On its own, the database of 3.8 billion phone numbers leaked from social-media platform Clubhouse didn’t have much value on the underground market. In fact, they were eventually dumped in a hacker forum for free.
But an enterprising threat actor has reportedly combined those phone numbers with 533 million Facebook profiles leaked last April and is selling that enhanced trove of personally identifiable information (PII) to the highest bidder on the underground market.
According to CyberNews, the combined Clubhouse-Facebook database includes names, phone numbers and other data, and is listed on an underground forum for $100,000 for all 3.8 billion entries, with smaller chunks of data available for less. Reportedly, the seller is still looking for buyers.
These credentials could quickly be leveraged for basic account takeover (ATO) attacks, according to Brian Uffelman, a security analyst at PerimeterX.
“These stolen credentials are then used for credential-stuffing and ATO attacks, which can steal value, whether that is in the form of gift cards, credit-card numbers, loyalty points or making false purchases,” Uffelman told Threatpost. “ATO attacks are a major threat to any business and all of this just creates more fuel to feed the ATO attack fire.”
He added that it’s much easier for cybercriminals to use stolen credentials than to do the work of trying to find holes in an organization’s cybersecurity defenses. In fact, Uffelman pointed out that PerimeterX research showed that, of all login attempts measured in the second half of 2020, up to 85 percent were ATO attempts.
“Organizations need to be aware of signs that they’ve been attacked,” Uffelman warned. “These can include surges in help-desk calls, spikes in password resets and inhuman user behaviors, such as thousands of login attempts on an account in a short time period and then take the appropriate action to block these attacks.”
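The login-burst and password-reset signals Uffelman describes can be checked mechanically against authentication logs. The following is an added example (not code from the article, PerimeterX or any product it mentions): a sliding-window detector that flags accounts receiving many login attempts in a short period, source addresses spraying attempts across many accounts, and a spike in password resets. The log format, the sample lines and the thresholds are assumptions constructed for illustration.

```python
"""Sliding-window ATO / credential-stuffing signal detector over auth log lines.

Added example, not from the article. Assumed log format per line:
    <ISO timestamp> <EVENT> user=<name> src=<ip>
Thresholds and window size are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
ACCOUNT_THRESHOLD = 5   # login attempts against one account inside WINDOW
SPRAY_THRESHOLD = 4     # distinct accounts tried from one source inside WINDOW
RESET_THRESHOLD = 3     # password resets across all accounts inside WINDOW

# Constructed sample log (chronological). alice is hammered from many sources,
# 198.51.100.7 sprays several accounts and then triggers resets, frank is benign.
SAMPLE_LOG = """\
2021-09-27T10:00:00 LOGIN_FAIL user=alice src=203.0.113.10
2021-09-27T10:00:05 LOGIN_FAIL user=alice src=203.0.113.11
2021-09-27T10:00:09 LOGIN_FAIL user=alice src=203.0.113.12
2021-09-27T10:00:14 LOGIN_FAIL user=alice src=203.0.113.13
2021-09-27T10:00:20 LOGIN_OK user=alice src=203.0.113.14
2021-09-27T10:01:00 LOGIN_FAIL user=bob src=198.51.100.7
2021-09-27T10:01:02 LOGIN_FAIL user=carol src=198.51.100.7
2021-09-27T10:01:04 LOGIN_FAIL user=dave src=198.51.100.7
2021-09-27T10:01:06 LOGIN_FAIL user=erin src=198.51.100.7
2021-09-27T10:02:00 PASSWORD_RESET user=bob src=198.51.100.7
2021-09-27T10:02:10 PASSWORD_RESET user=carol src=198.51.100.7
2021-09-27T10:02:20 PASSWORD_RESET user=dave src=198.51.100.7
2021-09-27T10:05:00 LOGIN_OK user=frank src=192.0.2.50
2021-09-27T10:09:00 LOGIN_FAIL user=frank src=192.0.2.50
2021-09-27T10:09:30 LOGIN_OK user=frank src=192.0.2.50
"""


def parse_line(line):
    """Parse one assumed-format log line into a dict."""
    ts_str, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts_str),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def _trim(q, now, window, key=lambda item: item):
    """Drop entries from the left of a deque that fall outside the window."""
    while q and now - key(q[0]) > window:
        q.popleft()


def detect(log_text, window=WINDOW, account_threshold=ACCOUNT_THRESHOLD,
           spray_threshold=SPRAY_THRESHOLD, reset_threshold=RESET_THRESHOLD):
    """Return (flagged_accounts, flagged_sources, reset_spike).

    flagged_accounts: accounts with >= account_threshold login attempts in a window.
    flagged_sources:  sources that tried >= spray_threshold distinct accounts in a window.
    reset_spike:      True if >= reset_threshold password resets landed in one window.
    """
    per_account = defaultdict(deque)   # user -> timestamps of attempts in window
    per_source = defaultdict(deque)    # src  -> (timestamp, user) pairs in window
    resets = deque()                   # timestamps of password resets in window
    flagged_accounts, flagged_sources = set(), set()
    reset_spike = False

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        now = rec["ts"]

        if rec["event"] == "PASSWORD_RESET":
            resets.append(now)
            _trim(resets, now, window)
            if len(resets) >= reset_threshold:
                reset_spike = True
            continue
        if not rec["event"].startswith("LOGIN"):
            continue

        # Signal 1: many attempts (success or failure) against one account.
        q = per_account[rec["user"]]
        q.append(now)
        _trim(q, now, window)
        if len(q) >= account_threshold:
            flagged_accounts.add(rec["user"])

        # Signal 2: one source trying many different accounts (credential stuffing).
        s = per_source[rec["src"]]
        s.append((now, rec["user"]))
        _trim(s, now, window, key=lambda item: item[0])
        if len({user for _, user in s}) >= spray_threshold:
            flagged_sources.add(rec["src"])

    return sorted(flagged_accounts), sorted(flagged_sources), reset_spike


if __name__ == "__main__":
    accounts, sources, spike = detect(SAMPLE_LOG)
    print("accounts under burst:", accounts)
    print("sources spraying accounts:", sources)
    print("password-reset spike:", spike)
```

Counting successful logins as well as failures in the per-account window is deliberate: a stuffing run that finally hits a valid password still shows up as a burst, and the eventual `LOGIN_OK` is the event a responder most wants to see flagged. Thresholds would be tuned against a site's normal traffic before being used to block anything.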
Users need to be aware of signs of breach, too, he added.
“Consumers need to ensure they are using varied and robust passwords across different websites and applications and lock down their credit reports as well.”
Smishing, or socially engineered phishing attempts conducted through SMS text messages, is a likely way cybercriminals will try to turn this database into profit, Jake Williams, from BreachQuest told Threatpost.
“With this information, threat actors can send SMS phishes while spoofing the sender’s number of a known friend,” Williams said. “A threat actor could go even further by using an SMS phishing pretext tailored to the victim based on their recent Facebook posts. Users are advised to be extremely careful in acting on unexpected SMS messages, even from senders they believe they know.”
Williams added that Clubhouse users need to be on the lookout for suspicious texts, particularly those asking to transfer funds or confirm requests with a phone call, which are both common smishing tactics.
And even if petty thieves don’t see the value in the information, John Bambenek from Netenrich told Threatpost that he suspects intelligence agencies will take notice.
“Breaches like these often get sold at a discount because the ones who stole the data don’t know what to do with it. In some cases, intelligence agencies will buy them if they have targets of interest on those platforms,” Bambenek said. “Likely the biggest use will go into the secondary consumer data market for those who want to build profiles for specific ad targeting.”
Beyond immediate ramifications of the enhanced data falling into the wrong hands, Archie Agarwal from ThreatModeler pointed out that as these leaks continue, it will enable threat actors to create incredibly rich profiles of targets.
“Aside from using data like this for more targeted scamming, there is a much larger concern,” Agarwal told Threatpost. “As we share more and more personal information across an ever-growing list of social-media platforms, combining data gleaned from this type of scraping, together with leaked breach information and leveraging big-data analytics to mine it, could potentially reveal previously hidden information and behaviors on users.”
While the infosec community is alarmed by the prospect of all that data floating around, Roger Grimes from KnowBe4 doesn’t expect the seller of the combined Clubhouse-Facebook data to get much financial gain out of the deal.
“My bet is the seller doesn’t get anywhere close to their $100,000 asking price. It’s not a scarce resource,” Grimes said in an email to Threatpost.
He also noted that while he agrees the data could fuel future smishing and other socially engineered attacks, he doesn’t suspect much pushback from users.
“I think most people simply see this as a cost of using free internet services, Clubhouse or any other service,” he said.