Wishbone App Hacked, Exposes 2.2M Email Addresses, 300K Phone Numbers
A rather popular social networking app for teens was hacked with attackers getting away with 2.2 million email addresses and some 287,000 cellphone numbers.
The social networking app allows users to create and vote on simple quizzes with two options. In time, it has become extremely popular, especially among teenagers, something that makes this data breach that much more troublesome – many of the users affected by the incident are young people, including underage girls and boys. About 70% of users in a sample of 200 leaked accounts were under 18 years old.
App Annie places Wishbone among the top 10 most popular social networking apps for iPhones in the United States, which means there are quite a lot of users playing around with it. Mostly, it is geared towards teenagers and young adults, mostly female, one of the founders said in the past.
Data comes from unprotected database
Troy Hunt, the security researchers behind breach notification website Have I Been Pwned? says that hackers found an unprotected database for the app and stole its contents, which are now circulating on the dark web.
Motherboard reports that Hunt received what seemed to be a copy of a MongoDB database with Wishbone data on it. The collection of data on it included 2,326,452 full names, 2,247,314 email addresses, 287,502 cellphone numbers, as well as birthdates and user’s gender.
The data trove does not contain any identifying information for the affected users, mostly because Wishbone doesn’t require it to create an account.
The tech incubator behind the app, Science Inc, confirmed there’s been a data breach. In a statement, they claim hackers may have had access to an API without authorization. While the vulnerability has already been patched, it’s too little too late since so many users have been exposed. Affected users have been notified via email.
People can check if their email address is in the database over on Have I Been Pwned?