Cyber Incident Victim: Wishbone
Date: Jan 2020
Location: United States of America
Summary
A previously undisclosed breach of a popular mobile comparison app exposed approximately 40 million user records, including usernames, email addresses, phone numbers, geographic details, weakly hashed passwords vulnerable to cracking, and profile picture links—some depicting minors. The stolen database was advertised for sale on criminal forums by an actor likely specializing in redistributing compromised data, with analysis confirming the records were distinct from an earlier breach affecting the same service. The app's operator acknowledged investigating the incident while emphasizing data protection priorities, though the platform's historical popularity among younger users amplified concerns regarding exposed minor-linked content. Forensic verification established the breach's novelty through comparison with prior leaks and independent threat intelligence repositories.
Description
In early January 2020, an unauthorized actor compromised the Wishbone mobile application, a social polling platform popular among younger demographics. The breach resulted in the theft of approximately 40 million user records containing personally identifiable information. Registration and last-login timestamps in the stolen data samples indicated that the intrusion occurred around this timeframe. The compromised records included usernames, email addresses, phone numbers, geographic location data (city/state/country), and password hashes initially claimed to be SHA1 but later verified as weaker MD5 hashes through independent analysis. The dataset also contained URLs linking to user profile pictures, some depicting minors given the app's historical popularity with underage users.

The stolen database surfaced on multiple cybercrime forums in May 2020, advertised by a threat actor specializing in the resale of breached data. Priced at 0.85 Bitcoin (~$8,000), the listing formed part of a larger portfolio of 1.5 billion records from various companies. Independent verification by ZDNet and threat intelligence firm KELA confirmed the data's authenticity through cross-referencing with historical breaches, including Wishbone's 2017 incident affecting 2.2 million accounts. Analysis confirmed no overlap between the 2017 and 2020 datasets, establishing this as a distinct intrusion. Wishbone's parent company, Mammoth Media, acknowledged the incident upon media inquiry, stating an ongoing investigation with commitment to share significant developments while emphasizing data protection priorities. The exposure of weakly hashed MD5 passwords created elevated risks of credential-based attacks, compounded by the presence of minor users' information. With 5-10 million downloads on Google Play and consistent Top 50 iOS social app rankings since 2018, the breach impacted a substantial portion of Wishbone's active user base.
