[HN Gopher] A database with 3.8B phone numbers from Clubhouse is...
___________________________________________________________________
A database with 3.8B phone numbers from Clubhouse is up for sale
Author : FabianBeiner
Score : 289 points
Date : 2021-07-24 10:56 UTC (12 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| ALittleLight wrote:
| It's funny how the hacker who is selling stolen private data is
| also complaining about GDPR compliance and privacy. On the one
| hand, he's right that Clubhouse (if this is true) has done
| something bad, but the hacker is much worse.
| agumonkey wrote:
| Ah I wonder if that's related to the bot flood I got recently.
| TechBro8615 wrote:
| I've been getting this since the FB hack (by "hack" I mean the
| recent bulk enumeration of 500m phone numbers that Facebook
| facilitated for an unknown party).
| stackedinserter wrote:
| Is clubhouse still a thing in July 2021? How do you use it? (and
| who do you talk to?)
| afrcnc wrote:
| It's fake:
| https://twitter.com/troyhunt/status/1419013520763539457
| mam3 wrote:
| Bilions ?? On clubhouse ?
| chovybizzass wrote:
| It includes every users' contact list from their phone. So
| likely damn near everyone on the planet with a cell phone.
| coldcode wrote:
| Are people really that stupid to give some mobile app company
| access to their contact list? On iPhone you have to
| explicitly give permission, I presume on Android as well. I
| find that hard to believe everyone is doing it.
| nemothekid wrote:
| > _Are people really that stupid to give some mobile app
| company access to their contact list?_
|
| Almost every social media startup in the last 15 years was
| bootstrapped this way.
| ipaddr wrote:
| I keep no contacts on my phone and gladly give that info
| away. I'm surprised people don't use multiple phones for
| privacy.
| eclipxe wrote:
| Most people don't care about privacy.
| patja wrote:
| Based on the popularity of WhatsApp, yes most people don't
| give it a second thought.
| sneak wrote:
| Yes.
| FabianBeiner wrote:
| That was what made Clubhouse so famous:
|
| "After registering, the clubhouse app asks for access to
| your address book. This must be granted if you want to
| invite friends."
| jbverschoor wrote:
| I have no idea how that went through the Apple checks
| codetrotter wrote:
| It must be granted to invite friends but you can deny it
| access and still use Clubhouse, just that until you grant
| access you can't invite others.
| codetrotter wrote:
| Actually now that I look into it again, it looks like
| since the middle of March of this year it's even possible
| to invite others without sharing your phonebook.
|
| https://www.blogher.com/social-media/clubhouse-invite-
| withou...
|
| https://www.gizchina.com/2021/03/16/clubhouse-new-update-
| use...
| CapitalistCartr wrote:
| Everyone doesn't have to. If one person with your number
| gives up their contact list, they have yours. I'd guess
| about 10-12% of the populace would have to cooperate.
| alpaca128 wrote:
| Afaik WhatsApp (on Android at least) requires you giving
| access to your contacts. So roughly speaking a huge chunk,
| probably the majority, of smartphone users shared their
| contact list to at least one company, which strictly
| speaking might not even be legal in many cases.
|
| After all that's how WhatsApp populates its contact list,
| it looks which users have each other's phone numbers. That
| way it doesn't need a user login and friend/contact
| requests, but in return you give up your privacy.
| wngr wrote:
| Not true. It'll work without, it's just very
| inconvenient.
| [deleted]
| Bjartr wrote:
| Yes, constantly.
| hdjjhhvvhga wrote:
| Many apps will refuse to work if you don't allow access to
| your contacts, so people just give in and allow it.
|
| Google is the biggest abuser in this area just grabbing all
| your contacts and linking them to your Google account once
| you add any Google account (like Gmail or Youtube) to your
| Android device.
| alisonkisk wrote:
| What are you talking about?
| flemhans wrote:
| It's extremely annoying to add a number to Telegram
| without adding it as a contact first, and allowing
| Telegram access to the contact list.
| noxer wrote:
| Whats the point of that? You dont need to exchange phone
| numbers for telegram just the @username and only one side
| needs to know the others username.
|
| And once you have a chat with someone both can share
| their own contact directly in the chat with 2 clicks and
| add it with 2 clicks as well.
|
| (which is still rather useless because there is no real
| benefit from adding someone as contact. But I guess if
| you want to store number then this is easy)
| b3morales wrote:
| You're thinking like a technically enlightened person --
| if not an engineer -- who prioritizes efficiency and
| control.
