What do you get when you add a totally free 1.3 Billion set of phone numbers and data from millions of Facebook profiles? A massive dox database of users now up for sale for $100,000.
The Clubhouse data breach earlier this year, while headline-worthy, resulted in a big nothing where all the phone numbers exfiltrated were simply posted on the Dark Web. But one enterprising hacker combined the Clubhouse data with several of the already famous Facebook breaches, along with other data sources to create a 3.8 billion-strong database of accounts.
It’s been posted up for sale for $100,000 to any and all takers who believe they can do some effective mischief and malice with it.
There are a few ways this data can be used:
- SMiShing Attacks – if threat actors have your phone number and name, they can use texting to trick you into all kinds of badness; credential attacks, fraud, malware, and more.
- Account Takeover Attacks – with the Facebook account details and phone number, it’s possible to potentially brute force account logins, even perform SIM-swapping for accounts using SMS as their 2Fa.
- Social Engineering Attacks – I’ve seen successful attacks with less pertinent or valuable details over the years. Having your current phone number and Facebook logon is easily enough to trick users into giving up their credentials, credit card details, and more.
This latest sale of data raises a major red flag for organizations – with literally billions of users prime for social engineering scams, this data set can easily be used to target executives, those in the Finance department, etc. in an interest to infect corporate endpoints, install ransomware, etc.
Users should be warned against any kind of notification that either overtly is tied to Facebook or could remotely be associated with their Facebook account. Users that undergo continual Security Awareness Training should already be aware of this potential scam and be vigilant against it.
Can hackers spoof an email address of your own domain?
Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit “CEO Fraud”, penetrating your network is like taking candy from a baby.
Now they can launch a “CEO fraud” spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.
Find out now if your domain can be spoofed. The Domain Spoof Test (DST) is a one-time free service. Run this test so you can address any mail server configuration issues that are found.
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/domain-spoof-test-partner?partnerid=001a000001lWEoJAAW