Cyber Nightmare: What went wrong with Wishbone?

BY OnSecurity Team / ON Oct 13, 2020

Launched in 2015, Wishbone is a social networking app that encourages users to have their say in comparisons of everything from clothing to music. Advertised as a "quick and fun start to each morning", it has over 3.1 million active monthly users, many of them teenage girls. However, there has been considerable concern about the safety of the Wishbone app, as users have received unsolicited messages and the user profile database has been hacked on two separate occasions.

Causing understandable concern among the world's social media users, privacy advocates, and parents, the latest Wishbone cybersecurity breach happened at the turn of 2020. It involved the theft of a database containing the email addresses, names, usernames, phone numbers, geographic locations, genders, social media profiles, and MD5-hashed passwords of around 40 million users.

Repeated Nightmares

It would have been hoped that lessons had been learned as a result of the 2017 hack, involving the discovery and download of a MongoDB database featuring 2.2 million email addresses and nearly 300,000 cell numbers. The company responded with the release of a statement, claiming that "the integrity of your personal information is extremely important to us. We are continuing to investigate this matter and will continue to take appropriate action to prevent future similar incidents."

Unfortunately, the preventative actions proved insufficient and Wishbone fell prey to another cybersecurity breach in January of 2020. The latest attack is known to have impacted 20 times as many users and resulted in the loss of far more personal data than the first. It is thought that the hacked database was initially sold on to a "data broker", who then attempted to sell it for the price of 0.85 bitcoin (equivalent to ~£2,300 in January) across a range of illicit platforms. However, it has recently been made available as a free download to members of the RaidForum community. Personal information obtained during the 2017 breach has not been included within this year's download.

Passwords included within the Wishbone database had not been saved in plain text, which would have attracted great scrutiny. However, they had been hashed using the same MD5 algorithm deemed "cryptographically broken" by leading tech experts in 2010. It is known that such passwords can be cracked in as little as 30 seconds, increasing the digital vulnerability of the Wishbone users.
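To make the point above concrete, here is an added example (written for this article, not code from Wishbone or Mammoth Media) that contrasts unsalted MD5 storage with a salted, deliberately slow password hash. The user names and passwords are constructed sample data, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for any modern password hash (bcrypt, scrypt or Argon2 would serve equally well). Two things it shows: with unsalted MD5, every user who chose the same password gets the same stored value, so one crack exposes all of them; and a single salted PBKDF2 computation costs far more than a large batch of MD5 computations, which is what makes guessing expensive for an attacker.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts (assumed values, not from any real data set).
SAMPLE_USERS = {
    "alice": "summer2019",
    "bob": "summer2019",     # same password as alice
    "carol": "P4ssw0rd!",
}


def md5_store(password: str) -> str:
    """Unsalted MD5, the scheme the article describes. Deterministic and fast."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt is drawn per record.
    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def build_table(users: dict, store) -> dict:
    """Hash every sample password with the given storage function."""
    return {name: store(pw) for name, pw in users.items()}


def users_with_shared_hash(table: dict) -> int:
    """Count records whose stored value also appears under another user.
    With unsalted MD5 this directly reveals who shares a password."""
    counts = {}
    for value in table.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for value in table.values() if counts[value] > 1)


def cost_ratio(md5_batch: int = 1000) -> float:
    """How many MD5 computations fit in the time of one PBKDF2 computation.
    Returns (time of one PBKDF2) / (time of md5_batch MD5s); > 1 means PBKDF2 is
    slower per guess, which is the property a password hash needs."""
    t0 = time.perf_counter()
    for i in range(md5_batch):
        md5_store(f"guess{i}")
    md5_time = time.perf_counter() - t0
    t0 = time.perf_counter()
    pbkdf2_store("guess0")
    pbkdf2_time = time.perf_counter() - t0
    return pbkdf2_time / max(md5_time, 1e-9)


if __name__ == "__main__":
    md5_table = build_table(SAMPLE_USERS, md5_store)
    pbkdf2_table = build_table(SAMPLE_USERS, pbkdf2_store)
    print("users exposed by a shared MD5 hash:", users_with_shared_hash(md5_table))
    print("users exposed by a shared PBKDF2 hash:", users_with_shared_hash(pbkdf2_table))
    print("alice verifies:", pbkdf2_verify("summer2019", pbkdf2_table["alice"]))
    print("wrong password verifies:", pbkdf2_verify("summer2020", pbkdf2_table["alice"]))
    print("one PBKDF2 costs about %.0f x a thousand MD5s" % cost_ratio())
```

The iteration count is a tunable cost; the value here is a reasonable 2020-era default for PBKDF2-SHA256 and should be raised over time. Note that the salt removes the "shared hash" leak but does nothing on its own for speed; it is the iteration count (or the memory cost in scrypt/Argon2) that slows down guessing, so both properties are needed.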

It's suspected that many of the teenage Wishbone users would have used the same usernames and passwords when registering with other websites and apps, placing themselves at considerable risk of cyber-crime. This is a particularly pertinent point, given how freely personal information is shared among teenage social media users. There is a definite generational gap, with the sharing of personal information having become normalised within today's generation.

Wishbone Response

Although the hack is known to have happened back in January, it wasn't acknowledged by Mammoth Media (owners of Wishbone) until May. A statement was then shared with ZDNet, saying that the cybercrime was being investigated. There was a further attempt to reassure the public, as Mammoth Media emphasized the importance of data protection and promised to share any developments arising during their investigations. However, it's been suggested that the response should have come much sooner given the scale and sensitivity of the breach.

There is bound to be continued concern over the use of the Wishbone app, particularly among privacy advocates and parents of the teenage users. The changing of usernames and passwords should certainly be considered a priority.

Digital experts have suggested that Mammoth Media should be taking additional precautions for the safeguarding of user data; including the forced change of login information. Details of the security response haven't been shared on the Wishbone website, AppStore, Google Play, or Twitter account at the time of writing.

Other recommendations for the security of social media profile data include:

  • Using an encrypted password manager
  • Regularly updating usernames and passwords across all apps
  • Opting against the access of linked email or social media accounts
  • Creating a unique email account for social media
  • Using two-factor authentication wherever possible

Penetration Testing Recommendation

Any business owners keen to avoid similar cyber security nightmares are encouraged to sign up for the OnSecurity penetration testing service. With real-time reporting and continued app testing, we will ensure optimum digital security. As they say, an ounce of prevention is worth a pound of cure!

Get your penetration testing quote today.
