Billions of Leaked Telephone Numbers Could Lead to Account Takeovers

Isolated data is rarely particularly valuable, if accessed in isolation. This proved true once again when over 3.5 billion telephone numbers leaked from Clubhouse - a social media service focuses on audio interaction. However, the data did not remain in isolation for a long time.

Initially, an entity who had access to the leak of billions of phone numbers published the data on an underground hacking forum, free of charge for anyone interested. Things got interesting when a third party got to work with the data leak. Another bad actor picked up the leaked numbers and started pairing them with another data leak comprised of over half a billion Facebook profiles leaked earlier in 2021.

Once the two datasets have been carefully matched and paired, the combined data is now suddenly worth $100,000 and is up for sale on the dark web. ThreatPost quoted security outlet CyberNews, who reported that the data is sold both in bulk and in smaller chunks, at more approachable prices.

The newly emerged combined data can now be put to good use by bad actors who can use it in account takeover attacks. The news outlets further quoted security researcher Brian Uffelman, an analyst with PerimeterX, who stated that account takeover attempts comprised nearly 85 percent of the total login attempts in the last half of 2020 - a staggeringly large percentage.

The data can be used for a number of attack vectors, from sending fake SMS messages in what is referred to as smishing, with specially tailored believable contents, to attempting petty theft of gift cards and other financially attractive items accessible through compromised accounts. Structured data like this can also be used for laser-precision ad targeting and tailoring if purchased by ad networks.

Incidents like this one only show that information can hold both value and power, especially when separate data sets are combined into new structures.