Locks and Security News: your weekly locks and security industry newsletter
20th October 2021 Issue no. 578
Your industry news - first
Clubhouse and Facebook major data threat
It is being reported that a database containing the user records of millions of Clubhouse and Facebook users is being sold on a major hacker forum.
On its own, the database of phone numbers leaked from social-media platform Clubhouse didn’t have much value on the underground market. In fact, the numbers were eventually dumped in a hacker forum for free.
But an enterprising threat actor has reportedly combined those phone numbers with 533 million Facebook profiles leaked last April and is selling that enhanced trove of personally identifiable information (PII) to the highest bidder on the underground market.
Commenting on the news is Trevor Morgan, product manager at data protection provider Comforte AG:
The report that a threat actor merged two leaked datasets (Clubhouse, Facebook) into a much more valuable and potentially damaging one proves a very simple point: any data related to a person, no matter how seemingly insignificant, can be used to “seed” cross-referencing activities ultimately resulting in a more complete personal profile. Threat actors can then use these enhanced personal profiles for much more successful and potentially lucrative attack methods such as phishing and smishing. In isolation, the billions of phone numbers stolen from Clubhouse would have yielded very little value—combined with hundreds of millions of Facebook profiles from an earlier data leak, they have incredible value to threat actors and represent a threat to all the affected data subjects. Every enterprise should take a lesson out of this situation and protect all of their data with data-centric security—not just borders and perimeters around their data—no matter how harmless those data elements seem to be. Format-preserving encryption and tokenization can make phone numbers incomprehensible, which would have thwarted an effort such as this one to create a richer dataset of PII. The lesson should be clear—every piece of information has potential value to hackers and other bad actors, so protect that data accordingly.
22nd September 2021