Hacker selling 40 million user records from popular Wishbone app
(Source: zdnet.com)


A hacker has put up for sale today the details of 40 million users registered on Wishbone, a popular mobile app that lets users compare two items in a simple voting poll.
The data is being advertised across multiple hacking forums and being sold for 0.85 bitcoin (~$8000), according to ads seen by ZDNet.
According to the seller's claims and a sample of the data published online, the Wishbone data includes user information such as usernames, emails, phone numbers, city/state/country, but also hashed passwords.
The hacker claims the passwords are in the SHA1 format; however, the sample that ZDNet reviewed today contained passwords in MD5.
MD5 is a weak password hashing format that can be cracked to reveal the original plaintext passwords, which ZDNet was able to do for some accounts using freely available online tools.
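The mismatch between the advertised SHA1 and the observed MD5 can be checked from digest length alone, and a service holding such hashes can re-protect them without knowing the passwords. The following is an added example, not code from ZDNet or Wishbone; the function names, the scrypt parameters and the sample row are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re

HEX = re.compile(r"[0-9a-fA-F]+")
# Hex length -> likely unsalted format. Heuristic only: other algorithms
# produce digests of the same length.
LIKELY_FORMAT = {32: "md5", 40: "sha1", 64: "sha256"}

def classify_digest(value: str) -> str:
    """Guess the hash format of a stored value from its hex length."""
    value = value.strip()
    if not HEX.fullmatch(value):
        return "unknown"
    return LIKELY_FORMAT.get(len(value), "unknown")

def wrap_legacy_md5(md5_hex: str, salt: bytes = None) -> dict:
    """Re-protect a stored MD5 digest without knowing the password by
    feeding it to a slow, salted KDF: scrypt(md5_hex, salt)."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(md5_hex.lower().encode(), salt=salt, n=2**14, r=8, p=1)
    return {"scheme": "scrypt-over-md5", "salt": salt.hex(), "hash": key.hex()}

def verify_login(password: str, record: dict) -> bool:
    """Check a login attempt against a wrapped record in constant time."""
    md5_hex = hashlib.md5(password.encode()).hexdigest()
    key = hashlib.scrypt(md5_hex.encode(), salt=bytes.fromhex(record["salt"]),
                         n=2**14, r=8, p=1)
    return hmac.compare_digest(key.hex(), record["hash"])

# Constructed sample row, not taken from the leaked data.
SAMPLE = {"username": "demo_user",
          "password": hashlib.md5(b"correct horse").hexdigest()}

if __name__ == "__main__":
    print(classify_digest(SAMPLE["password"]))
    rec = wrap_legacy_md5(SAMPLE["password"])
    print(verify_login("correct horse", rec), verify_login("wrong", rec))
```

Wrapping only protects the stored copy going forward; hashes that have already leaked in MD5 form still require a forced password reset.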
The data also included links to Wishbone profile pictures. URLs included in the sample data loaded images depicting minors, an age category with which the Wishbone app has always been historically popular (to many parents' dismay).

Wishbone hack took place earlier this year

The seller claims the Wishbone app data was obtained in a hack that took place earlier this year. User registration and last login dates included in the Wishbone data sample appear to confirm this statement, with all timestamps dating to January 2020.
It is unclear, however, if the individual who has placed all the ads on hacking forums is the actual hacker.
The person behind the forum ads is what security researchers call a "data broker," a type of cyber-criminal specialized in buying and reselling hacked databases in the cybercriminal underground.
According to ads seen by ZDNet, this threat actor is currently selling databases from tens of other companies, totaling more than 1.5 billion records.
Most of the databases are from companies that have reported hacks in previous years. Wishbone was also hacked in 2017 when a hacker obtained details for 2.2 million users.
ZDNet verified today that the data sample from this recent hack was not included in the 2017 hack. We took user emails from today's data sample and verified them against Have I Been Pwned, a website that lets users check if their emails have been included in previous hacks.
However, since Have I Been Pwned allows users to hide their email from public searches, we also verified these emails against a private platform managed by threat intelligence firm KELA, which has also been indexing and tracking data leaked in older breaches.
None of the accounts included in the sample shared today were included in the 2017 Wishbone breach, confirming that these are new accounts, and this is a new hack.
A Mammoth Media spokesperson was not immediately available for comment.
While Wishbone has not revealed its total user count in recent years, the app has been in the iOS App Store Top 50 most popular social networking apps for years, reaching its peak in 2018, when it ranked in the category's top 10. On the Google Play Store, the app has between 5 million and 10 million downloads.