Personal details and hashed account passwords of over 40 million users of popular mobile app Wishbone have been put up for sale by hackers on multiple Dark Web forums for 0.85 bitcoin (£6,445).
Offered by Second Street Labs Inc, Wishbone is a highly popular social media application on both Google Play and iOS that lets millions of users compare any products across any category- be it fashion, celebrities, humor, music, or any genre of their liking. The app has a popular voting feature that lets users participate, interact with other users, and find out about what’s hot and what’s not.
Earlier today, ZDNet revealed that hackers are now selling personal details of 40 million users of Wishbone on multiple dark web forums. These details include names, email addresses, phone numbers, geographical locations, genders, social media profiles, and hashed account passwords of users.
An analysis of the data samples shared by hackers on hacker forums revealed that users' account passwords are hashed using the obsolete MD5 encryption algorithm that can be cracked by novice hackers without much fuss. The samples also contained links to users' profile pictures, many of which were of minors.
When contacted, Wishbone told ZDNet that the company is "investigating this matter and will share any significant developments." The mobile application was hacked previously in 2017 but evidence suggests that user records being sold on Dark Web forums were not taken from the 2017 data breach.
Wishbone was immensely popular back in 2018 when it featured among the top ten social networking apps on the Apple App Store but presently ranks 143rd. The app also ranks 42nd in the social app ranking on the Google Play Store. This trend suggests that many users whose records were compromised may not be active users of the app at present.
Poorly-encrypted passwords could result in massive credential-stuffing attacks on online platforms
The hacker behind the sale of data records stolen from Wishbone is in the business of selling massive troves of data stolen from digital platforms and applications that boast millions of users. Companies and applications that feature in the hacker's list include Facebook, Epic Games, Dubsmash, Fotolog, Verifications.io, Evite.com, and Lexisnexis.com.
The most concerning aspect of the data security incident is that millions of account passwords were protected by Wishbone using the MD5 algorithm which is fairly easy to crack when compared to SHA1. Hackers can use the decrypted passwords to launch credential stuffing attacks on multiple digital platforms to exploit the fact that millions of netizens use the same passwords for multiple social media or e-commerce accounts.
"Even on apps and websites which may appear to have little valuable information, if attackers get hold of emails addresses and passwords, they can use those to try attacking other websites that the user is registered to with password stuffing. Or they can go directly after the user with phishing attacks," says Javvad Malik, Security Awareness Advocate at KnowBe4.
"It is why it's important that whenever a user is impacted by any breach from any website, one of the first steps they should take is changing their password on other services which may use the same password. The other thing they should do is exercise heightened vigilance around emails which appear, particularly unexpected ones claiming to be from the company or an official body," he adds.
According to Trevor Morgan, Product Manager at comforte AG, social media platforms can make user details useless for hackers by implementing data tokenisation that renders data records undecipherable without the necessary key, therefore reducing the likelihood of data exposure during a breach, and maintaining the security of valuable personal information.
"Cautionary stories like this one should encourage organizations to rethink not only their security measures and tools but also their processes in collecting, handling, and storing sensitive data, because data breach and theft can happen to anyone," he adds.