A prolific dark web trader has leaked what they claim to be 40 million user records from popular mobile app Wishbone.
The individual known as “ShinyHunters” posted the data to RaidForums, claiming that, “since people are starting to resell wishbone we’ve decided to leak it for free.”
The post was shared by security vendor Cyble and indicates ongoing tension in the cybercrime community. Previously, the database was thought to be selling on the dark web for thousands of dollars.
ShinyHunters has been linked to multiple previous sales of breached data including Home Chef, which this week revealed that it had suffered a serious cybersecurity incident thought to have affected millions of customers.
Popular with youngsters, Wishbone is an iOS and Android app which allows users to “compare anything.”
The trove of data now available to all-comers includes usernames, email addresses, mobile numbers, gender, date-of-birth, Facebook and Twitter access tokens, MD5-hashed passwords and more.
This could provide fraudsters with plenty of information to carry out follow-on phishing attacks, credential stuffing and more.
Trevor Morgan, product manager at comforte AG, argued that tokenizing or securely encrypting the data could have helped Wishbone mitigate the impact of the breach.
“Unfortunately, in this case the stolen passwords were in MD5 format, a weak form of password hashing which can be decoded by malicious actors and therefore monetized through sale on hacking forums,” he explained.
“Encrypted or tokenized data, however, could not be listed for sale on the dark web because it becomes undecipherable without the necessary key, therefore reducing the likelihood of data exposure during a breach, and maintaining the security of valuable personal information.
He urged organizations to rethink their security and data protection processes or risk becoming the next Wishbone.
This isn’t the first time Wishbone has been caught out. A 2016 breach affected 9.4 million records with 2.2 million unique email addresses, according to HaveIBeenPwned.