UPDATE: Wishbone reaches Tech Times regarding the previous article about data breach linked to the Wishbone app. Here's the official statement of the company:
On May 20, our team became aware of a security issue where we believe an unauthorized individual may have had access to Wishbone's database through stolen credentials. Personal information for some of our users was compromised. No financial or other sensitive information was involved. We have since invalidated any current access methods to user information and updated keys accordingly, and we've also ensured that all employees or services which require access use cybersecurity approved multi-factor authentication or similar methods. Across the board, we are implementing stronger security and encryption of personal information to ensure the safety of all of our users' data. We value our users' privacy and deeply regret that this has happened.
Wishbone, a social polling app made by Mammoth Media, reportedly experienced a massive data breach. The company did not yet confirm the hacking, but it turns out that approximately 40 million of its users are now exposed to different online selling platforms. An exclusive report tells us that hackers of the app are now selling the profiles of Wishbone's users for a total price of $8,000.
For $8,000, you can now buy 40 million hacked profiles
ZDNet reported this week, a supposed hacker that sells 40 million user records for an amount of $8,000. The profiles were said to be hacked from a popular social polling app called Wishbone.
Wishbone is a popular app most used by teens, which allows users to take a polling test such as "what should I wear," "where shall I go," and other poll questions.
The hacked data from this app are now being sold online in multiple selling platforms and hacking forums for an amount of untraceable Bitcoin currency worth 0.85 BTC or $8,000.
As described on the seller's ads online, the Wishbone data includes usernames, emails, phone numbers, city/state/country, but also hashed passwords.
Not only that, but even the Wishbone users' profile pictures with loaded images of supposed minors were included in the sale.
Passwords can easily be cracked using Wishbone
The sale includes the passwords for each account in Wishbone. And surprisingly, they are not even encrypted properly.
ZDNet was intrigued by the hacker's claim that the passwords were in SHA1 format. But when they accessed the said passwords, they were found with MD5 format only, which can easily be cracked even by a normal person that knows technology.
It was not identified whether the exact seller of the data was the main hacker of Wishbone. But ZDNet thinks that the seller is only a "data broker," which specializes in selling and buying hacked items-- not part of the exact hacking business.
Wishbone may not be safe to use after all
Mammoth Media has not yet confirmed the said recent hacking on their app. But it turns out that this news may not be as shocking as it could be.
A group of advertisers under the Digital Advertising Accountability Program (DAAP) investigates the app, and its another affiliate called Yarn. According to them, the apps allegedly collect data of their users through their promoted ads.
"In Mammoth Media's case, "technical analysis revealed the collection of user data - including precise location data - by third parties for advertising purposes." But clear disclosure of those activities and requests for consent were not found," written on the report.
As of now, Mammoth Media spokesperson said that the company is now investigating the said sale and complaints regarding the app's safety.
"Protecting data is of the utmost importance," the company said. "We are investigating this matter and will share any significant developments."
