A database with 3.8B phone numbers from Clubhouse is up for sale (opens in new tab)

Knowing which numbers are capable of receiving SMS and which aren't has some value.

Especially in a world of number portability where you can't just say "oh, that's an old number, it must be POTS".

But I guess, here, if a number is from your contact list, it may still be POTS.

But at least you have higher assurance that it's an active user. If you wardial one day, you quickly find out how many numbers never lead to a human for various reasons. In theory, some of these are trap numbers and quickly flag the caller as suspicious, but I doubt it.

Great. It’s the weekend and I can theoretically now stop thinking about software, and yet here I am thinking of ways to efficiently compress lists of phone numbers

Presumably all non-american ones are not on your list?

How much?

I have even better - for every country, just covering all their operator's prefix and then 99999-9999999 numbers in that range. Definitely the biggest dataset around, and bigger is alwyas better, right?

Well the facebook data that was published everywhere earlier this year could hold some value when combined with this one: While the facebook data is somewhat outdated, I'm pretty sure you'd get millions of people with relevant and up to date information.

According to the Tweet, the leaker provides a claimed data sample that is a list of phone numbers without any additional information.

A list of 3.8 billion phone numbers that simply exist is useless. The leak would only have value if the numbers were associated with some identifying information.

If it’s really only phone numbers, I wonder if it’s a leak or if someone brute-forced all possible phone numbers against a ClubHouse API that leaked information about whether or not the number existed in their database.

they didn't "validate" anything, they just opened the csv. also i'd be interested in their take on the second column, that looks like clubhouse's scoring system (which they ran without telling anyone, likely for marketing purposes, according to this* article). if so, you can in fact tell which numbers are more significant than others.

*https://futurezone.at/apps/clubhouse-leakt-38-milliarden-tel...

Why fake a new data leak at all? It's likely to be illegal either way. Depending on the quality of your work I suspect it would be easy to find buyers for aggregated and cross validated data sets on the black market.

For that matter, I have to assume that the shadier businesses silently make use of publicly available leaks. The data is just too valuable to ignore depending on your business model.

Clubhouse does the classic “share your contacts with us to find your friends here” thing, but it sounds like they just upload your entire list into their database instead of doing anything remotely privacy aware. I’m mostly curious how much else they uploaded with the numbers - is this name + number + email etc? And if this dump is just numbers, do Clubhouse have the rest somewhere else?

According to the screenshot: All members plus every single number in each of their phone books.

They forgot to "select distinct"?

It includes every users' contact list from their phone. So likely damn near everyone on the planet with a cell phone.

Yeah, not sure either. Suspecting it's some other Clubhouse, not the main (project planning) one (https://clubhouse.io).

It's not fake, it's just not valuable.

Edit: Or rather, the tweet doesn't claim it's fake, just that it's not valuable.

If the seller gets caught that is how it works

If the seller doesn’t get caught due to the purchasing methods and general routine OPSEC, then its just another example of the Fed reliably monetizing everything, meaning there will always be a buyer and everyone should sell more.

That's what law enforcement does all the time: when there are illegal goods for sale, and a chance to catch the seller, they will go in, make the purchase and arrest the seller.

Let's play devil's advocate here and assume I am the dude selling the list.

I would ask for monero and would not care if the FBI is the buyer. The most they can do is to watch exchanges where monero is exchanged versus dollars or other cryptocoins. Then do this a few times over and start buying goods with those then sell the goods on Amazon/eBay for hard $$$. Small amounts and even with 50 cents at a dollar is still worth it for one person.

As a challenge, I try to takedown these things by reporting them to Google Safebrowsing, their SSL provider (if they have one), their host, their URL shortener, etc.

Though in Canada, I'm seeing them apply some cloaking measures so they don't get removed as quickly.

I think there's two streams of this:

1. a crooked telecom that has low-level access

2. buy a bunch of SIM cards and dump them into one of these aliexpress machines that has 16 wireless modems in them that let you do whatever you want:

https://www.aliexpress.com/item/4000462982086.html

Can even network them to a bank thingy that'll hold 128 cards:

https://www.aliexpress.com/item/4000462976225.html

I’ve been getting this since the FB hack (by “hack” I mean the recent bulk enumeration of 500m phone numbers that Facebook facilitated for an unknown party).

> create your own list of all possible numbers on the world. Pick a number, dial and see if it exists.

Let’s say you had the ability to do that 1,000x a minute using an automated dialer. Just in the US alone that would take you over a year to complete and how many of those numbers you verified changed active/disconnected status during that time?

(PS, I didn’t downvote you, just pointing out a problem with your theory)

You've invented wardialing

https://en.wikipedia.org/wiki/Wardialing