|
| You're not thinking like a "normie" goal-oriented user,
| who doesn't care about understanding the system, and for
| whom the shortest path to achieving their goal generally
| passes through saying _" sure, whatever"_ to any requests
| the app makes.
| user-the-name wrote:
| I do not think you are allowed on the Apple App Store if
| you do that.
| capableweb wrote:
| Maybe not for smaller apps but apps with large user bases
| are under different rules than the rest.
| [deleted]
| BatteryMountain wrote:
| They forgot to "select distinct"?
| FabianBeiner wrote:
| According to the screenshot: All members plus every single
| number in each of their phone books.
| oliv__ wrote:
| Even if they had 10M users (which I doubt), at 100 contacts
| per user that's 1B contacts.
| mcintyre1994 wrote:
| Clubhouse does the classic "share your contacts with us to find
| your friends here" thing, but it sounds like they just upload
| your entire list into their database instead of doing anything
| remotely privacy aware. I'm mostly curious how much else they
| uploaded with the numbers - is this name + number + email etc?
| And if this dump is just numbers, do Clubhouse have the rest
| somewhere else?
| justinclift wrote:
| Yeah, not sure either. Suspecting it's some other Clubhouse,
| not the main (project planning) one (https://clubhouse.io).
| SahAssar wrote:
| It's the audio chat one: https://www.joinclubhouse.com/
| justinclift wrote:
| Thanks, that makes more sense. :)
| deliberateJack wrote:
| I am selling a database with ten billion phone numbers. 1.25 GB
| file with each number compressed to a single bit. You can compare
| the clubhouse database against mine to determine which numbers
| are not in their set.
| Scoundreller wrote:
| Knowing which numbers are capable of receiving SMS and which
| aren't has some value.
|
| Especially in a world of number portability where you can't
| just say "oh, that's an old number, it must be POTS".
|
| But I guess, here, if a number is from your contact list, it
| may still be POTS.
|
| But at least you have higher assurance that it's an active
| user. If you wardial one day, you quickly find out how many
| numbers never lead to a human for various reasons. In theory,
| some of these are trap numbers and quickly flag the caller as
| suspicious, but I doubt it.
| simfree wrote:
| The Local Routing Number provides this value in the USA, and
| multiple carriers offer daily deactivation reports from the
| cellular carriers so you can tell which numbers are
| unroutable.
| rospaya wrote:
| In some countries mobile phone numbers have a prefix so you
| know by that.
| gsich wrote:
| Also some POTS provider will accept SMS and either read it to
| you, or you can read them in some web portal (or the router
| possibly).
| fisherjeff wrote:
| Great. It's the weekend and I can theoretically now stop
| thinking about software, and yet here I am thinking of ways to
| efficiently compress lists of phone numbers
| perihelions wrote:
| There was a thread about that last month,
|
| https://news.ycombinator.com/item?id=27549075 ("Sorted
| Integer Compression")
| fisherjeff wrote:
| The rabbit hole deepens...
| [deleted]
| quchen wrote:
| Just enumerate them all, if none is missing it's fairly easy
| to compress. (And 1b per number is really inefficient) ;-)
|
| main = traverse print [1..99999999]
| luckman212 wrote:
| What language is that?
| WJW wrote:
| Haskell
| WJW wrote:
| The Kolmogorov complexity of the set of all phone numbers
| is pretty low. All phone numbers with a few missing is also
| pretty low.
|
| In fact, I now wonder if you can even compress the 3.8b
| phone number set to less than 1 bit per phone number. It
| should be pretty doable since a significant chunk of the
| number space is not valid.
| dillondoyle wrote:
| But not all numbers are valid? 911. Not all area codes
| exist.
| H8crilA wrote:
| Presumably all non-american ones are not on your list?
| saiya-jin wrote:
| I have even better - for every country, just covering all their
| operator's prefix and then 99999-9999999 numbers in that range.
| Definitely the biggest dataset around, and bigger is alwyas
| better, right?
| michelb wrote:
| How realistic would it be to send (anonymous) mass sms messages
| with phishing or other malicious links to those numbers? I'm
| occasionally getting sms message with bogus sender info (i cannot
| reply, nor get contact info), always wonder how spammers pull
| that off so easily.
| Scoundreller wrote:
| As a challenge, I try to takedown these things by reporting
| them to Google Safebrowsing, their SSL provider (if they have
| one), their host, their URL shortener, etc.
|
| Though in Canada, I'm seeing them apply some cloaking measures
| so they don't get removed as quickly.
