Payment service Clinkle hasn’t been officially launched yet, but tens of millions of dollars have been invested in the company and some big names have come on board. However, someone already claims to have hacked Clinkle.
An unknown individual has published on Pastebin the names, user IDs, photo URLs and phone numbers of Clinkle employees, including the details of the company’s founder, Lucas Duplan, its CFO, Mike Liberatore, and COO Barry McCarthy.
“Results from Clinkle typeahead API. It requires no authentication. The app stores writes results to disk automatically. This is much worse than Snapchat’s breach. Phone numbers masked as courtesy,” the hacker wrote next to the leaked data.
TechCrunch explains that this particular API, which is similar to one used by Twitter, is sort of an autocomplete tool. When users type a certain letter, all usernames starting with that letter are displayed.
By using a vulnerability in the API, the hacker has been able to gain access to information on the Clinkle employees who have been testing the app.
Clinkle representatives believe that a Stanford student is most likely behind the hack. It’s worth noting that Clinkle was actually founded in 2011 by a group of Stanford students.
“You’re describing visibility that was purposefully built into the system as part of our preliminary user testing and was always intended to be turned off,” Clinkle has told TechCrunch.
“As you can see from the list, we’ve been testing internally and registrations have been limited to Clinkle employees. We were using an open API, which has now been closed. That said, only names, phone numbers, photos, and Clinkle unique IDs were accessible.”
Since Clinkle only allows a select few to register accounts, there probably isn’t too much user information that could become compromised. However, security should always be a priority for payment processors.