While the entire world is worried about the current pandemic and evaluating their life choices, the cyberattacker community doesn’t seem affected by it at all. Their most recent data-breach target is ‘Wishbone’ – the popular teen social networking app where users interact via comparison quizzes, held across a vast number of categories.
Wishbone User Database For Sale
On May 20, 2020, an undisclosed hacker put public ‘For Sale’ ads on various well-known hacking forums over the dark web. It agrees on a delivery of 40 Million Wishbone user account details for a whopping price of 0.85 bitcoin cryptocurrency (equivalent to $8,000).
In recent times, more and more cyber attackers are switching to cryptocurrency for ransom because of easy transfer and untraceable benefits. Just last week, in the scandalous data leak of Donald Trump, Lady Gaga, Madonna and more A-listers, the attacker ‘REvil’ has sold high-profile data for a massive price in ‘Monero’ cryptocurrency.
Coming back to Wishbone hacking ordeal, companies like Cyble have hinted that this database has been circulating for sometime in private dealings, but has surfaced for public sale just now.
The seller in this case might just be a ‘data broker’ instead of the actual hacker. Moreover, there’s a huge possibility that the corresponding Wishbone data breach actually took place earlier this year with identified time-stamps dating back to January, 2020.
Additionally, this cyber criminal is currently dealing in selling tons of valuable databases from influential companies, amounting to approx 1.5 billion records.
Wishbone User Data Leak for FREE
But the incident took an interesting turn when the infamous hacker ‘Shiny Hunters’ came in to play. He was last credited with the notorious Microsoft Github hacking and has been a major threat actor in several data-breach cases.
On the very next day of the original ad posting, Shiny Hunters came in as a competitor and released the entire Wishbone data dump for free, that too on one of the same ad forums.
Now, was this just an overlooked mistake, or an intentional revenge plan, we can surely predict tension between the 2 seller parties. We only hope this doesn’t spiral into a free data leak loop affecting many organizations, as both cyberattackers are known for their legitimate databases.
Wishbone Data Leak Details
Certain cybersecurity researchers have obtained and confirmed the Wishbone registered members database that got leaked in this clout battle. The data has also been verified through various friends and acquaintances who had accounts with Wishbone.
This treasure trove of information will be quite dangerous in the wrong hands with high-risk possibilities of credential-stuffing attacks, account takeovers, phishing campaigns and more. It’s all the more worrisome, as a huge portion of the database includes minors (Wishbone’s biggest audience group).
Now, let’s take a look at exactly what all sensitive information got leaked:
- Email Address
- Encrypted Passwords (MD5 hash)
- Phone Numbers
- Profile Images
- Personal Details - Gender, Date of Birth, Location,
- Social Media Access Tokens (Facebook, Twitter)
- Device Details
- Account Status
- And more
Wishbone Account Hacked – What Should You Do?
If reports are to be believed, most of the data is confirmed as legitimate and thus deems a huge risk, especially if you’re registered with Wishbone. So under the disturbing circumstances, here’s what you can do:
- If you’re logged in with your email, change your Wishbone account PASSWORD immediately
- If you’re using your Wishbone password on any other websites/ apps, change that as well
- If you’re signed up through Facebook or Twitter, disconnect your account from these social platforms. Here’s how you can do it for Facebook and Twitter
- Furthermore, you can check if your account has been hacked here at Cyble’s official data-leak verification software