40 Million “Wishbone” User Records Are Now for Sale on the Dark Web

• A data-broker is selling 40 million user data records belonging to the Wishbone app platform.
• This is the second time the app was hacked in the last three years, and they didn’t announce anything officially.
• The details that have leaked include full names, email addresses, phone numbers, and even hashed passwords.

A hacker has put up 40 million user data records for sale on the dark web, alleging that the data belongs to Wishbone app users. The person claims to have obtained it during a breach that happened earlier this year, although Wishbone hadn’t disclosed any security incidents. Indeed, the timestamps of the files date to January 2020, so the allegations seem to have some basis. The person who is selling the data is not the one who launched the cyber-attack; instead, he claims to have merely bought the pack for purposes of reselling it fora profit. The fact that the same user has dumps that came from hacks on other platforms supports the “data-broker” assumption.

Wishbone is a popular app that allows users to compare anything they want, from fashion items to music tracks, and from celebrity faces to smartphones. It is based on a voting system that engaged the users themselves, and it is particularly popular among younger demographics. Thus, the 40 million user records that are for sale probably concern people of a younger age, which is quite bad for them, and at the same time adds more value to the dump. As for what the sale offers, the following things are included:

• Full names
• Usernames
• Email addresses
• Phone numbers
• Geographic locations
• Genders
• Social media profiles

ZDNet and “Have I Been Pwned” have acquired samples of the data that is offered for purchase and confirmed that they are valid. The same platform was also hacked in 2017, but it was confirmed that the current data does not belong to the old dump. It is a fresh 2020 listing, having new accounts that seem to derive from a recent breach. In fact, there’s no data overlap between the two dumps at all.

So, what happens with the exposed persons now, and are the SHA-1 hashed passwords any easier to crack? While the algorithm is vulnerable to collision attacks, it is generally pretty safe, so it won’t be easy for those buying the dump to derive the passwords. However, if the users were using a short or weak password, the hashing won’t save the day. This applies to those who are using common letter replacements, double letters, and upper-lower case in common words, as cracking tools can quickly test out these combinations when trying to dehash the password.

Still, the rest of the data that’s for sale would be enough for scammers and phishing actors to engage in their typical operations. For now, Wishbone hasn’t provided anything tangible, and neither have they posted an official announcement on the matter. They stated that they are investigating the subject and will soon inform the public of their position on this.