40 Million Wishbone App Users' Records Are Sold Online
As we mentioned yesterday, cybercriminals often try to make money from data that was compromised years ago. When Catalin Cimpanu, one of ZDNet's security reporters, found an ad selling the information of Wishbone app users on an underground forum, he probably thought that this is exactly what's happening.
The popular quiz application suffered a data breach back in 2016 when hackers leaked a database containing the personal information of about 2.2 million users. At the time, the cybercriminals claimed that they are releasing only a small portion of the stolen information, and it looked like the new ad could be containing the rest of the details pilfered four years ago. After reviewing a sample from the newly advertised database, however, Cimpanu realized that this is a brand new hack.
A cybercriminal is selling 40 million Wishbone records for $8 thousand
The seller did point out that the database was taken in 2020, and ZDNet's reporter confirmed this by checking the timestamps and reviewing the sample data against a couple of breach notification services, which showed that it is indeed pretty recent. The number of affected individuals sits at around 40 million, and the records include names, usernames, email addresses, phone numbers, geographic locations, and hashed passwords. The seller is asking for 0.85 bitcoins or about $8 thousand, which means that the accounts are priced at $0.0002 apiece.
Wishbone's developers have yet to come out with an official statement, but ZDNet has confirmed that the data is genuine. It's relatively inexpensive, and it's offered by what appears to be an experienced trader. Catalin CImpanu's investigation revealed that the same seller is offering dozens of databases stolen from all sorts of service providers. In total, the reporter estimated that the cybercriminal is in possession of a whopping 1.5 billion stolen records.
Most likely, the seller will have no problems shifting the Wishbone database, and while he/she is counting the profits, the app's users must think about the potential consequences of the breach.
How can Wishbone's data breach affect users?
Although no financial data is involved, there is enough personally identifiable information to facilitate all sorts of scams. With the contact details, the hackers can easily get in touch with potential targets, and the rest of the data can help them spring a social engineering trap that the victims are likely to fall in. Considering the fact that the vast majority of Wishbone's userbase consists of teenage girls, the ramifications of the data breach are terrifying.
You could argue that the breach shouldn't have happened, but, as we've said in the past, no company is immune from getting hit by cyberattacks. The fact of the matter is, however, that although Wishbone has already been through one security incident, its developers don't appear to have learned their lesson.
In the advert, the data's seller said that the passwords were hashed with SHA1. This is a problem because SHA1 is not the most robust hash function and can be reversed. When Catalin Cimpanu looked at a sample of the leaked credentials, however, he realized that the passwords were actually hashed with MD5 – an algorithm that can be broken in seconds with freely accessible tools.
The threat to people's Wishbone accounts is very real, and if affected users are reusing the same passwords for multiple services, the damages could be even more significant.