According to the CyberNews research team, 3.8 billion allegedly scraped and merged Facebook and Clubhouse user records have been put on sale online.


The database was allegedly compiled by combining 3.8 billion phone numbers from a previously scraped Clubhouse database with users’ Facebook profiles.


The compilation appears to include names, phone numbers and other data.


The poster asks $100,000 for the complete database of 3.8 billion entries but is also willing to split the archive into smaller portions for potential buyers.


“[Scraped data like this] often get[s] sold at a discount because the ones who stole the data don’t know what to do with it. In some cases, intelligence agencies will buy them if they have targets of interest on those platforms,” explains John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based digital IT and security operations company. “Likely the biggest use will go into the secondary consumer data market for those who want to build profiles for specific ad targeting.”


The database contains profiles of users who don’t have Clubhouse accounts, whose phone numbers might have been acquired by threat actors “due to the company’s past insistence that users share their full contact lists with Clubhouse to use the social media platform,” the CyberNews research team says.


Past Clubhouse leaks have been lists of phone numbers without user details, says Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Ga.-based leader in incident response. “By combining leaked phone numbers with Facebook profile information, it becomes trivial to connect phone numbers of users who are friends (and other likely friends), which allows exact targeting of victims. Spoofing the sender of an SMS message is trivial; the problem is always knowing which number to spoof. With this information, threat actors can send SMS phishes while spoofing the sender’s number of a known friend. A threat actor could go even further by using an SMS phishing pretext tailored to the victim’s recent Facebook posts. Users are advised to be extremely careful in taking action on unexpected SMS messages, even from senders they believe they know. Clubhouse users should be on the lookout for suspicious SMS messages, especially those requesting the transfer of funds and confirm requests with a phone call (taking the threat actor out of band).”


Archie Agarwal, Founder and CEO at ThreatModeler, a Jersey City, N.J.-based automated threat modeling provider, says, “Aside from using this data for more targeted scams, there is a much larger concern. As we share more personal information across an ever-growing list of social media platforms, combining data gleaned from this type of scraping, together with leaked breach information and leveraging big data analytics to mine it, could potentially reveal previously hidden information and user behaviors.”


Editor's note: Clubhouse provided the following statement to Security magazine. 


“There has been no breach of Clubhouse. There are a series of bots generating billions of random phone numbers. In the event that one of these random numbers happens to exist on our platform due to mathematical coincidence, Clubhouse’s API returns no user identifiable information. Privacy and security are of the utmost importance to Clubhouse and we continue to invest in industry-leading security practices.”