Billions of users’ combined Clubhouse and Facebook data were exposed and put up for sale online in a massive data breach. Experts predict the combined cache of data will result in a rash of account takeover and smishing attacks.
The database of 3.8 billion phone numbers leaked from social-media app Clubhouse wasn’t worth much on the underground market on its own, so it ended up being dumped in a hacker forum for free.
However, a resourceful cybercriminal has allegedly mixed those phone numbers with 533 million Facebook profiles leaked last April. They are selling that enhanced database of personally identifiable information (PII) to the highest bidder on the dark web market.
According to CyberNews, the Clubhouse-Facebook database includes names, phone numbers, and other information. It is listed on an underground forum for $100,000 for all 3.8 billion records, with smaller pieces of data available for a smaller price. Reportedly, the seller is still in search of buyers.
The Data Breach Is Likely To Fuel ATO Attacks
PerimeterX security analyst Brian Uffleman said that scammers could use the exposed credentials in basic ATO (account takeover) attacks.
“These stolen credentials are then used for credential-stuffing and ATO attacks, which can steal value, whether that is in the form of gift cards, credit-card numbers, loyalty points or making false purchases,” Uffleman said. “ATO attacks are a major threat to any business and all of this just creates more fuel to feed the ATO attack fire.”
He went on to add that it’s far easier for hackers to use stolen credentials than to try to find weak links in an organization’s cybersecurity defenses. Uffleman indicated that PerimeterX’s research showed that, of all login attempts examined in the second half of the previous year, up to 85% were ATO attempts.
“Organizations need to be aware of signs that they’ve been attacked,” Uffleman warned. “These can include surges in help-desk calls, spikes in password resets and inhuman user behaviors, such as thousands of login attempts on an account in a short time period and then take the appropriate action to block these attacks.”
Users also must be aware of signs of a breach, he added.
“Consumers need to ensure they are using varied and robust passwords across different websites and applications and lock down their credit reports as well.”
Clubhouse-Facebook Database Will Fuel Smishing Attacks
Smishing (socially engineered phishing attempts via SMS text messages) is a possible approach by which cybercriminals will monetize the huge database, according to BreachQuest’s Jake Williams.
“With this information, threat actors can send SMS phishes while spoofing the sender’s number of a known friend,” Williams said. “A threat actor could go even further by using an SMS phishing pretext tailored to the victim based on their recent Facebook posts. Users are advised to be extremely careful in acting on unexpected SMS messages, even from senders they believe they know.”
Williams warned Clubhouse users to watch out for suspicious texts, especially those asking to transfer funds or confirm requests with a phone call. Both methods are common smishing strategies.
Although thieves don’t see the value of that data, Netenrich’s John Bambenek said he suspects intelligence agencies will take notice.
“Breaches like these often get sold at a discount because the ones who stole the data don’t know what to do with it. In some cases, intelligence agencies will buy them if they have targets of interest on those platforms,” Bambenek explained. “Likely the biggest use will go into the secondary consumer data market for those who want to build profiles for specific ad targeting.”
Beyond foreseeable ramifications of the combined data falling into the wrong hands, Archie Agarwal from ThreatModeler highlighted that as these leaks go on, they will enable cybercriminals to draw incredibly accurate profiles of potential victims.
“Aside from using data like this for more targeted scamming, there is a much larger concern,” Agarwal added. “As we share more and more personal information across an ever-growing list of social media platforms, combining data gleaned from this type of scraping, together with leaked breach information and leveraging big-data analytics to mine it, could potentially reveal previously hidden information and behaviors on users.”