SHANGHAI (Reuters) - U.S. audio app Clubhouse said it is reviewing its data protection practices, after a report by the Stanford Internet Observatory said it contained security flaws that left users' data vulnerable to access by the Chinese government.

The app said in a response to the study, published by the research group at Stanford University, that while it had opted not to make the app available in China, some people had found a workaround to download the app which meant the conversations they were a part of could be transmitted via Chinese servers.

"With the help of researchers at the Stanford Internet Observatory, we have identified a few areas where we can further strengthen our data protection," the company said in a statement published https://cyber.fsi.stanford.edu/io/news/clubhouse-china by the research group on Friday.

"Over the next 72 hours, we are rolling out changes to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers. We also plan to engage an external data security firm to review and validate these changes."

Clubhouse did not immediately respond to a request from Reuters for further comment on Saturday.

Launched in early 2020, the app saw global user numbers soar earlier this month after Tesla CEO Elon Musk and Robinhood CEO Vlad Tenev held a surprise discussion on the platform.

Masses of new users joined from mainland China, taking part in discussions on topics that included sensitive issues such as Xinjiang detention camps and Hong Kong's National Security Law. But their access to the app was blocked last week, triggering frustration and fears of government surveillance.

The Stanford Internet Observatory said that it had confirmed that Chinese tech firm Agora Inc supplied back-end infrastructure to Clubhouse, and that Agora would likely have access to users' raw audio, potentially providing access to the Chinese government.

It also said it observed room metadata relayed to servers it believed were hosted in China and audio to servers managed by Chinese entities. It added, however, that it believed the Chinese government would not be able to access the data if the audio was stored in the United States.

An Agora spokesman said the company had no comment on any relationship with Clubhouse, but that Agora does not have access to or store personal data, and does not route through China voice or video traffic generated from users outside China, including U.S. users. Agora provides software that allows customers "to build their security and privacy infrastructure in a way that is both compliant and relevant to their end-users," the spokesman wrote in an e-mail.

The Cyberspace Administration of China, which regulates the country's internet, did not respond to calls for comment made during China's Lunar New Year holiday.

"SIO chose to disclose these security issues because they are both relatively easy to uncover and because they pose immediate security risks to Clubhouse's millions of users, particularly those in China," the report said.

Data analytics firm Sensor Tower said the app, which is only available on Apple's iPhone, had about 3.6 million users worldwide as of Feb.2, with 1.1 million registered in the prior six days.

(Reporting by Brenda Goh; Editing by Clelia Oziel and Diane Craft)