Taken on their own, the recent leaks of basic contact information from Clubhouse and Facebook users were not major security concerns. A new “combination file” offered on the dark web, which links specific users across both platforms, is a different matter: it is well suited to driving a spike in two specific attack types, phishing and account takeover attempts.
In April, a bug in Facebook’s API created an opening for the contact information of about 533 million users to be scraped. Similar abuse of the Clubhouse API over the summer produced a file of 3.8 billion phone numbers scraped from the platform, which appeared for sale on the dark web (Clubhouse has only about 10 million monthly active users, but on signup it asks for permission to read the user’s contact list to find friends, so the file contains far more numbers than there are accounts). Someone has since joined the two dumps, matching the 3.8 billion Clubhouse entries against the 533 million Facebook records on phone number.
Pairing a verified phone number with the rest of the Facebook contact information could be just enough for attackers to forge a convincing phishing text message, or to brute-force or social-engineer their way into an account that is not properly secured.
Facebook users with Clubhouse accounts at increased risk
The primary group at risk from this new combination file is Facebook users whose data was scraped through a glitching “Add Friend” feature sometime in 2019. The 533 million affected users were fairly evenly distributed around the world, with about 32 million in the United States. The scraped records were posted in a public hacking forum, and Facebook did not commit to notifying affected users individually, so anyone who suspects they are in the set should check for themselves.
That breach potentially contained the full names, email addresses and phone numbers of Facebook users (depending on what information they chose to share with the platform). The Clubhouse dump contains only phone numbers, but many of them belong not to Clubhouse users but to people in the address books that Clubhouse users allowed the app to upload. Joining the two therefore adds the context of personal network size, and potentially Facebook relationships, to the mix: invaluable information for someone looking to pull off a scam or craft a realistic-looking phishing message.
Listed on a dark web forum, the seller is asking $100,000 for the merged Clubhouse-Facebook user data. Cybersecurity experts say that it does not appear to have been sold yet, and some think the seller will have to come down on the price considerably given that it does not contain anything that is immediately usable for profit.
Account takeovers, phishing a concern with this breach
The primary concern about this breach is that the data it pairs together is particularly useful for the sort of basic account takeover attacks that can be run en masse with bots. Account takeover attempts make up the vast majority of fraudulent login attempts, and they are largely fed by information leaked in data breaches. Criminals may brute-force logins, or may initiate fraudulent password resets or calls to the help desk in order to gain illicit access to accounts.
In addition to direct account takeover attempts, phishing campaigns will also likely draw on this database once it gets out into the wild. This particular set of information is best suited to attacks delivered by text message. Threat actors can select a target, look up that target’s contacts, and spoof one of those known numbers so the message appears to come from a friend. If both parties are Facebook users, the attacker may even be able to borrow realistic details from recent account activity.
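To make the mechanics concrete, the following Python is an added example (not code from the article or from either platform) that does two things: it joins two small, constructed dumps on a normalized phone number, the way the seller's combination file links Clubhouse address-book uploads to Facebook profiles, and then shows the defender's use of the same join key, triaging password-reset events against the set of exposed numbers and flagging source IPs that hit many distinct accounts. All records, IPs and log lines are made up for the example, and the default-country assumption in `normalize_phone` is a simplification of real number parsing.

```python
import re
from collections import defaultdict

# Constructed sample records (not real data). FB_DUMP mimics a profile dump
# (id, name, email, phone); CH_DUMP mimics address-book uploads (uploader, phone).
FB_DUMP = [
    "1001,Alice Example,alice@example.net,+1 (415) 555-0101",
    "1002,Bob Example,bob@example.net,415-555-0102",
    "1003,Carol Example,,+44 20 7946 0958",
]
CH_DUMP = [
    "ch_77,+14155550101",   # uploaded by Clubhouse user ch_77
    "ch_77,14155550102",
    "ch_77,+19995550199",   # bot-generated filler, matches nobody
    "ch_91,+442079460958",
]

def normalize_phone(raw, default_cc="1"):
    """Reduce a phone string to digits with a country code so that
    '+1 (415) 555-0101' and '14155550101' compare equal.
    Assumption: a 10-digit number without '+' is in the default country."""
    digits = re.sub(r"\D", "", raw)
    if not digits:
        return None
    if raw.strip().startswith("+") or len(digits) > 10:
        return digits
    return default_cc + digits

def merge_dumps(fb_lines, ch_lines):
    """Join the dumps on normalized phone. Returns
    phone -> {"fb": profile fields, "ch_uploaders": set of uploader ids},
    keeping only phones that appear in both."""
    merged = {}
    for line in fb_lines:
        uid, name, email, phone = line.split(",")
        key = normalize_phone(phone)
        if key:
            merged[key] = {"fb": {"id": uid, "name": name, "email": email},
                           "ch_uploaders": set()}
    for line in ch_lines:
        uploader, phone = line.split(",")
        key = normalize_phone(phone)
        if key in merged:
            merged[key]["ch_uploaders"].add(uploader)
    return {k: v for k, v in merged.items() if v["ch_uploaders"]}

def contact_graph(merged):
    """Invert the join: uploader -> names of the Facebook users in their
    address book. This is the 'who knows whom' context the article warns about."""
    graph = defaultdict(set)
    for rec in merged.values():
        for uploader in rec["ch_uploaders"]:
            graph[uploader].add(rec["fb"]["name"])
    return graph

# Defender side: constructed password-reset log lines.
RESET_LOG = [
    "2021-09-20T10:00:01Z ip=203.0.113.5 event=password_reset phone=+14155550101",
    "2021-09-20T10:00:02Z ip=203.0.113.5 event=password_reset phone=+14155550102",
    "2021-09-20T10:00:03Z ip=203.0.113.5 event=password_reset phone=+15105550155",
    "2021-09-20T10:05:00Z ip=198.51.100.9 event=password_reset phone=+442079460958",
]
LOG_RE = re.compile(r"ip=(?P<ip>\S+) event=(?P<event>\S+) phone=(?P<phone>\S+)")

def triage_resets(log_lines, exposed_phones, per_ip_threshold=3):
    """Return (hits, noisy_ips): resets aimed at exposed numbers, and IPs
    that requested resets for at least per_ip_threshold distinct numbers."""
    hits = []
    per_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        phone = normalize_phone(m["phone"])
        per_ip[m["ip"]].add(phone)
        if phone in exposed_phones:
            hits.append((m["ip"], phone))
    noisy_ips = sorted(ip for ip, phones in per_ip.items()
                       if len(phones) >= per_ip_threshold)
    return hits, noisy_ips

if __name__ == "__main__":
    merged = merge_dumps(FB_DUMP, CH_DUMP)
    print(dict(contact_graph(merged)))
    print(triage_resets(RESET_LOG, set(merged)))
```

The join key is the whole story: once numbers are normalized, linking the two dumps is a dictionary lookup, which is why the combination file is cheap to build and why a service that learns its users' numbers are in such a file should treat reset and SMS-OTP requests for those numbers as higher risk (for example, requiring a second factor that is not SMS).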
This data will also likely be combined with the results of other breaches and existing “combination files”, some of which have already grown frighteningly large. More “legitimate” buyers have also been known to purchase this sort of information: intelligence agencies looking to run operations, and the less ethical data brokers that sell detailed user records to online businesses for marketing profiles.
Archie Agarwal, Founder and CEO at ThreatModeler, notes that each breach and data merge of this nature gradually creates greater risk of account takeover and scam targeting for anyone who has had any scraps of information compromised and included in the pile: “Aside from using this data for more targeted scamming, there is a much larger concern. As we share more personal information across an ever-growing list of social media platforms, combining data gleaned from this type of scraping, together with leaked breach information and leveraging big data analytics to mine it, could potentially reveal previously hidden information and user behaviors.”
For its part, Clubhouse claims that the vast majority of the billions of phone numbers captured were randomly generated by bots attempting to create fake accounts, and that users have little to fear in terms of account takeover or other attacks. Facebook users can check whether they were part of the April leak by entering the email address associated with their account at the data leak checker HaveIBeenPwned.
Jake Williams, Co-Founder and CTO at BreachQuest, has some advice for anyone who may have been impacted: “By combining leaked phone numbers with Facebook profile information, it becomes trivial to connect phone numbers of users who are friends (and other likely friends). This allows extremely precise targeting of victims … Users are advised to be extremely careful in taking action on unexpected SMS messages, even from senders they believe they know. Clubhouse users should be on the lookout for suspicious SMS messages, especially those requesting the transfer of funds and confirm requests with a phone call (taking the threat actor out of band).”