A hacker is offering for sale a database containing a whopping 3.8 billion phone numbers from the Clubhouse application servers.

The number is obviously scary: 3.8 billion phone numbers are up for auction on the Darknet. This database from the Clubhouse application was spotted by a cybersecurity researcher, Marc Ruef. “It’s not just Clubhouse members, but also contacts synced from users’ directories,” he says in a tweet. And there’s a good chance your phone number will show up.

But should we really be concerned? It seems that these numbers are not associated with any other contact information (name, first name, address), which is reassuring at first. Lionel Doumeng, cybersecurity expert at F-Secure, says that this data theft is important “because it is a platform that is used quite a lot” and that “phone numbers are easily associated with a person”. These numbers can be used to send a direct message to a person, build trust, send a link easily, all while validating the identity of the person through information associated with another platform, such as WhatsApp.

The hackers behind the leak also state that phone numbers are associated with a popularity score cleverly constructed from the number of contacts who have the number in their phonebook. The higher the score, the more likely the personality associated with the number is “important”. The hacker also points out that it is not just private mobile numbers that are involved, but that the database contains landline numbers as well as numbers from companies and professional organisations. A sample of more than 80 million numbers from Japan is available to potential buyers to prove the “good faith” of the thieves.

How can a database from Clubhouse be so meaty even though the app only has a few hundred million users? Therein lies the problem with mobile messaging, whether end-to-end encrypted or not. A subject we discussed with the people in charge of the French application Olvid, which does not need to access the user’s contact book, unlike WhatsApp, to name only the most famous messenger.

Most of them require access to the phonebook to function and thus access the entirety of the user’s contacts. This is also what the seller says: “All Gafa and Silicon Valley companies use the same process by collecting data from users who are not even registered on their service […] This is a serious violation of the right to privacy.”

The sale will take place on September 4, 2021, and is expected to interest large criminal groups. “They could hit companies, with data theft or ransomware attacks, and then maybe resell data to attackers who can go after smaller targets,” says Lionel Doumeng.