DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Popular teen app Wishbone hacked (again), 40 million users’ info being given away

Posted on May 21, 2020 by Dissent

We know that no security is perfect, but when a company collecting and storing teenagers’ data has repeated breaches, it’s cause for concern – and possible investigation by federal and state regulators.

In 2017, we learned that the popular teen quiz app, Wishbone, had been “hacked.” According to reports at the time, hackers snagged 2.2 million email addresses and 287,000 cellphone numbers. It wasn’t really a hack, though, although media described it that way — it was a misconfigured MongoDB that someone found and downloaded.

In a statement to users at the time, the company wrote:

We value your privacy and deeply regret that this incident occurred. Maintaining the integrity of your personal information is extremely important to us. We sincerely apologize for any inconvenience this incident may have caused you. We are continuing to investigate this matter and have taken and will continue to take appropriate action to prevent future similar incidents. Please be assured that we will keep you informed of any developments in the investigation that may be of importance to you.

Now it appears that they were hacked once again in January of this year, and 40 million users’ data is now available on a popular forum.

On Wednesday, a well-regarded reseller on RaidForums first listed the database for sale.

The data were described as containing 40 million users’ Email addresses, Names, Usernames, Phone numbers, Geographic locations, Genders, Social media profiles, and MD5 Passwords

ZDNet, who reported on the listing yesterday, noted that in verifying the data legitimacy, they also found links to teens’ photographs.

This morning, ShinyHunters, responded on RaidForums with their own listing:

Hello dear RaidForums community, since people are starting to resell wishbone, we’ve decided to leak it for free.

[“free” in the context of this forum, means the data are not being sold for cash or BTC, but for forum tokens].

The schema, as posted by ShinyHunters, includes:

uid,username,email,name,mobile_number,country_code, fbid,access_token,auth_token,ip,create_time,twitter_id,t witter_access_token,twitter_access_secret,gender,date_of_birth,password,image,follower_count,device_token, android_device_token,is_admin,timezone,displaying_post_date,is_device_active,shared_for_date, show_second_session_date,apple_idfa,google_advertiser_id,stickers_left, deleted_at,updated_at

And like the reseller listing it, ShinyHunters provided their own sample of the data.  Both their sample and the reseller’s sample show that the data were downloaded in January 2020, even as late as January 27, 2020.

At the time of this posting, there is no indication on Wishbone’s site that they were aware of any hack. A request sent to their Media support contact resulted in an auto-reply that they would respond within 1 to 2 business days. Given that they told ZDNet yesterday that they were looking into things, it does not seem like they are yet in full crisis management or incident response mode, but a breach of this size and sensitivity is very concerning.

But meanwhile, back in the another-day-another-drama department, why did ShinyHunters just dump data that would likely have attracted a number of buyers? They say it was because others were already reselling it, but did they cut off their nose to spite their face?   ShinyHunters responded to an inquiry from DataBreaches.net by saying that  Whysodank (aka Whysodankk, ShinyHunter’s partner) had sold it to the reseller. But if you sell it to a known reseller why would you then screw the reseller by dumping the data for free? I put the question to ShinyHunters, who answered, “Well, let’s just say I didn’t agree with his decision.”

In a separate chat on Jabber, the reseller claims that they did not buy the data from whysodank, but were listing it for someone whysodank had sold it to:

“I was proxying the sale through a client. I guess he got angry I did that and he leaked it for free. Stupid move but what can you do”

With more data dumps and sales likely coming down the pike from ShinyHunters and whysodankk, that’s a question we may hear again.

This post was edited post-publication to restore some content that was accidentally deleted and to reformat the fields in the schema.

Update:  Mammoth Media replied to my inquiry that contained a number of questions with this response:

Protecting data is of the utmost importance. We are investigating this matter and will share any significant developments.

As of the time of this update, there is still nothing posted on their web site, on AppStore, Google Play, or on their Twitter account to alert users that their data might be in unauthorized individuals’ hands. Also as of the time of this update, I’ve found that the Wishbone database has now also been listed on two Russian-language forums.

Related posts:

  • “ShinyHunters” lists more than 160 million user records from 11 companies for sale on dark web
  • A guilty plea in the PowerSchool case still leaves unanswered questions
  • RaidForums seized in Operation TOURNIQUET; forum’s administrator and two accomplices arrested
  • The “reincarnation” of BreachForums: A cyberdrama in three acts
Category: Breach IncidentsBusiness SectorHackOf NoteU.S.

Post navigation

← Ohioans’ and Coloradans’ personal info exposed in pandemic unemployment data breaches
Ontario: North Bay Parry Sound District Health Unit Announces Privacy Breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.