A database of 40 million users of the popular Wishbone application has been put up for sale on the dark web.
ZDNet discovered Wishbone user accounts were available on underground forums for 0.85 bitcoin – currently around $8000. The popular mobile app allows users to compare two or more items in voting polls.
The hacking attempt appears to have taken place earlier this year, with the criminals able to get access to details including usernames, emails, phone numbers, city/state/country and hashed passwords.
Since Wishbone is popular among children, the presence of personally identifiable details like profile pictures and profile URLs may pose a serious threat to their safety.
In a prepared statement, Mammoth Media, the parent company of Wishbone, stated, “Protecting data is of the utmost importance. We are investigating this matter and will share any significant developments.”
According to the report, the passwords were not encrypted properly and were stored in a weak MD5 hashing format. Unlike SHA1 hashing, passwords stored in MD5 format can be easily cracked with the help of various tools freely available on the Internet.
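For teams that still hold MD5 password records like those described above, the following added example (not code from Wishbone, Mammoth Media or the report) shows one way to find legacy records and replace them with salted scrypt records when a user next logs in. The record format, the scrypt cost parameters, the function names and the sample table are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# scrypt cost parameters are assumptions for this example (about 16 MiB per hash).
N, R, P = 2**14, 8, 1
LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")  # assumed legacy format: bare hex MD5

def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)

def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<key hex>' with a fresh random per-user salt."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${derive_key(password, salt).hex()}"

def verify(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, replacement). replacement is a new scrypt record to persist
    when a legacy MD5 record has just verified, otherwise None."""
    if LEGACY_MD5.fullmatch(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        if hmac.compare_digest(candidate, stored):
            return True, hash_password(password)  # upgrade on successful login
        return False, None
    try:
        scheme, salt_hex, key_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False, None  # malformed record: fail closed
    if scheme != "scrypt":
        return False, None
    return hmac.compare_digest(derive_key(password, salt), expected), None

def legacy_accounts(users: Dict[str, str]) -> List[str]:
    """List accounts whose stored record is still a bare MD5 digest."""
    return sorted(u for u, rec in users.items() if LEGACY_MD5.fullmatch(rec))

# Constructed sample table: one legacy MD5 record, one already migrated.
SAMPLE_USERS = {
    "alice": hashlib.md5(b"constructed-pass-1").hexdigest(),
    "bob": hash_password("constructed-pass-2"),
}
```

Accounts that never log in again keep their MD5 record under this scheme, so the output of `legacy_accounts` is the list to force-reset or expire.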
Experts believe the poster may be a reseller or a broker who is looking to make money by reselling the data. Apart from Wishbone, the hacker has also put databases of other companies up for sale, with over 1.5 billion records available, many of them from companies that reported a data breach in the recent past.
Wishbone was previously attacked in 2017, when hackers were able to steal the data of over 2.2 million users. However, the sample data shared by the hacker in this instance did not match any listed online, seemingly confirming this is a new hack.