CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders

“Combo File” Merging 3.8 Billion Phone Numbers from Clubhouse With Scraped Facebook Users Could Cause Surge in Phishing, Account Takeover Attacks

Scott Ikeda · October 1, 2021

Taken on their own, the recent leaks of basic personal contact information from Clubhouse and Facebook users were not major security concerns. A new “combination file” offered on the dark web that makes connections between specific users of both platforms poses more of a threat, and could cause a spike in specific attack types, namely phishing and account takeover attempts.

In April, a bug in Facebook’s API created an opening for the contact information of about 533 million users to be scraped. Similar abuse of the Clubhouse API over the summer caused a file containing 3.8 billion phone numbers scraped from the platform to appear on the dark web for sale (Clubhouse has about 10 million active monthly users, but the platform asks for permission to go through contact lists to find friends upon signup). Someone has combined these two data dumps, going through the database of 3.8 billion entries from Clubhouse to make connections to the 533 million Facebook users.

The addition of phone number(s) to the Facebook contact information could be just enough for attackers to forge a convincing phishing text message or force their way into an account that is not properly secured.

Facebook users with Clubhouse accounts at increased risk

The primary group at risk from this new combination file is Facebook users who may have fallen victim to a glitching “Add Friend” feature sometime in 2019. The 533 million users impacted were fairly evenly distributed around the world, with about 32 million in the United States. The impacted accounts were posted in a public hacking forum, and Facebook should have notified anyone affected by now.

That breach potentially contained the full names, email addresses and phone numbers of Facebook users (depending on what information they chose to share with the platform). While the Clubhouse breach only contains phone numbers, many of these are likely from contacts listed in other apps and services rather than the user’s own account. This adds the context of personal network size and potentially Facebook relationships to the mix, invaluable information for someone looking to pull off a scam or craft a realistic-looking phishing message.

Listed on a dark web forum, the seller is asking $100,000 for the merged Clubhouse-Facebook user data. Cybersecurity experts say that it does not appear to have been sold yet, and some think the seller will have to come down on the price considerably given that it does not contain anything that is immediately usable for profit.

Account takeovers, phishing a concern with this breach

The primary concern about this breach is that the data it pairs together is particularly useful for the sort of basic account takeover attacks that could be run en masse with bots. Account takeover attempts make up the vast majority of failed fraudulent login attempts, and these are largely fed by information leaked in data breaches. Criminals may attempt brute force logins, or may attempt to initiate fraudulent password resets or calls to the help desk in trying to gain illicit access to the accounts.

In addition to direct account takeover attempts, phishing attacks will also likely draw on this database when it gets out into the wild. This particular set of information is best suited to attacks based on text messages. Threat actors will select a target, look for that target’s contacts, and spoof one of their known numbers to make the message appear legitimate. They might even be able to draw realistic details from the recent account activity if both are Facebook users.

This data will also likely end up combined with the results of other breaches and existing “combination files”, some of which have become frighteningly massive already. More “legitimate” sources have also been known to buy this sort of information: intelligence agencies looking to run operations, and the more unethical data brokers that furnish marketing profiles with detailed user records to online businesses.

Archie Agarwal, Founder and CEO at ThreatModeler, notes that each breach and data merge of this nature gradually creates greater risk of account takeover and scam targeting for anyone who has had any scraps of information compromised and included in the pile: “Aside from using this data for more targeted scamming, there is a much larger concern. As we share more personal information across an ever-growing list of social media platforms, combining data gleaned from this type of scraping, together with leaked breach information and leveraging big data analytics to mine it, could potentially reveal previously hidden information and user behaviors.”

For its part, Clubhouse claims that the vast majority of the billions of phone numbers that were captured were randomly generated by bots in an attempt to create fake accounts and that users have little to fear in terms of account takeover or other attacks. Facebook users can check to see if they were a part of the April breach by entering the email address associated with the account at the data leak checker HaveIBeenPwned.

Jake Williams, Co-Founder and CTO at BreachQuest, has some advice for anyone who may have been impacted: “By combining leaked phone numbers with Facebook profile information, it becomes trivial to connect phone numbers of users who are friends (and other likely friends). This allows extremely precise targeting of victims … Users are advised to be extremely careful in taking action on unexpected SMS messages, even from senders they believe they know. Clubhouse users should be on the lookout for suspicious SMS messages, especially those requesting the transfer of funds and confirm requests with a phone call (taking the threat actor out of band).”

Scott Ikeda
Senior Correspondent at CPO Magazine
Scott Ikeda is a technology futurist and writer for more than 15 years. He travels extensively throughout Asia and writes about the impact of technology on the communities he visits. Over the last 5 years, Scott has grown increasingly focused on the future landscape of big data, surveillance, cybersecurity and the right to privacy.