[BreachExchange] Hacker Swipes Data On 40 Million Users Of Popular Wishbone App

Destry Winant destry at riskbasedsecurity.com
Tue May 26 10:17:21 EDT 2020


https://www.forbes.com/sites/leemathews/2020/05/22/40-million-wishbone-accounts-hacked/#7d673fab385f

Personal data from some 40 million users of the popular voting app
Wishbone was swiped during a breach earlier this year. Now the hacker
who claims responsibility is giving that data away for free.

It’s the second major incident in the past three years for Wishbone.
In 2017, hackers made off with 2.2 million email addresses and nearly
300,000 cell numbers.

A great number of those belonged to young women. Documents that leaked
around the same time revealed that upwards of 70% of Wishbone’s users
were under 18.

That had parents and privacy advocates bristling, and that lightning
may very well strike twice. This new breach impacts nearly 20 times
more users and includes far more data on each and every one.

ZDNet’s Catalin Cimpanu reports that the hacked data includes
usernames, emails, phone numbers, and location information. It also
includes hashed passwords.

While the fact that passwords were not stored in plain text is good
news, Cimpanu says those he examined were hashed using the MD5
algorithm. MD5 was declared “cryptographically broken” by experts all
the way back in 2010.

A moderately complex password hashed with MD5 could be cracked in 30
minutes or less. That’s not great news for these 40 million users.

It’s a safe bet that some percentage of them used the same password
with other apps or websites. Password fatigue continues to lead many
down the slippery slope of password re-use.

Email address and password pairs stolen in this breach could now be
used to break into those users’ other accounts.

That’s particularly alarming given Cimpanu’s most recent update. The
hacker who stole the data was originally selling it for $8,000. Now
it’s being given away on hacking forums.

