once an administrator grants access. This likely allows Clinkle to demo the app to investors and partners without having to go through a cumbersome download process.

Company execs have raised $30 million from high profile investors.

And the hack provided some interesting factoids about those execs:

“Founder Lucas Duplan is listed as the first user (User ID: 1), with a picture that very much resembles him holding cash money,” Tech Crunch reports. “The CFO, Barry McCarthy, is also listed with a legitimate profile photo, as is the Head Of Comms, who confirmed the validity of the images and the data.

“The photos from Clinkle’s Team page, where 22 unidentified Clinkle employees are pictured alongside goofy pseudonyms, also seem to resemble people in the leaked profile photos. Finally, we can put faces to names.”

The compromised data apparently was retrieved through a private API that Clinkle has in place. “Referred to by the hacker as “typeahead”, the API appears to be the basis of an autocomplete tool, allowing uses to type a single letter (like ‘A’) and find all usernames starting with that letter (like ‘Adam’ and ‘Andrew’),” TechCrunch reports.

Clinkle likely uses this technology in its own app (presumably so users can find friends when making a payment), which allowed the perpetrator to search usernames, consequently revealing the associated user IDs and phone numbers.

Here’s what the hacker had to say:

Results from Clinkle typeahead API. It requires no authentication. The app stores writes results to disk automatically. . . Phone numbers masked as courtesy.

“In other words, whoever broke into the app didn’t need a userID to access Clinkle’s list of testers or their personal information, which seems to be saved on a Clinkle server,” Tech Crunch explains.

Here’s what Clinkle had to say:

You’re describing visibility that was purposefully built into the system as part of our preliminary user testing and was always intended to be turned off. As you can see from the list, we’ve been testing internally and registrations have been limited to Clinkle employees. We were using an open API, which has now been closed. That said, only names, phone numbers, photos, and Clinkle unique IDs were accessible.

ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves.