According to CyberNews, a database holding the records of about 3.8 billion Clubhouse and Facebook users is being auctioned at a major hacker forum. The person selling them is reportedly asking for $100,000 for the complete database but is ready to split it up into smaller caches for lower costs.
These records contain sensitive information such as phone numbers, addresses, and names, among other things. All of this information appears to have been obtained through a breach of Clubhouse's systems on July 24th, during which numerous members' phone numbers were exposed online. However, the damage isn't limited to Clubhouse's users.
According to the September 4 post, the database also contains profiles of users who do not have Clubhouse accounts, whose phone numbers may have been obtained by threat actors as a result of Clubhouse's previous requirement that users share their entire contact lists with the social media platform in order to use it.
Because the platform requires users to sync their contacts with the app, contact numbers from a user's phone can also be revealed if the company's servers are hacked. And it appears that this is exactly what occurred. As a result, those who do not have a Clubhouse ID and password have their data exposed to the hacker site and may be at risk. While it is still unclear how Facebook user IDs ended up in the mix, it is plausible that the cybercriminal compared the revealed numbers to those found in prior Facebook hacks, which have been many.
Prior to this compilation, threat actors had little use for the purportedly scraped Clubhouse phone numbers, which were posted without any additional information about the participants. As a result, the prior Clubhouse scrape was labeled a "bad sample" on the forum and failed to pique scammers' interest.
However, according to CyberNews senior information security expert Mantas Sasnauskas, the expanded compilation “could serve as a goldmine for scammers.” They would obtain access to a lot more contextual information about the owners of the hacked phone numbers, according to Sasnauskas, such as usernames, locations based on phone number suffixes, Clubhouse network sizes, and Facebook profiles.
This means that scammers would be able to launch localized mass campaigns and create customized scams based on information acquired from potential victims' Facebook accounts much more easily. “People tend to overshare information on social media. This could give insights for scammers on what vector to employ to run their scams successfully by, for example, calling people with the information they learned from their Facebook account,” says Sasnauskas.