Cyber Incident Victim: Wishbone
Date: Mar 2017
Location: United States of America
Summary
A popular teen-focused social quiz app experienced a significant data breach when hackers accessed an unprotected database, compromising millions of user records including over two million email addresses with full names and nearly 300,000 cellphone numbers. The breach exposed sensitive details of primarily underage users—with approximately 70% of a sampled group being minors—including birthdates, genders, and phone numbers, raising concerns about potential identity theft and exploitation risks. The app's parent company confirmed unauthorized API access as the intrusion vector, subsequently rectifying the vulnerability while notifying affected users and apologizing for the incident. Stolen data circulated within underground forums, verified as legitimate through API cross-referencing by cybersecurity researchers.
Description
On or around March 15, 2017, unknown hackers breached the database of Wishbone, a popular social networking app targeting teenage users, exposing millions of records. The attackers accessed an unprotected database containing sensitive user information, including over 2 million email addresses and full names, along with nearly 300,000 cellphone numbers. Security researcher Troy Hunt, operator of the breach notification service 'Have I Been Pwned,' verified the legitimacy of the leaked data by cross-referencing a sample of accounts through Wishbone’s API. The stolen data subsequently circulated within underground internet forums. Science Inc., the tech incubator owning Wishbone, confirmed the breach in a statement, attributing it to unauthorized API access. The company stated it had rectified the vulnerability and notified users via an apology email that acknowledged the leak and pledged further investigation. While Wishbone allowed sign-ups without mandatory personal information, the exposed dataset included identifiable details for a significant subset of users.

Wishbone, launched in 2015 by Science Inc. founder and former MySpace CEO Michael Jones, ranked among the top 10 U.S. iPhone social networking apps at the time of the breach, with between one and five million downloads on Google Play. The app’s core functionality involved creating and voting on binary-choice polls, attracting a predominantly teenage userbase. Analysis of a 200-account sample from the leaked data revealed approximately 70% of affected users were under 18 years old. The breach exposed full names, birthdates, genders, email addresses, and phone numbers for many minors, raising concerns about risks beyond identity theft and spam, including potential predatory exploitation. Hunt emphasized the heightened danger posed by the exposure of minors’ personally identifiable information. The incident underscored vulnerabilities in Wishbone’s data storage practices, particularly its failure to secure an API that allowed unauthorized extraction of user records. Science Inc.’s public acknowledgment and remediation efforts constituted the primary organizational response to the breach.
