Posted on May 21, 2020 at 1:55 PM
A hacker has exposed 40 million Wishbone app user records and offered them for sale on the dark web. Wishbone is a popular mobile app that lets users compare two items through a voting poll.
Based on a sample of the published data and on the seller's claims, the Wishbone data includes user information such as phone numbers, emails, usernames, and place of residence, as well as hashed passwords.
The hacker also said the hashed passwords are in SHA-1 format, but a sample collected by the ZNET security research firm today shows the passwords are in MD5 format.
MD5 password hashes are technically very easy to crack: almost any tech-savvy person can recover the original plaintext passwords, and free password tools available online are enough to do it.
As it stands, ZNET has already cracked those passwords with the help of a free tool.
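The two formats named above can be told apart by digest length (32 hex characters for MD5, 40 for SHA-1), and a service that still holds such hashes can replace them with a salted, memory-hard hash the next time each user logs in. The sketch below is an added example, not code from the article or from Wishbone; the function names, the record layout, the sample password and the scrypt parameters are all assumptions.

```python
import hashlib
import hmac
import os

# Hex digest lengths of the two formats named in the article.
HEX_LENGTHS = {32: "md5", 40: "sha1"}
SCRYPT = dict(n=2**14, r=8, p=1)  # assumed cost parameters

def classify(stored: str) -> str:
    """Guess the storage format of a password record from its shape."""
    if stored.startswith("scrypt$"):
        return "scrypt"
    is_hex = all(c in "0123456789abcdef" for c in stored.lower())
    return HEX_LENGTHS.get(len(stored), "unknown") if is_hex else "unknown"

def scrypt_record(password: str) -> str:
    """Build a salted record: scrypt$<salt hex>$<key hex>."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against a record in any of the known formats."""
    fmt = classify(stored)
    if fmt == "scrypt":
        _, salt_hex, key_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
        return hmac.compare_digest(key.hex(), key_hex)
    if fmt in ("md5", "sha1"):
        digest = hashlib.new(fmt, password.encode()).hexdigest()
        return hmac.compare_digest(digest, stored.lower())
    return False

def login(password: str, stored: str):
    """Return (ok, record_to_store); a legacy hash is upgraded on success."""
    if not verify(password, stored):
        return False, stored
    if classify(stored) != "scrypt":
        return True, scrypt_record(password)
    return True, stored

# Constructed sample: an unsalted MD5 record for a made-up password.
LEGACY_SAMPLE = hashlib.md5(b"constructed-sample-pw").hexdigest()

if __name__ == "__main__":
    ok, upgraded = login("constructed-sample-pw", LEGACY_SAMPLE)
    print(classify(LEGACY_SAMPLE), "->", classify(upgraded), ok)
```

Upgrading on login only covers users who return; hashes for dormant accounts stay in the old format until they are reset or invalidated.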
Data contained other vital Wishbone information
According to the report, the stolen data contains links to Wishbone profile pictures. It also reveals the profile pictures of some minors, a category of users that has been very popular on the Wishbone app. The exposure of information about these underage users was not taken lightly by many parents.
The hacker claims he stole the Wishbone app data during a hack that occurred earlier in the year. The login dates and user registration dates included in the breached data sample show the statement may be true, as all timestamps date back to January this year.
Those in control of the forum ads pointed out that the ads were placed by a “data broker”. Data brokers are cybercriminals whose speciality is buying and selling hacked and stolen data in the darknet community. They are not usually involved in the hacking of data but act as middlemen between the hackers and those who are interested in the stolen information.
According to a recent report, the data brokers have a long list of hackers as clients and are ready to push any data into the cybercriminal market, as long as they are making profits. Presently, they are selling more than 1.5 billion records from data stolen from dozens of other companies.
However, it is not clear whether the seller of the data is the one who released the information to these hacking forums.
Wishbone has been previously hacked
The majority of the data offered for sale was stolen in previous years, and Wishbone was also one of the victims of such previous hacks. In a previous hack in 2017, 2.2 million Wishbone user accounts were breached.
But verification of this recent hack shows that the records from the 2017 hack were not even included in the released details. User emails from today’s data were taken and verified, and the result shows that the records from the 2017 data hack were not included in the present breach.
The data was checked using Have I Been Pwned, which is a secure site that allows people to find out if their emails were included in any previous hack.
The emails were also verified using a private security platform known as KELA, which indexes and tracks data linked to older hacking incidents. But none of the details from the 2017 hack appeared on the checklist.
Wishbone may be unsafe to use
News of a data breach at Wishbone may not be shocking to many, as the platform has suffered a similar breach in the past.
Some advertisers registered with the Digital Advertising Accountability Program (DAAP) investigated the app recently. Based on their findings, the Wishbone app gets data from some of its users via its promotional ads. The report on the findings revealed Wishbone may not have used a genuine advertisement method through third parties. According to the report, the app allegedly collects users' data but does not request their consent.
In response to this allegation, Wishbone stated it has high policies on the safety of user data. According to the company, “Protecting data is of the utmost importance.”
It further stated that the firm is currently investigating the breach and that more information will be shared when there are further developments.