Media reports say a hacker is selling the details of Wishbone's 40 million registered users and claims the data was stolen during a hacking campaign earlier this year. Wishbone is a popular mobile app that lets users compare two items through a simple poll. ZDNet notes that a large amount of Wishbone's registered user information is being listed on multiple hacking forums for just 0.85 bitcoins (about $8,000).
Samples posted by the seller show that the database contains information such as Wishbone user names, email addresses, phone numbers, cities, and password hashes.
The hacker claimed the passwords were in SHA1 format, but ZDNet's review found that the sample contained passwords in MD5 format.
MD5 is a weak password hash format: it is prone to brute-force recovery of the original plaintext string, and many free-to-use tools for doing so are available online.
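The gap between the claimed SHA1 and the observed MD5 is visible from digest length alone (32 versus 40 hex characters). The following is an added example, not code from the article or from Wishbone, that audits stored hashes by format and contrasts them with a salted scrypt record. The `scrypt$salt$hash` layout, the function names and the sample rows are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# Unsalted hex digests can be told apart by length alone.
HEX_LENGTHS = {32: "md5", 40: "sha1"}

def classify_hash(value):
    """Guess the storage format of a password hash from its shape."""
    v = value.strip().lower()
    if v.startswith("scrypt$"):          # assumed record layout, see hash_password
        return "scrypt"
    if re.fullmatch(r"[0-9a-f]+", v):
        return HEX_LENGTHS.get(len(v), "unknown")
    return "unknown"

def hash_password(password):
    """Salted, memory-hard replacement: a fresh random salt per account."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=2**14, r=8, p=1)
    return hmac.compare_digest(dk.hex(), dk_hex)

def audit(records):
    """Return (format counts, stored values shared by more than one account)."""
    counts, owners = {}, {}
    for user, stored in records:
        fmt = classify_hash(stored)
        counts[fmt] = counts.get(fmt, 0) + 1
        owners.setdefault(stored, []).append(user)
    shared = {h: u for h, u in owners.items() if len(u) > 1}
    return counts, shared

# Constructed sample rows (not taken from any real dump).
SAMPLE = [
    ("user_a", hashlib.md5(b"example-pass-1").hexdigest()),
    ("user_b", hashlib.md5(b"example-pass-1").hexdigest()),   # same password as user_a
    ("user_c", hashlib.sha1(b"example-pass-2").hexdigest()),
    ("user_d", hash_password("example-pass-1")),              # same password, salted
    ("user_e", hash_password("example-pass-1")),
]
```

In the sample, the two unsalted MD5 rows collide because the accounts share a password, while the two scrypt rows for that same password differ because each has its own salt.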
In addition, the database summary contains links to Wishbone profile pictures, which clearly include a large group of minor users.
The hacker claims the Wishbone app data was stolen in an attack earlier this year, as evidenced by the user registration and last login dates included in the sample (back in January 2020), but it is not clear who put it up for sale on the hacker forum.
ZDNet's analysis found that the hacker is still peddling databases of dozens of other companies (more than 1.5 billion records in total), most of them from companies whose breaches were reported in previous years, such as the 2.2 million user data breach that affected Wishbone in 2017.
Although Wishbone has not disclosed its user numbers in recent years, the app has been among the top 50 social apps in the iOS App Store for many years (even jumping into the top 10 in 2018), and it has been downloaded between 5 and 10 million times on the Google Play Store.