What do you get when you combine a freely available set of 1.3 billion phone numbers with data from millions of Facebook profiles? A massive dox database of users, now up for sale for $100,000.

The Clubhouse data breach earlier this year, while headline-worthy, amounted to a big nothing: all the exfiltrated phone numbers were simply posted on the Dark Web. But one enterprising hacker combined the Clubhouse data with several of the already famous Facebook breaches, along with other data sources, to create a 3.8 billion-strong database of accounts.

It’s been put up for sale for $100,000 to any and all takers who believe they can do some effective mischief and malice with it.

There are a few ways this data can be used:

  • SMiShing Attacks – if threat actors have your phone number and name, they can use texting to trick you into all kinds of badness: credential attacks, fraud, malware, and more.
  • Account Takeover Attacks – with the Facebook account details and phone number, it may be possible to brute-force account logins, or even perform SIM swapping against accounts that use SMS as their 2FA.
  • Social Engineering Attacks – I’ve seen successful attacks with less pertinent or valuable details over the years. Having your current phone number and Facebook logon is easily enough to trick users into giving up their credentials, credit card details, and more.

This latest sale of data raises a major red flag for organizations – with literally billions of users primed for social engineering scams, this data set can easily be used to target executives, those in the Finance department, and others in an effort to infect corporate endpoints, install ransomware, and so on.

Users should be warned against any kind of notification that is either overtly tied to Facebook or could remotely be associated with their Facebook account. Users who undergo continual Security Awareness Training should already be aware of this potential scam and be vigilant against it.