The hacking group calling themselves ‘The Shiny Hunters’ has been busy.
Recently, they put databases containing user records from eleven different companies up for sale on the Dark Web, including a massive database containing some 40 million records belonging to the popular Wishbone app.
Wishbone is a social media platform that’s especially popular among children. It allows users to compare two items by way of a simple poll. The database was initially being offered for 0.85 bitcoin, which is, at the time this article was written, worth approximately $8,000.
Only days after the database was originally offered for sale, it appeared elsewhere on the Dark Web in its entirety, for free. The information it contains includes usernames, email addresses, phone numbers, geo-location data, hashed passwords, and profile data, including links to uploaded user photos. That’s bad news indeed for any parent, because again, this app is especially popular among children.
A closer inspection of the records the database contains reveals that the hashed passwords are only weakly encrypted, using MD5, which can easily be broken using freely available tools, putting every one of the 40 million users identified in the database at risk.
If you’re not sure if your child has downloaded Wishbone, it pays to double check immediately. Be sure to change the password on any account you or your children may have associated with the account.
For the company’s part, a notice recently went up on the Wishbone website that read: “Protecting data is of the utmost importance. We are investigating this matter and will share any significant developments.”
Unfortunately, the most significant development is that some 40 million of the app’s users are now at risk. Don’t take any chances. If you or your kids use this app, change your password immediately and be on the alert for phishing emails sent to any email address referenced in your Wishbone profile.