An attack on the Wishbone app has led to the loss of 40 million user data records, which have been put up for sale on the dark web. The hacker behind the dark web sale claims that the data dump was obtained through a breach carried out in early 2020, although Wishbone has not officially commented on a cybersecurity event.
At this point, the claim appears to have some basis, considering that the file timestamps are dated January 2020. Notably, the person trying to sell the stolen data is not the individual behind the cyberattack: they claim to have simply purchased the data pack with the intention of reselling it for a profit on the dark web.
This scenario highlights the existence of data brokers who sell people’s personal data online.
Who and What Has Been Affected?
Wishbone is an app that a wide range of people use to compare items, from clothing to music, and from celebrities to mobile devices. The app operates on a voting system built on user interests and characteristics, a functionality that resonated with younger demographics.
In general terms, then, the more than 40 million records that were breached and posted on the dark web probably belong to young people, an aspect that enhances the value of the stolen data. According to the sale offering on the dark web, the following types of data were involved: full names, usernames, email addresses, cellphone numbers, locations, sex and social media account profiles.
What Are the Risks?
Reportedly, the business technology news website ZDNet obtained samples of the advertised data and confirmed the validity of the dump. Wishbone has been hacked before, although the website clarified that the currently advertised data is a fresh dump stemming from the January 2020 breach.
Importantly, no data overlap has been detected: the 2020 listing appears fresh and derived from the latest cyberattack.
At this point, there are two big concerns: first, what risks are the exposed users facing, and second, are the SHA-1 hashed passwords easy to compromise?
Setting hypotheticals aside, the algorithm's vulnerability to collision attacks is no reason for worry, because a collision does not reveal the password behind a given hash. In that respect it is quite safe, and the buyers of the stolen data will not have an easy time deriving the account passwords.
Nonetheless, users with short or weak passwords may be at risk of further damage, and may not be protected by the password hashing. This applies to accounts that used common letter replacements, double letters, and mixed upper and lower case in common words: password cracking tools will easily test such combinations when attempting to recover passwords from their hashes.
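As an added example (not part of the original article and not Wishbone's code), the Python sketch below shows a defender-side check that rejects short passwords and dressed-up common words of the kind described above, then stores accepted passwords with a salted, deliberately slow hash rather than a fast hash such as SHA-1. The denylist, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed denylist for this example; a real check would load a large
# list of breached passwords instead.
COMMON_WORDS = {"password", "wishbone", "letmein", "sunshine", "football"}

# Common letter replacements, mapped back to the letter they stand for.
SUBSTITUTIONS = str.maketrans("013457@$", "oieastas")


def normalise(password):
    """Reduce a password to the base word that guessing tools start from."""
    # Drop trailing digits/punctuation, fold case, undo letter replacements.
    text = password.rstrip("0123456789!?.").lower().translate(SUBSTITUTIONS)
    collapsed = []
    for ch in text:
        if not collapsed or collapsed[-1] != ch:  # collapse doubled letters
            collapsed.append(ch)
    return "".join(collapsed)


# Denylist entries go through the same normalisation so the forms match.
NORMALISED_COMMON = {normalise(word) for word in COMMON_WORDS}


def is_guessable(password, min_length=12):
    """True if the password is short, all digits/punctuation, or a common word in disguise."""
    base = normalise(password)
    return len(password) < min_length or not base or base in NORMALISED_COMMON


def hash_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 hash for storage (iteration count is an assumption)."""
    salt = os.urandom(16)  # per-user salt: identical passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```

A check like this belongs at sign-up and password change, so that weak choices never reach the stored hash table.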
Even so, the other types of data affected by the cyberattack may still be used by scammers and phishing operators to facilitate their regular operations.
For now, Wishbone's management has not substantiated reports of the breach through an official announcement, nor has it given any account of the appearance of its users’ data on the dark web. Instead, according to ZDNet, Wishbone management is investigating the reports and plans to issue a public position on the matter.
Not the First Time
The last time Wishbone suffered a cyberattack was three years ago, when it lost millions of user records, including 2 million email addresses and about 300,000 phone numbers.
In the 2017 hacking event, it was reported that a group of unidentified hackers came across an unprotected database for the Wishbone app, made away with the large dump and distributed it on the dark web.