|
| I think there's two streams of this:
|
| 1. a crooked telecom that has low-level access
|
| 2. buy a bunch of SIM cards and dump them into one of these
| aliexpress machines that has 16 wireless modems in them that
| let you do whatever you want:
|
| https://www.aliexpress.com/item/4000462982086.html
|
| Can even network them to a bank thingy that'll hold 128 cards:
|
| https://www.aliexpress.com/item/4000462976225.html
| ttam wrote:
| https://twitter.com/UnderTheBreach/status/141888964970820813...
|
| this tweet says it's BS (they validated the japan sample)
| mm983 wrote:
| they didn't "validate" anything, they just opened the csv. also
| i'd be interested in their take on the second column, that
| looks like clubhouse's scoring system (which they ran without
| telling anyone, likely for marketing purposes, according to
| this* article). if so, you can in fact tell which numbers are
| more significant than others.
|
| *https://futurezone.at/apps/clubhouse-leakt-38-milliarden-
| tel...
| zinekeller wrote:
| Hmm, so the "highest" numbers would be publicly-knowable
| numbers anyway (because they are the numbers to dial and
| contact the government/customer service of a private
| company).
|
| If this is only a list of numbers and their relative
| popularity, the best you can do is accusation of adultery
| (and even in that, you could say that you're "popular"
| because coworkers also store your numbers).
| FabianBeiner wrote:
| https://zerforschung.org/posts/clubhouse-telefonnummern-en/
| PragmaticPulp wrote:
| According to the Tweet, the leaker provides a claimed data
| sample that is a list of phone numbers without any additional
| information.
|
| A list of 3.8 billion phone numbers that simply exist is
| useless. The leak would only have value if the numbers were
| associated with some identifying information.
|
| If it's really only phone numbers, I wonder if it's a leak or
| if someone brute-forced all possible phone numbers against a
| ClubHouse API that leaked information about whether or not the
| number existed in their database.
| sebmellen wrote:
| If Clubhouse can't detect >3.8B erroneous requests and shut
| down that API/microservice, that destroys my confidence
| _more_ than a data breach.
| mohanmcgeek wrote:
| Clubhouse didn't have 3.8B users.. why would they have 3.8B
| phone numbers?
|
| This whole thing seems made up.
| jsjohnst wrote:
| Last I heard, they had around 10M users. Since they
| employ the, what I would consider, dark pattern of
| heavily encouraging folks to upload their contact list,
| that comes out to an average of 380 people per person.
| Given the Clubhouse user base demographics, I find this
| at least plausible.
| jimkleiber wrote:
| I'd say it's even more of a dark pattern than that. They
| didn't encourage me to "upload my contact list" but
| rather "give access to my contacts" (or something like
| that) Perhaps the difference is trivial in how it's coded
| yet even though I've removed their access to my contacts,
| they still have my contacts. I think they should have to
| delete them whenever I remove their access, or not even
| upload them in the first place but just read them when
| necessary.
|
| Also, some apps seem to do this with photos, asking for
| access, does anyone know if these apps also upload all of
| one's photos once the user grants permission on iOS?
| acid__ wrote:
| That would only be true if it were 380 _unique_ contacts
| per person. Surely there is significant overlap from user
| to user.
| whatch wrote:
| Shouldn't it be 380 _distinct_ people?
| mcintyre1994 wrote:
| Because they encourage users to upload their contacts so
| they can connect them on the platform. At one point when
| it was invite-only these uploaded contacts were the only
| way to invite friends.
| makapuf wrote:
| A fair share of my phone numbers are bogus(old numbers,
| info I store as a phone number even if its not) so the db
| extracted from here would be dubious
| astatine wrote:
| The 3.8B numbers is really meaningless, in isolation. This is the
| problem of plenty - 10K numbers with a very specific profile
| might be a lot more valuable. The real worry would be the info on
| the relationships between the numbers (which number is connected
| to whom). This leak seems to have a count of relations rather
| than the actual connections.
| axegon_ wrote:
| Well the facebook data that was published everywhere earlier
| this year could hold some value when combined with this one:
| While the facebook data is somewhat outdated, I'm pretty sure
| you'd get millions of people with relevant and up to date
| information.
| koolba wrote:
| They should combine it with that zero click remote iMessage bug.
| That'd be some serious black hat marketing synergy.
| qpiox wrote:
| If you have enough cash and time you can legally create your own
| list of all possible numbers on the world. Pick a number, dial
| and see if it exists. Hang up to prevent further charges.
