CyberNews reported that a threat actor combined a database of 3.8 billion phone numbers from social media platform Clubhouse with phone numbers from 533 million Facebook profiles exposed in April, and has been selling the merged cache of data for $100,000 in the dark web, with smaller pieces of the data being sold for a lower price.
The data being sold could be used by threat actors for account takeover attacks, PerimeterX analyst Brian Uffelman, told Threatpost in a followup report.
"These stolen credentials are then used for credential-stuffing and ATO attacks, which can steal value, whether that is in the form of gift cards, credit card numbers, loyalty points or making false purchases. ATO attacks are a major threat to any business and all of this just creates more fuel to feed the ATO attack fire," Uffelman said.
Meanwhile, BreachQuest Chief Technology Officer Jake Williams warned that the combined database could be leveraged in smishing attacks.
"With this information, threat actors can send SMS phishes while spoofing the sender's number of a known friend. A threat actor could go even further by using an SMS phishing pretext tailored to the victim based on their recent Facebook posts," said Williams.