
Wishbone Breach: 40 Million Records Leaked on Dark Web

A prolific dark web trader has leaked what they claim to be 40 million user records from popular mobile app Wishbone.

The individual known as “ShinyHunters” posted the data to RaidForums, claiming that, “since people are starting to resell wishbone we’ve decided to leak it for free.”

The post was shared by security vendor Cyble and indicates ongoing tension in the cybercrime community. Previously, the database was thought to be selling on the dark web for thousands of dollars.

ShinyHunters has been linked to multiple previous sales of breached data including Home Chef, which this week revealed that it had suffered a serious cybersecurity incident thought to have affected millions of customers.

Popular with youngsters, Wishbone is an iOS and Android app which allows users to “compare anything.”

The trove of data now available to all comers includes usernames, email addresses, mobile numbers, gender, date of birth, Facebook and Twitter access tokens, MD5-hashed passwords and more.

This could provide fraudsters with plenty of information to carry out follow-on phishing attacks, credential stuffing and more.

Trevor Morgan, product manager at comforte AG, argued that tokenizing or securely encrypting the data could have helped Wishbone mitigate the impact of the breach.

“Unfortunately, in this case the stolen passwords were in MD5 format, a weak form of password hashing which can be decoded by malicious actors and therefore monetized through sale on hacking forums,” he explained.

“Encrypted or tokenized data, however, could not be listed for sale on the dark web because it becomes undecipherable without the necessary key, therefore reducing the likelihood of data exposure during a breach, and maintaining the security of valuable personal information.”

He urged organizations to rethink their security and data protection processes or risk becoming the next Wishbone.

This isn’t the first time Wishbone has been caught out. A 2016 breach affected 9.4 million records with 2.2 million unique email addresses, according to HaveIBeenPwned.

