Site navigation

Hacker Offers Database on 3.8bn Facebook and Clubhouse Users

Michael Behr


Hacker Facebook Clubhouse
By combining data from different sources, the hacker has created a resource that could be used to tailor spear phishing attacks.

A hacker is reportedly selling a database containing information on a combined 3.8 billion Clubhouse and Facebook users on a major hacker forum.

The 3.8 billion users previously had their phone numbers leaked and made available. However, the numbers alone were not considered valuable by cybercriminals and were eventually given away for free.

However, one criminal aggregated the numbers with data on 533 million Facebook users. The data was stolen back in 2019 and released in April this year. The database now contains more personal identifiable information (PII), including people’s names.

The database is now being sold for $100,000 on a hacker forum. The information comes with all entries from the two leaks, though smaller pieces are available for a discount.

Reportedly, the hacker is still looking for a buyer.

The more data a criminal has on a person, the more complete picture they can create. This allows them to tailor spear phishing attacks, winning their victim’s trust, and defrauding them. With enough data, a criminal could potentially even hack and takeover a victim’s account.

Similar breaches have taken place in the past, such as scraping operations on Clubhouse and LinkedIn. While these were not breaches in the traditional sense – instead gathering publicly available data – in the wrong hands, it can put people at serious risk.


Trevor Morgan, product manager at comforte, said: “The report that a threat actor merged two leaked datasets (Clubhouse, Facebook) into a much more valuable and potentially damaging one proves a very simple point: any data related to a person, no matter how seemingly insignificant, can be used to ‘seed’ cross-referencing activities, ultimately resulting in a more complete personal profile.

“Threat actors can then use these enhanced personal profiles for much more successful and potentially lucrative attack methods such as phishing and smishing.

“In isolation, the billions of phone numbers stolen from Clubhouse would have yielded very little value – combined with hundreds of millions of Facebook profiles from an earlier data leak, they have incredible value to threat actors and represent a threat to all the affected data subjects.”

Morgan added: “Every enterprise should take a lesson out of this situation and protect all of their data with data-centric security – not just borders and perimeters around their data—no matter how harmless those data elements seem to be.

“Format-preserving encryption and tokenization can make phone numbers incomprehensible, which would have thwarted an effort such as this one to create a richer dataset of PII.

“The lesson should be clear – every piece of information has potential value to hackers and other bad actors, so protect that data accordingly.”

Michael Behr

Senior Staff Writer

Latest News

%d bloggers like this: