TL,DR:
- Compromised passwords are stolen user credentials—often harvested via infostealer malware and now openly traded on platforms like Threads—that pose a critical threat by giving criminals direct access to user accounts.
- Security teams must immediately implement continuous monitoring across these emerging social platforms to detect exposed customer data and update internal fraud detection rules.
- The business impact of unmitigated compromised credentials is severe, directly resulting in widespread account takeovers (ATO), increased financial fraud, and lasting brand reputation damage.
- To prevent future password compromises from escalating, organizations should leverage proactive threat intelligence to identify and remediate exposed credentials before they can be weaponized.
Enterprise fraud teams and CISOs face increasing threats as criminals shift to new platforms where stolen data is shared more openly than ever. Threads, Meta’s Twitter/X competitor, has quickly become a new haven for cybercriminals looking to buy, sell, and distribute stolen credit card information, creating serious implications for businesses trying to prevent financial fraud and downstream identity abuse.
While not yet at the scale of dark web markets, the activity on Threads is significant and growing.
Threads post containing detailed financial card information, including what appears to be an account balance or credit limit.
Many of the observed posts contain sufficient data for bad actors to use to commit financial fraud as well as other targeted attacks (also known as “fullz”), including:
| Cardholder full names |
| Full and partial credit card numbers |
| SSNs |
| CVVs |
| Bin numbers |
| Pin numbers |
| Addresses |
| Associated bank name and/or credit card lender name |
| Credit card amounts |
| Expiration dates |
| IP addresses |
| Birth dates |
| Phone numbers |
| Email addresses |
| Passwords |
What types of stolen financial data appear on Threads
Stolen financial data on Threads includes comprehensive personal information, often called “fullz,” which allows criminals to commit fraud. This data ranges from full credit card numbers and CVVs to SSNs and addresses, providing a complete identity package.
Key data types include:
- SpyCloud Labs reported that stolen credit card data posted on Meta’s Threads included SSNs and CVVs, among other data elements.
- Addresses, phone numbers, and email addresses
Screenshot of a Threads post containing stolen card information along with a poll prompting users to select whether the associated debit card details worked for them, with the options “Worked fine” for a successful transaction or account opening or “Declined | Post more” for failed transactions.
How cybercriminals exploit Threads features
Threat actors are clearly using Threads’ built-in features to promote stolen financial data. They are taking advantage of the platform’s core functionality to maximize the visibility of their illicit posts.
|
Feature Exploited
|
Criminal Use Case
|
|---|---|
|
Recommendation Algorithm
|
Criminals rely on the algorithm to push their content into users' feeds, creating exposure without any user search action.
|
|
Polls
|
Actors use polls to crowdsource the validity of stolen cards and to artificially boost post engagement and visibility.
|
|
Trending Tags (#fyp)
|
Using tags like #fyp inserts their illicit posts into popular, high-traffic feeds, increasing their reach.
|
|
Bio Links
|
Accounts place links to private Telegram channels in their bio to funnel interested buyers to a more secure marketplace.
|
Screenshot of a post with stolen credit card information that contains “fyp,” an abbreviation of “For You Page.”
Where stolen credit card data comes from
The credit cards appearing on Threads are harvested from various illicit sources before being sold. The primary methods include:
- Infostealer Malware: This software infects a user’s device and steals saved data, including credit card numbers from browser autofill.
- Data Breaches: Criminals steal data from corporate databases, including e-commerce sites and service providers.
- Phishing Attacks: These scams trick victims into voluntarily entering their card details on fake websites.
How Telegram enforcement may be driving threats to Threads
The timing of this new activity on Threads directly correlates with increased content moderation on Telegram. This crackdown followed the arrest of its founder in August 2024.
Criminals are now using Threads as a public billboard. They use bio links to direct users back to their now-hidden Telegram channels, circumventing the new restrictions.
Screenshots from a Reddit post where an Instagram user talks about stumbling upon stolen credit/debit card data on Threads.
Business impact: Why this matters to your organization
The appearance of stolen financial data on a mainstream platform like Threads creates direct and severe consequences for businesses.
- Increased Fraud Losses: Exposed customer credit cards lead directly to more fraudulent transactions and chargebacks.
- Account Takeover (ATO): The ‘fullz’ data shared on Threads provides criminals with everything they need to take over customer accounts.
- Brand Reputation Damage: When customer data appears publicly, it erodes trust and can lead to customer churn.
Individuals
If you are concerned about whether you have exposed financial or other identity data circulating on the dark web, check your exposure with our free tool. Enter your email(s) to receive a free exposure report detailing what information criminals have in hand and learn what you can do to protect yourself.
Organizations:
The risk exposed consumer data poses for your business can impact your organization’s bottom line just as much as if the threat were to come from inside the house via an exposed employee or vendor. It’s imperative you have visibility into the stolen data being used to potentially create fraudulent accounts or transactions.
- SpyCloud’s Consumer Risk Protection solution helps you identify your customers’ darknet exposures and stop high-risk attacks like account takeover.
- SpyCloud’s Compromised Credit Card API lets your business query its own BIN(s) to proactively scan issued cards for dark web compromise, so you can remediate exposures before criminals can act.
- You can also enter your company’s domain into SpyCloud’s Check Your Exposure tool and get a free report on the company and consumer risk for your organization.
Has your organization been exposed on Threads?
Identify the compromised customer data that has your business at risk.
FAQs
Yes, many posts contain valid stolen card data used as advertising samples for larger criminal operations. However, scams are also present.
Criminals harvest data from sources like infostealer malware, data breaches, and phishing attacks, then aggregate it for sale.
Threat actors post free ‘samples’ of valid cards as a marketing tactic to attract buyers for their larger, paid databases of stolen data.
Immediately contact your bank to cancel the card and request a replacement. Monitor your account statements closely for fraudulent activity.
While Meta has content policies, criminals are currently evading detection. In some cases, the platform’s own algorithm is amplifying the illicit content.
Keep reading
