
New Joint CISA/FBI/CNMF Advisory Is Latest Confirmation that Attackers Use Commercial Data Brokers to Target Organizations


The joint CISA/FBI/CNMF updated advisory on Scattered Spider acknowledges what several analysts have previously noted: the threat group is using commercial data brokers as part of their reconnaissance toolkit and as fuel for social engineering.

In its July 29, 2025 update, the joint advisory states that Scattered Spider’s targeted social engineering campaigns are “enriched by access to personal information derived from social media, open-source information, commercial intelligence tools, and database leaks.”

What are “commercial intelligence tools” in this context? According to CISA, this refers to ‘commercial data aggregating and analytics services that can be purchased for use’ — in other words, the data broker platforms that sell employee and executive information. Scattered Spider uses these tools to map organizations, identify high-value targets, and craft convincing social engineering lures.

The updated advisory confirms what we noted in our own recent article on Scattered Spider. As we stated there, the most direct way to disrupt Scattered Spider’s reconnaissance is to proactively reduce the personal data available to them. Removing employee info from data brokers deprives Scattered Spider of easy target intelligence. It’s a preventive measure that few discuss, yet it directly targets the source of their advantage.

The Gap in Mitigation Guidance

The updated Scattered Spider advisory underscores a larger issue: standard mitigation advice typically doesn’t account for the role of data brokers in fueling attacks. For years, breach and threat intelligence reports have ranked social engineering among the most common initial access vectors. Yet personal data removal from data broker sites as a preventive measure is absent from most mitigation guidance, despite mounting proof that threat actors use these sites for reconnaissance and targeting.

Several examples from recent years illustrate this pattern. Analysis of leaked Conti ransomware chats revealed operators actively using ZoomInfo and RocketReach to profile potential victims and estimate their revenue. The more recently leaked Black Basta chats showed members using ZoomInfo and RocketReach to build detailed targeting lists and craft social engineering campaigns. Okta’s investigation into the 0ktapus campaign concluded that the attackers, Scatter Swine, “likely harvested mobile phone numbers from commercially available data aggregation services that link phone numbers to employees at specific organizations.” A joint FBI/CISA vishing advisory from 2020 describes attackers compiling employee dossiers using sources including “recruiter and marketing tools,” and “publicly available background check services,” both of which are types of data brokers. And the latest example is the joint CISA/FBI/CNMF advisory on Scattered Spider, placing commercial data aggregators alongside social media, OSINT, and leak data as inputs for social engineering.

These examples make clear that attackers are using data broker sites. Within the criminal ecosystem, some groups purchase access directly while others resell it as a lookup service. Either way, broker profiles supply the intelligence that drives social engineering attacks.

The Value of Data Brokers For Attackers

A document entitled “Data Brokers and Security: Risks and Vulnerabilities Related to Commercially Available Data”, published by the NATO Strategic Communications Centre of Excellence, highlights the value of data broker info for malicious actors:

“Data brokerages are a treasure trove for malicious actors in the 21st century, especially from a military perspective. Without costly intelligence and reconnaissance capacities, a malicious actor can obtain detailed and potentially sensitive information about its targets. Without concern for the legality of information collection, vast and detailed data sets can be obtained immediately and at a comparatively cheap price. And because the industry has very low barriers to entry and only sporadically conducts screenings, the market is open to any actor with the means to pay for products and services. If access cannot be obtained legally, hacking into a data broker’s server is also lucrative, since a wealth of data is stored in one place and security practices tend to be insufficient.”

The report cites an example of the latter case in which the U.S. broker Interactive Data LLC was compromised by a malicious actor who “gathered personal data on people and businesses later used for impersonation, scams, and fraudulent emails” — a clear instance of data broker information fueling social engineering and fraud. The broker profiles enabled the fraudsters to impersonate real individuals and businesses in emails targeting government agencies, stealing tens of millions of dollars. The same data also let them pass online verification systems at banks and financial institutions to open fraudulent accounts and obtain prepaid cards. Investigative reporter Brian Krebs noted that these scammers were also sharing highly detailed personal and financial records from this data broker “via a free web-based email service that allows anyone who knows an account’s username to view all email sent to that account — without the need of a password.”

Whether purchased directly, resold within the criminal ecosystem, or exposed through broker compromises, data broker profiles pose a major threat to businesses across industries, particularly as they are exploited for social engineering.

Personal Data Removal As a Security Imperative

CISA’s guidance on avoiding social engineering and phishing attacks is clear: ‘Do not provide personal information or information about your organization… unless you are certain of a person’s authority to have the information.’ Yet, data brokers effectively distribute that same sensitive information by default. This makes personal data removal a security imperative.

Until personal data removal is recognized as a core mitigation, and adopted in practice, organizations will continue to face attackers armed with data broker dossiers.

Those that address their data broker exposure proactively, however, disrupt attacker reconnaissance efforts, prevent targeting, and significantly limit an attacker’s ability to launch social engineering campaigns against them.
