Wishbone

Wishbone, also known as the Wishbone App, operates primarily as a mobile application service. Based in the United States of America, the platform functioned as a social quiz and comparison app. Its core service involved enabling users, particularly younger demographics, to compare items or ideas and share opinions. The app gained significant traction, evidenced by the scale of user data compromised in breaches. Millions of individuals used the service, with a notable historical footprint among teenage and underage users, constituting a substantial portion of its user base according to breach analyses.

Distinguishing characteristics of Wishbone included its specific appeal to younger audiences, facilitating social interactions through comparative polls. This focus amplified concerns during security incidents due to the sensitive nature of the exposed minor-linked data. The organisation experienced two major cybersecurity breaches. In 2017, hackers exploited unauthorized API access to an unprotected database, compromising millions of records containing personal details like email addresses, full names, phone numbers, birthdates, and genders, with minors heavily impacted. A subsequent breach in 2020 exposed approximately 40 million user records, including usernames, emails, phone numbers, locations, weakly hashed passwords, and profile picture links, some depicting minors. Forensic analysis confirmed this was distinct from the 2017 incident. Wishbone's parent company acknowledged the 2017 breach and addressed the vulnerability, while the operator investigated the 2020 incident, emphasizing data protection priorities. Both breaches resulted in stolen data being offered for sale on criminal forums.