Wishbone, the social media-based quiz app for teens and young adults, has been compromised, leading to more than 9.4 million records going up for sale on the Dark Web.
The breach gave the attackers access to Wishbone users’ user names, any real or nicknames provided by users during account registration, email addresses and telephone numbers, according to an email sent by the company to users, posted to Pastebin.
“If you elected to provide date of birth information, such information was also included in the incident,” Wishbone said. “However, no passwords, user communications or financial account information were compromised in the incident.”
According to Motherboard, included in the cache are 2.2 million email addresses and 287,000 mobile phone numbers, mostly linked to kids under the age of 18. In some cases, according to the report, gender was also included.
Taken together, the attackers are able to sell contact information linked to specific demographics about children, such as age and gender—a field day for pedophiles and those looking to take advantage of youthful naivete to perpetrate scams and the like. It may even be possible to track down victims in person.
“Whether a child uses an app on their smartphone, a computer at school, or borrows a friend’s phone to play around on, the dangers are there and it's important to teach kids how vital it is never to put any personal information into these apps,” said RJ Gazarek, product manager at Thycotic, a Washington DC-based provider of privileged account management (PAM) solutions. “[Even] with such a small amount of data, it's very easy for malicious people to contact and locate these people online. Especially if the same information was used on other social media sites that provide geo-location information, like Instagram or Facebook.”
He added, “a lot of parents don't know how easy it is to find a lot of personal information about someone on the internet.”
There’s also the more mundane but nonetheless concerning issue of identity theft. Teenagers and young adults are especially vulnerable, because they may not be monitoring the kinds of financial accounts that criminals would typically use stolen identities to create and use.
“Parents must help their children understand why protecting their identity is important, especially before they've reached adulthood and will be opening back accounts, credit lines and applying for loans,” said Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company. “Not sharing personal information when asked for it, using strong passwords and changing them on a regular basis, and learning to monitor for strange activity or new accounts being opened in their names are all important concepts that should be taught.”
According to independent researcher Troy Hunt, the database was a MongoDB file that may have been inadvertently left open to the internet. The leak may have stemmed from a vulnerability in a Wishbone API, the company confirmed to Motherboard—one that the company has now closed, it said.
Parents should look through the settings of Wishbone, and any other app their children are using, to see if any personal information is stored in them. And, having a talk with kids about the dangers of exposing information should be at the top of the to-do list. Hunt has also published the leak to his searchable HaveIBeenPwned database, so parents can find out if their child is a victim.
“Teenagers today are constantly connected and sharing all aspects of their daily life is normal as there is a lot of peer pressure to participate in social apps,” said Sanjay Kalra, co-founder and chief product officer at Lacework, a provider of cloud security solutions. “Being a parent of [a] teenager in this hyper-social environment is a scary aspect. You cannot control information once exposed. Parents should be in constant communication with their teenagers, explaining the risks associated with information sharing and training them on basics of internet security. They should be educating them on how to use multiple strong passwords, anonymization of the data and identities and long-term effects of having personal aspects of life in public domain.”