| jsjohnst wrote:
| > create your own list of all possible numbers on the world.
| Pick a number, dial and see if it exists.
|
| Let's say you had the ability to do that 1,000x a minute using
| an automated dialer. Just in the US alone that would take you
| over a year to complete and how many of those numbers you
| verified changed active/disconnected status during that time?
|
| (PS, I didn't downvote you, just pointing out a problem with
| your theory)
| mm983 wrote:
| They are done for this time. Leaking peoples' number who haven't
| even signed up yet because of their economy flame approach for
| literally anything, oh boy...
| robertwt7 wrote:
| How does it work for the seller when the FBI is the one who ends
| up buying that list and then busted him in the auction?
|
| Genuinely asking.. might be dumb question
| dmitriid wrote:
| That's what law enforcement does all the time: when there are
| illegal goods for sale, and a chance to catch the seller, they
| will go in, make the purchase and arrest the seller.
| finger wrote:
| Sorry for the stupid question, but isn't it illegal to buy
| illegal stuff? How does the police get away with that?
|
| For instance in Denmark it is technically illegal to buy
| stolen goods, even if you genuinely aren't aware of it being
| stolen. Im sure this applies to most countries.
| zenexer wrote:
| LEOs often seem to be exempt when acting in an official
| capacity. I'm not sure what the restrictions are--do they
| need a court order in a situation like this?--but LEOs are
| definitely allowed to break laws and buy illegal wares.
| noxer wrote:
| Illegal is defined by law and laws applied to a subset of
| people. What do you think the police does with illegal
| substances? Not confiscating them because "owning" it is
| illegal? No, the police does not take ownership the state
| does and the laws do not apply to the state. There is
| nothing out there in the world that is illegal for everyone
| to handle. not drugs, not nukes, not illegal media etc.
| someone has to have the right to handle it somehow.
| dmitriid wrote:
| This differs from country to country. There's some info on
| Wikipedia:
| https://en.wikipedia.org/wiki/Sting_operation?wprov=sfti1
| noxer wrote:
| This would not be a classics sting operation. The seller
| already committed the crime(s) by offering it. Sting
| operation usually are the reason someone could commit a
| crime by creating a bait crime opportunity.
| unnouinceput wrote:
| Let's play devil's advocate here and assume I am the dude
| selling the list.
|
| I would ask for monero and would not care if the FBI is the
| buyer. The most they can do is to watch exchanges where monero
| is exchanged versus dollars or other cryptocoins. Then do this
| a few times over and start buying goods with those then sell
| the goods on Amazon/eBay for hard $$$. Small amounts and even
| with 50 cents at a dollar is still worth it for one person.
| sennight wrote:
| I've wondered about the feasibility of using state run
| lotteries for laundering in a cash based criminal enterprise.
| The known odds of low cost/return scratch-offs and the need
| to only account for claimed winnings would make it
| tempting... if it wasn't so labor intensive.
| edoceo wrote:
| Cant go wrong with Quick Pick.
| Aeolun wrote:
| Isn't it great that a lot of high-tech crime is prevented
| by the people capable of it being too lazy to bother?
| sennight wrote:
| I learned a long time ago that the most effective way to
| correct a vice is to play it against another vice, sloth
| being an easy goto. But in this case... I'm not a drug
| dealer, so I don't need to launder large amounts of small
| bills. But... if I wanted to launder a bunch of public
| ledger based crypto: instead of a using a loud and proud
| "bitcoin tumbler", I'd use something like satoshibet. Of
| course, that is likely why the original no longer exists
| - and I imagine anyone standing up a replacement (without
| a sufficiently invasive KYC implementation) would face
| similar hostility. Anyway, I expect that'll change when a
| state run satoshibet eventually emerges.
| clavigne wrote:
| I don't think it would be a good idea, given that you'd
| have to claim the winnings. It might work once or twice but
| not over and over again.
|
| Additionally in most cases I'd think the lottery odds would
| be lower than the cost of traditional laundering (smurfing,
| through crooked banks, using cash based businesses like
| taxis etc.) Especially if you have to pay people to buy
| tickets.
| ptr2voidStar wrote:
| Check mate.
| vmception wrote:
| If the seller gets caught that is how it works
|
| If the seller doesn't get caught due to the purchasing methods
| and general routine OPSEC, then its just another example of the
| Fed reliably monetizing everything, meaning there will always
| be a buyer and everyone should sell more.
___________________________________________________________________
(page generated 2021-07-24 23:01 UTC)