CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders
Cyber Security · News · 4 min read

“Combo File” Merging 3.8 Billion Phone Numbers from Clubhouse With Scraped Facebook Users Could Cause Surge in Phishing, Account Takeover Attacks

Scott Ikeda·October 1, 2021

Taken on its own, neither of the recent leaks of basic personal contact information from Clubhouse and Facebook users was a major security concern. A new “combination file” offered on the dark web, which links specific users across both platforms, poses a greater threat: it could create a spike in two specific attack types, phishing and account takeover attempts.

In April, a bug in Facebook’s API created an opening for the contact information of about 533 million users to be scraped. Similar abuse of the Clubhouse API over the summer caused a file containing 3.8 billion phone numbers scraped from the platform to appear on the dark web for sale (Clubhouse has about 10 million active monthly users, but the platform asks for permission to go through contact lists to find friends upon signup). Someone has combined these two data dumps, going through the database of 3.8 billion entries from Clubhouse to make connections to the 533 million Facebook users.

The addition of phone number(s) to the Facebook contact information could be just enough for attackers to forge a convincing phishing text message or force their way into an account that is not properly secured.

Facebook users with Clubhouse accounts at increased risk

The primary group at risk from this new combination file is Facebook users who may have fallen victim to a glitching “Add Friend” feature sometime in 2019. The 533 million users impacted were fairly evenly distributed around the world, with about 32 million in the United States. The impacted accounts were posted in a public hacking forum, and Facebook should have notified anyone affected by now.

That breach potentially contained the full names, email addresses and phone numbers of Facebook users (depending on what information they chose to share with the platform). While the Clubhouse breach only contains phone numbers, many of these are likely from contacts listed in other apps and services rather than the user’s own account. This adds the context of personal network size and potentially Facebook relationships to the mix, invaluable information for someone looking to pull off a scam or craft a realistic-looking phishing message.

Listed on a dark web forum, the seller is asking $100,000 for the merged Clubhouse-Facebook user data. Cybersecurity experts say that it does not appear to have been sold yet, and some think the seller will have to come down on the price considerably given that it does not contain anything that is immediately usable for profit.

Account takeovers, phishing a concern with this breach

The primary concern about this breach is that the data it pairs together is particularly useful for the sort of basic account takeover attacks that could be run en masse with bots. Account takeover attempts make up the vast majority of failed fraudulent login attempts, and these are largely fed by information leaked in data breaches. Criminals may attempt brute force logins, or may attempt to initiate fraudulent password resets or calls to the help desk in trying to gain illicit access to the accounts.

In addition to direct account takeover attempts, phishing attacks will also likely draw on this database when it gets out into the wild. This particular set of information is best suited to attacks based on text messages. Threat actors will select a target, look for that target’s contacts, and spoof one of their known numbers to make the message appear legitimate. They might even be able to draw realistic details from the recent account activity if both are Facebook users.

This data will also likely be combined with the results of other breaches and existing “combination files”, some of which have already become frighteningly massive. More “legitimate” sources have also been known to buy this sort of information: intelligence agencies looking to run operations, and the more unethical data brokers that furnish marketing profiles with detailed user records to online businesses.

Archie Agarwal, Founder and CEO at ThreatModeler, notes that each breach and data merge of this nature gradually creates greater risk of account takeover and scam targeting for anyone who has had any scraps of information compromised and included in the pile: “Aside from using this data for more targeted scamming, there is a much larger concern. As we share more personal information across an ever-growing list of social media platforms, combining data gleaned from this type of scraping, together with leaked breach information and leveraging big data analytics to mine it, could potentially reveal previously hidden information and user behaviors.”

For its part, Clubhouse claims that the vast majority of the billions of phone numbers that were captured were randomly generated by bots in an attempt to create fake accounts and that users have little to fear in terms of account takeover or other attacks. Facebook users can check to see if they were a part of the April breach by entering the email address associated with the account at the data leak checker HaveIBeenPwned.


Jake Williams, Co-Founder and CTO at BreachQuest, has some advice for anyone who may have been impacted: “By combining leaked phone numbers with Facebook profile information, it becomes trivial to connect phone numbers of users who are friends (and other likely friends). This allows extremely precise targeting of victims … Users are advised to be extremely careful in taking action on unexpected SMS messages, even from senders they believe they know. Clubhouse users should be on the lookout for suspicious SMS messages, especially those requesting the transfer of funds and confirm requests with a phone call (taking the threat actor out of band).”

Tags: Account Takeover Attack, Clubhouse, Data Scraping, Facebook Users, Phishing
Scott Ikeda
Senior Correspondent at CPO Magazine
Scott Ikeda has been a technology futurist and writer for more than 15 years. He travels extensively throughout Asia and writes about the impact of technology on the communities he visits. Over the last 5 years, Scott has grown increasingly focused on the future landscape of big data, surveillance, cybersecurity and the right to privacy.