Bad luck for Wishbone: large-scale attack on the teen-oriented social media app


Wishbone is a mobile app offering users instant two-question polls on various types of content. It is marketed toward a younger audience. Users compare images such as fashion looks or answer questions like “Doughnuts or cupcakes?”. Wishbone is one of the top 50 social networking apps in the App Store, and it even hit the top 10 in 2018. Google Play Store indicates that the app has between 5 and 10 million downloads. Wishbone was created in 2015 under the leadership of Michael Jones, former CEO of MySpace.

On May 21, a breached database of Wishbone users was published for free access on a dark web forum by a hacker group called Shiny Hunters.

According to Breach Report analysis, the 40-million-user database contains 7,816,735 accounts with compromised emails and passwords. The passwords are MD5-hashed, which means they can be cracked very easily.

Other breached information includes usernames, telephone numbers, cities/states/countries, access tokens for Facebook and Twitter, gender, dates of birth, and profile pictures that are often images of underage users, the key demographic of the app.

It appears that the database was breached on the 27th of January, 2020. The stolen data was initially offered on several hacker forums for 0.85 bitcoins (equivalent to 8 000 dollars). Judging by the comments on those websites, some users purchased it. Later, however, Shiny Hunters offered the database for free download, supposedly to stop the resellers.

On May 22, a follow-up database was openly published. It contains 8,633,758 user accounts and plain text passwords of Wishbone users. The greater number of compromised passwords in this database may be explained by fake accounts added for a bigger effect.

Mammoth Media, the owner of the Wishbone app, provided Breach Report with the following statement:

“On May 20, our team became aware of a security issue where we believe an unauthorized individual may have had access to Wishbone’s database through stolen credentials. Personal information for some of our users was compromised. No financial or other sensitive information was involved. We have since invalidated any current access methods to user information and updated keys accordingly, and we've also ensured that all employees or services which require access to use cybersecurity approved multi-factor authentication or similar methods. Across the board, we are implementing stronger security and encryption of personal information to ensure the safety of all of our users’ data. We value our users' privacy and deeply regret that this has happened”.

Breach Report recommends that all Wishbone users change the passwords they use to access the service, the connected Facebook and Twitter accounts, and any other services where they use the same passwords, to prevent credential stuffing attacks. Wishbone users should also be very mindful of the possibility of phishing campaigns threatening their data. Users can check whether their emails were compromised and be informed about future threats with the Breach Report security monitoring service.

The safety of Wishbone users’ data was also put at risk in 2017, when cybercriminals leaked 2 million emails and full names, about 300 000 mobile phone numbers, and other information like gender and birth dates. The statement of the app owner said that the attacker "may have had access to an API without authorization." The 2017 breach didn’t compromise passwords, user communications, or financial account information.

The Shiny Hunters hacker group has created a lot of buzz lately. In March 2020, they attacked Tokopedia, a leading Indonesian e-commerce company. The attack compromised 12,099,389 accounts containing names, gender, birth dates, email addresses, and SHA-384 hashed passwords. Also that month, they stole 500 GB of data from Microsoft's private repositories on the developer platform GitHub, which the tech giant owns.

As of May 27, the group offers more than 20 databases which they claim to have breached themselves, and promise to leak more data soon:

  • catho.com (40M + 10M plaintext)

  • chatbooks.com

  • unacademy.com

  • tokopedia.com

  • ck12.org & braingenie

  • leafly.com

  • minted.com

  • mathway.com

  • wappalyzer.com

  • styleshare.kr

  • bhinneka.com

  • ggumim.co.kr

  • homechef.com

  • startribune.com

  • indaba

  • zerista.com

  • yw.com

  • jewelry.com

  • rewardstyle.com

  • accuradio.com

  • zoosk.com