Flash Alert: Wishbone app breach

Executive summary: IntSights researchers have obtained the full database from the Wishbone app breach

On May 21st it was reported that Wishbone, a popular teen-focused social app, has been breached. The reports came after a threat actor offered the database from the breach for sale on a cybercrime market.

The seller offered the 40M credentials for a price of 0.85BTC (or roughly $8,000). The database contains full names, usernames, phone numbers, location, passwords and more. While the seller claims the passwords were hashed using SHA1, the passwords were actually hashed using MD5, a relatively easy to crack hashing function. Cracking MD5 hashed passwords can be done using freely available tools and can be done quickly if the victim used easy to guess passwords.

IntSights is currently in the process of analyzing and parsing the data. Organizations who have been affected by this breach will be notified.

Affected users are advised to change their password for Wishbone as well as any other service, site, or application where the same password was used in order to prevent credential stuffing attacks.

Reports of the breach:
https://www.techtimes.com/articles/249783/20200521/hack-40-million-user-records-from-social-media-app-are-now-being-sold-online-for-8-000.htm

https://www.zdnet.com/article/hacker-selling-40-million-user-records-from-popular-wishbone-app/

To see the IntSights External Threat Protection suite of solutions in action, schedule a live demo with a member of our team today.

Request a Demo

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.