A hacker has leaked a database of 40 million users of the popular Wishbone application as a free download on one of the hacking forums, reports ZDNet.
For those unaware, Wishbone, a social networking app launched in 2015 that describes itself as “the go-to for comparing anything your heart desires” allows users to compare two or more items in a simple voting poll. This iOS and Android app covers everything from fashion, celebrities, humor, music, and more and is particularly targeted at teenagers.
The renowned hacker known as “ShinyHunters” has taken the credit for posting the database to RaidForums, claiming that, “since people are starting to resell wishbone we’ve decided to leak it for free.”
ShinyHunters is the same hacker who was found selling about 73.2 million user records stolen from 10 companies online for about $18,000.
This hacker is also behind the theft of 500GB from Microsoft’s private GitHub repositories, and the sale of the database of Indonesia’s largest online store, Tokopedia as well as the database of the online learning platform, Unacademy on the Dark Web.
The trove of exposed data now available for all includes usernames, email addresses, mobile numbers, gender, date-of-birth, city/state/country, Facebook and Twitter access tokens, hashed MD5-hashed passwords, profile images (that included loaded images of supposed minors), and much more.
This treasure trove of information could be useful to threat actors to perform follow-on phishing campaigns, credential stuffing attacks, and account takeovers.
The database was first publicly advertised for sale by a well-regarded data breach seller on RaidForums for 0.85 Bitcoin (around $8,000) this Wednesday. In response to this listing, ShinyHunters on Thursday decided to leak the Wishbone database on the same hacker forum for free.
The reseller claims the Wishbone app data was acquired in a hack that took place at the end of January 2020, which can be confirmed from the user registration and last login dates included in the Wishbone data sample provided by him. Also, the sample data shared by ShinyHunters show that they were downloaded in January 2020 confirming the data is from a new hack and not from a previous Wishbone hack in 2017.
It is unclear whether the exact seller of the data is the one who launched the cyber-attack on Wishbone. However, according to ZDNet, the seller is only a “data broker,” which specializes in buying and reselling hacked databases in the cybercriminal underground.
Mammoth Media, the parent company of Wishbone, has not yet made an official statement on the said recent hacking on their app but said it is aware of the situation and complaints regarding the app’s safety.
“Protecting data is of the utmost importance. We are investigating this matter and will share any significant developments,” the company said in a statement to ZDNet.
In lieu of the current incident, we would suggest Wishbone users change your password of their accounts immediately. Also, if you are the same email/username and password combination for other apps, we request you to have them updated as well. Additionally, we request you to cancel the app’s access to any linked email or social media accounts.