[BreachExchange] Teen quiz app Wishbone hacked, users’ emails and phone numbers exposed

Inga Goddijn inga at riskbasedsecurity.com
Thu Mar 16 09:36:39 EDT 2017


https://techcrunch.com/2017/03/15/teen-quiz-app-wishbone-hacked-users-emails-and-phone-numbers-exposed/

Check your kid’s phone for this app, ASAP: Wishbone <http://wishbone.io/>.
This popular quiz app for kids, tweens and teens has been hacked, according
to a report
<https://motherboard.vice.com/en_us/article/popular-teen-quiz-app-wishbone-has-been-hacked-exposing-tons-of-user-information>
from Motherboard out this morning. The hack involved 2.2 million email
addresses, as well as 287,000 phone numbers, many of which are from kids
under the age of 18.

The app is operated by the incubator Science
<https://techcrunch.com/2015/09/30/with-the-success-of-wishbone-app-venture-studio-science-makes-a-big-mobile-push/>,
and is one of the more popular social networking applications in the U.S.,
currently ranking No. 14 in that category on iTunes.

Users have been alerted to the hack by way of an email from the company,
which explains that it became aware of the breach on March 14, 2017.

Per the email, hackers appear to have accessed a private API to pull
information on Wishbone users. This included usernames, personal names,
emails and phone numbers. Some users also opted to provide their date of
birth to Wishbone, and, if they did, this information was also included.
Wishbone says no passwords or financial information was part of the breach,
however.

Users were also alerted via an in-app notification.

The message says that Wishbone is initiating “precautionary measures” as a
part of the breach. But Motherboard received confirmation
<https://motherboard.vice.com/en_us/article/popular-teen-quiz-app-wishbone-has-been-hacked-exposing-tons-of-user-information>
that the vulnerability has now been fixed.

Unfortunately, the data is already out there in the wild, and consists
mainly of kids’ personal information. The app’s core demographic is very
young users — many of whom don’t even have iPhones yet, but play with the app
on their iPod touch. Thankfully, this limited the number of phone numbers
included in the data breach.

The app, which was created by Science co-founder Michael Jones, previously
CEO of MySpace, is a time-waster of sorts. It lets users vote on
user-generated polls
<https://techcrunch.com/2016/06/01/wishbone-an-app-for-comparing-anything-with-photos-dives-into-video/>
accompanied by pictures, like which celeb is cuter, or “would you rather…?”-style
questions. It’s sort of a modern-day, digital version of teen magazines, as
it presents an angle on pop culture and offers visibility into what trends
are popular among fellow young users.

In its statement to Wishbone users, Science offered the following apology:

We value your privacy and deeply regret that this incident occurred.
Maintaining the integrity of your personal information is extremely
important to us. We sincerely apologize for any inconvenience this incident
may have caused you. We are continuing to investigate this matter and have
taken and will continue to take appropriate action to prevent future
similar incidents. Please be assured that we will keep you informed of any
developments in the investigation that may be of importance to you.